Microsoft Windows Server Service RPC Vulnerability

Original release date: October 23, 2008
Last revised: October 29, 2009
Source: US-CERT

Systems Affected

• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows Server 2003
• Microsoft Windows Vista
• Microsoft Windows Server 2008

Overview

A vulnerability in the way the Microsoft Windows server service handles RPC requests could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM privileges.

I. Description

Microsoft has released Microsoft Security Bulletin MS08-067 to address a buffer oveflow vulnerability in the Windows Server service. The vulnerability is caused by a flaw in the way the Server service handles Remote Procedure Call (RPC) requests. For systems running Windows 2000, XP, and Server 2003, a remote, unauthenticated attacker could exploit this vulnerability. For systems running Windows Vista and Server 2008, a remote attacker would most likely need to authenticate.

Microsoft Security Bulletin MS08-067 rates this vulnerability as "Critical" for Windows 2000, XP, and Server 2003. The bulletin also notes "…limited, targeted attacks attempting to exploit the vulnerability."

This vulnerability has been assigned CVE-2008-4250. Further information is available in a Security Vulnerability & Research blog entry and US-CERT Vulnerability Note VU#827267.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable system to crash. Since the Server service runs with SYSTEM privileges, an attacker could take complete control of a vulnerable system.

III. Solution

Apply update

Microsoft has provided updates for this vulnerability in Microsoft Security Bulletin MS08-067. Microsoft also provides security updates through the Microsoft Update web site and Automatic Updates. System administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

Disable Server and Computer Browser services

Disable the Server and Computer Browser services on Windows systems that do not require those services. A typical Windows client that is not sharing files or printers is unlikely to need either the Server or Computer Browser services. As a best security practice, disable all unnecessary services.

Restrict access to server service

Restrict access to the server service (TCP ports 139 and 445). As a best security practice, only allow access to necessary network services.

Filter affected RPC identifier

The host firewalls in Windows Vista and Windows Server 2008 can selectively filter RPC Universally Unique Identifiers (UUID). See Microsoft Security Bulletin MS08-067 for instructions to filter RPC requests with the UUID equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188.

IV. References

• US-CERT Vulnerability Note VU#827267 - <http://www.kb.cert.org/vuls/id/827267>
• Microsoft Security Bulletin MS08-067 - <http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx>
• Microsoft Update - <https://update.microsoft.com/>
• Windows Update: Automatic Update <http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx>
• Windows Server Update Services (WSUS) Home - <http://technet.microsoft.com/en-us/wsus/default.aspx>
• CVE-2008-4250 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250>
• More detail about MS08-067, the out-of-band netapi32.dll security update - <http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx>

---

Feedback can be directed to US-CERT.

---

Produced 2008 by US-CERT, a government organization. Terms of use

Revision History

October 23, 2008: Initial release
October 29, 2008: Fixed WSUS reference