GSM is able to enumerate several services along with their corresponding port(s), typically in the 49xxx range, on multiple devices. GSM recommends filtering incoming traffic to port 135. In trying to mitigate/decrease our attack surface, what is the accepted/best practice course of action in this case?
I should also mention that I’ve set DFS Management (DCOM-In) on port 135 to “Allow if secure” in Windows Firewall. However, subsequent scans still turn up the vulnerability. The scanner is running on a trusted local domain.
Thank you for your reply. The services in question are already up to date and only accessible on the same internal subnet as the GSM scanner (no access from the Internet and our local network is segmented). It’s beginning to seem like this may be an “ignore/informational only” situation.