RE: Command Line RPC vulnerability scanner?

["Bojan Zdrnja" <[EMAIL PROTECTED]>]

> -----Original Message-----
> From: Stong, Ian C. (Contractor) [mailto:[EMAIL PROTECTED] 
> Sent: Friday, 1 August 2003 11:33 p.m.
> To: 'Russell Fulton'; Schmehl, Paul L
> Cc: [EMAIL PROTECTED]
> Subject: RE: Command Line RPC vulnerability scanner?
> 
> 
> Hi Russell,
> 
> A possible workaround (depending on your WAN requirements for port 135)
for
> the systems that can't be patched is to simply block port 135 into your
> network.  If you need port 135 to be accessible from certain remote sites
> then allow those specific source/destination address and port pairs
through
> your router or firewall.

This will work well to stop attacks originating from the Internet, but as it
was discussed on another mailing list (Full-disclosure), this is definetly
not sufficient.

I'd like to warn people that port blocking on their perimeter firewalls is
*not* enough (and only a small number of companies can afford *good&
firewalling in internal networks). It is probably just a question of time
when one of the following two will happen:

1) An employee inside your network or with VPN access runs exploit on your
internal network.
2) Worm is written which exploits this vulnerability and enters your network
via employees computer and VPN.
3) Same worm spreads with mass e-mail.

Therefore, I'd consider patching as the only solution against this (nasty)
vulnerability. 


---------------------------------------------------------------------------
----------------------------------------------------------------------------