Outpost Personal Firewall - RDP vulnerability could lead to computer resets
Agnitum Security Advisories
Update:
The vendor has released a patch correcting the vulnerability. Users are advised to download it through the Windows Update service, available at http://windowsupdate.microsoft.com
The temporary workaround of closing the vulnerable TCP port 3389 with a firewall can now be removed.
ASA-03-0507-3: RDP vulnerability could lead to computer resets
Vulnerability summary:
Severity rating: Important
Date Published: July 16, 2005
Software Vendor: Microsoft
Affected Software: Remote Desktop Protocol (RDP)
Affected OS: Windows XP (incl. x64 Edition), Windows Server 2003 (incl. x64 Edition), Windows 2000
Unaffected with:
Vulnerability class: Denial of Service
Status: Patch due
Vulnerability details:
Tech brief:
The vulnerability is caused by an error in Remote Desktop Services. A specially crafted request sent to the Remote Desktop Protocol could crash the host system.
Vendor reference information:
Vendor details pertaining to the problem are available here:
http://www.microsoft.com/technet/security/advisory/904797.mspx
General Mitigating Recommendations:
- Disable Terminal Services or the Remote Desktop feature if they are not required.
- Secure Remote Desktop Connections by using an IPsec policy.
- Secure Remote Desktop Connections by employing a Virtual Private Network (VPN) connection.
How Outpost Firewall PRO protects you:
Outpost Firewall PRO protects your system against this vulnerability through the Global System and Rawsocket Rules feature:
1) Make sure Outpost is not running in Disabled or Allow Most mode.
2) Go to Options > System and click Rules under Global System and Rawsocket rules.
3) Click Add to create the new global rule.
4) Select the Where the specified protocol is, Where the specified direction is, and Where the specified local port is events.
5) In the Rule description field, click on the Undefined keyword next to Where the protocol is and specify the TCP protocol.
6) In the Rule description field, click on the Undefined keyword next to Where the direction is and specify the Inbound connection direction.
7) In the Rule description field, click on the Undefined keyword next to Where the local port is and specify the port number 3389 or select RDP.
8) Finally, in the Select Actions with which the rule will respond field, select Block it, Make rule as High Priority and Ignore Component Control actions.
9) Name the rule appropriately (in the Rule name field) and click OK to save it.
10) You should now see the new rule in the list of global rules.
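To confirm that the rule is in effect, check from a second machine whether TCP port 3389 on the protected host still accepts connections. The script below is an added example, not part of the Agnitum advisory; the function names are illustrative and the host addresses are whatever you pass on the command line.

```python
import errno
import socket
import sys

RDP_PORT = 3389  # the port named in the advisory


def probe(host, port=RDP_PORT, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP connect attempt."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # handshake completed: the port is reachable
    except socket.timeout:
        return "filtered"      # no reply at all: packets are being dropped
    except ConnectionRefusedError:
        return "closed"        # actively refused: nothing listening or rejected
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise                  # name resolution and other errors are not a verdict
    finally:
        sock.close()


def audit(hosts, port=RDP_PORT, timeout=3.0):
    """Probe every host; return (state per host, sorted list of exposed hosts)."""
    results = {host: probe(host, port, timeout) for host in hosts}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    results, exposed = audit(sys.argv[1:])
    for host, state in results.items():
        print(f"{host}:{RDP_PORT} {state}")
    # A non-zero exit status means at least one host still accepts RDP connections.
    sys.exit(1 if exposed else 0)
```

Run it from a different machine than the one being checked, because the rule filters inbound traffic and a local loopback connection may not pass through it. A result of `closed` or `filtered` means the port is not reachable; `open` means the rule is missing, disabled or overridden.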
Disclaimer:
The information in the present advisory is believed to be accurate as of the time of publishing, based on currently available information. Use of the information signifies acceptance for use in an AS IS condition. There are no warranties with regard to this information. Agnitum Ltd. doesn't accept any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on, this information.
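About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes a wide range of Internet and IP-based networking IT products, including communication systems, security, networking and media products. Through its extensive network, points of sale, distributors and partners, Version 2 Limited provides products and services that are widely praised in the market. Its customers come from all industries, including Global 1000 multinational corporations, listed companies, public utilities, government departments, numerous successful small and medium-sized enterprises, and customers from cities across Asia.
If you are interested in the products, please visit the following URLs: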
http://www.version-2.com/op
http://www.version-2.com/nod32op