
Microsoft Windows LSASS Protection

Attack ID: CPAI-2005-136
Publish Date:
Last Update:
Category: MS-RPC
Vulnerable Systems: Microsoft Windows 2000
Microsoft Windows XP
Source:

Microsoft Security Bulletin MS04-011

Description: A vulnerability exists in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). LSASS provides the interface for managing local security, domain authentication, and Active Directory processes. The vulnerability is triggered by sending a specially crafted DCE/RPC request over CIFS to an affected system, which could result in code execution on that system.
Severity:
Details:

The vulnerability lies in a function in lsasrv.dll, an Active Directory service function exposed through the LSASS DCE/RPC endpoint. The function does not validate the length of the parameters passed to it, so an oversized parameter produces a buffer overflow.

Attack Detection:

Users of VPN-1 NG with Application Intelligence R55 and R55W, users of VPN-1 NGX R60 and users of InterSpect who have applied the solution outlined below will see the following log entries:

Attack Name: MS-RPC over CIFS Enforcement Violation
Attack Information: MS-RPC over CIFS - Detected Microsoft LSASS Vulnerability (MS04-011)

Users of VPN-1 NG with Application Intelligence R55 will identify rule 99447 on the SmartView Tracker screen.

Attack Name: MS-RPC over CIFS Enforcement Violation
Attack Information: MS-RPC over CIFS - Fragmented Bind detected

Users of VPN-1 NG with Application Intelligence R55 will identify rule 99444 on the SmartView Tracker screen.

Solution:

Users of VPN-1 NG with Application Intelligence R55 and R55W, users of VPN-1 NGX R60 and users of InterSpect should update their SmartDefense by clicking Online Update (R55 - Update Now) in the SmartDashboard General window.

The update protects against this vulnerability by blocking specially crafted DCE/RPC messages.

To enable the protection:

1. On the SmartDefense navigation tree, click MS-RPC and then click MS-RPC over CIFS.

2. Enable Block LSASS Vulnerability (MS04-011).

3. Under MS-RPC > MS-RPC over CIFS Inspection Properties it is also recommended to enable Block fragmented Bind request and Block multiple context Bind.


Update from November 1, 2005

An update released on November 1, 2005 included an enhancement and a fix to this inspection:

1. An enhancement to the Block multiple context Bind inspection property: it now blocks any Bind request that carries more than 4 presentation contexts. For security reasons it is highly recommended that this inspection property be enabled.

2. A fix to the Monitor Only mode that was not working properly in specific configurations.
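The two Bind-level inspection properties recommended in step 3 above (Block fragmented Bind request and Block multiple context Bind) and the November 2005 refinement of the latter (more than 4 contexts is blocked) can be expressed as a small check over the DCE/RPC Bind header. The following Python is an added example written for this page, not Check Point's SmartDefense code. It assumes the Bind PDU layout from the DCE 1.1 RPC specification and only handles the little-endian data representation; the sample PDUs are constructed here with a placeholder all-zero abstract syntax UUID, and Monitor Only mode is modelled as a "detect" verdict in place of "block". The LSASS-specific request signature is not modelled, since this page does not describe it.

```python
import struct
from uuid import UUID

# DCE/RPC packet type and fragment flags (DCE 1.1 RPC specification).
PTYPE_BIND = 11
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
COMPLETE = PFC_FIRST_FRAG | PFC_LAST_FRAG

# Policy limit mirroring "Block multiple context Bind": more than 4 contexts is blocked.
MAX_BIND_CONTEXTS = 4

# Standard NDR transfer syntax (8a885d04-1ceb-11c9-9fe8-08002b104860 v2).
NDR_SYNTAX = UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le + struct.pack("<I", 2)
# Placeholder abstract syntax for the constructed samples (not a real interface UUID).
PLACEHOLDER_ABSTRACT = UUID("00000000-0000-0000-0000-000000000000").bytes_le + struct.pack("<I", 0)


def build_bind(n_contexts, fragmented=False, call_id=1):
    """Construct a minimal Bind PDU for testing (constructed sample data).

    Every context requests the placeholder abstract syntax with the single NDR
    transfer syntax; only the context count and the fragment flags matter to
    the inspection below.
    """
    contexts = b""
    for cont_id in range(n_contexts):
        # p_cont_id, n_transfer_syn, reserved, then abstract + transfer syntaxes
        contexts += struct.pack("<HBB", cont_id, 1, 0) + PLACEHOLDER_ABSTRACT + NDR_SYNTAX
    body = struct.pack("<HHI", 4280, 4280, 0)              # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", n_contexts, 0, 0) + contexts  # n_context_elem + reserved padding
    flags = PFC_FIRST_FRAG if fragmented else COMPLETE       # a fragmented Bind lacks LAST_FRAG
    header = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, flags, 0x10, 16 + len(body), 0, call_id)
    return header + body


def _check(pdu):
    """Return (ok, reason) for one PDU; non-Bind PDUs are passed through."""
    if len(pdu) < 16:
        return False, "truncated PDU header"
    vers, _minor, ptype, flags, drep, frag_len, _auth_len, _call_id = struct.unpack("<BBBBIHHI", pdu[:16])
    if vers != 5:
        return False, "unexpected RPC version %d" % vers
    if (drep & 0xF0) != 0x10:
        # Only little-endian integer representation is decoded by this inspector.
        return False, "unsupported data representation 0x%02x" % (drep & 0xFF)
    if frag_len != len(pdu):
        return False, "frag_length %d does not match PDU size %d" % (frag_len, len(pdu))
    if ptype != PTYPE_BIND:
        return True, "not a Bind PDU"
    # "Block fragmented Bind request": a Bind must arrive as one complete fragment.
    if (flags & COMPLETE) != COMPLETE:
        return False, "fragmented Bind request (pfc_flags=0x%02x)" % flags
    if len(pdu) < 28:
        return False, "truncated Bind body"
    n_ctx = pdu[24]  # n_context_elem follows the 8-byte max_xmit/max_recv/assoc_group fields
    if n_ctx > MAX_BIND_CONTEXTS:
        return False, "Bind with %d presentation contexts (limit %d)" % (n_ctx, MAX_BIND_CONTEXTS)
    # Walk the context list so a claimed count that overruns the PDU is rejected too.
    offset = 28
    for _ in range(n_ctx):
        if offset + 4 > len(pdu):
            return False, "context list truncated"
        cont_id, n_ts = struct.unpack("<HB", pdu[offset:offset + 3])
        needed = 4 + 20 + 20 * n_ts  # id/counts + abstract syntax + each transfer syntax
        if offset + needed > len(pdu):
            return False, "context %d overruns the PDU" % cont_id
        offset += needed
    return True, "Bind with %d context(s)" % n_ctx


def inspect_bind(pdu, monitor_only=False):
    """Return (verdict, reason): "allow", "block", or "detect" when Monitor Only is set."""
    ok, reason = _check(pdu)
    if ok:
        return "allow", reason
    return ("detect" if monitor_only else "block"), reason


if __name__ == "__main__":
    for label, pdu in [("single context", build_bind(1)),
                       ("five contexts", build_bind(5)),
                       ("fragmented", build_bind(1, fragmented=True))]:
        print(label, inspect_bind(pdu), inspect_bind(pdu, monitor_only=True))
```

The walk over the context list is what makes the count check meaningful: an inspector that trusted n_context_elem alone could be satisfied by a header that declares 4 contexts while the fragment carries more data than that, so the size of the PDU is reconciled with the declared structure before the Bind is allowed through.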

Industry Reference:

CAN-2005-0533

Additional Information:

CPAI-2004-20

This update also includes:
- Microsoft DTC protection (MS05-051) - CPAI-2005-140
- Microsoft uPnP protection (MS05-047) - CPAI-2005-139
- Microsoft Client Service for NetWare protection (MS05-046) - CPAI-2005-138