Multiple vulnerabilities in Microsoft RPCSS services
| Attack ID: | CPAI-2003-32 |
 |
|
| Publish Date: | |
|
|
| Category: | Worms |
|
|
| Vulnerable Systems: | Microsoft Windows NT 4 Microsoft Windows 2000 Professional, Server Microsoft Windows XP Home, Professional Microsoft Windows 2003 Server |
|
|
| Source: | MS03-039 |
|
|
| Description: | Three vulnerabilities were discovered in MS RPCSS service, two of which may lead to remote code execution and the other to denial of service. Although they are somewhat related to MS03-26 (exploited by the Blaster and Welchia worms), they are not the same. Computers protected against MS03-26 are still vulnerable to this vulnerability. |
|
|
| Severity: | |
| Remote code execution. | |
| Details: | The RPCSS service in Windows is used to handle RPC (Remote Procedure Calls) messages. Part of its functionality is dealing with specific set of RPC messages, that are used for DCOM object activation calls sent from remote computers requesting to activate objects on the local computer. An incorrect handling of malformed messages may cause buffer overflow in the RPCSS service, which may lead to either remote code execution or denial of service (depending on the specific vulnerability). |
|
|
| Attack Detection: | Using the SmartView Tracker, identify drop logs with the rule number 998. |
|
|
| Solution: | Users of FireWall-1 who have applied CPAI-2003-11 are already protected from those vulnerabilities. Others are encouraged to apply the update as soon as possible, by following the instructions in CPAI-2003-11. |
|
|
| Industry Reference: | |
|
|
| Additional Information: | CERT Advisory: CA-2003-23 CVE entries: CAN-2003-0715, CAN-2003-0528, CAN-2003-0605 |