CERT-In Vulnerability Note CIVN-2009-34
Multiple Vulnerabilities in Microsoft Windows DNS Server and WINS Server

Original Issue Date: March 12, 2009

Severity Rating: High

Systems Affected

  • DNS Server Running on
    • Microsoft Windows 2000 Server Service Pack 4
    • Microsoft Windows Server 2003 Service Pack 1
    • Microsoft Windows Server 2003 Service Pack 2
    • Microsoft Windows Server 2003 x64 Edition
    • Microsoft Windows Server 2003 x64 Edition Service Pack 2
    • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
    • Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
    • Microsoft Windows Server 2008 for 32-bit Systems
    • Microsoft Windows Server 2008 for x64-based Systems

Overview

Multiple vulnerabilities have been reported in Microsoft Windows DNS Server and WINS Server which could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's systems.

Description

1. DNS Server WPAD Registration Vulnerability (CVE-2009-0093)

A vulnerability exists in Microsoft Windows DNS Servers which could allow man-in-the-middle attacks. This vulnerability arises where dynamic update is used and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) and Web Proxy Auto-Discovery (WPAD) are not registered in DNS. In that case, Windows DNS Servers do not restrict registration of WPAD hostnames that do not provide a fully-qualified domain name (FQDN). The WPAD feature fails to handle names with more than two domains. An unauthenticated remote attacker could exploit this vulnerability by hijacking the WPAD feature and conducting a man-in-the-middle attack, spoofing a proxy server via a Dynamic Update request for the hostname and redirecting internet traffic to an IP address of the attacker's choice.

Workaround

  • Create a WPAD.DAT Proxy Auto Configuration File on a Host Named WPAD in Your Organization to Direct Web Browsers to Your Organization’s Proxy

2. WPAD WINS Server Registration Vulnerability (CVE-2009-0094)

A vulnerability exists in Microsoft Windows WINS Servers which could allow man-in-the-middle attacks. Successful exploitation of this vulnerability could allow a remote authenticated attacker to spoof a web proxy and redirect internet traffic to an IP address of the attacker's choice.

Workaround

  • Create a WPAD.DAT Proxy Auto Configuration File on a Host Named WPAD in Your Organization to Direct Web Browsers to Your Organization’s Proxy
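
A sample WPAD.DAT for the workaround listed under vulnerabilities 1 and 2, as an added example that is not part of the original CERT-In note. The proxy address and internal DNS suffix are assumed placeholders, and the routing rules are one possible policy:

```javascript
// WPAD.DAT (Proxy Auto Configuration file) served by the host that
// legitimately owns the name "wpad" in the organization.
// Assumed placeholders, not taken from the advisory: PROXY, INTERNAL_SUFFIX.
var PROXY = "PROXY proxy.corp.example:8080";
var INTERNAL_SUFFIX = ".corp.example";

// True when host is a dotted-quad IPv4 literal in loopback or RFC 1918 space.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  var c = parseInt(m[3], 10), d = parseInt(m[4], 10);
  if (a > 255 || b > 255 || c > 255 || d > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point that a PAC-aware browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (no dot) are intranet hosts: connect directly.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Hosts under the organization's own DNS suffix: connect directly.
  // The leading dot keeps look-alikes such as "evilcorp.example" out.
  var tail = host.length - INTERNAL_SUFFIX.length;
  if (tail >= 0 && host.indexOf(INTERNAL_SUFFIX, tail) === tail) return "DIRECT";
  // Private and loopback address literals: connect directly.
  if (isPrivateIPv4(host)) return "DIRECT";
  // Everything else goes through the organization's proxy. No DIRECT
  // fallback is listed, so traffic does not bypass the proxy if it is down.
  return PROXY;
}
```

Only plain string operations are used, so the same file can be checked under Node before it is published on the WPAD host.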

3. DNS Server Query Validation Vulnerability (CVE-2009-0233)

A spoofing vulnerability exists in Microsoft Windows DNS Server. This vulnerability is caused by an error while processing repeated malicious queries. The DNS server does not reuse cached responses for repeated DNS lookups, which may allow a remote attacker to predict future transaction IDs. An unauthenticated remote attacker could exploit this vulnerability by sending a series of malicious DNS requests to the server. Processing these requests could cause the server to store the request in cache, allowing the attacker to insert arbitrary entries into the DNS cache.

4. DNS Server Response Validation Vulnerability (CVE-2009-0234)

A response validation vulnerability exists in Microsoft Windows DNS Server. This vulnerability is caused by an error while handling malformed DNS responses. Processing a malicious DNS response could cause the server to perform a large number of DNS lookups and return a series of transaction IDs to the requester. An attacker could exploit this vulnerability by sending a malicious DNS response to the server and gathering the returned lookups and their transaction IDs to predict future transaction IDs. The attacker could then use the transaction IDs to send further requests that could poison the server's DNS cache.

Note: These vulnerabilities affect Windows Server 2008 installed using the Server Core installation.

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-008

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx

CVE Name
CVE-2009-0093
CVE-2009-0094
CVE-2009-0233
CVE-2009-0234

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003