MS-ISAC ADVISORY NUMBER:
2007-009 Updated
DATE(S) ISSUED:
04/16/2007
04/20/2007 - Updated
5/8/2007 - Updated
SUBJECT:
Microsoft Windows Domain Name System Service Remote Procedure Call Interface Vulnerability
ORIGINAL OVERVIEW:
A new unpatched vulnerability in the Microsoft Windows DNS Server Service could allow a remote or local attacker to take complete control of the affected system. This service typically runs on Microsoft Active Directory Domain Controllers; exploiting it there could compromise the entire domain.
This vulnerability has the potential to be used in new worms or worm variants and should be addressed as soon as possible.
APRIL 20 UPDATED INFORMATION:
Microsoft has updated its advisory to include new attack vectors for
this vulnerability.
MAY 08 UPDATED INFORMATION:
Microsoft has released security bulletin MS07-029, which provides a patch for this vulnerability.
SYSTEMS AFFECTED:
- Microsoft Small Business Server 2000
- Microsoft Small Business Server 2003
- Microsoft Small Business Server 2003 Premium Edition
- Microsoft Windows 2000 Server SP4
- Microsoft Windows Server 2003 SP1
- Microsoft Windows Server 2003 SP2
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: Low
ORIGINAL DESCRIPTION:
A new vulnerability in the Microsoft Windows Domain Name System Service has been discovered. DNS translates fully-qualified domain names (e.g. some.host.domain) to IP addresses (e.g. 10.23.45.56). The flaw is a stack-based buffer overflow in the Remote Procedure Call (RPC) management interface of the DNS Server Service.
This vulnerability can be exploited over the Internet through a dynamically assigned RPC endpoint port in the range 1024/TCP to 5000/TCP. Successful exploitation could result in arbitrary code execution with the privileges of the DNS Server Service (Local System), which could lead to complete control of the affected system. Authenticated users (e.g. from a domain workstation or a VPN connection) can also exploit it by sending specially crafted RPC packets to port 445/TCP on an affected server. Per best practices, this port should be filtered from the Internet and other untrusted networks.
Note that the DNS Server Service often runs on the same hosts as Active Directory Domain Controllers; in these cases successful exploitation could compromise the entire domain. Note also that this vulnerability cannot be exploited over the standard DNS ports 53/TCP or 53/UDP, so ordinary DNS query traffic is not the attack vector.
Exploit code for this vulnerability is publicly available, and it is being actively exploited on the Internet. This vulnerability has the potential to be used in new worms or worm variants, so it should be addressed as soon as possible.
APRIL 20 UPDATED DESCRIPTION:
Microsoft has updated its advisory to reflect that this vulnerability can also be exploited by authenticated users on ports 139/TCP and 139/UDP. The initial recommendation to disable remote management of DNS over RPC also protects against attacks on these ports.
MAY 08 UPDATED DESCRIPTION:
Microsoft has released security bulletin MS07-029 with the patch that resolves the DNS RPC management vulnerability in Windows 2000 Server and Windows Server 2003 systems.
ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply all the appropriate patches provided by Microsoft to vulnerable systems as soon as they are available, after appropriate testing.
- Block untrusted incoming traffic on port 445/TCP from the Internet at your network perimeter.
- Use IP filtering so that only trusted management hosts can reach the RPC management interface of the DNS Server Service.
- If possible, separate the DNS Server Service from critical hosts such as domain controllers, so that a compromise of the DNS server does not compromise the domain.
- If possible, disable remote management of DNS over RPC using the method described in Microsoft Security Advisory 935964.
APRIL 20 UPDATED RECOMMENDATIONS:
- Block untrusted incoming traffic on ports 139/TCP and 139/UDP from the Internet at your network perimeter.
MAY 08 UPDATED RECOMMENDATIONS:
- Apply the appropriate patch to vulnerable systems as soon as possible after appropriate testing. The patch is available at: http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
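The attack vectors listed under DESCRIPTION (dynamically assigned RPC ports 1024-5000/TCP, and 445/TCP and 139 for authenticated users, with 53 not a vector) and the recommendations to filter management traffic to trusted hosts and to disable remote management of DNS over RPC can be checked together against connection logs. The following Python triage script is an added example; it is not part of this advisory, of Microsoft's bulletin, or of any Microsoft tool. It assumes a constructed log line format and constructed addresses, and it takes the server's RpcProtocol registry value (the DWORD under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters that the advisory 935964 workaround sets to 4, LPC only) as an input rather than reading the registry, so it runs anywhere.

```python
"""Triage of connection logs against the attack vectors named in this advisory.

Added example; it is not part of the MS-ISAC advisory, of Microsoft's
bulletin, or of any Microsoft tool. The log format, host names and
addresses are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Transports named in the advisory. Port 53 (TCP or UDP) is explicitly not a vector.
DYNAMIC_RPC_PORTS = range(1024, 5001)   # dynamically assigned RPC endpoint ports
SMB_PORTS = {445, 139}                  # RPC over SMB/NetBIOS (authenticated path)

# Bits of the RpcProtocol DWORD under
# HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters (Microsoft's documented
# values); the workaround in advisory 935964 sets it to 4, i.e. LPC only.
RPC_USE_TCPIP = 1
RPC_USE_NAMED_PIPE = 2
RPC_USE_LPC = 4

# Constructed log line shape: "<src>:<sport> -> <dst>:<dport>/<proto>"
LOG_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>tcp|udp)"
)


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    vector: str   # "tcpip" (dynamic RPC port) or "named_pipe" (445/139)


def remote_transports(rpc_protocol):
    """Remote RPC transports the DNS service still accepts for this RpcProtocol value."""
    enabled = set()
    if rpc_protocol & RPC_USE_TCPIP:
        enabled.add("tcpip")
    if rpc_protocol & RPC_USE_NAMED_PIPE:
        enabled.add("named_pipe")
    return enabled          # LPC is local-only and never a remote vector


def vector_for(dport, proto):
    """Map a destination port to the advisory's attack vector, or None."""
    if dport in SMB_PORTS:                       # advisory lists 445/TCP, 139/TCP, 139/UDP
        return "named_pipe"
    if proto == "tcp" and dport in DYNAMIC_RPC_PORTS:
        return "tcpip"
    return None                                  # includes 53/udp and 53/tcp


def triage(log_lines, dns_servers, trusted_mgmt, rpc_protocol):
    """Alerts for connections that can still reach the vulnerable RPC interface.

    rpc_protocol: the server's RpcProtocol value (assumption: treat an absent
    value as 7, all transports). Traffic from trusted_mgmt networks is not
    alerted, matching the IP-filtering recommendation in this advisory.
    """
    servers = {ipaddress.ip_address(s) for s in dns_servers}
    trusted = [ipaddress.ip_network(n) for n in trusted_mgmt]
    live = remote_transports(rpc_protocol)
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                             # unparseable line: skip
        dst = ipaddress.ip_address(m["dst"])
        if dst not in servers:
            continue
        vector = vector_for(int(m["dport"]), m["proto"])
        if vector is None or vector not in live:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in trusted):
            continue
        alerts.append(Alert(str(src), str(dst), int(m["dport"]), vector))
    return alerts


# Constructed sample: one DNS server / domain controller at 192.0.2.10,
# administrators on 10.1.1.0/29.
SAMPLE_LOG = [
    "203.0.113.7:51234 -> 192.0.2.10:53/udp",     # ordinary DNS query: not a vector
    "203.0.113.7:51235 -> 192.0.2.10:1044/tcp",   # Internet host -> dynamic RPC port
    "198.51.100.23:40001 -> 192.0.2.10:445/tcp",  # Internet host -> SMB
    "10.1.1.50:3389 -> 192.0.2.10:139/tcp",       # internal non-admin host -> NetBIOS
    "10.1.1.5:49152 -> 192.0.2.10:1050/tcp",      # trusted admin host: allowed
    "10.1.1.50:50000 -> 192.0.2.20:445/tcp",      # not a DNS server: ignored
]
DNS_SERVERS = ["192.0.2.10"]
TRUSTED_MGMT = ["10.1.1.0/29"]

if __name__ == "__main__":
    for value in (7, RPC_USE_LPC):
        print(f"RpcProtocol={value}:")
        for alert in triage(SAMPLE_LOG, DNS_SERVERS, TRUSTED_MGMT, value):
            print("  ", alert)
```

With all transports enabled the sample yields three alerts (the Internet host on a dynamic RPC port, the Internet host on 445, and the non-admin internal host on 139); the 53/udp query and the trusted admin host produce none. With the workaround value of 4 the remote transports are gone and no alert fires, which is the advisory's point that disabling remote management over RPC covers both the ephemeral-port and the 445/139 paths. The RPC port range is shared with other services, so on a host that is not a DNS server these alerts would be noise; that is why the script only looks at the listed DNS servers.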
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/935964.mspx
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
US-CERT:
http://www.kb.cert.org/vuls/id/555920
eEye:
http://research.eeye.com/html/alerts/zeroday/20070407.html
SANS:
http://www.dshield.org/diary.html?storyid=2627
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
