Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft-specific extensions.
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service.
To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail. The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.
Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ below, which is to protect the NT 4.0 system with a firewall that blocks Port 135.
Credit:
The information has been provided by Microsoft Product Security.
Affected Software:
* Microsoft Windows NT 4
* Microsoft Windows 2000
* Microsoft Windows XP
Mitigating factors:
* To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper running on the target machine. For intranet environments, the Endpoint Mapper would normally be accessible, but for Internet connected machines, the port used by the Endpoint Mapper would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
* Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments. To learn more about securing RPC for client and server, please refer to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp. To learn more about the ports used by RPC, please refer to http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp.
* This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine.
Patch availability:
Download locations for this patch:
* Microsoft Windows 2000
  * All except Japanese NEC
  * Japanese NEC
* Windows XP
  * 32-bit Edition
  * 64-bit Edition
If Windows NT 4.0 is listed as an affected product, why is Microsoft not issuing a patch for it?
During the development of Windows 2000, significant enhancements were made to the underlying architecture of RPC. In some areas, these changes involved making fundamental changes to the way the RPC server software was built. The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture. Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require re-architecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a re-architecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.
Microsoft strongly recommends that customers still using Windows NT 4.0 protect those systems by placing them behind a firewall that is filtering traffic on Port 135. Such a firewall will block attacks attempting to exploit this vulnerability, as discussed in the workarounds section below.
Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?
Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future.
What's the scope of this vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause a remote computer to fail. However, the attacker could not modify or retrieve data or execute code of his or her choice on the remote machine.
To carry out such an attack, an attacker would require the ability to make a TCP/IP connection to the Endpoint Mapper running on the target machine. Once a TCP connection had been made, the attacker could send a malformed message to the RPC service and thereby cause the target machine to fail.
The best defense against remote RPC attacks from the Internet is to configure the firewall to block port 135. RPC over TCP is not intended to be used across hostile environments such as the Internet.
What causes the vulnerability?
The vulnerability results because the Windows RPC Endpoint Mapper does not properly check message inputs under certain circumstances. If an attacker were to send a certain type of malformed RPC message after RPC established a connection, that could cause the RPC Endpoint Mapper process on the remote machine to fail. This process is responsible for maintaining the connection information of all the processes on that machine using RPC. Because the endpoint mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service itself to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.
What is RPC (Remote Procedure Call)?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.
What is the RPC endpoint mapper?
The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. An endpoint is a protocol port or named pipe on which the server application listens for client remote procedure calls. Client/server applications can use either well-known or dynamic ports.
What's wrong with Microsoft's implementation of Remote Procedure Call (RPC)?
There is a flaw in the part of RPC that deals with message exchange over TCP/IP. A failure results because of incorrect handling of malformed messages. This particular failure affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. By sending a malformed RPC message, an attacker could cause the RPC service on a machine to fail.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker who could send RPC messages to the RPC Endpoint Mapper process on a server to launch a denial of service attack. Even though an attacker could cause machines to fail, it would not be possible to modify or retrieve data or execute code.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by programming a machine that could communicate with a vulnerable server over TCP port 135 to send a specific kind of malformed RPC message. Receipt of such a message could cause the RPC service on the vulnerable machine to fail.
What does the patch do?
The patch eliminates the vulnerability by correctly verifying the format of messages that are received via TCP/IP. This verification permits the RPC Endpoint Mapper to reject malformed messages.
Workarounds
I'm unable to install the patch for this vulnerability immediately. Is there anything I can do to protect myself from attempts to exploit this vulnerability?
Microsoft recommends the following workarounds:
* Block Port 135 at your firewall. Port 135 is used to initiate an RPC connection with the RPC Endpoint Mapper service. Blocking Port 135 at the firewall will prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability. However, to ensure that those systems cannot be attacked by systems behind the firewall, you should still consider applying the patch.
* Internet Connection Firewall. If you are using the Internet Connection Firewall in Windows XP to protect your Internet connection, it will by default block inbound RPC traffic.
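One way to verify the port 135 workaround from firewall logs, as an added example that is not part of the bulletin: it separates blocked attempts, externally allowed connections (a firewall gap) and intranet connections (the residual exposure that still needs the patch). The log lines are constructed, and the W3C-style `#Fields` layout of Windows Firewall's `pfirewall.log`, the intranet range and the function name are assumptions.

```python
import ipaddress

# Constructed sample in the W3C-style layout of Windows Firewall's pfirewall.log
# (assumed format); addresses are documentation/private ranges, not real data.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2003-03-27 10:01:12 DROP TCP 203.0.113.9 192.168.1.20 4021 135 48 S
2003-03-27 10:01:40 OPEN TCP 198.51.100.7 192.168.1.20 3310 135 - -
2003-03-27 10:02:05 OPEN TCP 192.168.1.77 192.168.1.20 1188 135 - -
2003-03-27 10:02:30 OPEN TCP 192.168.1.77 192.168.1.20 1190 445 - -
2003-03-27 10:03:02 OPEN UDP 198.51.100.7 192.168.1.20 3311 135 - -
"""

INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed intranet range
EPMAP_PORT = "135"  # RPC Endpoint Mapper over TCP, per the bulletin


def classify_epmap_traffic(log_text, internal_nets=INTERNAL_NETS):
    """Return (action, src_ip, verdict) for each TCP/135 entry in the log."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names drive the parsing
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("protocol") != "TCP" or row.get("dst-port") != EPMAP_PORT:
            continue
        try:
            src = ipaddress.ip_address(row["src-ip"])
        except (KeyError, ValueError):
            continue                           # skip malformed rows
        internal = any(src in net for net in internal_nets)
        if row.get("action") == "DROP":
            verdict = "blocked"
        elif internal:
            verdict = "intranet-reachable: patch required"
        else:
            verdict = "EXTERNAL ALLOWED: firewall gap"
        findings.append((row.get("action"), str(src), verdict))
    return findings


if __name__ == "__main__":
    for finding in classify_epmap_traffic(SAMPLE_LOG):
        print(*finding, sep="  ")
```
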