RPC call with suspicious credentials (RPC_Suspicious_Host_Credentials)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, RealSecure Desktop Protector, BlackICE Server Protection, BlackICE PC Protection, RealSecure Sentry, RealSecure Guard, BlackICE Agent for Server, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Server IPS for Linux technology, Proventia Network IPS, RealSecure Desktop Protector 3.6, Virtual Server Protection for Vmware:

This signature detects a suspicious computer name in the credentials of an RPC request. With AUTH_SYS (also called AUTH_UNIX) credentials, the credential body carries a machine name that the client fills in itself and that the server cannot verify. Suspicious credentials might, for example, carry the name "localhost" in an attempt to convince the server that a remote request was actually local.


False positives

RealSecure Network, RealSecure Server Sensor, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Server IPS for Linux technology, Proventia Network IPS, Virtual Server Protection for Vmware: Currently untestable

Default risk level

Medium

Sensors that have this signature

RealSecure Network: 7.0, RealSecure Server Sensor: 7.0, RealSecure Desktop Protector: 3.6, BlackICE Server Protection: 3.6.cbd, BlackICE PC Protection: 3.6.cbd, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, BlackICE Agent for Server: 3.6, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: 1.0, Proventia Desktop: 8.0.614.1, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, Virtual Server Protection for Vmware: 1.0

Systems affected

Various vendors: Any application; Various vendors: RPC Portmapper

Type

Suspicious Activity

Vulnerability description

RPC (Remote Procedure Call) credentials have been supplied to the server that look suspicious, which could indicate an attempt by a remote attacker to bypass security checks. When authenticating with an RPC server using the AUTH_SYS (AUTH_UNIX) flavor defined in RFC 1831, the client supplies an authsys_parms structure containing a timestamp, the caller's machine name, a uid, a gid and a list of supplementary gids. None of these fields is verified by the protocol; they are whatever the client chose to send. A client might therefore set the machine name to "localhost" in an attempt to convince the server that the remote request was actually local, and a server that bases access decisions on that name can be tricked.
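The following is an added example, not code from the ISS signature or from any listed product, of what such a check looks like in practice: it builds a constructed RPC v2 CALL message with AUTH_SYS credentials (the layout follows RFC 1831, which the page cites), parses the header and the authsys_parms credential body, and flags a loopback machine name asserted by a non-loopback source. The watch-list of names, the source-address argument and the sample messages are assumptions chosen for illustration; the RFC limits on machine-name length and gid count are real and are checked as well.

```python
import struct

# ONC RPC v2 constants from RFC 1831.
MSG_CALL = 0
RPC_VERSION = 2
AUTH_NONE = 0
AUTH_SYS = 1            # AUTH_UNIX in older texts
MAX_MACHINENAME = 255   # string machinename<255> in authsys_parms
MAX_GIDS = 16           # unsigned int gids<16> in authsys_parms

# Hypothetical watch-list (assumption, not from the signature): names a remote
# client has no business asserting. Add the server's own hostname(s) in practice.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque/string: 4-byte length, bytes, zero pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def build_rpc_call(xid, prog, vers, proc, machinename, uid=0, gid=0, gids=(), flavor=AUTH_SYS):
    """Construct a sample RPC CALL message (test input, not captured traffic)."""
    parms = struct.pack(">I", 0x5EED) + xdr_opaque(machinename.encode())   # stamp, machinename
    parms += struct.pack(">II", uid, gid)
    parms += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    cred = struct.pack(">I", flavor) + xdr_opaque(parms if flavor == AUTH_SYS else b"")
    verf = struct.pack(">II", AUTH_NONE, 0)
    header = struct.pack(">6I", xid, MSG_CALL, RPC_VERSION, prog, vers, proc)
    return header + cred + verf


class XdrReader:
    """Minimal big-endian XDR reader with bounds checking."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def u32(self) -> int:
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated RPC message")
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def opaque(self) -> bytes:
        n = self.u32()
        if self.pos + n > len(self.buf):
            raise ValueError("XDR length exceeds message")
        data = self.buf[self.pos:self.pos + n]
        self.pos += n + (-n) % 4          # skip the zero padding too
        return data


def parse_call(msg: bytes) -> dict:
    """Parse the RPC CALL header and, for AUTH_SYS, the authsys_parms credential body."""
    r = XdrReader(msg)
    call = dict(zip(("xid", "msg_type", "rpcvers", "prog", "vers", "proc"),
                    [r.u32() for _ in range(6)]))
    if call["msg_type"] != MSG_CALL or call["rpcvers"] != RPC_VERSION:
        raise ValueError("not an RPC v2 CALL")
    call["cred_flavor"] = r.u32()
    body = r.opaque()                      # opaque_auth body (verifier follows; not needed here)
    if call["cred_flavor"] == AUTH_SYS:
        c = XdrReader(body)
        call["stamp"] = c.u32()
        call["machinename"] = c.opaque()
        call["uid"], call["gid"] = c.u32(), c.u32()
        call["gids"] = [c.u32() for _ in range(c.u32())]
    return call


def suspicious_credentials(msg: bytes, src_ip: str) -> list:
    """Return the reasons an AUTH_SYS credential looks suspicious ([] if none)."""
    call = parse_call(msg)
    if call["cred_flavor"] != AUTH_SYS:
        return []
    findings = []
    raw = call["machinename"]
    name = raw.decode("ascii", "replace").strip().lower()
    if len(raw) > MAX_MACHINENAME:
        findings.append("machinename exceeds the RFC 1831 limit of 255 bytes")
    if len(call["gids"]) > MAX_GIDS:
        findings.append("more than 16 supplementary gids")
    if name == "":
        findings.append("empty machinename")
    elif name in LOOPBACK_NAMES and src_ip not in LOOPBACK_ADDRS:
        findings.append(f"remote source {src_ip} asserts loopback machinename {name!r}")
    return findings


if __name__ == "__main__":
    sample = build_rpc_call(0x1234, 100003, 3, 1, "localhost", gids=(0,))
    print(suspicious_credentials(sample, "10.0.0.5"))
```

The source address has to come from the transport (the IP header of the captured packet), never from the credential itself; that is what makes the loopback-name check meaningful. The parser raises on truncated or over-long XDR lengths rather than slicing past the buffer, which is the usual failure mode when a sensor is fed malformed RPC.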

How to remove this vulnerability

Ensure that your personal firewall, operating system, and programs are up-to-date in order to minimize the threat of a system compromise. Because the machine name, uid and gid in AUTH_SYS credentials are asserted by the client and never verified by the protocol, do not let an RPC service base access decisions on them; restrict which hosts can reach RPC services with network-level access controls and, where the service supports it, use an authenticated flavor such as RPCSEC_GSS instead.

References

Request for Comment document RFC 1831
RPC: Remote Procedure Call Protocol Specification Version 2
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1831.html

ISS X-Force
RPC call with suspicious credentials
http://www.iss.net/security_center/static/8491.php