MS-ISAC ADVISORY NUMBER:
2009-012

DATE(S) ISSUED:
3/11/2009

SUBJECT:
Multiple Vulnerabilities in DNS and WINS Server (MS09-008)

OVERVIEW:

Multiple vulnerabilities have been discovered in Windows Domain Name System (DNS) and Windows Internet Name Service (WINS). DNS and WINS are essential core services that translate names, such as web site, email and computer names, into the numeric addresses computers need in order to communicate. Successful exploitation could allow an attacker to redirect Internet traffic to malicious sites without the user's knowledge.

SYSTEMS AFFECTED:

  • Windows 2000 Server SP4
  • Windows Server 2003
  • Windows Server 2008

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: Low

DESCRIPTION:
Four vulnerabilities have been discovered in Windows Domain Name System (DNS) and Windows Internet Name Service (WINS). These vulnerabilities could allow a remote attacker to spoof the results of DNS or WINS name resolution, which may allow redirection of Internet traffic to malicious locations.

Two of the four vulnerabilities involve DNS cache poisoning. A specially crafted query can help the attacker predict the transaction IDs the server will use, so that forged responses are accepted and bogus addresses are injected into the affected server's cache, redirecting legitimate traffic to malicious websites without the individual's knowledge. Connections protected by SSL or TLS are not silently redirected in this way: the attacker's host cannot present a valid certificate for the spoofed name, so a properly validating client will reject the connection or warn the user.

The remaining two vulnerabilities concern the Web Proxy Auto-Discovery (WPAD) and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) names in both DNS and WINS. WPAD lets administrators centrally specify proxy settings for all web browsers that have been configured to detect them automatically; ISATAP assists with IPv6 communication in an IPv4 environment. Both are located by well-known host names, and by default neither feature is configured, nor are they widely used, so in most networks those names are unclaimed. An attacker able to insert entries into DNS or WINS (for example, a host that is permitted to register its own name dynamically) could therefore register the WPAD or ISATAP name and place an unauthorized proxy or tunnel router into an active network. This gives the attacker the ability to redirect web traffic or to perform man-in-the-middle attacks. If a legitimate WPAD or ISATAP entry already exists, the vulnerability is mitigated, because a second entry for the same name cannot be registered over the existing one.
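The two conditions described above, predictable transaction IDs and an unexpected WPAD or ISATAP registration, can both be checked from captured DNS responses. The following script is an added example for this advisory, not code from MS-ISAC or Microsoft: it parses raw DNS response payloads, measures how often the "previous ID plus a constant step" guess would have predicted the next transaction ID (the simplest form of predictability; it does not reproduce the specific weakness Microsoft patched, which the advisory does not detail), and flags answers for wpad./isatap. names that point at addresses the site never authorized. The domain corp.example, the host names and the addresses in the sample capture are constructed for the example.

```python
"""Checks for the two weaknesses the advisory describes, run over DNS
responses from a constructed capture: predictable transaction IDs (the
cache-poisoning condition) and unexpected wpad/isatap registrations."""
import random
import struct
from collections import Counter


def encode_name(name):
    """Encode a dotted host name in DNS label format."""
    return b"".join(bytes([len(label)]) + label.encode()
                    for label in name.strip(".").split(".")) + b"\x00"


def build_response(txid, qname, addrs, ttl=300):
    """Build a minimal DNS response (one question, A-record answers).
    Used only to construct sample traffic for this example."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += bytes(int(octet) for octet in addr.split("."))
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if (length & 0xC0) == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return the transaction ID, queried name and A-record addresses."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        _name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "qname": qname, "addrs": addrs}


def txid_predictability(txids):
    """Play the attacker: assume IDs advance by a constant step and see how
    often 'previous ID + step' would have guessed the next one. Returns
    (hit rate, step). A rate near 1.0 means forged replies carrying a guessed
    ID will be accepted; a random generator stays near 0."""
    deltas = [(b - a) % 65536 for a, b in zip(txids, txids[1:])]
    step, hits = Counter(deltas).most_common(1)[0]
    return hits / len(deltas), step


def rogue_autodiscovery(responses, authorised=()):
    """Flag wpad./isatap. answers pointing at addresses not in `authorised`.
    Where the site never deployed WPAD or ISATAP, `authorised` is empty and
    any answer at all means someone has claimed the name."""
    findings = []
    for r in responses:
        if r["qname"] and r["qname"].lower().split(".")[0] in ("wpad", "isatap"):
            unexpected = [a for a in r["addrs"] if a not in authorised]
            if unexpected:
                findings.append((r["qname"], unexpected))
    return findings


def analyse_capture(packets, authorised=()):
    """Run both checks over raw DNS response payloads."""
    parsed = [parse_response(p) for p in packets]
    rate, step = txid_predictability([r["txid"] for r in parsed])
    return {"txid_hit_rate": rate, "txid_step": step,
            "rogue_autodiscovery": rogue_autodiscovery(parsed, authorised)}


# Constructed sample: a server whose transaction IDs simply count up, plus a
# wpad record for corp.example that no administrator ever created.
SAMPLE_CAPTURE = [build_response(0x1000 + i, f"host{i}.corp.example", [f"10.0.0.{10 + i}"])
                  for i in range(8)]
SAMPLE_CAPTURE.append(build_response(0x1008, "wpad.corp.example", ["10.0.5.66"]))

# Contrast: a properly randomised server (seeded so the run is repeatable).
_rng = random.Random(7)
RANDOM_TXIDS = [_rng.randrange(65536) for _ in range(200)]

if __name__ == "__main__":
    print(analyse_capture(SAMPLE_CAPTURE))
    print("random server hit rate: %.3f" % txid_predictability(RANDOM_TXIDS)[0])
```

On a live network, feed analyse_capture() the UDP payloads of responses captured from the server (for example with tcpdump on port 53). A transaction-ID hit rate close to 1.0 means the server is trivially predictable and should be patched first; a wpad or isatap finding on a network that never deployed those features means the name has already been claimed and the record should be investigated and removed.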

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Separate the authoritative and caching (recursive) DNS roles; do not provide authoritative name service on caching DNS servers.
  • Where WPAD or ISATAP is not in use, register those names yourself so that an attacker cannot claim them, and restrict dynamic DNS updates and WINS registrations to authenticated hosts.
  • Monitor network traffic for anomalous DNS traffic patterns, such as unexpected answers for WPAD or ISATAP names or floods of responses to a single query.

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS09-008.mspx

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0233
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0234
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0094

Secunia:
http://secunia.com/advisories/34217/


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.