
Exploitation of Vulnerabilities in Microsoft RPC Interface (including Blaster/LovSan worm)

Attack ID: CPSA-2003-08
Publish Date:
Last Update:
Category: Exploitation of Vulnerabilities in Microsoft RPC Interface (including Blaster/LovSan worm)
Vulnerable Systems: Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Source: CERT Advisory CA-2003-19
Description:

Remote Code Execution

A worm known as the W32/Lovsan.worm, MSBlast, Blaster/LovSan, or simply RPC worm is known to exploit this vulnerability.

Severity:
Details: CERT Coordination Center (CERT CC) has received reports of active exploits for Microsoft's DCOM RPC vulnerability (MS03-026), as well as of attacks that apparently target a different denial-of-service vulnerability. According to CERT CC, both attacks use a TCP session to port 135.
Attack Detection: Log entries for dropped connections, with rule number 998, appear for service TCP/135.
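
One way to triage the drop entries described under Attack Detection, as an added example that is not part of the original advisory. It assumes the log has been exported as generic key=value lines (a constructed format, not a Check Point log format) and treats a source that was dropped toward several distinct hosts on TCP/135 as a candidate for closer inspection; the field names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value export format
# (an assumption for this example, not a Check Point log format).
SAMPLE_LOG = """\
time=2003-08-12T09:14:01 action=drop rule=998 proto=tcp src=10.1.4.23 dst=10.1.7.1 service=135
time=2003-08-12T09:14:01 action=drop rule=998 proto=tcp src=10.1.4.23 dst=10.1.7.2 service=135
time=2003-08-12T09:14:02 action=drop rule=998 proto=tcp src=10.1.4.23 dst=10.1.7.3 service=135
time=2003-08-12T09:15:40 action=drop rule=998 proto=tcp src=192.0.2.50 dst=10.1.7.1 service=135
time=2003-08-12T09:16:05 action=drop rule=12 proto=tcp src=10.1.4.23 dst=10.1.7.9 service=445
time=2003-08-12T09:16:30 action=accept rule=5 proto=tcp src=10.1.9.8 dst=10.1.7.4 service=135
truncated line without any fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def rpc_drops_by_source(log_text, rule="998", service="135"):
    """Map each source to the set of hosts it was dropped toward on TCP/135."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        matches = (f.get("action") == "drop" and f.get("rule") == rule
                   and f.get("proto") == "tcp" and f.get("service") == service)
        # Skip entries for other rules or services and lines missing addresses.
        if matches and "src" in f and "dst" in f:
            targets[f["src"]].add(f["dst"])
    return dict(targets)


def likely_scanners(log_text, min_targets=3):
    """Sources dropped toward at least min_targets distinct hosts on TCP/135."""
    hits = rpc_drops_by_source(log_text)
    return sorted(src for src, dsts in hits.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src in likely_scanners(SAMPLE_LOG):
        print(src)
```
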
Solution:
  • Do not allow external unauthenticated access to TCP ports 135, 139 and 445 unless it is needed.
  • SmartDefense CPAI-2003-11 includes updated protection against DCE-RPC attacks. Follow the instructions and install the latest dcerpc.def, which provides protection against both exploits.
  • Use CIFS resources to protect ports TCP/139 and TCP/445.
Industry Reference:
Additional Information: