November 11, 2003
It has been reported that the Microsoft Windows Workstation service (WKSSVC.DLL) is prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable host. The problem lies in the handling of requests by the Workstation Service: it does not properly bounds-check remotely supplied data, making it possible to overwrite sensitive regions of system memory.
Block external access at the network boundary, unless external parties require the service.
Filter network traffic of questionable integrity at network boundaries. Use ingress and egress filtering to block the entry and exit of prohibited traffic. Since the service binds to a number of ports, including random ports above 1024, it is strongly encouraged that all ports that do not explicitly require remote access be filtered. Filter all traffic destined for internal broadcast addresses. Employ a stateful inspection firewall or application proxy server to ensure that incoming UDP packets with source port 53 are in fact DNS packets and, of those, that only expected replies to internally transmitted DNS queries are allowed in.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Use network intrusion detection systems to monitor networks for anomalous activity and report attempted attacks against network resources.
Disable any services that are not needed.
Systems that do not require remote users to execute commands should disable remote procedure call (RPC) where possible.
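The filtering advice above combines four checks: drop traffic aimed at internal broadcast addresses, admit UDP source-port-53 packets only when they answer a query the inside actually sent, default-deny every port that is not explicitly required (so the service's dynamic ports above 1024 are unreachable), and refuse outbound packets whose source address is not internal. The following added example is not part of the advisory and is not Symantec's, Microsoft's, or Cisco's code; it models that stateful boundary policy in pure Python so the decisions can be traced against a constructed packet sequence. The internal network 192.0.2.0/24, the resolver and peer addresses, and the single explicitly allowed inbound service (TCP 443) are assumptions chosen for the illustration.

```python
"""Toy model of the stateful ingress/egress policy recommended above.

Constructed example, not the advisory's own code. A real deployment
expresses the same rules in the firewall's own language; this model
only makes the decision logic visible and testable.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal network (RFC 5737 documentation range).
INTERNAL = ip_network("192.0.2.0/24")
# Inbound traffic to these destinations is never forwarded.
BROADCAST_DESTS = {str(INTERNAL.broadcast_address), "255.255.255.255"}
# Hypothetical list of services that explicitly require remote access.
ALLOWED_INBOUND_TCP = {443}


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True if arriving from outside the boundary


class StatefulBoundaryFilter:
    def __init__(self) -> None:
        # Outstanding DNS queries: (client ip, client port, resolver ip).
        self.pending_dns: set[tuple[str, int, str]] = set()

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet: "ACCEPT" or "DROP"."""
        return self._ingress(pkt) if pkt.inbound else self._egress(pkt)

    def _egress(self, pkt: Packet) -> str:
        # Egress filtering: nothing leaves with a source we do not own.
        if ip_address(pkt.src) not in INTERNAL:
            return "DROP"
        if pkt.proto == "udp" and pkt.dport == 53:
            # Remember the query so exactly one matching reply may return.
            self.pending_dns.add((pkt.src, pkt.sport, pkt.dst))
        return "ACCEPT"

    def _ingress(self, pkt: Packet) -> str:
        if pkt.dst in BROADCAST_DESTS:
            return "DROP"                    # broadcast-destined traffic
        if pkt.proto == "udp" and pkt.sport == 53:
            key = (pkt.dst, pkt.dport, pkt.src)
            if key in self.pending_dns:
                self.pending_dns.discard(key)  # one query, one reply
                return "ACCEPT"
            return "DROP"                    # unsolicited "DNS" from port 53
        if pkt.proto == "tcp" and pkt.dport in ALLOWED_INBOUND_TCP:
            return "ACCEPT"
        # Default deny covers the service's dynamic ports above 1024.
        return "DROP"


def run_sample() -> list[str]:
    """Push a constructed packet sequence through a fresh filter."""
    f = StatefulBoundaryFilter()
    sample = [
        Packet("udp", "192.0.2.10", 40000, "198.51.100.53", 53, inbound=False),  # DNS query out
        Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40000, inbound=True),   # matching reply
        Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40000, inbound=True),   # replayed reply
        Packet("udp", "203.0.113.7", 53, "192.0.2.20", 1337, inbound=True),      # unsolicited sport 53
        Packet("udp", "203.0.113.7", 5555, "192.0.2.255", 2000, inbound=True),   # broadcast target
        Packet("tcp", "203.0.113.7", 5555, "192.0.2.30", 443, inbound=True),     # allowed service
        Packet("tcp", "203.0.113.7", 5555, "192.0.2.30", 1040, inbound=True),    # dynamic high port
        Packet("tcp", "10.9.8.7", 5555, "203.0.113.7", 80, inbound=False),       # spoofed source out
    ]
    return [f.process(p) for p in sample]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The replayed reply (third packet) is the case that distinguishes a stateful filter from a plain source-port-53 allow rule: once the outstanding query has been consumed, a second packet from the same resolver is dropped, so an unsolicited datagram cannot ride in on port 53 just because it looks like DNS.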
Microsoft has released security advisory MS03-049 to address this issue. Users are strongly advised to obtain fixes, as new attack vectors greatly increase the speed of an attack on a targeted network.
Cisco has released a security advisory detailing affected Cisco products. See the referenced advisory for details on obtaining fixes.
Vulnerability discovery credited to eEye Digital Security. Core Security Technologies has been credited with providing the updated information about the new attack vector of sending a single UDP packet to a broadcast address to exploit all vulnerable systems on a target network.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.