3963
85 Posts
Posted - 21 Jan 2005 : 11:52:15
So, in testing a release of our product that uses the VGX, I ran a port scan using, among others, the "Tenable NeWT" tool (freely available via Nessus.org), a standard security evaluation utility. I had already disabled the telnet, ftp, and http servers.
It found a 'high' risk factor on tcp port 135 (epmap):
"The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one Worm which is currently exploiting this vulnerability. Namely, the MsBlaster worm.
Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011"
It also has a complaint about general tcp handling:
"The remote host does not discard TCP SYN packets which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium"
It identified the OS as Windows NT 4.0, which may be a problem for us as we have customers who are opposed to any Windows desktop SW in their networks (and they run port scanners on all new equipment).
It also had the following to say about ICMP:
"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524"
Has anyone else looked into this? The port 135/epmap issue is my main concern here -- the Microsoft link doesn't mention CE as being affected, but, hey, it's a big company.
Edited by - 3963 on 21 Jan 2005 11:53:12
akidder
1519 Posts
Posted - 21 Jan 2005 : 18:46:17
Interesting questions. Not sure if these issues create vulnerabilities for CE boxes, but we'll look into it and see what we find.
Khor
10 Posts
Posted - 28 Jan 2005 : 17:12:59
By turning on the firewall on Windows CE, port 135 will be blocked. ICMP timestamp requests (13) will be ignored as well. You can turn on the firewall by setting the following registry keys:
;---------------------------------------------------
; Firewall setting
; Turn on firewall by setting dword:1
; Turn off firewall by setting dword:0
;
; Here is the example of turning both IPV4 and IPv6 firewall on
;---------------------------------------------------
[HKEY_LOCAL_MACHINE\Comm\Firewall]
"EnableIPV4"=dword:1 ; Enable ipv4 firewall
"EnableIPV6"=dword:1 ; Enable ipv6 firewall
For further information regarding firewall for Windows CE, please see the following topics on MSDN:
CE .NET (4.x) firewall, registry settings CE 5.0 firewall
Edited by akidder 29-Mar-2005: Add CE.NET links to MSDN.
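An added example, not part of the thread and not vendor tooling: a Python check that registry source text in the .reg syntax posted above sets both firewall values to 1 before an image ships. The function names and the sample text are constructed, and treating a later line as overriding an earlier one for the same value is an assumption.

```python
import re

FIREWALL_KEY = r"HKEY_LOCAL_MACHINE\Comm\Firewall"
REQUIRED = ("EnableIPV4", "EnableIPV6")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]")
DWORD_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9A-Fa-f]{1,8})\s*(?:;.*)?$')

def parse_dwords(reg_text):
    """Return {key_path_lower: {value_name_lower: int}} for every dword value."""
    values, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or full-line comment
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group("key").strip().lower()
            values.setdefault(current, {})
            continue
        dword = DWORD_RE.match(line)
        if dword and current is not None:
            # dword data is hexadecimal; assumption: a later line overrides an earlier one
            values[current][dword.group("name").lower()] = int(dword.group("hex"), 16)
    return values

def audit_firewall(reg_text):
    """Return a list of findings; an empty list means both firewalls are enabled."""
    settings = parse_dwords(reg_text).get(FIREWALL_KEY.lower(), {})
    findings = []
    for name in REQUIRED:
        value = settings.get(name.lower())
        if value is None:
            findings.append(f"{name} is not set under [{FIREWALL_KEY}]")
        elif value != 1:
            findings.append(f"{name} is dword:{value:x}, expected dword:1")
    return findings

# Constructed sample: both values enabled, then IPv6 switched off further down.
SAMPLE = r'''
; Firewall setting
[HKEY_LOCAL_MACHINE\Comm\Firewall]
"EnableIPV4"=dword:1 ; Enable ipv4 firewall
"EnableIPV6"=dword:1 ; Enable ipv6 firewall
"EnableIPV6"=dword:0
'''

if __name__ == "__main__":
    print(audit_firewall(SAMPLE) or "firewall enabled for IPv4 and IPv6")
```

A clean registry source is only half the check: rescanning the running device should show port 135 no longer answering and ICMP timestamp requests ignored.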