CERT-MU Vulnerability Note VN-2009-8

Multiple Vulnerabilities in Microsoft Windows DNS Server and WINS Server

Original Issue Date: March 12, 2009

Severity Rating: High

Systems Affected

DNS Server Running on

  • Microsoft Windows 2000 Server Service Pack 4
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 Service Pack 2
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows Server 2003 x64 Edition Service Pack 2
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
  • Microsoft Windows Server 2008 for 32-bit Systems
  • Microsoft Windows Server 2008 for x64-based Systems

Overview

Multiple vulnerabilities have been reported in Microsoft Windows DNS Server and WINS Server which could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.

Description

  • A vulnerability exists in Microsoft Windows DNS Servers which could allow man-in-the-middle attacks. It occurs where dynamic update is used and the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) and Web Proxy Auto-Discovery (WPAD) names are not already registered in DNS: because of this, Windows DNS Servers do not restrict registration of WPAD hostnames that do not provide a fully-qualified domain name (FQDN), and the WPAD feature fails to handle names with more than two domains. An unauthenticated remote attacker could exploit this vulnerability by hijacking the WPAD feature: a Dynamic Update request for the hostname spoofs a proxy server and so allows a man-in-the-middle attack that redirects Internet traffic to an IP address of the attacker's choice.

    Workaround

    • Create a WPAD.DAT Proxy Auto Configuration file on a host named WPAD in your organization to direct web browsers to your organization's proxy.

  • WPAD WINS Server Registration Vulnerability

    A vulnerability exists in Microsoft Windows WINS Servers which could allow man-in-the-middle attacks. Successful exploitation of this vulnerability could allow a remote authenticated attacker to spoof a web proxy and redirect Internet traffic to an IP address of the attacker's choice.

    Workaround

    • Create a WPAD.DAT Proxy Auto Configuration file on a host named WPAD in your organization to direct web browsers to your organization's proxy.

  • DNS Server Query Validation Vulnerability

    A spoofing vulnerability exists in Microsoft Windows DNS Server, caused by an error in processing repeated malicious queries. The DNS server does not reuse cached responses for repeated DNS lookups, which may allow a remote attacker to predict future transaction IDs. An unauthenticated remote attacker could exploit this vulnerability by sending a series of malicious DNS requests to the server; processing these requests could cause the server to store them in its cache, allowing the attacker to insert arbitrary entries into the DNS cache.

  • DNS Server Response Validation Vulnerability

    A response validation vulnerability exists in Microsoft Windows DNS Server, caused by an error in handling malformed DNS responses. Processing a malicious DNS response could cause the server to perform a large number of DNS lookups and return a series of transaction IDs to the requester. An attacker could exploit this vulnerability by sending a malicious DNS response to the server, gathering the returned lookups and their transaction IDs to predict future transaction IDs, and then using those transaction IDs to send further requests that poison the server's DNS cache.

Note: These vulnerabilities also affect Windows Server 2008 installed using the Server Core installation option.
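The workaround above relies on browsers finding a trusted wpad.dat before a spoofed one. The following is an added example of such a Proxy Auto-Configuration file, not a file from the advisory or from Microsoft; the proxy address proxy.corp.example:8080 and the internal DNS suffix .corp.example are constructed placeholders to replace with your own.

```javascript
// Added example: a minimal wpad.dat served from a host named WPAD so that
// browsers auto-discovering a proxy get the organization's file. Proxy and
// domain values are constructed placeholders, not from the advisory.
var ORG_PROXY = "PROXY proxy.corp.example:8080";
var ORG_DOMAIN = ".corp.example";   // assumed internal DNS suffix
var DIRECT = "DIRECT";

// Helpers written in plain JavaScript so the file does not depend on the
// PAC built-ins (dnsDomainIs, isPlainHostName) and can be unit-tested in Node.
function hasSuffix(host, suffix) {
  return host.length >= suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

function isPrivateIPv4(host) {
  // RFC 1918 ranges plus loopback, matched textually; no DNS lookups are made.
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Browsers call this for every request; the return value is the proxy string.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // Unqualified names, the internal suffix and private addresses stay off the proxy.
  if (h.indexOf(".") === -1 || h === "localhost") return DIRECT;
  if (hasSuffix(h, ORG_DOMAIN)) return DIRECT;
  if (isPrivateIPv4(h)) return DIRECT;
  // Everything else goes through the organization's proxy only, with no
  // DIRECT fallback, so a proxy outage does not silently bypass it.
  return ORG_PROXY;
}
```

Publish the file as http://wpad.<your domain>/wpad.dat with the Content-Type application/x-ns-proxy-autoconfig so that WPAD clients accept it.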

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS09-008.

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx


CVE Names
CVE-2009-0093
CVE-2009-0094
CVE-2009-0233
CVE-2009-0234

References

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=14683
http://tools.cisco.com/security/center/viewAlert.x?alertId=12945
http://tools.cisco.com/security/center/viewAlert.x?alertId=17742
http://tools.cisco.com/security/center/viewAlert.x?alertId=17743
