__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                             INFORMATION BULLETIN

               Microsoft Cumulative Update for RPC/DCOM [MS04-012]

April 13, 2004 19:00 GMT                                          Number O-115
______________________________________________________________________________
PROBLEM:       Microsoft has released a cumulative upgrade for MS RPC/DCOM.
               Vulnerabilities include remote code execution, denial of
               service, and information disclosure.

PLATFORM:      Microsoft Windows NT® Workstation 4.0 Service Pack 6a
               Microsoft Windows NT Server 4.0 Service Pack 6a
               Microsoft Windows NT Server 4.0 Terminal Server Edition
               Service Pack 6
               Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000
               Service Pack 3, and Microsoft Windows 2000 Service Pack 4
               Microsoft Windows XP and Microsoft Windows XP Service Pack 1
               Microsoft Windows XP 64-Bit Edition Service Pack 1
               Microsoft Windows XP 64-Bit Edition Version 2003
               Microsoft Windows Server™ 2003
               Microsoft Windows Server 2003 64-Bit Edition
               Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE)
               and Microsoft Windows Millennium Edition (ME) – Review the FAQ
               section of Microsoft's bulletin for details about these
               operating systems.

DAMAGE:        An attacker could take complete control of the affected
               system. An attacker could then take any action on the
               affected system, including installing programs; viewing,
               changing, or deleting data; or creating new accounts that
               have full privileges.

SOLUTION:      Apply the update immediately.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. An attacker can take complete control of the
ASSESSMENT:    affected system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-115.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/bulletin/
                     ms04-012.mspx
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2003-0813
                     CVE-2004-0116
                     CVE-2003-0807
                     CVE-2004-0124
______________________________________________________________________________

[***** Start MS04-012 *****]

Microsoft Security Bulletin MS04-012

Cumulative Update for Microsoft RPC/DCOM (828741)

Issued: April 13, 2004
Version: 1.0

Summary

Who should read this document: Customers who use Microsoft® Windows®

Impact of vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: This bulletin replaces several prior security
updates. See the frequently asked questions (FAQ) section of this bulletin for
the complete list.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:
• Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update
• Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update
• Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 –
  Download the update
• Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3,
  and Microsoft Windows 2000 Service Pack 4 – Download the update
• Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the
  update
• Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update
• Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update
• Microsoft Windows Server™ 2003 – Download the update
• Microsoft Windows Server 2003 64-Bit Edition – Download the update
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft
  Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for
  details about these operating systems

The software that is listed above has been tested to determine if the versions
are affected. Other versions either no longer include security update support
or may not be affected. To determine the support lifecycle for your product and
version, visit the following Microsoft Support Lifecycle Web site.

Technical Details

Executive Summary:

This update resolves several newly-discovered vulnerabilities in RPC/DCOM. Each
vulnerability is documented in this bulletin in its own section.

An attacker who successfully exploited the most severe of these vulnerabilities
could take complete control of the affected system. An attacker could then take
any action on the affected system, including installing programs; viewing,
changing, or deleting data; or creating new accounts that have full privileges.

Microsoft recommends customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers: RPC Runtime Library Vulnerability - CAN-2003-0813
  Impact Of Vulnerability: Remote Code Execution
  Windows 98, 98 SE, ME: None
  Windows NT Workstation 4.0: None
  Windows NT Server 4.0: None
  Windows NT Server 4.0, Terminal Server Edition: None
  Windows 2000: Critical
  Windows XP: Critical
  Windows Server 2003: Critical

Vulnerability Identifiers: RPCSS Service Vulnerability - CAN-2004-0116
  Impact Of Vulnerability: Denial Of Service
  Windows 98, 98 SE, ME: None
  Windows NT Workstation 4.0: None
  Windows NT Server 4.0: None
  Windows NT Server 4.0, Terminal Server Edition: None
  Windows 2000: Important
  Windows XP: Important
  Windows Server 2003: Important

Vulnerability Identifiers: COM Internet Services (CIS) – RPC over HTTP
Vulnerability - CAN-2003-0807
  Impact Of Vulnerability: Denial Of Service
  Windows 98, 98 SE, ME: None
  Windows NT Workstation 4.0: None
  Windows NT Server 4.0: Low
  Windows NT Server 4.0, Terminal Server Edition: Low
  Windows 2000: Low
  Windows XP: None
  Windows Server 2003: Low

Vulnerability Identifiers: Object Identity Vulnerability - CAN-2004-0124
  Impact Of Vulnerability: Information Disclosure
  Windows 98, 98 SE, ME: Not Critical
  Windows NT Workstation 4.0: Low
  Windows NT Server 4.0: Low
  Windows NT Server 4.0, Terminal Server Edition: Low
  Windows 2000: Low
  Windows XP: Low
  Windows Server 2003: Low

Vulnerability Identifiers: Aggregate Severity of all Vulnerabilities
  Impact Of Vulnerability: Information Disclosure
  Windows 98, 98 SE, ME: Not Critical
  Windows NT Workstation 4.0: Low
  Windows NT Server 4.0: Low
  Windows NT Server 4.0, Terminal Server Edition: Low
  Windows 2000: Critical
  Windows XP: Critical
  Windows Server 2003: Critical

The above assessment is based on the types of systems that are affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability Details

RPC Runtime Library Vulnerability - CAN-2003-0813:

A remote code execution vulnerability exists that results from a race
condition when the RPC Runtime Library processes specially crafted messages.
An attacker who successfully exploited this vulnerability could take complete
control of an affected system. However, in the most likely attack scenario,
this issue is a denial of service vulnerability.

Mitigating factors for RPC Runtime Library Vulnerability - CAN-2003-0813:
• Firewall best practices and standard default firewall configurations can
  help protect networks from attacks that originate outside the enterprise
  perimeter. Best practices recommend that systems that are connected to the
  Internet have a minimal number of ports exposed.
• Windows NT 4.0 is not affected by this vulnerability.

RPCSS Service Vulnerability - CAN-2004-0116:

A denial of service vulnerability exists in the RPCSS service. If a specially
crafted message is sent to the RPCSS service, the service may not reclaim
discarded memory. This behavior could result in a denial of service.

Mitigating factors for the RPCSS Service Vulnerability - CAN-2004-0116:
• Firewall best practices and standard default firewall configurations can
  help protect networks from attacks that originate outside the enterprise
  perimeter. Best practices recommend that systems that are connected to the
  Internet have a minimal number of ports exposed.
• Windows NT 4.0 is not affected by this vulnerability.

COM Internet Services (CIS) – RPC over HTTP Vulnerability - CAN-2003-0807:

A denial of service vulnerability exists in the CIS and in the RPC over HTTP
Proxy components. When a forwarded request to a backend system passes through
them, an attacker could reply to the request by using a specially crafted
message that could cause the affected components to stop accepting later
requests.

Mitigating factors for the COM Internet Services (CIS) and RPC over HTTP
Vulnerability - CAN-2003-0807:

By default, none of the affected operating systems are vulnerable. All the
affected operating systems would require that an administrator either enable
the affected components or enable a vulnerable configuration. For more
information about how a vulnerable configuration could occur, see the FAQ.

Object Identity Vulnerability - CAN-2004-0124:

An information disclosure vulnerability exists in the way that object
identities are created. This vulnerability could allow an attacker to enable
applications to open network communication ports. Although this vulnerability
does not directly enable an attacker to compromise a system, it could be used
to enable network communication through unexpected communication ports.

Mitigating factors for the Object Identity Vulnerability - CAN-2004-0124:

Firewall best practices and standard default firewall configurations can help
protect networks from attacks that originate outside the enterprise perimeter.
Best practices recommend that systems that are connected to the Internet have
a minimal number of ports exposed.
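A bulletin like this one is easier to triage against an asset inventory once its per-vulnerability severity blocks are turned into data. The following added example (not part of the CIAC or Microsoft bulletin) parses the "Label: value" severity blocks above into a per-CAN rating map and derives the per-platform aggregate as the worst rating across the listed vulnerabilities; the excerpt is constructed from the ratings printed above and the ordering of Microsoft's rating vocabulary is an assumption made here.

```python
# Rating vocabulary used in the bulletin, lowest first (ordering assumed here).
RATING_ORDER = ["None", "Not Critical", "Low", "Moderate", "Important", "Critical"]
# Constructed excerpt of the bulletin's severity blocks, source typo kept.
SEVERITY_TEXT = """\
Vulnerability Identifiers: RPC Runtime Library Vulnerability - CAN-2003-0813
Impact Of Vulnerability: Remote Code Execution
Windows 98, 98 SE, ME: None
Windows NT Server 4.0: None
Windows 2000: Critical
Vulnerability Identifiers: RPCSS Service Vulnerability - CAN-2004-0116
Impact Of Vulnerability: Denial Of Service
Windows 98, 98 SE, ME: None
Windows NT Server 4.0: None
Windows 2000: Important
Vulnerability Identifiers: Object Identity Vulnerability - CAN-2004-0124
Impact Of Vulnerability: Information Disclosure
Windows 98, 98 SE, ME: Not Ciritical
Windows NT Server 4.0: Low
Windows 2000: Low
"""

def parse_severity(text):
    """Return {CAN id: {"impact": str, "ratings": {platform: rating}}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = (part.strip() for part in line.split(":", 1))
        if label == "Vulnerability Identifiers":
            # The CAN id is the last token of the identifier line.
            current = entries.setdefault(value.split()[-1], {"impact": None, "ratings": {}})
        elif label == "Impact Of Vulnerability":
            current["impact"] = value
        elif current is not None:  # any other label is a platform row
            rating = value.replace("Ciritical", "Critical")  # typo in the published text
            if rating not in RATING_ORDER:
                raise ValueError("unknown rating %r for %s" % (value, label))
            current["ratings"][label] = rating
    return entries

def aggregate_severity(entries):
    """Worst rating per platform across all vulnerabilities, i.e. the
    bulletin's 'Aggregate Severity of all Vulnerabilities' row."""
    worst = {}
    for entry in entries.values():
        for platform, rating in entry["ratings"].items():
            if RATING_ORDER.index(rating) > RATING_ORDER.index(worst.get(platform, "None")):
                worst[platform] = rating
    return worst
```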
Acknowledgments

Microsoft thanks the following for working with us to help protect customers:
• eEye Digital Security for reporting the RPC Runtime Library Vulnerability
  (CAN-2003-0813) and the RPCSS Service Vulnerability (CAN-2004-0116).
• Qualys for reporting the CIS – RPC over HTTP Vulnerability (CAN-2003-0807).
• Todd Sabin of BindView for reporting the Object Identity Vulnerability
  (CAN-2004-0124).

Obtaining other security updates:

Updates for other security issues are available from the following locations:
• Security updates are available from the Microsoft Download Center: you can
  find them most easily by doing a keyword search for "security_patch".
• Updates for consumer platforms are available from the Windows Update Web
  site.

Support:
• Customers in the U.S. and Canada can get technical support from Microsoft
  Product Support Services at 1-866-PCSAFETY. There is no charge for support
  calls that are associated with security updates.
• International customers can get support from their local Microsoft
  subsidiaries. There is no charge for support associated with security
  updates. For more information on how to contact Microsoft for support
  issues, visit the International Support Web site.

Security Resources:
• The Microsoft TechNet Security Web Site provides additional information
  about security in Microsoft products.
• Microsoft Software Update Services
• Microsoft Baseline Security Analyzer (MBSA)
• Windows Update
• Windows Update Catalog: For more information about the Windows Update
  Catalog, see Microsoft Knowledge Base Article 323166.
• Office Update

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and
reliably deploy the latest critical updates and security updates to Windows®
2000 and Windows Server™ 2003-based servers, as well as to desktop systems
running Windows 2000 Professional or Windows XP Professional.
For information about how to deploy this security update with Software Update
Services, visit the Software Update Services Web site.

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security
update. For information about Systems Management Server visit the SMS Web
Site. For detailed information about the many enhancements to the security
update deployment process that SMS 2003 provides, please visit the SMS 2003
Security Patch Management Web site. For users of SMS 2.0, it also provides
several additional tools to assist administrators in the deployment of
security updates such as the SMS 2.0 Software Update Services Feature Pack and
the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services
Feature Pack utilizes the Microsoft Baseline Security Analyzer and the
Microsoft Office Detection Tool to provide broad support for security bulletin
remediation. Some software updates may require administrative rights following
a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services
Feature Pack may be used for targeting updates to specific computers, and the
SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be
used for installation. This provides optimal deployment for updates that
require explicit targeting using Systems Management Server and administrative
rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:
• V1.0 April 13, 2004: Bulletin published

[***** End MS04-012 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-105: Multiple Vulnerabilities in Ethereal 0.10.2
O-106: Mozilla 1.4 Vulnerabilities
O-107: vfte Buffer Overflow Vulnerabilities
O-108: Squid ACL Bypass Vulnerability
O-109: Heimdal Kerberos Cross-Realm Vulnerability
O-110: MAC OS X Jaguar and Panther Security Vulnerabilities
O-111: CISCO WLSE and HSE Contain Default Passwords
O-112: Cisco IPSec VPN Services Module Malformed IKE Packet Vulnerability
O-113: Debian tcpdump Denial of Service
O-114: Microsoft Security Update for Microsoft Windows