TruSecure ALERT

TSA 03-012 Microsoft RPCSS Buffer Overrun

Alert Type: TruSecure HOT Action Alert

Executive Summary

Microsoft released a security bulletin and patch today (MS03-039 Sep 10, 2003). TruSecure believes that a new worm based on the newly released vulnerabilities is likely -- in as soon as 48 hours. Organizations that rely on patching to prevent or recover from the Blaster worm should apply MS03-039 immediately to protect themselves from an imminent threat. Organizations that utilized TruSecure essential practices and were protected by more fundamental mechanisms (e.g., turning off the DCOM service widely; protections such as personal firewalls and current AV updates on the desktop, laptop, and among remote users with VPN connections; and organizations that effectively prevent the problem of infected laptops being able to "resume" instead of re-booting before reconnecting to their internal LAN) should be protected from a potential new worm as they were protected against Lovesan/Blaster. Even organizations that applied the previous patch (MS03-026) should now apply MS 03-039.

Description

Microsoft Windows NT, 2000, XP and 2003 Server contain multiple vulnerabilities in the RPC service that may allow a remote attacker to execute arbitrary code with Local System privileges on the system, or create a denial of service (DoS) condition. The vulnerabilities occur in the part of the RPCSS service that handles RPC messages for DCOM activation. The vulnerabilities result from improper handling of malformed RPC messages by the RPCSS service. A remote attacker could exploit these vulnerabilities by sending a malformed RPC message to the vulnerable system on multiple ports.

Two of the vulnerabilities allow an attacker to trigger a buffer overflow in such a way that it is possible to run arbitrary code under elevated privileges. The DoS vulnerability affects only Windows 2000 systems. Patches are available. Other safeguards will be effective.

Warning Indicators

Systems running Windows NT, 2000, XP and 2003 Server are vulnerable to the buffer overrun vulnerabilities. Only Windows 2000 is vulnerable to the DoS vulnerability. Environments that allow remote RPC communications over TCP or UDP ports 135, 139, 445, 593, and possibly ports 80 and 443 if COM Internet Services (CIS) or RPC over HTTP is configured, may see increased scanning and attempted exploits on these ports.

TruSecure Comments

Threat:

Medium-High - Exact sample exploit code has not been released, but the TruSecure predictive models indicate that this exploit could lead to malicious code within the very near future.

Vulnerability Prevalence

High - Most corporate deployed versions of the Microsoft Windows operating system are vulnerable, including those patched with MS 03-029; however, TruSecure's Essential Configuration for Windows (especially disabling DCOM), its default-deny essential practice and other recommendations will limit the exposure of corporate networks from the Internet.

Cost

High - The exploits could allow the execution of arbitrary code with Local System privileges. COM Internet Services is not installed by default on any shipping version of any Microsoft operating system or application (it is installed in Exchange 2003 Beta and Windows 2003 Server Beta). For this and other reasons TruSecure believes attacks related to port 593 or 80 (IIS ISAPI CIS) services do not represent a likely threat.

These buffer overflow vulnerabilities are very similar to those described in the RPC DCOM MS03-026 Bulletin. It is likely that the malicious code (Lovesan/Blaster and Nachi) used to exploit that vulnerability will require only minor modifications to exploit these new vulnerabilities. While it took attackers almost a month to develop those exploits, it is likely that exploits for these vulnerabilities will be developed much sooner.

Because we believe that there are no installed services to attack on the vast majority of IIS servers and that the port 593 service is not enabled in the great majority of organizations, we do not anticipate a new attack related to these vectors for at least months.  TruSecure believes that the knowledge and motivation to create a new worm similar to Lovesan/Blaster will very rapidly propagate to the worm-writing community and that a new worm will likely (probability 0.4) result within 48 hours. This new worm would propagate by exactly the same mechanisms and will affect more or less the same companies and computers that were infected by Lovesan/Blaster whether or not the particular patch (MS03-026) was successfully deployed.

Therefore organizations that are dependent upon patching to mitigate or recover from Lovesan/Blaster will need to immediately and aggressively apply the MS03-039 patch. Other mitigations, primarily disabling DCOM, are both easier to implement and more powerful, and will function without the need for emergency patching if and when new vulnerabilities related to this system are described and published (see Safeguards section).

If a worm does come, its likelihood of harm to organizations will come from remote users via VPN, partners via WAN connections, and laptops resuming from hibernation after being infected while running on unprotected networks. Organizations that have not already successfully implemented effective default deny at inter-segment routers (including routers supporting VPN and WAN networks) should apply these controls. Likewise, organizations should be prepared to take effective steps against users with laptops "resuming" while connected to internal LAN segments; posting notices at entry points and distributing pre-written emergency policies by email should be effective controls.

Simple tools to determine whether or not systems are properly patched are very likely to return misleading results:

1. File checking alone will indicate the wrong file versions/hashes. If they were checking for MS03-026, it would make more sense to check for a version number *or higher* rather than strict checking, but if you're checking hashes only it can only fail.

2. Registry checking alone will indicate MS03-026 and MS03-039 are installed. MS03-039 doesn't remove or alter the registry keys for KB823980 (MS03-026).

3. Checking for both will fail since the files will be updated but the registry key is still there.

As many sites may not be able to deploy this patch more rapidly than incidents of exploits begin to occur, administrators are advised to apply the firewall filtering safeguards at the perimeter and internal firewalls as a mitigating measure. As with the previous malicious code, this will not prevent internally generated infections or exploits. Administrators are advised to apply the patch to the workstations as rapidly as possible and use the filtering to protect server systems in a controlled environment. Internet facing HTTP servers should also be considered a priority for patching due to the possible HTTP exploits, or consider filtering RPC HTTP traffic at the firewall if possible.

Vendor Announcements

Microsoft has released a security bulletin at the following link:

MS03-039

Impact

A worm infecting inside enterprise networks is possible. A remote attacker could run code with Local System privileges by exploiting either of the buffer overflow vulnerabilities on the affected system. The attacker could also perform actions on the system such as installing programs, deleting or modifying data or creating new accounts with full privileges. An attacker could cause the RPCSS service to stop responding to legitimate messages by exploiting the DoS vulnerability.

Technical Information

Windows RPCSS service fails to properly check message input data under certain circumstances. An attacker could send a malformed RPC message that causes the DCOM activation infrastructure to fail. The RPC service is normally associated with the TCP or UDP ports 135, 137, 138 and 445. However, RPC is supported over HTTP if the system has the CIS services installed. On Windows NT systems with the NT Option Pack, users can determine if it is installed by searching for the file rpcproxy.dll. If this file is on the system, CIS is installed. On Windows 2000 and 2003 systems, administrators can check for the presence of COM Internet Services Proxy or RPC over HTTP Proxy in the Control Panel, Add/Remove Programs, Add/Remove Windows Components Wizard.

Microsoft has released a tool to scan networks for vulnerable systems. Information on this tool is available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. Administrators that applied firewall filtering rules to block the standard RPC ports will also mitigate this vulnerability from remote exploits. However, this does not prevent internal exploits or remote exploits over the CIS HTTP services. The patches provided for these vulnerabilities supersede patches provided in MS03-026 and MS01-048.

Safeguards

Disable DCOM
Administrators are advised to ensure that DCOM is disabled on all Windows NT, 2000, and XP systems. Instructions to disable DCOM have been part of the TruSecure Essential Configuration for Windows since 2002. Organizations that have used the TruSecure Essential Configurations should be protected as they were for Lovesan/Blaster. Disabling DCOM is possible in most organizations and is the preferred short- and long-term mitigation because it is rapid, requiring only a registry change, and its implementation will protect against other, yet to be published DCOM vulnerabilities.

DISABLE DCOM:
Disabling DCOM is an effective method of preventing this particular exploit. This current vulnerability represents only one possible attack vector. Since the initial discovery, another vulnerability in DCOM was discovered and a denial of service attack crafted. It is possible that further research will result in other attack vectors. TruSecure recommends disabling DCOM as part of the Essential Configuration of Windows systems. Disabling DCOM prevents COM objects on one system from communicating with COM objects on another system, which may prevent proper functioning in some environments.

Administrators can disable DCOM by changing the REG_SZ value EnableDCOM to "N" at the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\EnableDCOM

Administrators can also disable DCOM by performing the following:

* Run dcomcnfg.exe. Windows 2000, Windows XP and Windows Server 2003 users must perform the following additional steps:

  - Click on the Component Services node under Console Root.

  - Open the Computers subfolder.

  - For the local computer, right-click on My Computer and choose Properties.

  - For a remote computer, right-click on the Computers folder and choose New, then Computer. Enter the computer name. Right-click on the new computer name and choose Properties.

* Choose the Default Properties tab.

* Check or clear the Enable Distributed COM on this Computer check box to enable or disable it.

* Click OK to apply the changes and exit dcomcnfg.exe.
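The following PowerShell function is an added example, not TruSecure's or Microsoft's code, that audits one host for the three things this alert asks administrators to verify: the EnableDCOM registry value described above, the rpcproxy.dll indicator for CIS from the Technical Information section, and the patch-state pitfalls from the TruSecure Comments (compare the rpcss.dll file version with "or higher", and treat the KB823980 registry key as informational only). It assumes rpcss.dll and rpcproxy.dll live under %SystemRoot%\system32, that hotfix keys sit under the Windows NT\CurrentVersion\Hotfix registry path, and that the caller supplies the minimum patched rpcss.dll version, which this alert does not list, so the value in the usage line is a placeholder.

```powershell
# Added example (not TruSecure's or Microsoft's code). Assumptions are marked inline.
function Get-RpcssExposure {
    param(
        # PLACEHOLDER: the post-MS03-039 rpcss.dll version is not given in the alert;
        # take it from the MS03-039 bulletin's file manifest for your platform.
        [Parameter(Mandatory = $true)][version]$MinPatchedRpcssVersion,
        [string]$SystemRoot = $env:SystemRoot
    )
    $result = [ordered]@{}

    # 1. DCOM: the alert's preferred mitigation is EnableDCOM = "N" under HKLM\SOFTWARE\Microsoft\Ole.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    $result.DcomDisabled = ($null -ne $ole -and $ole.EnableDCOM -eq 'N')

    # 2. CIS / RPC over HTTP: rpcproxy.dll present means the port 593 and 80/443 vector exists.
    #    (Assumption: the file is under system32.)
    $result.CisInstalled = Test-Path (Join-Path $SystemRoot 'system32\rpcproxy.dll')

    # 3. Patch state from the file itself, compared with ">=" rather than strict equality or a hash:
    #    a strict match against the MS03-026 version wrongly flags an MS03-039 machine as unpatched.
    $vi = (Get-Item (Join-Path $SystemRoot 'system32\rpcss.dll')).VersionInfo
    $fileVersion = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $result.RpcssFileVersion = $fileVersion
    $result.RpcssPatched = ($fileVersion -ge $MinPatchedRpcssVersion)

    # 4. The KB823980 (MS03-026) key is informational only: MS03-039 leaves it in place, so its
    #    presence proves nothing about the newer patch. (Assumption: Hotfix key location.)
    $result.Kb823980KeyPresent = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB823980'

    # A host needs action when DCOM is still reachable and the file is older than the patched build;
    # CIS raises its priority because of the HTTP vector.
    $result.ActionRequired = (-not $result.DcomDisabled) -and (-not $result.RpcssPatched)
    $result.PatchPriority  = if ($result.ActionRequired -and $result.CisInstalled) { 'High' }
                             elseif ($result.ActionRequired) { 'Normal' } else { 'None' }
    [pscustomobject]$result
}

# Usage: replace the placeholder version with the real post-MS03-039 rpcss.dll version.
Get-RpcssExposure -MinPatchedRpcssVersion '0.0.0.0' | Format-List
```

Run it with administrative rights on each host; a result with DcomDisabled true is protected as described in this section regardless of the patch fields.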

If it is not possible to disable DCOM, then TruSecure recommends installation of the appropriate patch from Microsoft within the next 7 days. This should be seriously considered particularly for systems which are outside of the corporate Firewall environment.

PROTECT REMOTE USERS:

Besides disabling DCOM, the Internet Connection Firewall in Windows XP and Windows Server 2003 blocks inbound RPC traffic by default. Users can enable this service to protect their systems. Other personal firewalls should be equally effective.

HIBERNATING LAPTOPS:

Be prepared to disallow laptop users to "resume" from hibernation on your LAN. We recommend using signs at entry points and/or email instructions to users in advance of a worm event.

INSTALL PREEMPTIVE "PERMIT" ACLS ON INTERNAL ROUTERS

Add a router or firewall Access Control List rule on all internal routers or firewalls specifically permitting TCP and UDP 135 inbound and outbound if it is currently required (this will be true for most Windows environments). Having such a rule already in place permits changing it to a specific deny rule in memory, without having to reload the router, in the event of an internal outbreak. Should an attack occur, the network can be quickly segmented by modifying the rule. This allows an opportunity to mitigate the potential effects of a compromise. In the event of a compromise, ensure that TCP 135 outbound stays closed until all systems are cleaned.

PATCH:

For systems where the other safeguards are not possible, administrators are advised to apply the MS03-039 patch as soon as possible, prioritizing their systems according to risk. Administrators can also block TCP and UDP ports 135, 139, 445 and 593, and HTTP RPC on ports 80 and 443, at the perimeter and at many internal firewalls and routers, though the standard default-deny stance attained at most TruSecure Security Assurance customer sites should already accomplish this result. Administrators can also disable the HTTP RPC service where enabled, but this should be a lower priority.

For a rapid response to this vulnerability, administrators that responded to the previous MS03-026 vulnerability by patching systems are advised to apply the new patch. Administrators that responded to the previous MS03-026 vulnerability by filtering are advised to adjust those filtering rules to mitigate this vulnerability.

Users can disable DCOM on all affected systems; however, this may impact some system-to-system communications.

Communication:
Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability.

TruSecure Corporation provides information security assurance services including TruSecure (r), which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan, worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk. Visit Security Solutions for further information on these services.

Disclaimer:
Copyright (c) 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.

Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
---------------------------------------------------------------
Copyright (c) 2003 by TruSecure: http://www.trusecure.com.