Microsoft Security Bulletin MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution
Update to Advisory AV08-080
Date: 29 October 2008
AV08-080 was released on October 23 to bring attention to a serious vulnerability in Microsoft Server Service affecting all supported versions of Windows, which could allow remote code execution with SYSTEM-level privileges.
This update provides additional mitigation information and highlights that exploitation of this vulnerability is being reported by Microsoft and the Internet security community. Reports indicate that this issue is being exploited by “Trojan.Gimmiv.A”. Microsoft and some antivirus vendors have developed detection signatures for both the exploit and the associated Trojan. An exploit module has also been included in the Metasploit framework.
CCIRC recommends that administrators place a high priority on the testing and deployment of the MS08-067 security update.
Additionally, system administrators should check the availability of detection signatures of both the exploit and the associated Trojan with their antivirus vendors. SNORT IDS signatures are publicly available, which could be adapted for your intrusion detection appliances.
Open source references:
Microsoft:
Antivirus vendors:
IDS signatures:
Other references:
Please see the original CCIRC advisory below for more information, as well as the URL for the vendor security bulletin.
Number: AV08-080
Date: 23 October 2008
Purpose
The purpose of this advisory is to bring attention to a critical patch released by Microsoft to address a server service vulnerability that could allow for remote code execution.
Assessment
This security update resolves a privately reported vulnerability in the Server service by correcting the way that the Server service handles remote procedure call (RPC) requests. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. An attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 1 - Consistent exploit code likely
CVE reference: CVE-2008-4250
Note: Default firewall configurations alone are not enough to mitigate against this threat as it has been determined that the RPC endpoint is reachable, and therefore exploitable, if the firewall is disabled or if the firewall is enabled with file/printer sharing also being enabled.
Suggested action
CCIRC recommends that administrators test and install the updates at the earliest opportunity.
References:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca