CERT-In Vulnerability Note CIVN-2008-170
Microsoft Windows Server Service Vulnerability
Original Issue Date: October 24, 2008
Severity Rating: High
Systems Affected
- Windows 2000 SP4
- Windows XP SP3 and SP2
- Windows XP Professional x64 Edition SP2 and prior
- Windows Server 2003 SP2 and prior
- Windows Server 2003 x64 Edition SP2 and prior
- Windows Server 2003 with SP2 and prior for Itanium-based Systems
- Windows Vista SP1 and prior
- Windows Vista x64 Edition SP1 and prior
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for Itanium-based Systems
Overview
A buffer overflow vulnerability has been reported in Microsoft Windows that could allow an unauthenticated, remote attacker to execute arbitrary code and gain complete control of the affected system.
Description
This vulnerability exists due to insufficient input validation by "netapi.dll" of the "Server" service. This service provides remote computers access to file and print services and is responsible for named pipes and other communication channels to support RPC.
An attacker could exploit the vulnerability by sending a specially crafted remote procedure call (RPC) request designed to trigger an error condition. As a result of this error, an attacker could create a DoS condition or execute arbitrary code with the elevated privileges of the Server service.
On Windows Vista and Windows Server 2008, the vulnerability is only exploitable by authenticated users. On the other Windows versions listed in the "Systems Affected" section, this vulnerability could be exploited by anonymous users.
Note: This vulnerability is being exploited in targeted attacks.
Workarounds
- Disable the Server and Computer Browser services
- On Windows Vista and Windows Server 2008, block all RPC requests with the Universally Unique Identifier (UUID) equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188
- Block TCP ports 139 and 445 at the firewall
For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS08-067.
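One way to check on a host whether the first and third workarounds are in effect, as an added PowerShell example that is not part of the CERT-In note or the Microsoft bulletin. It assumes the Server and Computer Browser services carry the service names LanmanServer and Browser and that netstat prints English output; it sees local listeners only, so the firewall rule itself still has to be confirmed from outside the host.

```powershell
# Added audit example (not from the advisory). Assumptions: service names
# LanmanServer / Browser for "Server" / "Computer Browser"; English netstat output.
$services = 'LanmanServer', 'Browser'
$ports    = 139, 445
$findings = @()

function New-Finding($check, $ok, $detail) {
    $status = 'REVIEW'
    if ($ok) { $status = 'OK' }
    New-Object PSObject -Property @{ Check = $check; Status = $status; Detail = $detail }
}

# Workaround 1: each service should be stopped AND disabled; a stopped service
# left on Auto or Manual starts again at the next boot or on demand.
foreach ($name in $services) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        $findings += New-Finding "Service $name" $true 'not installed'
        continue
    }
    $ok = ($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped')
    $findings += New-Finding "Service $name" $ok "StartMode=$($svc.StartMode), State=$($svc.State)"
}

# Workaround 3 (host-side view): collect local TCP listeners from netstat.
# The pattern covers IPv4 (0.0.0.0:445) and IPv6 ([::]:445) local addresses.
$listening = @()
foreach ($line in (netstat -an)) {
    if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') {
        $listening += [int]$Matches[1]
    }
}
foreach ($port in $ports) {
    $open = $listening -contains $port
    $detail = 'no local listener'
    if ($open) { $detail = 'listening; confirm the firewall blocks it' }
    $findings += New-Finding "TCP $port" (-not $open) $detail
}

$findings | Select-Object Check, Status, Detail | Format-Table -AutoSize
```

A REVIEW row on a TCP port is expected on file servers that cannot disable the Server service; on those hosts the patch under Solution is the fix and the row only marks where the firewall rule matters.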
Solution
Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS08-067.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
References
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
IBM ISS X-Force
http://xforce.iss.net/xforce/xfdb/46040
FrSIRT
http://www.frsirt.com/english/advisories/2008/2902
SecurityFocus
http://www.securityfocus.com/bid/31874
CVE Name
CVE-2008-4250
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
