of Homeland Security
Potential For Significant Impact On Internet
Operations Due To Vulnerability In
Microsoft Operating Systems' Remote Procedure Call Server Service (RPCSS)
SYSTEMS AFFECTED: Computers using the following operating systems:
Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
The National Cyber Security Division (NCSD) of the Department of Homeland
Security (DHS) / Information Analysis and Infrastructure Protection (IAIP)
Directorate is issuing this advisory in consultation with the Microsoft
Corporation to heighten awareness of potential Internet disruptions resulting
from the possible spread of malicious software exploiting a vulnerability
in popular Microsoft Windows operating systems.
DHS believes that exploits are being developed. Two additional factors are
causing heightened interest in this situation: the affected operating systems
are in wide spread use, and exploitation of the vulnerability could permit
the execution of arbitrary code. DHS is concerned that a properly written
exploit could rapidly spread on the Internet as a worm or virus in a fashion
similar to the Blaster Worm..
The recently announced Remote Procedure Call (RPC) vulnerability in computers
running Microsoft Windows operating systems listed above could be exploited
to allow the execution of arbitrary code or could cause a denial of service
state in an unprotected Windows 2000 computer. Because of the significant
percentage of Internet-connected computers running all affected Windows operating
systems and using high speed connections (DSL or cable for example), the
potential exists for a worm or virus to propagate rapidly across the Internet
carrying payloads that might exploit other known vulnerabilities in switching
devices, routers, or servers.
There are three vulnerabilities in the part of RPC that deals with RPC messages
for the Distributed Component Object Model (DCOM) activation - two that would
allow arbitrary code execution, and one that would result in a denial of
service. These flaws result from incorrect handling of malformed messages.
These particular vulnerabilities affect the DCOM interface within the RPCSS,
which listens on RPC enabled ports. This interface handles DCOM object activation
requests that are sent from one machine to another.
An attacker who successfully exploited these vulnerabilities could be able
to run code with local system privileges on an affected system, or cause
the RPCSS to fail. The attacker could be able to take any action on the system,
including installing programs, viewing changing or deleting data, or creating
new accounts with full privileges.
Due to the seriousness of the RPC vulnerability, DHS and Microsoft encourage
system administrators and computer owners to take this opportunity to update
vulnerable versions of Microsoft Windows operating systems as soon as possible.
Additional information is available at: http://www.microsoft.com/security/security_bulletins/ms03-039.asp.
and large organizations are encouraged to review
the information in this advisory, determine its applicability
to their environment and, if appropriate, block network
access to the RPCSS at network boundaries. Blocking
can minimize the impact of disruptive attacks originating
outside the perimeter; however, it also has the potential
to deny access to needed applications. The specific
ports and protocols that, if applicable, should be
TCP/139 TCP/445 TCP/593
UDP/135 UDP/137 UDP/138 UDP/445
for reasons of application operability access cannot
be blocked for all external hosts, DHS recommends
limiting access to only those hosts that require
it for normal operation. As a general rule, DHS recommends
filtering all network traffic that is not required
for normal operation. Sites should understand that
they are accepting the risks associated if they choose
to allow these ports and protocols to be accessed.
are encouraged to install and enable a personal firewall
such as the Internet Connection Firewall in Windows
XP or any firewall product for personal computers.
An additional preventive step is to disable COM Internet
Services (CIS) and RPC over HTTP, if applicable.
encourages recipients of this Advisory to report
information concerning suspicious or criminal activity
to local law enforcement, local FBI's Joint Terrorism
Task Force or the Homeland Security Operations
Center (HSOC). The HSOC may be contacted at: Phone:
DHS intends to update this advisory should it receive additional relevant
information, including information provided to it by the user community.
Based on this notification, no change to the Homeland Security Advisory System
(HSAS) level is anticipated; the current HSAS level is YELLOW.