Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Security Best Practice: Protect Yourself from DCE-RPC Invalid NDR Value Evasion Technique

Subscribe

Check Point Reference: SBP-2010-33
Date Published:
Severity:
Source: IPS Research Center
Industry Reference(s): CVE-2010-0102
Protection Provided by: Security Gateway
  • R71
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
Who is Vulnerable?
Computers and networks
Vulnerability Description
DCE/RPC stands for Distributed Computing Environment / Remote Procedure Calls. It is a Remote Procedure Call system that allows software to work across multiple computers, as if it were all working on the same computer. This system allows programmers to write distributed software without having to worry about the underlying network code.
Vulnerability Details
There are many known vulnerabilities in applications based on the DCE-RPC protocol. Though IDS and IPS devices have signatures to detect attacks exploiting these vulnerabilities, these devices can be evaded by using an invalid value in the NDR field. Attackers may use this as an IDS/IPS evasion technique.

Protection Overview
This protection will detect and block DCE-RPC requests containing an invalid NDR value.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05Protection tab and select the version of your choice. 

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence MS-RPC.
2. In the right pane, double-click the following protection:

DCE-RPC Invalid NDR Value Evasion Technique

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: DCE-RPC Enforcement Violation
Attack Information: DCE-RPC invalid NDR value detected

VPN-1 NGX R65 & VSX NGX R65

How Can I Protect My Network?
1.In the SmartDefense tab, click Application Intelligence MS-RPC > DCE-RPC Invalid NDR Value Evasion Technique.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: DCE-RPC Enforcement Violation
Attack Information: DCE-RPC invalid NDR value detected