RealSecure Network, RealSecure Desktop Protector, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Sentry, RealSecure Guard, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier:
This signature detects a suspicious computer name in the credentials of an RPC request. For example, suspicious credentials might include the name "localhost" in an attempt to convince the server that the remote request was actually local.
Medium
RealSecure Network: 7.0, RealSecure Desktop Protector: 3.6, BlackICE Agent for Server: 3.6, RealSecure Server Sensor: 7.0, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, BlackICE PC Protection: 3.6.cbd, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cbd, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: baseline, Proventia Network MFS: 1.0, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, RealSecure Desktop: baseline
Various vendors Any application, Various vendors RPC Portmapper
Suspicious Activity
Suspicious-looking RPC (Remote Procedure Call) credentials have been supplied to the server, which could indicate an attempt by a remote attacker to bypass security checks. When authenticating with the RPC server, the client may provide credentials that include the caller's computer name. For example, some of these credentials might include the name "localhost" in an attempt to convince the server that the remote request was actually local.
Ensure that your personal firewall, operating system, and programs are up-to-date in order to minimize the threat of a system compromise.
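The check described above can be sketched as follows. This is an added example, not the ISS signature logic: it parses an RFC 1831 version 2 call message, pulls the machinename out of an AUTH_SYS credential, and flags a loopback-style name arriving from a non-loopback source. It assumes the input is a UDP payload (or a TCP record with the record mark already stripped); the function names, the name list and the sample packet builder are constructed for illustration.

```python
import ipaddress
import struct

AUTH_SYS = 1  # RFC 1831 appendix A: this credential flavor carries a machinename
# Assumption: the name list is illustrative; the page itself only names "localhost".
SUSPICIOUS_NAMES = {"localhost", "localhost.localdomain"}

def xdr_opaque(buf, off, limit):
    """Read one XDR variable-length field; return (data, offset after padding)."""
    if off + 4 > len(buf):
        raise ValueError("truncated XDR length")
    (n,) = struct.unpack_from(">I", buf, off)
    if n > limit or off + 4 + n > len(buf):
        raise ValueError("bad XDR length")
    return buf[off + 4:off + 4 + n], off + 4 + n + (-n % 4)

def machinename(pkt):
    """Machinename from the AUTH_SYS credential of an RPC v2 call, else None."""
    if len(pkt) < 28:
        return None
    _xid, mtype, rpcvers, _prog, _vers, _proc, flavor = struct.unpack_from(">7I", pkt)
    if mtype != 0 or rpcvers != 2 or flavor != AUTH_SYS:  # 0 = CALL
        return None
    try:
        body, _ = xdr_opaque(pkt, 28, 400)   # opaque_auth body is at most 400 bytes
        name, _ = xdr_opaque(body, 4, 255)   # skip the 4-byte stamp
    except ValueError:
        return None
    return name.decode("ascii", "replace")

def is_suspicious(pkt, src_ip):
    """True when a non-loopback sender claims a loopback-style machinename."""
    name = machinename(pkt)
    if name is None or ipaddress.ip_address(src_ip).is_loopback:
        return False
    return name.strip().lower().rstrip(".") in SUSPICIOUS_NAMES

def build_call(name):
    """Constructed sample: a NULL call to program 100000 (portmapper) with AUTH_SYS."""
    raw = name.encode("ascii")
    cred = struct.pack(">2I", 0, len(raw)) + raw + b"\0" * (-len(raw) % 4)
    cred += struct.pack(">3I", 0, 0, 0)      # uid, gid, zero supplementary gids
    head = struct.pack(">7I", 1, 0, 2, 100000, 2, 0, AUTH_SYS)
    return head + struct.pack(">I", len(cred)) + cred + struct.pack(">2I", 0, 0)
```

The machinename in this credential flavor is supplied by the caller and is not verified by the protocol, so a server should not base a local-versus-remote decision on it.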
Request for Comment document RFC 1831
RPC: Remote Procedure Call Protocol Specification Version 2
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1831.html
ISS X-Force
RPC call with suspicious credentials
http://www.iss.net/security_center/static/8491.php