IWS - The Information Warfare Site

National Infrastructure Protection Center
CyberNotes

Department of Homeland Security
September 10, 2003

Potential For Significant Impact On Internet Operations Due To Vulnerability In Microsoft Operating Systems' Remote Procedure Call Server Service (RPCSS)

Computers using the following operating systems:

Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

The National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS) / Information Analysis and Infrastructure Protection (IAIP) Directorate is issuing this advisory in consultation with the Microsoft Corporation to heighten awareness of potential Internet disruptions resulting from the possible spread of malicious software exploiting a vulnerability in popular Microsoft Windows operating systems.

DHS believes that exploits are being developed. Two additional factors are causing heightened interest in this situation: the affected operating systems are in widespread use, and exploitation of the vulnerability could permit the execution of arbitrary code. DHS is concerned that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to the Blaster Worm.

The recently announced Remote Procedure Call (RPC) vulnerability in computers running Microsoft Windows operating systems listed above could be exploited to allow the execution of arbitrary code or could cause a denial of service state in an unprotected Windows 2000 computer. Because of the significant percentage of Internet-connected computers running all affected Windows operating systems and using high speed connections (DSL or cable for example), the potential exists for a worm or virus to propagate rapidly across the Internet carrying payloads that might exploit other known vulnerabilities in switching devices, routers, or servers.

There are three vulnerabilities in the part of RPC that deals with RPC messages for the Distributed Component Object Model (DCOM) activation - two that would allow arbitrary code execution, and one that would result in a denial of service. These flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the DCOM interface within the RPCSS, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities would be able to run code with local system privileges on an affected system, or cause the RPCSS to fail. The attacker would be able to take any action on the system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.

Due to the seriousness of the RPC vulnerability, DHS and Microsoft encourage system administrators and computer owners to take this opportunity to update vulnerable versions of Microsoft Windows operating systems as soon as possible. Additional information is available at: http://www.microsoft.com/security/security_bulletins/ms03-039.asp.

Enterprises and large organizations are encouraged to review the information in this advisory, determine its applicability to their environment and, if appropriate, block network access to the RPCSS at network boundaries. Blocking can minimize the impact of disruptive attacks originating outside the perimeter; however, it also has the potential to deny access to needed applications. The specific ports and protocols that, if applicable, should be blocked include:

TCP/135 TCP/139 TCP/445 TCP/593
UDP/135 UDP/137 UDP/138 UDP/445

If, for reasons of application operability, access cannot be blocked for all external hosts, DHS recommends limiting access to only those hosts that require it for normal operation. As a general rule, DHS recommends filtering all network traffic that is not required for normal operation. Sites should understand that they are accepting the associated risks if they choose to allow these ports and protocols to be accessed.
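The boundary filter described in the two preceding paragraphs, as an added example that is not part of the DHS advisory: a POSIX shell function that emits iptables rules covering exactly the TCP and UDP ports listed above, accepting them only from an explicit list of external hosts that need them and logging, then dropping, everything else. The interface name `eth0` and the allowed-host addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): generate a boundary filter for the
# RPCSS-related ports the advisory lists. Prints iptables commands to stdout
# so they can be reviewed first; pipe the output to sh to apply them.

RPC_TCP_PORTS="135 139 445 593"   # TCP ports named in the advisory
RPC_UDP_PORTS="135 137 138 445"   # UDP ports named in the advisory

# rpcss_rules WAN_IF "host1 host2 ..."
#   For each port: ACCEPT from each allowed host (may be an empty list),
#   then LOG and DROP from everyone else arriving on the external interface.
#   The ACCEPT rules are emitted first so they take precedence over the DROP.
rpcss_rules() {
  wan_if=$1
  allowed=$2
  for proto in tcp udp; do
    if [ "$proto" = tcp ]; then ports=$RPC_TCP_PORTS; else ports=$RPC_UDP_PORTS; fi
    for port in $ports; do
      for host in $allowed; do
        printf 'iptables -A INPUT -i %s -p %s -s %s --dport %s -j ACCEPT\n' \
          "$wan_if" "$proto" "$host" "$port"
      done
      # Logging before dropping gives the SOC a record of scanning/worm traffic.
      printf 'iptables -A INPUT -i %s -p %s --dport %s -j LOG --log-prefix "RPCSS-BLOCK "\n' \
        "$wan_if" "$proto" "$port"
      printf 'iptables -A INPUT -i %s -p %s --dport %s -j DROP\n' \
        "$wan_if" "$proto" "$port"
    done
  done
}

# rpcss_rule_count "host1 host2 ..."
#   Number of rules generated for the assumed interface eth0: 8 ports x
#   (2 + number of allowed hosts). Useful as a sanity check before applying.
rpcss_rule_count() {
  rpcss_rules eth0 "$1" | wc -l | tr -d ' '
}

# Example usage with a constructed allowed host (documentation address range):
# rpcss_rules eth0 "192.0.2.10"
```

Hosts that legitimately need DCOM/RPC across the boundary go in the allowed list; with an empty list the filter blocks all eight ports outright, which is the advisory's primary recommendation.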

Users are encouraged to install and enable a personal firewall such as the Internet Connection Firewall in Windows XP or any firewall product for personal computers. An additional preventive step is to disable COM Internet Services (CIS) and RPC over HTTP, if applicable.

DHS encourages recipients of this Advisory to report information concerning suspicious or criminal activity to local law enforcement, the local FBI Joint Terrorism Task Force, or the Homeland Security Operations Center (HSOC). The HSOC may be contacted by phone at (202) 282-8101.

DHS intends to update this advisory should it receive additional relevant information, including information provided to it by the user community. Based on this notification, no change to the Homeland Security Advisory System (HSAS) level is anticipated; the current HSAS level is YELLOW.