CERT-In Vulnerability Note CIVN-2008-100
Microsoft Windows DNS Spoofing Vulnerabilities

Original Issue Date: July 10, 2008

Severity Rating: Medium

Systems Affected:

DNS Client

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

DNS Server

  • Microsoft Windows 2000 Server Service Pack 4
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Server 2008 for 32-bit Systems (with server core installation)
  • Windows Server 2008 for x64-based Systems (with server core installation)

Overview

Two vulnerabilities have been reported in the Windows Domain Name System (DNS) that could allow spoofing. These vulnerabilities exist in both the DNS client and the DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.

Description

The Domain Name System (DNS) is part of the industry-standard suite of protocols that comprise TCP/IP. The DNS database contains records that map user-friendly alphanumeric names for network resources to the IP addresses used by those resources for communication. DNS is implemented using two software components: the DNS server and the DNS client (or resolver). Both components run as background service applications.

The DNS caching resolver service saves the responses to DNS queries so that the DNS server is not repeatedly queried for the same information.

1. DNS Insufficient Socket Entropy Vulnerability (CVE-2008-1447)

This vulnerability is due to insufficient socket entropy when performing DNS queries. The Windows DNS service in both the Windows DNS client and the DNS server is affected by this vulnerability.

Successful exploitation of this vulnerability allows an attacker to insert arbitrary addresses into the DNS cache (DNS cache poisoning) and then redirect Internet traffic from legitimate locations to an address of the attacker's choice.
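Socket entropy shows up on the wire as how unpredictable the UDP source port of each outgoing DNS query is, so it can be audited from ports recorded at a network sensor. The following is an added example, not part of the original note or of any Microsoft tooling; the function name, the thresholds and the sample port lists are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

PORT_SPACE = 65536  # UDP ports are 16-bit values


def audit_source_ports(ports):
    """Rate how predictable a resolver's outbound UDP source ports look."""
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two observed queries")
    counts = Counter(ports)
    # Empirical Shannon entropy in bits; a sample of n ports caps it at log2(n).
    entropy = sum(c / n * math.log2(n / c) for c in counts.values())
    # Step between consecutive queries, modulo the port space, to catch
    # counters that look diverse but are trivially predictable.
    deltas = Counter((b - a) % PORT_SPACE for a, b in zip(ports, ports[1:]))
    top_delta_share = deltas.most_common(1)[0][1] / (n - 1)
    # Thresholds are illustrative assumptions, not vendor guidance.
    if len(counts) == 1:
        verdict = "fixed"
    elif top_delta_share >= 0.5:
        verdict = "sequential"
    elif len(counts) / n < 0.9:
        verdict = "small-pool"
    else:
        verdict = "randomized"
    return {"distinct": len(counts), "entropy_bits": round(entropy, 2),
            "top_delta_share": round(top_delta_share, 2), "verdict": verdict}


# Constructed samples (not captured traffic): 40 consecutive source ports each.
SAMPLES = {
    "fixed": [1037] * 40,
    "sequential": list(range(1025, 1065)),
    "small-pool": [1025, 1027, 1026, 1028, 1026, 1025, 1028, 1027] * 5,
    "randomized": random.Random(2008).sample(range(1024, PORT_SPACE), 40),
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(name, audit_source_ports(ports))
```

The sequential sample scores the same entropy as the randomized one, which is why the check also looks at the step between consecutive ports.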

Workaround

  • Use IPsec or SSL/TLS, which may prevent an attacker from being able to monitor or interfere with redirected traffic.

2. DNS Cache Poisoning Vulnerability (CVE-2008-1454)

This vulnerability is due to certain conditions in which the DNS server accepts records from a response that is outside the remote server’s authority. Only Windows DNS servers are affected by this vulnerability.

Successful exploitation of this vulnerability allows an attacker to insert false or misleading DNS data in the response to specific DNS requests, thereby redirecting Internet traffic.

Solution

Apply the appropriate updates as described in Microsoft Security Bulletin MS08-037.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS08-037.mspx

References

Secunia
http://secunia.com/advisories/30925/

SecurityTracker
http://securitytracker.com/alerts/2008/Jul/1020437.html

FrSIRT
http://www.frsirt.com/english/advisories/2008/2019

SecurityFocus
http://www.securityfocus.com/bid/30132

XForce-ISS
http://xforce.iss.net/xforce/xfdb/43334

CVE Name
CVE-2008-1447
CVE-2008-1454

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003