
Microsoft Windows Plug and Play Vulnerability Protection (MS05-039) / Zotob worm

Attack ID: CPAI-2005-120
Publish Date:
Last Update:
Category: Remote Code Execution
Vulnerable Systems: Microsoft Windows 2000 SP4
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Source:

Microsoft Security Bulletin MS05-039

Description: A buffer overflow vulnerability in Microsoft's Plug and Play (PnP) service allows remote attackers to execute arbitrary code and compromise a vulnerable system. The vulnerability is being actively exploited in the wild by the Zotob worm. For more information about the worm, refer to the Zone Labs Virus Information Center.
Severity:
Details: The vulnerability is a stack-based buffer overflow in the Plug and Play service, which does not properly validate the length of specially crafted RPC requests. The PnP RPC interface is reachable over SMB named pipes (TCP ports 139 and 445), which is the path the Zotob worm uses. Windows 2000 is the most exposed, since the interface can be reached by an unauthenticated remote attacker; on later versions the attacker needs valid credentials or local access.
Attack Detection: Users of VPN-1 NG with Application Intelligence R55W, VPN-1 NGX R60, and InterSpect who have applied the solution outlined below will see the attack as the following log entries:

Attack Name:  MS-RPC over CIFS Enforcement Violation
Attack Information: MS-RPC over CIFS - Detected Microsoft uPnP Vulnerability (MS05-039)

(The "uPnP" in the protection name refers to the Plug and Play service attacked by MS05-039, not to the Universal Plug and Play protocol.)

Users of VPN-1 NG with Application Intelligence will receive rule 99445 on the SmartView Tracker screen.
Solution: Users of VPN-1 NG AI R55, R55W, VPN-1 NGX R60 and InterSpect:

Users of VPN-1 NGX R60 should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

By enabling the protection, SmartDefense blocks the Plug and Play (PnP) RPC interface when it is carried over the Common Internet File System (CIFS) protocol, that is, MS-RPC over CIFS.

To enable the protection:

1. On the SmartDefense navigation tree, click MS-RPC and enable MS-RPC over CIFS.

2. Enable Block Microsoft uPnP Vulnerability (MS05-039).

3. Install policy on all modules.

Note: When Monitor Only is enabled with the Microsoft Networks > File and Print Sharing protection, the MS-RPC over CIFS protection is also activated in the Monitor Only mode.
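The following is an added example, not code from the Check Point advisory or from Check Point's products. It shows the traffic the "MS-RPC over CIFS" protection acts on: a DCE/RPC bind to the Plug and Play interface written down an SMB named pipe. The facts it relies on are the PnP interface UUID and version registered by umpnpmgr.dll (8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0) and the DCE/RPC 1.1 connection-oriented bind PDU layout. It assumes the SMB framing around the pipe write has already been stripped; the pipe names, the sample PDUs, and the `build_bind`, `parse_bind_interfaces` and `inspect_pipe_write` helpers are constructed for the example. The "monitor" mode mirrors the Monitor Only behaviour described in the note above.

```python
"""
Added example, not code from the Check Point advisory: a minimal detector for
a DCE/RPC bind to the Plug and Play interface carried over an SMB named pipe,
the traffic the SmartDefense "MS-RPC over CIFS" protection blocks.
Assumptions: SMB framing is already stripped; pipe names and PDUs below are
constructed test data.
"""
import struct
import uuid

PNP_IFACE = uuid.UUID("8d9f4e40-a03d-11ce-8f69-08003e30051b")     # PnP (umpnpmgr) v1.0
SRVSVC_IFACE = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")  # srvsvc v3.0, benign
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")         # NDR transfer syntax v2
PTYPE_BIND = 11
HDR = "<BBBBIHHI"  # ver, ver_minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id

ATTACK_NAME = "MS-RPC over CIFS Enforcement Violation"
ATTACK_INFO = "MS-RPC over CIFS - Detected Microsoft uPnP Vulnerability (MS05-039)"


def build_bind(iface, major=1, minor=0, call_id=1):
    """Constructed test input: a DCE/RPC v5 bind PDU with one presentation context."""
    ctx = struct.pack("<HBB", 0, 1, 0)                          # ctx id, #transfer syntaxes, pad
    ctx += iface.bytes_le + struct.pack("<HH", major, minor)    # abstract syntax (interface)
    ctx += NDR32.bytes_le + struct.pack("<I", 2)                # transfer syntax
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx       # xmit, recv, assoc group, #ctx
    hdr = struct.pack(HDR, 5, 0, PTYPE_BIND, 0x03, 0x10, 16 + len(body), 0, call_id)
    return hdr + body


def parse_bind_interfaces(pdu):
    """Return [(uuid, major, minor)] for every abstract syntax in a bind PDU.

    Non-bind PDUs yield []. Truncated or inconsistent PDUs raise ValueError so
    the caller can fail closed instead of treating a mangled bind as clean.
    """
    if len(pdu) < 28:
        raise ValueError("PDU shorter than a bind header")
    ver, _, ptype, _, drep, frag_len, _, _ = struct.unpack_from(HDR, pdu, 0)
    if ver != 5 or ptype != PTYPE_BIND:
        return []
    if not drep & 0x10:                                         # only little-endian NDR handled
        raise ValueError("big-endian data representation not handled")
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds captured data")
    n_ctx = pdu[24]
    off = 28
    ifaces = []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("context element runs past frag_length")
        _, n_ts = struct.unpack_from("<HB", pdu, off)
        off += 4
        iface = uuid.UUID(bytes_le=pdu[off:off + 16])
        major, minor = struct.unpack_from("<HH", pdu, off + 16)
        off += 20 + 20 * n_ts                                   # skip the transfer syntax list
        if off > frag_len:
            raise ValueError("transfer syntax list runs past frag_length")
        ifaces.append((iface, major, minor))
    return ifaces


def inspect_pipe_write(pipe_name, pdu, mode="block"):
    """Decide what to do with one write to an SMB named pipe.

    mode "block" drops a PnP bind; mode "monitor" lets it through but logs it.
    Malformed binds are handled the same way as a detected bind (fail closed).
    """
    verdict = "drop" if mode == "block" else "log"
    try:
        bound = parse_bind_interfaces(pdu)
    except ValueError as exc:
        return {"action": verdict, "pipe": pipe_name, "reason": f"malformed bind: {exc}"}
    pnp = [(i, ma, mi) for i, ma, mi in bound if i == PNP_IFACE]
    if not pnp:
        return {"action": "accept"}
    return {
        "action": verdict,
        "attack": ATTACK_NAME,
        "info": ATTACK_INFO,
        "pipe": pipe_name,
        "interface": f"{PNP_IFACE} v{pnp[0][1]}.{pnp[0][2]}",
    }


if __name__ == "__main__":
    samples = (("\\browser", build_bind(PNP_IFACE)), ("\\srvsvc", build_bind(SRVSVC_IFACE, 3)))
    for name, pdu in samples:
        print(name, inspect_pipe_write(name, pdu), inspect_pipe_write(name, pdu, "monitor"))
```

The match is on the interface UUID in the bind rather than on the pipe name, because the PnP interface is reachable through more than one of the pipes the RPC subsystem shares, and a gateway that keyed only on `\browser` would miss the same bind sent to another pipe.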

Users of Integrity:

Install Microsoft patches to remove this vulnerability from the Windows Operating System and other software components: http://windowsupdate.microsoft.com

Check Point Integrity protects your system against this vulnerability and the Zotob worm through the following available services:

Classic Firewall Rules

Use Classic Firewall rules to restrict inbound TCP ports 139 and 445 (SMB/CIFS, the transport the vulnerable PnP interface is reached over) to trusted hosts only. Ensure the rules are applied to the active policies.

SmartDefense Program Advisor

SmartDefense Program Advisor automatically blocks malware. It is recommended that you ensure the following:

  • Internet Zone Security is set to High.
  • Trusted Zone Security is set to Medium.

For more information about activating SmartDefense Program Advisor, please refer to CPSA-2005-10.

Firewall

It is recommended that you ensure that only trusted hosts are in the ‘Trusted’ Zone.

Antivirus Rules

Use Antivirus rules to enforce latest versions of Antivirus engine and definition files.

Advanced Cooperative Enforcement

Use Advanced Cooperative Enforcement to enforce policy upon remote endpoints.

Industry Reference: CAN-2005-1983 (now CVE-2005-1983)
Additional Information: Zone Labs Security Advisory
Zone Labs Virus Information Center
Microsoft Security Advisory

This Update also includes the following protections:
- Enhancement to the SQL Server Protection (CPAI-2005-54)
- Enhanced MS PNG Protection (CPAI-2005-99) 
- MS COM Objects Protection (CPAI-2005-117) 
- MS Print Spooler Service Protection (CPAI-2005-118) 
- MS Telephony Service (TAPI) Protection (CPAI-2005-119)