Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Server Service Remote Code Execution Vulnerability (MS08-067)

Subscribe

Check Point Reference: CPAI-2008-158
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS08-067
Industry Reference(s): CVE-2008-4250
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP1 (Itanium)
Windows Server 2003 with SP2 (Itanium)
Windows Vista
Windows Vista SP1
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 (Itanium)
Vulnerability Description
A remote code execution vulnerability has been discovered in Microsoft Windows Server Service. Microsoft Server Service provides support for Remote Procedure Call (RPC), resource sharing, and named pipe communication over the network. A remote unauthenticated attacker may exploit this issue to take complete control of an affected system. The vulnerability may be used to create an exploit that will propagate as a worm.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS08-067
Vulnerability Details
The vulnerability is due to an error in the Windows Server service that fails to properly handle specially crafted RPC requests. A remote attacker could exploit this issue by specially crafting a malicious RPC request and sending it to an affected system. Successful exploitation may allow execution of arbitrary code on a target system.

Protection Overview
By enabling this protection, SmartDefense will detect and block malformed RPC requests sent to the vulnerable service.

In order for the protection to be activated, update your VPN-1 product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following protection:

Block Microsoft Server Service Remote Code Execution (MS08-067)

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Microsoft server service remote code execution (MS08-067)

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following protection:

Block Microsoft Server Service Remote Code Execution (MS08-067)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Microsoft server service remote code execution (MS08-067)

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following protection:

Block Microsoft Server Service Remote Code Execution (MS08-067)

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Microsoft server service remote code execution (MS08-067)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > MS-RPC, and select the SrvSvc Overflow protection group.
3. For each of the SrvSvc NetPathCanonicalize Directory Traversal Overflow, SrvSvc NetPathCompare Directory Traversal Overflow, and WksSvc NetPath Directory Traversal Overflow protections, check the Active box under Settings in the configuration pane.
4. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: MS06-040 Alert Source
Description:
SrvSvc NetPathCanonicalize Directory Traversal Overflow
SrvSvc NetPathCompare Directory Traversal Overflow
WksSvc NetPath Directory Traversal Overflow