Security Advisory

Microsoft Security Advisory 911052

Memory Allocation Denial of Service Via RPC

Published: November 16, 2005 | Updated: November 18, 2005

Microsoft is aware of public reports of proof-of-concept code that seeks to exploit a possible vulnerability in Microsoft Windows 2000 Service Pack 4 and in Microsoft Windows XP Service Pack 1. This vulnerability could allow an attacker to perform a denial of service attack of limited duration.

On Windows 2000 Service Pack 4, an attacker could potentially exploit this vulnerability anonymously. On Windows XP Service Pack 1, an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. Customers who have installed Windows XP Service Pack 2 are not affected by this vulnerability. Additionally, customers running Windows Server 2003 and Windows Server 2003 Service Pack 1 are not affected by this vulnerability.

Microsoft is not aware of active attacks that use this vulnerability or of customer impact at this time. However, Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

Microsoft is concerned that this new report of a vulnerability in Windows 2000 Service Pack 4 and Windows XP Service Pack 1 was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Although this vulnerability was discovered by a security researcher who was investigating the vulnerability addressed by Security Bulletin MS05-047, it is a completely separate vulnerability and is not related to the vulnerability discussed in MS05-047. We continue to encourage customers to apply the MS05-047 update and all recent security updates released by Microsoft.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

Mitigating Factors:

  • On Windows XP Service Pack 1, an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. In certain configurations, anonymous users could authenticate as the Guest account. For more information, see Microsoft Security Advisory 906574.
  • Customers who are running Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1 are not affected by this vulnerability.
  • Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

General Information

Overview

Purpose of Advisory: To advise customers of a publicly disclosed issue, to clarify the scope and impact of that issue, and to provide prescriptive guidance.

Advisory Status: Under Investigation.

Recommendation: Review the suggested actions and configure as appropriate.

References                          Identification
CVE Reference                       CAN-2005-3644
Microsoft Knowledge Base Article    911052

This advisory discusses the following software.

Related Software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
Microsoft has been made aware of a new memory allocation denial of service vulnerability in Microsoft Windows. This affects the software that is listed in the “Overview” section.

What is remote procedure call (RPC)?
Remote procedure call (RPC) is a protocol that is used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program that is running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions.

Is this a security vulnerability that requires Microsoft to issue a security update?
At this point, the issue is still under investigation. After the investigation is complete, a security update may be released for this issue.

What causes this threat?
An attacker can send specially crafted malicious packets to a vulnerable machine, which would potentially result in a denial of service condition of limited duration.

What might an attacker use this function to do?
An attacker can send specially crafted malicious packets to a vulnerable machine, which would potentially result in a denial of service condition of limited duration.

Suggested Actions

Workarounds

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • To help protect against anonymous network-based connection attempts to exploit this vulnerability, configure the RestrictAnonymous registry setting to a more restrictive setting:

    By default on Windows 2000, the RestrictAnonymous entry is set to a value of 0, which does not restrict Anonymous users. By setting the registry entry to a value of 2, Anonymous users will have no access without explicit anonymous permissions. For more information about how to use the RestrictAnonymous registry entry in Windows 2000, see Microsoft Knowledge Base Article 246261.

    Impact of Workaround: When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.

  • Block the following at the firewall:

    • UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
    • All unsolicited inbound traffic on ports greater than 1024
    • Any other specifically configured RPC port
    • If installed, COM Internet Services (CIS) or RPC over HTTP, which listen on ports 80 and 443

    These ports are used to initiate a connection with RPC. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports that RPC uses, visit the following Web site. For more information about how to disable CIS, see Microsoft Knowledge Base Article 825819.

  • To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP Service Pack 1.

    By default, the Internet Connection Firewall feature in Windows XP Service Pack 1 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet.

    To configure Internet Connection Firewall manually for a connection, follow these steps:

    1. Click Start, and then click Control Panel.
    2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
    3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
    4. Click the Advanced tab.
    5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.

    Note If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.

  • To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.

    You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

  • To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPsec on the affected systems.

    Use Internet Protocol security (IPsec) to help protect network communications. Detailed information about IPsec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.

  • Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses. International customers can receive support by using any of the methods that are listed at the Security Help and Support for Home Users Web site. All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.

  • Protect Your PC

    We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

  • For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.

  • Keep Your System Updated

    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
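
The firewall workaround above lists the ports to block. The following is an added example, not part of Microsoft's advisory, that checks a host's own `netstat -an` output against that list so an administrator can see which listening sockets the firewall must cover. The function names, the loopback exclusion, and the sample output are assumptions constructed for illustration.

```python
import re

# Ports the advisory's firewall workaround says to block.
ADVISORY_PORTS = {"UDP": {135, 137, 138, 445}, "TCP": {135, 139, 445, 593}}
CIS_PORTS = {80, 443}  # only relevant when CIS / RPC over HTTP is installed

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1040        192.0.2.20:445         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
  UDP    127.0.0.1:1900         *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """Yield (proto, local_ip, port) for sockets that accept inbound traffic."""
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers and blank lines
        proto, ip, port, state = m.groups()
        # TCP accepts new connections only when LISTENING; UDP rows have no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        yield proto, ip, int(port)

def audit(netstat_text, cis_installed=False):
    """Return sorted (proto, port, reason) tuples the firewall must cover."""
    findings = set()
    for proto, ip, port in listeners(netstat_text):
        if ip.startswith("127."):
            continue  # loopback-only, not reachable from the network
        if port in ADVISORY_PORTS[proto]:
            findings.add((proto, port, "port named in the advisory"))
        elif cis_installed and proto == "TCP" and port in CIS_PORTS:
            findings.add((proto, port, "CIS / RPC over HTTP"))
        elif port > 1024:
            findings.add((proto, port, "port greater than 1024"))
    return sorted(findings)
```

Pass `cis_installed=True` only on hosts where COM Internet Services or RPC over HTTP is installed, since ports 80 and 443 are otherwise ordinary Web ports.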

Other Information

Resources:

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • November 16, 2005: Advisory published
  • November 18, 2005: Advisory updated to reference a CVE and to clarify that this issue is anonymously exploitable on Windows 2000 Service Pack 4.
