All Forums
 Microsoft Windows CE
 General CE
 Port Scans, CE Security
 Forum Locked
 Send Topic to a Friend
 Printer Friendly
Author Topic  

3963

85 Posts

Posted - 21 Jan 2005 :  11:52:15  Show Profile  Email Poster
So, in testing a release of our product that uses the VGX, I ran a port scan using, among others, the "Tenable NeWT" tool (freely available via Nessus.org), a standard security evaluation utility. I had already disabled the telnet, ftp, and http servers.

It found a 'high' risk factor on tcp port 135 (epmap):

"The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one Worm which is
currently exploiting this vulnerability. Namely, the MsBlaster worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011"

It also has a complaint about general tcp handling:

"The remote host does not discard TCP SYN packets which have the FIN flag set. Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium"

It identified the OS as Windows NT 4.0, which may be a problem for us as we have customers who are opposed to any windows desktop SW in their networks (and they run port scanners on all new equipment).

It also had the following to say about ICMP:

"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524"

Has anyone else looked into this? The port 135/epmap issue is my main concern here -- the Microsoft link doesn't mention CE as being effected, but, hey, it's a big company.

Edited by - 3963 on 21 Jan 2005 11:53:12

akidder

1519 Posts

Posted - 21 Jan 2005 :  18:46:17  Show Profile  Email Poster
Interesting questions. Not sure if these issues create vulnerabilities for CE boxes, but we'll look into it and see what we find.
Go to Top of Page

Khor

10 Posts

Posted - 28 Jan 2005 :  17:12:59  Show Profile  Email Poster
By turning on the firewall on Windows CE, port 135 will be blocked. ICMP timestamp requests (13) will be ignored as well. You can turn on the firewall by setting the following registry keys:


;---------------------------------------------------
; Firewall setting
; Turn on firewall by setting dword:1
; Turn off firewall byt setting dword:0
;
; Here is the example of turning both IPV4 and IPv6 firewall on
;---------------------------------------------------

[HKEY_LOCAL_MACHINE\Comm\Firewall]
"EnableIPV4"=dword:1 ; Enable ipv4 firewall
"EnableIPV6"=dword:1 ; Enable ipv6 firewall



For further information regarding firewall for Windows CE, please see the following topics on MSDN:

CE .NET (4.x) firewall, registry settings
CE 5.0 firewall


Edited by akidder 29-Mar-2005: Add CE.NET links to MSDN.
Go to Top of Page
  Topic  
 Forum Locked
 Send Topic to a Friend
 Printer Friendly
Jump To:
Eurotech Support Forums © Eurotech Inc. Go To Top Of Page
This page was generated in 0.03 seconds. Snitz Forums 2000