Educause Security Discussion mailing list archives
Re: DHS --> Updated MS Advisory
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Wed, 6 Aug 2003 17:53:33 -0500
I think at this point there have been *many* campuses that have blocked (temporarily or permanently) most if not all MS Networking ports. It will take some behavior changes if users are used to having access to MS shares or Outlook against Exchange (MAPI) from off campus, and in those cases having a tunnel (like VPN) for users would most likely be necessary.

It does not affect OWA, which is port 443 (or port 80 if your email team isn't paying attention to security).

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Barros, Jacob [mailto:jkbarros () GRACE EDU]
Sent: Friday, August 01, 2003 11:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DHS --> Updated MS Advisory

> DHS and Microsoft further suggest that Internet Service Providers and network administrators consider blocking TCP and UDP ports 135, 139, and 445 for inbound connections unless absolutely needed for business or operational purposes.

Can anyone say that they have done this and what are any repercussions you've felt? I might be missing something in my research, but is there any traffic on those ports that I might care about? Will this affect OWA?

Jacob Barros
Grace College and Seminary
574-372-5100

-----Original Message-----
From: Bruhn, Mark S. [mailto:mbruhn () INDIANA EDU]
Sent: Thursday, July 31, 2003 8:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DHS --> Updated MS Advisory

Below, from DHS. (I removed their logo on purpose.)

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Advisory Title: Potential For Significant Impact On Internet Operations Due To Vulnerability In Microsoft Operating Systems (UPDATED)
Original Date: July 24, 2003
Updated: July 30, 2003

SYSTEMS AFFECTED:
Computers using the following operating systems:
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003

OVERVIEW
THIS IS AN UPDATE TO THE DEPARTMENT OF HOMELAND SECURITY (DHS) JULY 24, 2003 ADVISORY ON MICROSOFT OPERATING SYSTEMS.

The DHS/Information Analysis and Infrastructure Protection (IAIP) National Cyber Security Division (NCSD) is issuing this advisory in consultation with the Microsoft Corporation to heighten awareness of potential Internet disruptions resulting from the possible spread of malicious software exploiting a vulnerability in popular Microsoft Windows operating systems. DHS expects that exploits are being developed for malicious use. (UPDATE: SEVERAL WORKING EXPLOITS ARE NOW IN WIDESPREAD DISTRIBUTION ON THE INTERNET. THESE EXPLOITS PROVIDE FULL REMOTE SYSTEM LEVEL ACCESS TO VULNERABLE COMPUTERS.)

Two additional factors are causing heightened interest in this situation: the affected operating systems are in widespread use, and exploitation of the vulnerability could permit the execution of arbitrary code. DHS and Microsoft are concerned that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to Code Red or Slammer. (UPDATE: NO WORM CODE HAS BEEN REPORTED; HOWEVER, AN INTERNET-WIDE INCREASE IN SCANNING FOR VULNERABLE COMPUTERS OVER THE PAST SEVERAL DAYS REINFORCES THE URGENCY FOR UPDATING AFFECTED SYSTEMS.)

IMPACT
The recently announced Remote Procedure Call (RPC) vulnerability in computers running the Microsoft Windows operating systems listed above could be exploited to allow the execution of arbitrary code or could cause a denial of service state in an unprotected computer. Because of the significant percentage of Internet-connected computers running Windows operating systems and using high speed connections (DSL or cable, for example), the potential exists for a worm or virus to propagate rapidly across the Internet carrying payloads that might exploit other known vulnerabilities in switching devices, routers, or servers.

DETAILS
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The vulnerability results from the handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server. An attacker who successfully exploited this vulnerability would be able to run code with local system privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

RECOMMENDATION
Due to the seriousness of the RPC vulnerability, DHS and Microsoft encourage system administrators and computer owners to take this opportunity to update vulnerable versions of Microsoft Windows operating systems as soon as possible. Microsoft updates, workarounds, and additional information are available at <http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>

DHS and Microsoft further suggest that Internet Service Providers and network administrators consider blocking TCP and UDP ports 135, 139, and 445 for inbound connections unless absolutely needed for business or operational purposes.

Advisories recommend the immediate implementation of protective actions, including best practices when available. DHS encourages recipients of this advisory to report information concerning suspicious or criminal activity to law enforcement or a DHS watch office. The DHS Information Analysis and Infrastructure Protection watch offices may be contacted at:

For private citizens and companies -
Phone: (202) 323-3205, 1-888-585-9078
Email: nipc.watch () fbi gov <mailto:nipc.watch () fbi gov>
Online: <http://www.nipc.gov/incident/cirr.htm>

For telecommunications industry -
Phone: (703) 607-4950
Email: ncs () dhs gov <mailto:ncs () ncs gov>

For Federal agencies/departments -
Phone: (888) 282-0870
Email: fedcirc () fedcirc gov <mailto:fedcirc-info () fedcirc gov>
Online: <https://incidentreport.fedcirc.gov>

DHS intends to update this alert should it receive additional relevant information, including information provided to it by the user community. Based on this notification, no change to the Homeland Security Advisory System level (HSAS) is anticipated; the current HSAS level is YELLOW.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
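Jacob's question ("is there any traffic on those ports that I might care about?") and the advisory's note about increased scanning both come down to looking at what actually hits 135/139/445 at the border before you block. The script below is an added example, not part of the thread: it reads constructed iptables-style log lines, tallies which flows an inbound 135/139/445 block would drop versus leave alone (internal-to-internal SMB, port 443 for OWA), and flags external sources fanning out across many internal hosts. The `10.` campus prefix, the key=value log format and the scan threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Ports named in the DHS advisory: RPC endpoint mapper (135), NetBIOS session (139), SMB (445)
MS_NETWORKING_PORTS = {135, 139, 445}
INTERNAL_PREFIX = "10."      # assumed campus address space (constructed for this example)
SCAN_THRESHOLD = 3           # distinct internal hosts probed before a source is called a scanner

# Constructed firewall log lines in an iptables-like key=value form (not real traffic)
SAMPLE_LOG = """
SRC=198.51.100.7 DST=10.0.5.21 PROTO=TCP DPT=135
SRC=198.51.100.7 DST=10.0.5.22 PROTO=TCP DPT=135
SRC=198.51.100.7 DST=10.0.5.23 PROTO=TCP DPT=135
SRC=198.51.100.7 DST=10.0.5.24 PROTO=TCP DPT=135
SRC=203.0.113.9 DST=10.0.7.1 PROTO=TCP DPT=445
SRC=203.0.113.9 DST=10.0.7.1 PROTO=UDP DPT=139
SRC=203.0.113.50 DST=10.0.9.5 PROTO=TCP DPT=443
SRC=10.0.3.14 DST=10.0.7.1 PROTO=TCP DPT=445
SRC=10.0.3.15 DST=10.0.7.1 PROTO=TCP DPT=139
"""

FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples; lines that do not match are skipped."""
    for m in FLOW_RE.finditer(text):
        src, dst, proto, dport = m.groups()
        yield src, dst, proto, int(dport)

def assess_block_policy(text):
    """Count flows an inbound 135/139/445 block would drop, flows it leaves alone,
    and list external sources whose fan-out on those ports looks like scanning."""
    dropped = 0                  # external -> internal on an MS networking port
    internal = 0                 # internal -> internal on those ports: a border filter ignores these
    unaffected = 0               # any other port, e.g. 443 for OWA
    targets = defaultdict(set)   # external source -> distinct internal hosts it reached
    for src, dst, proto, dport in parse_flows(text):
        if dport not in MS_NETWORKING_PORTS:
            unaffected += 1
        elif src.startswith(INTERNAL_PREFIX):
            internal += 1
        else:
            dropped += 1
            targets[src].add(dst)
    scanners = sorted(s for s, hosts in targets.items() if len(hosts) >= SCAN_THRESHOLD)
    return {"dropped": dropped, "internal": internal,
            "unaffected": unaffected, "scanners": scanners}

if __name__ == "__main__":
    print(assess_block_policy(SAMPLE_LOG))
```

Run it against a day of real border logs instead of `SAMPLE_LOG` to see whether anything legitimate would be dropped before turning the block on.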