Hi sccm t
The error you're seeing is related to a legacy vulnerability in LSASRV.DLL - specifically CVE-2006-4691, also referenced in Microsoft Security Bulletin MS06-070. This is a buffer overflow in the NetpManageIPCConnect function of the Workstation service, which can be triggered remotely via crafted RPC packets. Palo Alto's firewall signature flagged this as a critical threat, likely because the communication pattern between your Management Point and Distribution Point matched the exploit signature.
This detection is not necessarily an active attack; it could be a false positive triggered by legitimate SCCM traffic that mimics the exploit pattern. However, to rule out any compromise, you should verify that all systems involved are fully patched beyond the MS06-070 bulletin. That patch was released in 2006, so any modern Windows Server version should already be protected unless you're running legacy systems.
Check the firewall logs for the exact packet and source IP. If the traffic is consistently coming from your Management Point during content distribution or health checks, you can safely create an exception for that signature in your Palo Alto threat profile, but only after confirming the source is clean and the systems are patched.
I hope you've found something useful here. If it helps you get more insight into the issue, accepting the answer is appreciated. Should you have more questions, feel free to leave a message. Have a nice day!
Harry.
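
The log check described in the answer above, as an added example that is not part of the original answer: it groups hits for the flagged signature by flow and separates Management Point to Distribution Point traffic from anything else. The CSV column names, the threat name string, and all IP addresses are constructed assumptions, not the real PAN-OS export schema or the poster's environment.

```python
import csv
import io
from collections import Counter

# Constructed sample: simplified threat-log export. Column names are
# assumptions for this example, not the exact PAN-OS export schema.
SAMPLE_LOG = """\
receive_time,src,dst,dport,threat_name,severity,action
2024-05-01 02:00:11,10.0.1.10,10.0.2.20,445,Workstation Service Overflow (CVE-2006-4691),critical,alert
2024-05-01 02:00:14,10.0.1.10,10.0.2.20,445,Workstation Service Overflow (CVE-2006-4691),critical,alert
2024-05-01 02:05:40,10.0.1.10,10.0.2.21,445,Workstation Service Overflow (CVE-2006-4691),critical,alert
2024-05-01 03:17:02,10.0.9.77,10.0.2.20,445,Workstation Service Overflow (CVE-2006-4691),critical,alert
2024-05-01 03:20:00,10.0.1.10,10.0.2.20,443,Some Other Signature,low,alert
"""

# Hypothetical inventory of SCCM site system addresses.
MANAGEMENT_POINTS = {"10.0.1.10"}
DISTRIBUTION_POINTS = {"10.0.2.20", "10.0.2.21"}


def triage(log_text, cve="CVE-2006-4691"):
    """Count hits for one signature, split into expected MP->DP flows and the rest."""
    expected, unexpected = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if cve not in row["threat_name"]:
            continue  # a different signature, out of scope for this review
        flow = (row["src"], row["dst"], row["dport"])
        if row["src"] in MANAGEMENT_POINTS and row["dst"] in DISTRIBUTION_POINTS:
            expected[flow] += 1
        else:
            unexpected[flow] += 1
    return expected, unexpected


def exception_is_defensible(unexpected):
    """A signature exception is only defensible if no hit came from outside MP->DP traffic."""
    return not unexpected


if __name__ == "__main__":
    ok, other = triage(SAMPLE_LOG)
    for flow, n in ok.items():
        print("expected  ", flow, n)
    for flow, n in other.items():
        print("INVESTIGATE", flow, n)
    print("exception defensible:", exception_is_defensible(other))
```

Any flow listed under INVESTIGATE should be examined before an exception is created, and an exception is better scoped to the specific source and destination addresses than applied to the whole threat profile.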