CERTVU:547820Microsoft Windows DCOM/RPC vulnerability
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.608 Medium
EPSS
Percentile
97.8%
Overview
A vulnerability exists in Microsoft Windows DCOM/RPC that can be exploited to cause a denial of service. It may be possible for an attacker to execute arbitrary code on a vulnerable system.
Description
Microsoft Windows Remote Procedure Call (RPC) “… is a powerful, robust, efficient, and secure interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process. That different process can be on the same machine, on the local area network, or across the Internet.” Distributed COM (DCOM) “…extends the Component Object Model (COM) to support communication among objects on different computers – on a LAN, a WAN, or even the Internet.”
Based on publicly available exploit code, there is a vulnerability in the way the RPCSS service handles DCOM/RPC messages. This vulnerability is different than those described in CA-2003-16 (VU#568148/MS03-026) and CA-2003-23 (VU#254236/VU#483492/MS03-039). As in the previous vulnerabilities, this flaw appears to occur in functions related to DCOM object activation. A remote attacker could attempt to exploit this vulnerability using crafted RPC packets.
Internet Security Systems (ISS) X-Force has published an advisory stating that this vulnerability “…manifests as a result of a separate multi-threaded race condition when processing incoming RPC requests.” Depending on variables such as network latency and CPU load, one RPCSS thread may free a memory buffer before another thread has finished processing the same buffer. This causes memory corruption that can lead to termination of the RPCSS process.
Impact
An unauthenticated, remote attacker could cause a denial of service or possibly execute arbitrary code with SYSTEM privileges. In tests, the public exploit code crashes the RPCSS service on Windows 2000 and Windows XP systems patched with MS03-039. The exploit executes code on Windows 2000 systems that do not have the MS03-039 patch.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Until patches are available, the following workarounds can be used to reduce possible attack vectors. These workarounds are not complete solutions and may affect network and application operation. Research and test before making changes to production systems.
* Using a network or host-based firewall, block RPC network traffic (ports 135/tcp, 139/tcp, 445/tcp, 593/tcp and 135/udp, 137/udp, 138/udp, 445/udp).
* Disable COM Internet Services (CIS) and RPC over HTTP as described in Microsoft Knowledge Base Article [825819](<http://support.microsoft.com/default.aspx?scid=825819>).
* Disable DCOM as described Microsoft Knowledge Base Article [825750](<http://support.microsoft.com/default.aspx?scid=825750>).
Vendor Information
547820
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft Corporation Affected
Notified: October 10, 2003 Updated: October 13, 2003
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23547820 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/overviews.asp>
- <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/microsoft_rpc_model.asp>
- <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomtec.asp>
- <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomarch.asp>
- <http://www.securityfocus.com/archive/1/340937>
- <http://xforce.iss.net/xforce/alerts/id/155>
- <http://www.k-otik.net/bugtraq/10.15.RPC3.php>
Acknowledgements
This vulnerability was reported by 3APA3A (ZARAZA).
This document was written by Art Manion.
Other Information
| CVE IDs: | CVE-2003-0813 |
|---|---|
| Severity Metric: | 43.70 Date Public: |
References
msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomarch.asp
msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomtec.asp
msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/microsoft_rpc_model.asp
msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/overviews.asp
www.k-otik.net/bugtraq/10.15.RPC3.php
www.securityfocus.com/archive/1/340937
xforce.iss.net/xforce/alerts/id/155
Related
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.608 Medium
EPSS
Percentile
97.8%