

A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An anonymous attacker could exploit the vulnerability by sending a specially crafted RPC authentication request to a computer over the network.


An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.

Technical details (analysis)

To complete any remote procedure call, all distributed applications must create a binding between the client and the server. Microsoft RPC provides multiple levels of authentication. Depending on the authentication level, the origin of the traffic (which security principal sent the traffic) can be verified when the connection is established, when the client starts a new remote procedure call, or during each packet exchange between the client and server. A vulnerability exists in RPCSS when handling an NTLMSSP null session followed by a request of a differing authentication level, which results in an integer underflow that corrupts heap memory and will crash the RPCSS service.
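The authentication level described above is carried in the 8-byte security trailer of each connection-oriented DCE/RPC PDU. The following is an added example, not code from the original page and not the logic of the NIS signature: it parses that trailer and, as an assumed heuristic based on the description above, reports requests whose level differs from the one their NTLMSSP context was bound with. The function names and the sample PDUs are constructed for illustration.

```python
import struct

# Connection-oriented DCE/RPC constants (DCE 1.1 RPC / MS-RPCE)
PT_REQUEST, PT_BIND, PT_ALTER_CONTEXT = 0, 11, 14
AUTH_NTLMSSP = 10   # auth_type value for NTLMSSP (RPC_C_AUTHN_WINNT)
LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}

def parse_pdu(buf):
    """Return (ptype, auth_type, auth_level, auth_context_id); auth fields are None if absent."""
    if len(buf) < 16 or buf[0] != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    order = "<" if buf[4] & 0xF0 == 0x10 else ">"      # drep byte 0: 0x10 = little-endian
    frag_len, auth_len = struct.unpack_from(order + "HH", buf, 8)
    if frag_len != len(buf):
        raise ValueError("frag_length does not match the PDU size")
    if auth_len == 0:
        return buf[2], None, None, None
    trailer = frag_len - auth_len - 8                   # 8-byte sec_trailer precedes auth_value
    if trailer < 16:                                    # lengths must not reach back into the header
        raise ValueError("auth_length is larger than the fragment allows")
    (ctx_id,) = struct.unpack_from(order + "I", buf, trailer + 4)
    return buf[2], buf[trailer], buf[trailer + 1], ctx_id

def audit_connection(pdus):
    """Report requests whose auth level differs from the one their NTLMSSP context was bound with."""
    bound, findings = {}, []
    for index, raw in enumerate(pdus):
        ptype, auth_type, level, ctx_id = parse_pdu(raw)
        if auth_type != AUTH_NTLMSSP:
            continue
        if ptype in (PT_BIND, PT_ALTER_CONTEXT):
            bound[ctx_id] = level
        elif ptype == PT_REQUEST and ctx_id in bound and level != bound[ctx_id]:
            findings.append((index, LEVELS.get(bound[ctx_id], "?"), LEVELS.get(level, "?")))
    return findings

def sample_pdu(ptype, level, body=b""):
    """Constructed test input: header + body + sec_trailer + 16 placeholder auth bytes."""
    auth_value = bytes(16)
    frag_len = 16 + len(body) + 8 + len(auth_value)
    header = bytes([5, 0, ptype, 3, 0x10, 0, 0, 0]) + struct.pack("<HHI", frag_len, len(auth_value), 1)
    return header + body + bytes([AUTH_NTLMSSP, level, 0, 0]) + struct.pack("<I", 0) + auth_value

# Constructed connections: one consistent, one where the request level changes after the bind.
CONSISTENT = [sample_pdu(PT_BIND, 2), sample_pdu(PT_REQUEST, 2, bytes(8))]
MISMATCH = [sample_pdu(PT_BIND, 2), sample_pdu(PT_REQUEST, 5, bytes(8))]

if __name__ == "__main__":
    print(audit_connection(CONSISTENT), audit_connection(MISMATCH))
```

Each finding is a tuple of the PDU index, the level set at bind time and the level the request declared.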

Affected software

Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003

Non-affected software

Any software not listed under Affected software.



NIS signature

Name: Vulnerability:Win/RPCSS.NTLMSSPAuth.DoS!CVE-2007-2228
Release Date: 2007-10-09T00:00:00

Known false positives

No known false positives at this time.


Block the following at the firewall: UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593; all unsolicited inbound traffic on ports greater than 1024; and any other specifically configured RPC port.
To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as Windows Firewall, which is included with Windows XP and with Windows Server 2003.
To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.
To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.