The CERT for France Industry, Services and Tertiary sector

Members area [version française]

HOME PRESENTATION PUBLICATIONS SUBSCRIPTION CONTACTS FAQ SEARCH

Security Advisory

Public Advisories/Alerts Articles by Cert-IST Useful links In the Press - Events Printable version		Accueil | Resources | Public Advisories/Alerts | Security Advisories Vulnerability in the "Server" service on Microsoft Windows (MS08-067) Reference: CERT-IST/AV-2008.460 Version: 2.1 Version date: 27 October 2008 Vulnerability Classification Risk: very-high Impact: Take control Vulnerability category: Buffer overflow Confidence: Vendor-acknowledged Attack expertise: Skilled Attack requirements: Remote (no account) over a standard service System Information Affected Platform(s): Windows 2000 SP4 Windows XP SP2 and SP3 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition SP2 Windows Server 2003 SP1 and Windows Server 2003 SP2 Windows Server 2003 SP1 (Itanium) and Windows Server 2003 SP2 (Itanium) Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP2 Windows Vista and Windows Vista SP1 Windows Vista X64 Edition and Windows Vista X64 Edition SP1 Windows Server 2008 for 32-bit, 64-bit and Itanium systems Affected Software(s): "Server" service (netapi32.dll) Description Publication context:  [Version 2.0]: This advisory has been re-issued on October 24, 2008 following the release of the CERT-IST/DG-2008.009 potential danger and the increase of the risk level (from High to Very high). Workarounds and detection signatures have also been added.  Problem description: A vulnerability has been discovered in the handling of RPC requests by the "Server" service on Microsoft Windows systems. It allows a malicious remote person to take the full control of a vulnerable system.  Note:  According to Microsoft, this vulnerability is already exploited (targetted attacks) on the Internet. On Windows Vista and Windows Server 2008, successful exploitation of this vulnerability requires the attacker to be authenticated. Technical context: The "Server" service provides RPC ("Remote Procedure Call") support, file print support (through SMB - "Server Message Block") and named pipe sharing over the network. Windows services that use MS RPC may use SMB named pipes as the transport service for MS RPC calls. Technical information: The vulnerability is due to a buffer overflow during the handling of RPC requests by the "Server" service (netapi32.dll). It allows a remote attacker, by sending a specially crafted RPC request, to execute arbitrary code with the "SYSTEM" privileges. Solution 01 - Apply the Microsoft patches (KB958644) regarding the Windows "Server" service vulnerability Patches are available for the various impacted platforms. See the Microsoft security bulletin MS08-067 to get the appropriate patch. The patches described in this Microsoft security bulletin replace the ones described in the MS06-040 bulletin (see the CERT-IST/AV-2006.315 advisory). Microsoft security bulletin MS08-067 http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 02 - Recommendations to mitigate the "Server" service vulnerability Filter the TCP ports 139 and 445 on network devices located in the LAN boundary and/or near the vulnerable Microsoft Windows systems. Keep the anti-virus software updated. Note : A workaround could be to disable the "Server" service on vulnerable systems. However, this solution leads to some significant side-effects. For example: you will be unable to share local resources (folders or printers), you will be unable to be remotely managed by classical Microsoft tools. 03 - Tools and signatures to detect the flaw and its exploitation The following signatures enable to detect exploitations of this vulnerability (not exhaustive list). Nessus plugin #34476 allowing the detection of vulnerable systems http://www.nessus.org/plugins/index.php?view=single&id=34476 NAI update - DAT file 5414 or later, to be released on 10/24/08 http://www.mcafee.com/us/enterprise/downloads/index.html Symantec Initial Rapid Release version October 23, 2008 revision 040 http://www.symantec.com/business/security_response/definitions/download/index.jsp CA signature 31.6.6167 http://www3.ca.com/support/vicdownload/ Snort rules to detect attacks targeting the vulnerability (MS08-067) http://www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html Standard vulnerability IDs Microsoft: KB958644 CVE: CVE-2008-4250 CERT/CC: VU#827267 Additional Resources Microsoft security advisory MS08-067 dated October 23, 2008 http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx Post in the Microsoft SWI blog dated October 23, 2008 http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx US-CERT security advisory TA08-297A dated October 23, 2008 http://www.us-cert.gov/cas/techalerts/TA08-297A.html Nortel security advisory 2008009147 dated October 28, 2008 http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2008/43/024190-01.pdf History Version Comment Date 2.1 Nessus plugin (#34476) 27 October 2008 2.0 Risk level increase and addition of the temporary solutions 24 October 2008 1.0 Advisory creation 23 October 2008

Copyright © 1999-2012 Cert-IST | Legal Notice | Sitemap