Check Point Advisories

Security Best Practice: Protect Yourself from MS-RPC and DCE-RPC Vulnerabilities

Check Point Reference: SBP-2009-29
Date Published: 1 Mar 2009
Severity: High
Last Updated: Thursday 01 January, 2009
Source: IPS Research Center
Protection Provided by:
Who is Vulnerable? Computers and Networks
Vulnerability Description: DCE/RPC stands for "Distributed Computing Environment / Remote Procedure Calls". It is a Remote Procedure Call system that allows software to work across multiple computers, as if it were all working on the same computer. This system allows programmers to write distributed software without having to worry about the underlying network code.
Microsoft RPC (Microsoft Remote Procedure Call) is a modified version of DCE/RPC. Additions include support for Unicode strings, implicit handles, inheritance of interfaces, and complex calculations in the variable-length string and structure paradigms already present in DCE/RPC.
Vulnerability Details: IPS offers several MS-RPC and DCE-RPC protections:

MS-RPC - General Settings
Unauthenticated MS-RPC traffic may lead to malicious attacks on the target host.
There are a variety of malicious attacks that can be performed using the DCE-RPC protocol, exploiting DCE-RPC services.
By enabling the ‘Drop unauthenticated DCE-RPC traffic’ option, unauthenticated MS-RPC traffic is blocked.
By enabling the ‘Block MS-RPC On All TCP High Ports’ option, all MS-RPC protections are enforced on TCP high ports, not only for the two specific TCP ports used by the CIFS protocol (139 and 445).

MS-RPC Programs Lookup
The MS-RPC Programs Lookup operation can be used to query the End Point Mapper to obtain all UUIDs and their port numbers. This information can be used to exploit the system. 

Non Standard MS-RPC Message Types
The DCE-RPC protocol has message type values ranging from 0 to 19. This protection blocks messages with an invalid message type.

Non Compliant MS-RPC
The DCE-RPC protocol over TCP has a Major Version 5 and a Minor Version 0 or 1. This protection blocks messages with a non compliant Major or Minor Version.
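
The two header checks described above (message type 0 to 19, Major Version 5 with Minor Version 0 or 1) can be reproduced against the 16-byte connection-oriented DCE/RPC common header. The following is an added example, not Check Point's implementation; the names `check_header` and `build_header` are hypothetical, the sample headers are constructed, and the `frag_length` sanity check is an extra assumption that does not come from this advisory.

```python
import struct

HEADER_LEN = 16          # rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id
MAX_PTYPE = 19           # advisory: message types range from 0 to 19
VALID_MAJOR = 5          # advisory: Major Version 5
VALID_MINORS = (0, 1)    # advisory: Minor Version 0 or 1


def check_header(pdu: bytes) -> list:
    """Return the violations found in one PDU header (empty list = compliant)."""
    if len(pdu) < HEADER_LEN:
        return ["truncated header"]
    major, minor, ptype, _flags = struct.unpack_from("4B", pdu, 0)
    # Integer byte order lives in the high nibble of drep[0]: 1 = little-endian, 0 = big-endian.
    endian = "<" if (pdu[4] >> 4) == 1 else ">"
    frag_len, _auth_len, _call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    problems = []
    if major != VALID_MAJOR:
        problems.append(f"non-compliant major version {major}")
    if minor not in VALID_MINORS:
        problems.append(f"non-compliant minor version {minor}")
    if ptype > MAX_PTYPE:
        problems.append(f"invalid message type {ptype}")
    # Extra check (assumption, not from the advisory): frag_length counts the header itself.
    if frag_len < HEADER_LEN:
        problems.append(f"frag_length {frag_len} shorter than header")
    return problems


def build_header(major=5, minor=0, ptype=11, frag_len=72, little_endian=True):
    """Build a sample header (constructed test data, not captured traffic)."""
    drep0 = 0x10 if little_endian else 0x00
    endian = "<" if little_endian else ">"
    return (struct.pack("4B", major, minor, ptype, 0x03)
            + bytes([drep0, 0, 0, 0])
            + struct.pack(endian + "HHI", frag_len, 0, 1))


if __name__ == "__main__":
    samples = {
        "bind, v5.0": build_header(),
        "ptype 20": build_header(ptype=20),
        "v4.2": build_header(major=4, minor=2),
        "two bytes only": b"\x05\x00",
    }
    for name, pdu in samples.items():
        print(f"{name}: {check_header(pdu) or 'compliant'}")
```
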

Protection Overview
