| Notification Type: |
IBM Internet Security Systems Protection Alert |
| Notification Date: |
October 23, 2008 |
| Notification Version: |
1.4 |
| |
|
| Name: |
Microsoft Windows Server Service RPC Code Execution |
Public disclosure/
In the wild date: |
October 22, 2008 |
| Aliases: |
MS08-067, gimmiv, conficker |
| CVE: |
CVE-2008-4250 |
| Description: |
Microsoft Windows Server Service could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the Remote Procedure Call (RPC) service.
Although targeted exploitation was reported at the time of vulnerability disclosure, IBM MSS picked up a significant increase in public attacks on Nov. 25, and in Dec. 2008 and Jan 2009, additional activity caused by the Conficker Worm occured. See Technical Details and the link to Conficker in the References section below for more information. |
ISS Coverage |
| Product |
Content Version |
Proventia Network IDS
Proventia Network IPS
Proventia Network MFS
Proventia Server (Linux)
RealSecure Network
RealSecure Server Sensor |
28.160 |
Proventia Desktop
Proventia Server IPS (Windows) |
2300 |
|
| Propagation Techniques |
ISS Protection |
Available |
|
remote exploit
malware (Gimmiv) |
MSRPC_Srvsvc_Bo
MSRPC_Srvsvc_Path_Bo
IPS signatures above and...
Mal/Generic-A (Sophos)
Troj/Gimmiv-A (Sophos)
Troj/Gimmiv-B (Sophos)
Win32.Worm.Gimmiv.A (BitDefender) |
Aug 8, 2006
Oct 27, 2008
Jan 29, 2008
Oct 23, 2008
Oct 27, 2008
Oct 23, 2008
| * Pre-emptive coverage for this issue was provided by MSRPC_Srvsvc_Bo (released Aug. 2006). MSRPC_Srvsvc_Path_Bo will identify attacks against this new vulnerability versus older vulnerabilities covered by the pre-emptive signature, MSRPC_Srvsvc_Bo.
|
|
|
Detailed Description |
| Business Impact: |
Compromise of networks and machines using affected versions of Microsoft Server Service may lead to exposure of confidential information, loss of productivity, and further network compromise. An attacker does not need to entice any kind of user interaction to trigger this vulnerability. For Windows Vista and Windows Server 2008 the attacker must be an authenticated user with access to the target network in order to exploit this vulnerability. |
| CVSS |
Base Score: |
10 |
| |
Access Vector: |
Network |
| Access Complexity: |
Low |
| Authentication: |
None |
| Confidentiality Impact: |
Complete |
| Integrity Impact: |
Complete |
| Availability Impact: |
Complete |
|
|
| Adjusted Temporal Score: |
8.7 |
| |
Exploitability: |
High |
| Remediation Level: |
Official-Fix |
| Report Confidence: |
Confirmed |
| Affected Products: |
For a full list of affected versions, see references below. |
| Technical Description: |
Microsoft Windows Server Service could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the Remote Procedure Call (RPC) service. By sending specially-crafted RPC requests to a vulnerable system, a remote attacker could exploit this vulnerability to execute arbitrary code and gain complete control over the affected system.
In the initial days after vulnerability disclosure, public exploitation was fairly low. Over the weekend (Nov. 22), the number of sources and attacks surpassed the 1k mark. On Mon. (Nov. 24), the number of attacks started growing exponentially, passing the 10k mark by midday on Nov. 25.
|
| Remediation: |
Patches are available for this issue. See References for details. |
|
References |
|
|
Revision History |
| 1.0 |
Initial publication. |
| 1.1 |
Updated coverage information and CVSS. |
| 1.2 |
Updated CVSS exploitability from PoC to High. |
| 1.3 |
Added substantial increase in attack activity. |
| 1.4 |
Added links to Conficker Worm. |
|
|
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
About IBM Internet Security Systems
IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.
|
