MS-ISAC ADVISORY NUMBER:
2008-034

DATE(S) ISSUED:
10/23/2008

SUBJECT:
Vulnerability in Server Services Could Allow Remote Code Execution

OVERVIEW:

A new vulnerability has been discovered in the Microsoft Server Service that could allow a remote attacker to take complete control of the vulnerable system. The Server Service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. A vulnerable computer could be exploited if a malicious user sends a specially crafted Remote Procedure Call (RPC) request over the Internet or an internal network. RPC is a protocol that a program can use to request a service from a program located on another computer in a network. Successful exploitation will result in an attacker gaining complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

SYSTEMS AFFECTED:

  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A new vulnerability has been discovered in Microsoft Server Service. The Server Service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for Remote Procedure Calls (RPC).

On Windows XP, Windows 2000 and Windows 2003 Server, any anonymous user could deliver a specially crafted message to exploit this vulnerability. However, on Windows Vista and Windows 2008 systems, exploitation requires users to be authenticated. Successful exploitation will result in an attacker gaining complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

This vulnerability has the potential to be used in new worms or worm variants, so it should be addressed as soon as possible. It should be noted that this vulnerability is currently being exploited on the Internet.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Block untrusted incoming traffic on ports 139/TCP and 445/TCP from the Internet at your network perimeter.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
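
An added example, not part of the MS-ISAC advisory: one way to verify the perimeter block recommended above is to review firewall or flow records for allowed inbound connections to 139/TCP and 445/TCP from untrusted sources. The record format, sample lines, trusted ranges and function names are assumptions constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Ports named in the advisory's perimeter-blocking recommendation.
SMB_PORTS = {139, 445}

# Assumption: networks this site treats as trusted (RFC 1918 ranges here).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: time,src,dst,dst_port,proto,action
SAMPLE_LOG = """\
2008-10-23T09:00:01,198.51.100.7,192.168.1.20,445,tcp,ALLOW
2008-10-23T09:00:02,192.168.1.35,192.168.1.20,445,tcp,ALLOW
2008-10-23T09:00:05,203.0.113.44,192.168.1.21,139,tcp,DENY
2008-10-23T09:00:09,203.0.113.44,192.168.1.20,139,tcp,ALLOW
2008-10-23T09:00:12,198.51.100.7,192.168.1.22,80,tcp,ALLOW
2008-10-23T09:00:15,not-an-ip,192.168.1.20,445,tcp,ALLOW
"""

def is_trusted(addr, nets=TRUSTED_NETS):
    """True when the source address falls inside a trusted network."""
    return any(addr in net for net in nets)

def exposed_hosts(log_text, nets=TRUSTED_NETS):
    """Map each internal host to the untrusted sources allowed to reach 139/445."""
    exposed = defaultdict(set)
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed records
        _, src, dst, port, proto, action = (f.strip() for f in row)
        try:
            src_ip = ipaddress.ip_address(src)
            port_no = int(port)
        except ValueError:
            continue  # skip records with an unparsable address or port
        if (proto.lower() == "tcp" and port_no in SMB_PORTS
                and action.upper() == "ALLOW" and not is_trusted(src_ip, nets)):
            exposed[dst].add((src, port_no))
    return {host: sorted(peers) for host, peers in exposed.items()}

if __name__ == "__main__":
    for host, peers in sorted(exposed_hosts(SAMPLE_LOG).items()):
        print(host, "reachable on 139/445 from untrusted sources:", peers)
```

Any host this reports is one the perimeter rule is not protecting, so it is a candidate for patching first.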

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Security Focus:
http://www.securityfocus.com/bid/31874

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Secunia:
http://secunia.com/advisories/32326/


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.