Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Microsoft Security Advisory - Memory Allocation Denial of Service Via RPC



http://www.microsoft.com/technet/security/advisory/911052.mspx


Microsoft Security Advisory (911052)
Memory Allocation Denial of Service Via RPC
Published: November 16, 2005

Microsoft is aware of public reports of proof-of-concept code that seeks
to exploit a possible vulnerability in Microsoft Windows 2000 Service
Pack 4 and in Microsoft Windows XP Service Pack 1. This vulnerability
could allow an attacker to levy a denial of service attack of limited
duration.

On Windows XP Service Pack 1, an attacker must have valid logon
credentials to try to exploit this vulnerability. The vulnerability
could not be exploited remotely by anonymous users. However, the
affected component is available remotely to users who have standard user
accounts. Customers who have installed Windows XP Service Pack 2 are not
affected by this vulnerability. Additionally, customers running Windows
Server 2003 and Windows Server 2003 Service Pack 1 are not affected by
this vulnerability.

Microsoft is not aware of active attacks that use this vulnerability or
of customer impact at this time. However, Microsoft is actively
monitoring this situation to keep customers informed and to provide
customer guidance as necessary.

Microsoft is concerned that this new report of a vulnerability in
Windows 2000 Service Pack 4 and Windows XP Service Pack 1 was not
disclosed responsibly, potentially putting computer users at risk. We
continue to encourage responsible disclosure of vulnerabilities. We
believe the commonly accepted practice of reporting vulnerabilities
directly to a vendor serves everyone's best interests. This practice
helps to ensure that customers receive comprehensive, high-quality
updates for security vulnerabilities without exposure to malicious
attackers while the update is being developed.

We continue to encourage customers to follow our Protect Your PC
guidance of enabling a firewall, getting software updates, and
installing antivirus software. Customers can learn more about these steps
by visiting the Protect Your PC Web site.

Mitigating Factors:

* On Windows XP Service Pack 1 an attacker must have valid logon
  credentials to try to exploit this vulnerability. The vulnerability
  could not be exploited remotely by anonymous users. However, the
  affected component is available remotely to users who have standard user
  accounts. In certain configurations, anonymous users could authenticate
  as the Guest account. For more information, see Microsoft Security
  Advisory 906574.

* Customers who are running Windows XP Service Pack 2, Windows Server 2003
  and Windows Server 2003 Service Pack 1 are not affected by this
  vulnerability.

* Firewall best practices and standard default firewall configurations can
  help protect networks from attacks that originate outside the enterprise
  perimeter. Best practices recommend that systems that are connected to
  the Internet have a minimal number of ports exposed.

General Information

Overview

Purpose of Advisory: To advise customers of a publicly disclosed issue,
to clarify the scope and impact of that issue, and to provide
prescriptive guidance.

Advisory Status: Under Investigation.

Recommendation: Review the suggested actions and configure as
appropriate.


This advisory discusses the following software.
Related Software

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1
        
Frequently Asked Questions

What is the scope of the advisory?
Microsoft has been made aware of a new memory allocation denial of
service vulnerability in Microsoft Windows. This affects the software
that is listed in the "Overview" section.

What is remote procedure call (RPC)?
Remote procedure call (RPC) is a protocol that is used by the Windows
operating system. RPC provides an inter-process communication mechanism
that allows a program that is running on one computer to seamlessly
access services on another computer. The protocol itself is derived from
the Open Software Foundation (OSF) RPC protocol, but with the addition of
some Microsoft-specific extensions.

Is this a security vulnerability that requires Microsoft to issue a
security update?
At this point, the issue is still under investigation. After the
investigation is complete, a security update may be released for this
issue.

What causes this threat?
An attacker can send specially crafted malicious packets to a vulnerable
machine, which would potentially result in a denial of service condition
of limited duration.

What might an attacker use this function to do?
An attacker can send specially crafted malicious packets to a vulnerable
machine which would potentially result in a Denial of Service condition
of limited duration.
        
Suggested Actions
        
Workarounds

Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is
identified in the following section.
* To help protect against anonymous network-based connection attempts to
  exploit this vulnerability, configure the RestrictAnonymous registry
  setting to a more restrictive setting:

  By default on Windows 2000, the RestrictAnonymous entry is set to a
  value of 0, which does not restrict Anonymous users. By setting the
  registry entry to a value of 2, Anonymous users will have no access
  without explicit anonymous permissions. For more information about how
  to use the RestrictAnonymous registry entry in Windows 2000, see
  Microsoft Knowledge Base Article 246261.

  Impact of Workaround: When the RestrictAnonymous registry value is set
  to 2, the access token built for non-authenticated users does not
  include the Everyone group, and because of this, the access token no
  longer has access to those resources which grant permissions to the
  Everyone group. This could cause undesired behavior because many Windows
  2000 services, as well as third-party programs, rely on anonymous access
  capabilities to perform legitimate tasks.

* Block the following at the firewall:

  * UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
  * All unsolicited inbound traffic on ports greater than 1024
  * Any other specifically configured RPC port
  * If installed, COM Internet Services (CIS) or RPC over HTTP, which listen
    on ports 80 and 443

  These ports are used to initiate a connection with RPC. Blocking them at
  the firewall will help prevent systems that are behind that firewall
  from attempts to exploit this vulnerability. Also, make sure that you
  block any other specifically configured RPC port on the remote system.
  We recommend that you block all unsolicited inbound communication from
  the Internet to help prevent attacks that may use other ports. For more
  information about the ports that RPC uses, visit the following Web site.
  For more information about how to disable CIS, see Microsoft Knowledge
  Base Article 825819.

* To help protect from network-based attempts to exploit this
  vulnerability, use a personal firewall, such as the Internet Connection
  Firewall, which is included with Windows XP Service Pack 1.

  By default, the Internet Connection Firewall feature in Windows XP
  Service Pack 1 helps protect your Internet connection by blocking
  unsolicited incoming traffic. We recommend that you block all
  unsolicited incoming communication from the Internet.

  To configure Internet Connection Firewall manually for a connection,
  follow these steps:

  1. Click Start, and then click Control Panel.

  2. In the default Category View, click Networking and Internet
     Connections, and then click Network Connections.

  3. Right-click the connection on which you want to enable Internet
     Connection Firewall, and then click Properties.

  4. Click the Advanced tab.

  5. Click to select the Protect my computer or network by limiting or
     preventing access to this computer from the Internet check box, and
     then click OK.

  Note If you want to enable certain programs and services to communicate
  through the firewall, click Settings on the Advanced tab, and then
  select the programs, the protocols, and the services that are required.

* To help protect from network-based attempts to exploit this
  vulnerability, enable advanced TCP/IP filtering on systems that support
  this feature.

  You can enable advanced TCP/IP filtering to block all unsolicited
  inbound traffic. For more information about how to configure TCP/IP
  filtering, see Microsoft Knowledge Base Article 309798.

* To help protect from network-based attempts to exploit this
  vulnerability, block the affected ports by using IPsec on the affected
  systems.

  Use Internet Protocol security (IPsec) to help protect network
  communications. Detailed information about IPsec and about how to apply
  filters is available in Microsoft Knowledge Base Article 313190 and
  Microsoft Knowledge Base Article 813878.
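
The firewall workaround above can be checked mechanically against an exported
rule set. The following Python is an added example, not part of Microsoft's
advisory: it flags inbound allow rules that expose anything on the advisory's
block list. The Rule type, the rule names and the sample rules are constructed
for illustration, and rule ordering is ignored, so each allow rule is judged
on its own.

```python
from dataclasses import dataclass

# Ports the advisory says to block at the firewall.
ADVISORY_PORTS = {
    "udp": {135, 137, 138, 445},
    "tcp": {135, 139, 445, 593},
}
CIS_PORTS = {80, 443}      # CIS / RPC over HTTP, only relevant if installed
HIGH_PORT_FLOOR = 1025     # "ports greater than 1024"


@dataclass(frozen=True)
class Rule:                # hypothetical, simplified unsolicited-inbound rule
    name: str
    proto: str             # "tcp" or "udp"
    lo: int                # first port in range
    hi: int                # last port in range
    action: str            # "allow" or "deny"


def audit(rules, cis_installed=False, extra_rpc_ports=()):
    """Return (rule name, reason) for every allow rule that exposes a port
    the advisory recommends blocking at the perimeter."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # "Any other specifically configured RPC port" is site-specific.
        named = set(ADVISORY_PORTS.get(r.proto, ())) | set(extra_rpc_ports)
        if cis_installed and r.proto == "tcp":
            named |= CIS_PORTS
        hit = sorted(p for p in named if r.lo <= p <= r.hi)
        if hit:
            findings.append((r.name, f"{r.proto} {hit} on advisory block list"))
        if r.hi >= HIGH_PORT_FLOOR:
            lo = max(r.lo, HIGH_PORT_FLOOR)
            findings.append((r.name, f"{r.proto} inbound above 1024 ({lo}-{r.hi})"))
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("web", "tcp", 80, 80, "allow"),
    Rule("smb-legacy", "tcp", 139, 445, "allow"),
    Rule("netbios-ns", "udp", 137, 137, "deny"),
    Rule("app-range", "tcp", 1000, 2000, "allow"),
    Rule("epmap-udp", "udp", 135, 135, "allow"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES, cis_installed=True):
        print(f"{name}: {reason}")
```
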

* Customers in the U.S. and Canada who believe they may have been affected
  by this possible vulnerability can receive technical support from
  Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge
  for support that is associated with security update issues or viruses.
  International customers can receive support by using any of the methods
  that are listed at the Security Help and Support for Home Users Web site.

  All customers should apply the most recent security updates released by
  Microsoft to help ensure that their systems are protected from attempted
  exploitation. Customers who have enabled Automatic Updates will
  automatically receive all Windows updates. For more information about
  security updates, visit the Microsoft Security Web site.

* Protect Your PC

  We continue to encourage customers to follow our Protect Your PC guidance
  of enabling a firewall, getting software updates and installing
  anti-virus software. Customers can learn more about these steps by
  visiting the Protect Your PC Web site.

* For more information about staying safe on the Internet, customers can
  visit the Microsoft Security Home Page.

* Keep Your System Updated

  All Windows users should apply the latest Microsoft security updates to
  help make sure that their computers are as protected as possible. If you
  are not sure whether your software is up to date, visit the Windows
  Update Web site, scan your computer for available updates, and install
  any high-priority updates that are offered to you. If you have Automatic
  Updates enabled, the updates are delivered to you when they are
  released, but you have to make sure you install them.





 



