MS RPC vulnerability is being actively exploited
Many reports show that intruders are actively scanning for and exploiting the latest Microsoft DCOM RPC interface vulnerability.
Publicly available exploits use TCP port 135 to carry out the attack and to open a privileged command shell on another TCP port (commonly TCP port 4444).
Mitigation Procedures
It is highly recommended, as a best practice, to filter the following network services at the network border:
- TCP/135
- UDP/135
- TCP/139
- UDP/139
- TCP/445
- UDP/445
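One way to check that a border filter covers all six entries above, as an added example that is not part of the original advisory. It assumes a Linux border firewall whose rules are exported with iptables-save; the sample ruleset, interface name and addresses are constructed, and the function names are hypothetical.

```python
import re

# Port/protocol pairs the advisory says to filter at the network border.
REQUIRED = {(proto, port) for proto in ("tcp", "udp") for port in (135, 139, 445)}

def expand_ports(spec):
    """Expand an iptables port spec such as '135,137:139' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def blocked_pairs(ruleset, chain="FORWARD"):
    """Return the (proto, port) pairs that DROP/REJECT rules in `chain` cover.

    Rules limited by -s/-d or a negated match are skipped because they only
    filter part of the traffic. Rule order is not modelled (assumption: no
    earlier ACCEPT rule matches these ports).
    """
    blocked = set()
    for line in ruleset.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        if re.search(r"\s(?:-s|-d|!)\s", line):
            continue
        proto = re.search(r"-p (tcp|udp)\b", line)
        dports = re.search(r"--dports? (\S+)", line)
        if proto and dports and re.search(r"-j (?:DROP|REJECT)\b", line):
            blocked |= {(proto.group(1), p) for p in expand_ports(dports.group(1))}
    return blocked

def missing_filters(ruleset, chain="FORWARD"):
    """List required services, as 'TCP/135' style strings, that are not filtered."""
    gaps = sorted(REQUIRED - blocked_pairs(ruleset, chain))
    return [f"{proto.upper()}/{port}" for proto, port in gaps]

# Constructed sample: UDP/445 is only dropped for a single source host.
SAMPLE_RULES = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -p tcp -m multiport --dports 135,139,445 -j DROP
-A FORWARD -i eth0 -p udp -m udp --dport 135:139 -j DROP
-A FORWARD -s 203.0.113.7/32 -p udp -m udp --dport 445 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print("Not filtered at the border:", missing_filters(SAMPLE_RULES) or "none")
```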
Fix
You should apply the Microsoft hotfix described in the MS03-026 security bulletin. Some customers have reported being vulnerable to a DoS attack even with the official patch applied. Microsoft is still investigating the issue; meanwhile, you should apply the TCP filter recommendation to avoid attacks from your network perimeter.