
Security Best Practice: Enforcement of MS-RPC Protections over all TCP Ports


Check Point Reference: SBP-2006-03
Date Published:
Severity:
Last Updated:
Source: SmartDefense Research Center
Industry Reference(s): CAN-2005-2119
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
Who is Vulnerable?
Microsoft Windows operating systems
Vulnerability Description
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. Microsoft Remote Procedure Call (MS-RPC) is Microsoft's implementation of RPC. Microsoft has reported multiple vulnerabilities (MS05-039, MS05-043, MS05-051, MS06-008) in its MS-RPC implementation that can be abused over the Common Internet File System (CIFS) protocol on TCP/139 and TCP/445 (the standard ports used by CIFS). However, MS-RPC can also be abused on any other TCP port on which an MS-RPC server listens, in order to compromise a system. This SmartDefense protection allows you to enforce the MS-RPC protections over all TCP ports.
Vulnerability Details
A scenario in which MS-RPC was abused on a non-standard TCP port was described in MS05-051. A remote code execution vulnerability was reported in the Microsoft Distributed Transaction Coordinator (MSDTC) service. The MSDTC interface proxy (MSDTCPRX.DLL) functions as an RPC server that handles requests on the interface. The vulnerability allows an anonymous attacker to take complete control of an affected system. MSDTC listens on TCP port 3372 and on a dynamic high TCP port, and is enabled by default on all Windows 2000 systems.

Protection Overview
The protection extends the MS-RPC protections beyond the inspection performed on the standard ports used by the CIFS protocol (TCP/139 and TCP/445). Enabling Enforce MS-RPC Protections on all TCP Ports enforces the MS-RPC protections over all other TCP ports as well.
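The all-ports enforcement described above is possible because an MS-RPC bind can be recognised from its DCE/RPC header no matter which TCP port it arrives on. The following Python is an added example, not Check Point's code: it parses the connection-oriented bind PDU, extracts the requested interface UUIDs, and flags binds seen outside TCP/139 and TCP/445. The interface UUID and the sample flows are constructed placeholders.

```python
import struct
import uuid

# DCE/RPC connection-oriented PDU types: 11 = bind, 14 = alter_context
PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14
CO_HEADER_LEN = 16          # rpc_vers, minor, ptype, flags, drep[4], frag_len, auth_len, call_id
CIFS_PORTS = {139, 445}     # the ports inspected before all-ports enforcement is enabled

def parse_bind_interfaces(pdu: bytes):
    """Return the interface UUIDs requested in a little-endian DCE/RPC bind PDU,
    or None if the bytes are not a well-formed bind/alter_context."""
    if len(pdu) < CO_HEADER_LEN + 12:
        return None
    vers, vers_minor, ptype, _flags, drep = struct.unpack_from("<BBBB4s", pdu, 0)
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if vers != 5 or vers_minor > 1 or ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return None
    if not drep[0] & 0x10 or frag_len > len(pdu):   # only little-endian NDR is handled
        return None
    n_ctx = pdu[CO_HEADER_LEN + 8]   # follows max_xmit_frag, max_recv_frag, assoc_group_id
    off = CO_HEADER_LEN + 12
    ifaces = []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            return None
        n_ts = pdu[off + 2]          # number of transfer syntaxes in this context
        ifaces.append(str(uuid.UUID(bytes_le=pdu[off + 4:off + 20])))
        off += 24 + 20 * n_ts        # abstract syntax (uuid+version) plus transfer syntaxes
        if off > frag_len:
            return None
    return ifaces

def rpc_binds_outside_cifs(flows):
    """flows: iterable of (dst_port, first client payload). Returns the MS-RPC binds
    seen on ports other than 139/445, i.e. traffic only all-ports enforcement inspects."""
    return [(port, ifaces) for port, payload in flows
            if (ifaces := parse_bind_interfaces(payload)) and port not in CIFS_PORTS]

def build_bind(iface: uuid.UUID) -> bytes:
    """Constructed sample: a minimal one-context bind PDU requesting iface."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR transfer syntax
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", 0)
    ctx += ndr.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      CO_HEADER_LEN + len(body), 0, 1)
    return hdr + body

SAMPLE_IFACE = uuid.UUID("12345678-1234-abcd-ef00-0123456789ab")   # placeholder, not a real interface
SAMPLE_FLOWS = [(445, build_bind(SAMPLE_IFACE)), (3372, build_bind(SAMPLE_IFACE)),
                (49152, build_bind(SAMPLE_IFACE)), (3372, b"GET / HTTP/1.0\r\n\r\n")]
```

Run against `SAMPLE_FLOWS`, the detector reports the binds on 3372 and 49152 while ignoring the one on 445 and the non-RPC payload.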

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. On the SmartDefense tree, click Application Intelligence > MS-RPC.
2. Enable Enforce MS-RPC Protections on all Ports.


How Do I Know if My Network is Under Attack?
SmartView Tracker may log entries such as the following (example only):

Attack Name: MS-RPC over CIFS Enforcement Violation
Attack Information: MS-RPC over CIFS - Detected Microsoft DTC Vulnerability (MS05-051)

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. On the SmartDefense tree, click Application Intelligence > MS-RPC.
2. Enable Enforce MS-RPC Protections on all Ports.



Note: The Enforce MS-RPC Protections On All TCP Ports protection will be enforced only for RPC services that are explicitly allowed in the rulebase. Therefore, for the protection to be enabled, users of R55 should define a service of type DCE-RPC.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log rule 99449, indicating that an MS-RPC over CIFS Violation was detected (example only).