Check Point Advisories

Security Best Practice: Enforcement of MS-RPC Protections over all TCP Ports

Check Point Reference: SBP-2006-03
Date Published: 27 Apr 2006
Severity: High
Last Updated: 8 May 2007
Source: SmartDefense Research Center
Industry Reference: CAN-2005-2119
Protection Provided by:
Who is Vulnerable? Microsoft Windows operating systems
Vulnerability Description: Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. Microsoft Remote Procedure Call (MS-RPC) is Microsoft's implementation of RPC. Microsoft has reported multiple vulnerabilities (MS05-039, MS05-043, MS05-051, MS06-008) in its MS-RPC protocol that can be abused over the Common Internet File Sharing (CIFS) protocol on TCP/139 and TCP/445 (the standard ports used by CIFS). However, MS-RPC can also be abused on any other TCP port used by the MS-RPC server to compromise a system. SmartDefense Protection allows you to enforce the MS-RPC protections over all TCP ports.
Vulnerability Details: A scenario in which MS-RPC was abused on a random TCP port is described in MS05-051. A remote code execution vulnerability was reported in the Microsoft Distributed Transaction Coordinator (MSDTC) service. The MSDTC interface proxy (MSDTCPRX.DLL) functions as an RPC server that handles requests on the interface. The vulnerability allows an anonymous attacker to take complete control over an affected system. MSDTC listens on TCP port 3372 and a dynamic high TCP port, and is enabled by default on all Windows 2000 systems.
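
Because MS-RPC can appear on TCP 3372 or a dynamic high port, inspection has to recognise it from the payload rather than from the port number. The following Python is an added example, not Check Point's or SmartDefense's code: it identifies a DCE/RPC connection-oriented PDU from its 16-byte common header and reads the interface UUID from a bind request. The function names, `SAMPLE_IF` and the sample bind PDU are constructed for illustration.

```python
import struct
import uuid

CIFS_PORTS = {139, 445}  # the standard CIFS ports named in the advisory
PTYPES = {0: "request", 2: "response", 11: "bind", 12: "bind_ack"}
# Constructed placeholder interface UUID, not a real service's identifier.
SAMPLE_IF = uuid.UUID("11111111-2222-3333-4444-555555555555")

def parse_dcerpc(payload):
    """Return header fields if payload starts with a DCE/RPC v5.0
    connection-oriented PDU, else None. The check never looks at the port."""
    if len(payload) < 16 or payload[0] != 5 or payload[1] != 0:
        return None
    ptype = payload[2]
    little = bool(payload[4] & 0x10)  # data representation: integer byte order
    end = "<" if little else ">"
    frag_len, _auth_len, call_id = struct.unpack_from(end + "HHI", payload, 8)
    if ptype not in PTYPES or frag_len < 16:
        return None
    info = {"ptype": PTYPES[ptype], "frag_len": frag_len,
            "call_id": call_id, "interface": None}
    # bind body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3)
    #            ctx_id(2) n_syn(1) pad(1) if_uuid(16) if_version(4) ...
    if ptype == 11 and len(payload) >= 48:
        raw = payload[32:48]
        u = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        info["interface"] = str(u)
    return info

def flag_segment(dst_port, payload):
    """Report MS-RPC seen on a TCP port outside the standard CIFS ports."""
    info = parse_dcerpc(payload)
    if info is None or dst_port in CIFS_PORTS:
        return None
    return (dst_port, info["ptype"], info["interface"])

def build_bind(if_uuid, call_id=1):
    """Constructed sample: minimal little-endian bind with one context."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", 0, 1, 0) + if_uuid.bytes_le + struct.pack("<HH", 1, 0)
    body += ndr.bytes_le + struct.pack("<I", 2)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body

if __name__ == "__main__":
    print(flag_segment(3372, build_bind(SAMPLE_IF)))   # MSDTC port from the advisory
    print(flag_segment(3372, b"GET / HTTP/1.1\r\n\r\n"))
```

The parser reads only the first fragment of a stream; a production inspector would also reassemble TCP segments and follow later fragments.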

Protection Overview