
Microsoft LSASS Vulnerability / Sasser worm (MS04-011)

Attack ID: CPAI-2004-20
Publish Date:
Last Update:
Category: Microsoft Vulnerabilities
Vulnerable Systems: Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Source:

Zone Labs Virus Information Center

Description: A buffer overflow exists in Microsoft's Local Security Authority Subsystem Service (LSASS), which is implemented in the library lsasrv.dll. This library is included in installations of Microsoft Windows 2000, XP and 2003. A worm named Sasser is known to have exploited this vulnerability. A remote, unauthenticated attacker could exploit it to execute arbitrary code on the vulnerable system and gain SYSTEM privileges.
Severity:
Details:

The Local Security Authority Service (LSASS.EXE) in Windows is responsible for managing domain authentication, local security and certain Active Directory functions. The vulnerability exists in a function of lsasrv.dll that does not validate the length of the parameters passed to it, creating a buffer overflow condition.

The vulnerability can be triggered either through the SMB (CIFS) named pipe "lsarpc" over TCP or UDP port 139, or by sending a specially crafted DCE/RPC request over TCP port 135.

A self-propagating worm named Sasser is known to have exploited this vulnerability. The worm scans randomly chosen IP addresses for vulnerable systems and creates a remote shell on TCP port 9996. It then creates an FTP script named cmd.ftp on the remote host and executes it, causing the infected host to accept FTP traffic on TCP port 5554.

Attack Detection:

Using SmartView Tracker, users of SmartDefense NG with Application Intelligence R54, R55, R55W and InterSpect can identify the attack by the following log entry:

CIFS worm pattern detected:sasser

Users of R55
Using SmartView Tracker, VPN-1 NG AI R55 will identify Drop log entries against rule 99501.

Users of InterSpect and R55W
Attack Name: Null Payload Echo Requests
Attack Information: Null Payload ICMP packet detected

Users of Check Point Integrity
Integrity administrators can monitor the Program Events Report for processes named:

  • avserve.exe
  • avserve2.exe
  • skynetave.exe

Solution:

Blocking the Worm Propagation

  1. To block the propagation of the Sasser worm, users of VPN-1/FireWall-1 NG AI (all versions) should manually add a pattern to the CIFS worm catcher.
    1. In the SmartDefense menu, select Application Intelligence > Microsoft Networks. Check File and Print Sharing and click the Add tab; the Worm Pattern Settings window is displayed.

    2. In the Name field, enter Sasser; in the Pattern string (regular expression) field, enter lsarpc$.

    The pattern should generate the following Checksum: 0xf2009bb4.

    Warning: This configuration will block the worm's propagation but might also cause connectivity problems in some cases.

  2. To prevent CIFS connections without credentials:
    1. Apply Application Intelligence > Microsoft Networks > Block Null CIFS Sessions.

Preemptive Protection: Blocking the DCE-RPC Vulnerability

This vector has not been used by the Sasser worm, but according to the vulnerability information the Microsoft LSASS service is also exploitable over DCE-RPC port TCP/135, which is why we recommend a SmartDefense protection against it as well.

To prevent the exploitation of the DCE-RPC related vulnerability:

  1. From the SmartDefense menu, select Application Intelligence > MS-RPC > DCOM.
  2. Uncheck Allow DCE-RPC interfaces other than End-Point Mapper on Port 135 to block access to the vulnerable LSA DS interface, UUID 3919286a-b10c-11d0-9ba8-00c04fd92ef5.

Blocking Sasser ICMP Packets

Users of R55, R55W and InterSpect should update their SmartDefense by clicking the Update Now tab in the SmartDefense General window.

Some Sasser variants use ICMP Echo Request packets with zero payload to detect potentially vulnerable target machines. This protection detects such packets and blocks them.
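The checks in the Attack Detection and Solution sections above, written out as an added defender-side example (not Check Point's code): the lsarpc$ worm-catcher pattern applied to SMB pipe names, the zero-payload ICMP Echo Request test with checksum verification, and a triage pass over constructed log lines that carry the log text and process names this advisory lists. The log line shape, the case-insensitive pipe match and the sample packet are assumptions, not SmartView Tracker output.

```python
import re
import struct

SASSER_PIPE_PATTERN = re.compile(r"lsarpc$", re.IGNORECASE)  # worm-catcher pattern; case-folding assumed
SASSER_PROCESSES = ("avserve.exe", "avserve2.exe", "skynetave.exe")  # Integrity Program Events names
# Log substrings (lower-case) from the Attack Detection section, mapped to a triage tag.
LOG_INDICATORS = {
    "cifs worm pattern detected:sasser": "cifs-worm-catcher",
    "rule 99501": "r55-rule-99501",
    "null payload icmp packet detected": "null-payload-echo",
}
# Constructed ICMP Echo Request (type 8, code 0, id 1, seq 1) with no payload; checksum 0xf7fd.
SAMPLE_NULL_ECHO = bytes.fromhex("0800f7fd00010001")
# Constructed sample lines in a loose key=value shape; not real SmartView Tracker output.
SAMPLE_LOG = [
    "proto=tcp dport=139 info=CIFS worm pattern detected:sasser",
    "action=drop rule=99501 info=matched rule 99501",
    "action=drop proto=icmp attack=Null Payload ICMP packet detected",
    "event=program_start image=C:\\WINDOWS\\avserve2.exe",
    "proto=tcp dport=80 info=normal web traffic",
]

def pipe_matches(pipe_name: str) -> bool:
    """True if an SMB named-pipe path such as '\\PIPE\\lsarpc' matches lsarpc$."""
    return SASSER_PIPE_PATTERN.search(pipe_name.strip()) is not None

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; evaluates to 0 over a message whose checksum is valid."""
    data += b"\x00" * (len(data) % 2)  # pad odd-length messages
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def is_null_payload_echo(icmp: bytes) -> bool:
    """The check the advisory describes: a type-8 echo with a valid checksum and zero payload."""
    return len(icmp) == 8 and icmp[0] == 8 and icmp[1] == 0 and icmp_checksum(icmp) == 0

def triage_log(lines):
    """Return (line, tag) for every line carrying one of the advisory's indicators."""
    hits = []
    for line in lines:
        low = line.lower()
        tags = [tag for key, tag in LOG_INDICATORS.items() if key in low]
        if any(name in low for name in SASSER_PROCESSES):
            tags.append("integrity-process")
        if tags:
            hits.append((line, tags[0]))
    return hits
```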

Users of Check Point Integrity

The firewall built into Check Point Integrity proactively prevents the infection even if the Microsoft patch has not been applied. An Integrity-protected endpoint can only become infected if another computer in the "Trusted Zone" (usually the local network) is already infected. In that case Program Control alerts the computer user if the malicious application attempts to access the network; Program Events Reports can also be used to monitor and identify worm activity.

Industry Reference:

MS04-011
CAN-2003-0533
CPSA-2003-08
CPAI-2003-11

Additional Information:

This solution has been enhanced. For more information, see CPAI-2005-136.