Microsoft Security Bulletin MS07-058 - Important Vulnerability in RPC Could Allow Denial of Service (933729)

Microsoft Security Bulletin MS07-058 - Important
Vulnerability in RPC Could Allow Denial of Service (933729)
Published: October 9, 2007

Version: 1.0
General Information
Executive Summary

This update resolves a privately reported vulnerability. A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin.

This is an important security update for all supported editions of Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by validating the RPC request. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues. None
Top of sectionTop of section
Affected and Non-Affected Software

The software listed here have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software
Software Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by This Update

Microsoft Windows 2000 Service Pack 4

Information Disclosure

Low

MS06-031

Windows XP Service Pack 2

Denial of Service

Important

None

Windows XP Professional x64 Edition

Denial of Service

Important

None

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Denial of Service

Important

None

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Denial of Service

Important

None

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Denial of Service

Important

None

Windows Vista

Denial of Service

Important

None

Windows Vista x64 Edition

Denial of Service

Important

None
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

I am using an older version of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your product and version, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older versions of the software to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Top of sectionTop of section
Vulnerability Information

Severity Ratings and Vulnerability Identifiers
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software RPC Authentication Vulnerability CVE-2007-2228 Aggregate Severity Rating

Microsoft Windows 2000 Service Pack 4

Low

Information Disclosure

Low

Windows XP Service Pack 2

Important

Denial of Service

Important

Windows XP Professional x64 Edition

Important

Denial of Service

Important

Windows Server 2003 Service pack 1 and Windows Server 2003 Service Pack 2

Important

Denial of Service

Important

Windows Server 2003 x64 Edition and Windows 2003 Service pack 2

Important

Denial of Service

Important

Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems

Important

Denial of Service

Important

Windows Vista

Important

Denial of Service

Important

Windows Vista x64 Edition

Important

Denial of Service

Important
Top of sectionTop of section

RPC Authentication Vulnerability Could Allow Denial of Service - CVE-2007-2228

A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An anonymous attacker could exploit the vulnerability by sending a specially crafted RPC authentication request to a computer over the network. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.

Mitigating Factors for RPC Authentication Vulnerability Could Allow Denial of Service - CVE-2007-2228

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Top of sectionTop of section

Workarounds for RPC Authentication Vulnerability Could Allow Denial of Service - CVE-2007-2228

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
•

Block the following at the firewall:
•

UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
•

All unsolicited inbound traffic on ports greater than 1024
•

Any other specifically configured RPC port

These ports are used to initiate a connection with RPC. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports that RPC uses, visit the following Web site.

Impact of Workaround:Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below.

Applications that use SMB (CIFS)
Applications that use mailslots or named pipes (RPC over SMB)
Server (File and Print Sharing)
Group Policy
Net Logon
Distributed File System (DFS)
Terminal Server Licensing
Print Spooler
Computer Browser
Remote Procedure Call Locator
Fax Service
Indexing Service
Performance Logs and Alerts
Systems Management Server
License Logging Service
•

To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as Windows Firewall, which is included with Windows XP and with Windows Server 2003.

By default, the Windows Firewall feature in Windows XP and Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet.

To enable the Windows Firewall feature by using the Network Setup Wizard, follow these steps:

Click Start and then click Control Panel.

Double-click Network Connections and then click Change Windows Firewall settings.

On the General tab, ensure that the On (recommended) value is selected. This will enable the Windows Firewall.

Once the Windows Firewall is enabled, select Don’t allow exceptions to prohibit all incoming traffic.

Note If you want to enable certain programs and services to communicate through the firewall, de-select Don’t allow exceptions and click the Exceptions tab. On the Exceptions tab, select the programs, protocols, and services that you want to enable.

Impact of Workaround:Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below.

Applications that use SMB (CIFS)
Applications that use mailslots or named pipes (RPC over SMB)
Server (File and Print Sharing)
Group Policy
Net Logon
Distributed File System (DFS)
Terminal Server Licensing
Print Spooler
Computer Browser
Remote Procedure Call Locator
Fax Service
Indexing Service
Performance Logs and Alerts
Systems Management Server
License Logging Service
•

To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.

You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.
•

To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.

Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.
Top of sectionTop of section

FAQ for RPC Authentication Vulnerability Could Allow Denial of Service - CVE-2007-2228:

What is Microsoft RPC Authentication?
To complete any remote procedure call, all distributed applications must create a binding between the client and the server. Microsoft RPC provides multiple levels of authentication. Depending on the authentication level, the origin of the traffic (which security principal sent the traffic) can be verified when the connection is established, when the client starts a new remote procedure call, or during each packet exchange between the client and server. For additional information on RPC and RPC Authentication please see the following MSDN Article.

What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to stop responding and automatically restart. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.

What causes the vulnerability?
Specially crafted packets using the NTLMSSP authentication type can cause the RPC service to fail in such a way that could cause the system to restart.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could a user’s system to become non-responsive and restart.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted RPC message and sending the message to an affected system over an affected TCP/UDP port. The message could then cause the RPCSS service to stop responding and cause the vulnerable system to fail in such a way that it could cause a denial of service.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your system. End users can visit Security At Home. IT professionals can visit TechNet Security Center.

What systems are primarily at risk from the vulnerability?
Both workstations and servers are at risk. Systems that allow RPC traffic from untrusted networks could be at more risk.

What does the update do?
The update removes the vulnerability by validating the RPC request.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
of section

Other Information
Acknowledgments

Microsoft thanks the following for working with us to help protect customers:
•

Zero Day Initiative for reporting the Windows RPC Authentication Vulnerability (CVE-2007-2228).
Top of sectionTop of section
Support
•

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
•

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Top of sectionTop of section
Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Top of sectionTop of section
Revisions
•

V1.0 (October 9, 2007): Bulletin published.