
[MS] Vulnerability in the Windows Server Service - MS08-067 / TA08-297A




Dear colleagues,

we have just received the following warning from the Microsoft Product
Security Notification Service. We are passing this information on to
you unchanged.

CVE-2008-4250 - Buffer overflow in the RPC interface of the Windows
Server Service

  The Windows Server Service is responsible for sharing file shares,
  printers and named pipes on the network. A buffer overflow can be
  triggered in the RPC interface of the service. An attacker can
  exploit this vulnerability over the network to execute arbitrary
  code with SYSTEM privileges.

  The vulnerability is already being actively exploited.

  To be able to exploit the vulnerability, the following conditions
  must be met:
  - The Server Service is enabled. This is always the case when
    drives or printers are shared, but the service can also be
    enabled without any explicit share.
  - Firewall rules allow access to the RPC service, i.e. to
    port 139 or 445. The Windows Firewall is automatically opened on
    these ports when resources are shared, and likewise when the
    system is a member of a Windows domain.

The following software packages and platforms are affected:

  Microsoft Windows 2000 Service Pack 4
  
  Windows XP Service Pack 2
  Windows XP Service Pack 3
  Windows XP Professional x64 Edition
  Windows XP Professional x64 Edition Service Pack 2
  
  Windows Server 2003 Service Pack 1
  Windows Server 2003 Service Pack 2
  Windows Server 2003 x64 Edition
  Windows Server 2003 x64 Edition Service Pack 2
  Windows Server 2003 with SP1 for Itanium-based Systems
  Windows Server 2003 with SP2 for Itanium-based Systems
  
  Windows Vista
  Windows Vista Service Pack 1
  Windows Vista x64 Edition
  Windows Vista x64 Edition Service Pack 1
  
  Windows Server 2008 for 32-bit Systems
  Windows Server 2008 for x64-based Systems
  Windows Server 2008 for Itanium-based Systems

The vendor provides updated packages.

Vendor advisory:
  http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx


(c) for the German summary: DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
		Klaus Moeller, DFN-CERT




                     National Cyber Alert System

               Technical Cyber Security Alert TA08-297A


Microsoft Windows Server Service RPC Vulnerability

   Original release date: October 23, 2008
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Windows 2000
     * Microsoft Windows XP
     * Microsoft Windows Server 2003
     * Microsoft Windows Vista
     * Microsoft Windows Server 2008


Overview

   A vulnerability in the way the Microsoft Windows server service
   handles RPC requests could allow an unauthenticated, remote
   attacker to execute arbitrary code with SYSTEM privileges.


I. Description

   Microsoft has released Microsoft Security Bulletin MS08-067 to
   address a buffer overflow vulnerability in the Windows Server
   service. The vulnerability is caused by a flaw in the way the
   Server service handles Remote Procedure Call (RPC) requests. For
   systems running Windows 2000, XP, and Server 2003, a remote,
   unauthenticated attacker could exploit this vulnerability. For
   systems running Windows Vista and Server 2008, a remote attacker
   would most likely need to authenticate.

   Microsoft Security Bulletin MS08-067 rates this vulnerability as
   "Critical" for Windows 2000, XP, and Server 2003. The bulletin also
   notes "...limited, targeted attacks attempting to exploit the
   vulnerability."

   This vulnerability has been assigned CVE-2008-4250. Further
   information is available in a Security Vulnerability & Research
   blog entry and US-CERT Vulnerability Note VU#827267.


II. Impact

   A remote, unauthenticated attacker could execute arbitrary code or
   cause a vulnerable system to crash. Since the Server service runs
   with SYSTEM privileges, an attacker could take complete control of
   a vulnerable system.


III. Solution

Apply update

   Microsoft has provided updates for this vulnerability in Microsoft
   Security Bulletin MS08-067. Microsoft also provides security
   updates through the Microsoft Update web site and Automatic
   Updates. System administrators should consider using an automated
   update distribution system such as Windows Server Update Services
   (WSUS).

Disable Server and Computer Browser services

   Disable the Server and Computer Browser services on Windows systems
   that do not require those services. A typical Windows client that
   is not sharing files or printers is unlikely to need either the
   Server or Computer Browser services. As a best security practice,
   disable all unnecessary services.

Restrict access to server service

   Restrict access to the server service (TCP ports 139 and 445). As a
   best security practice, only allow access to necessary network
   services.

Filter affected RPC identifier

   The host firewalls in Windows Vista and Windows Server 2008 can
   selectively filter RPC Universally Unique Identifiers (UUID). See
   Microsoft Security Bulletin MS08-067 for instructions to filter RPC
   requests with the UUID equal to 
   4b324fc8-1670-01d3-1278-5a47bf6ee188.
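
   Added example, not part of the US-CERT alert or the Microsoft
   bulletin: a Python check that reports whether a DCE/RPC bind PDU
   requests the interface UUID above, which is mixed-endian on the wire,
   so a search for the printed byte order misses it. A match means some
   client bound to the interface, legitimate use included. The function
   names are hypothetical, the sample PDU is constructed, and the PDU is
   assumed to be already extracted from the transport.

```python
import struct
import uuid

# Interface UUID named in the alert; sent in every bind to this RPC interface.
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14


def bound_interfaces(pdu: bytes) -> list:
    """Return the abstract-syntax (interface) UUIDs a bind PDU asks for."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return []
    little = (pdu[4] & 0xF0) == 0x10  # data representation: integer byte order
    frag_len = struct.unpack_from("<H" if little else ">H", pdu, 8)[0]
    pdu = pdu[:frag_len]
    if len(pdu) < 28:
        return []
    off, found = 28, []  # elements follow the 16-byte header + 12-byte bind body
    for _ in range(pdu[24]):  # byte 24: number of context elements
        if off + 24 > len(pdu):  # truncated element: stop parsing
            break
        raw = pdu[off + 4:off + 20]
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * pdu[off + 2]  # skip this element's transfer syntaxes
    return found


def binds_srvsvc(pdu: bytes) -> bool:
    """True if the PDU requests the interface UUID from the alert."""
    return SRVSVC_UUID in bound_interfaces(pdu)


def build_bind(iface: uuid.UUID) -> bytes:
    """Constructed sample input: little-endian bind PDU, one context element."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 3, 0)
    ctx += ndr.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)
    return hdr + body


if __name__ == "__main__":
    other = uuid.UUID("00000000-0000-0000-0000-000000000001")  # constructed
    print(binds_srvsvc(build_bind(SRVSVC_UUID)), binds_srvsvc(build_bind(other)))
```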


IV. References

     * US-CERT Vulnerability Note VU#827267 -
       <http://www.kb.cert.org/vuls/id/827267>

     * Microsoft Security Bulletin MS08-067 -
       <http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx>

     * Microsoft Update - <https://update.microsoft.com/>

     * Windows Update: Automatic Update
       <http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx>

     * Windows Server Update Services (WSUS) Home -
       <http://technet.microsoft.com/en-us/wsus/default.aspx>

     * CVE-2008-4250 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250>

     * More detail about MS08-067, the out-of-band netapi32.dll
       security update -
       <http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA08-297A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA08-297A Feedback VU#827267" in
   the subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2008 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   October 23, 2008: Initial release


-- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages   https://www.cert.dfn.de/autowarn



