The Windows Observer
Volume 4, Number 15 -- April 18, 2007

Windows Server DNS Flaw Being Exploited

Published: April 18, 2007

by Alex Woodie

Internet security watchers are girding for a major round of attacks on Windows 2000 Server and Windows Server 2003 systems following Microsoft's disclosure last week of a newly discovered flaw in the operating systems' DNS Server service. Some attacks exploiting the zero-day flaw are already under way, and there is at least one worm using it, while a sharp increase in port scanning suggests attackers are preparing a much larger assault, Symantec warned.

Reports of a possible exploit started trickling in on April 7, when the SANS Internet Storm Center says it first heard of an attack involving Active Directory and DNS. The Storm Center passed the information on to Microsoft, which last week confirmed a new stack-based buffer overflow in the RPC management interface of its DNS Server service on Windows 2000 Server Service Pack 4 and on Windows Server 2003 SP1 and SP2.

According to Microsoft Security Advisory (935964), the flaw can be exploited remotely by sending a malformed Remote Procedure Call (RPC) packet to a vulnerable server, and an attacker who succeeds can run code with the privileges of the DNS Server service, which is to say take complete control of the machine. The exploit does not travel over port 53: it targets the dynamically assigned high port on which the service accepts RPC management calls, so a server's exposure depends on whether that port is reachable, not on whether it serves DNS to the outside world. The DNS Server service is not installed by default, so only systems where that role has been enabled are affected. Microsoft says it is working on a patch, but would not commit to delivering it out of cycle. Its next regularly scheduled round of patches is about three weeks away, on May 8.

Malicious code writers didn't waste any time, and by Saturday (April 14) had posted code that others could use to exploit the DNS vulnerability on their own. By Sunday (April 15), three more examples of exploit code had been found on the Internet, and McAfee's research arm, Avert Labs, confirmed the first worm to use the DNS exploit, W32.Rinbot.BC, a variant of the Nirbot worm.

While worms like W32.Rinbot.BC that use the new DNS flaw haven't made a huge impact yet, that could soon change. Symantec's security response team reports a considerable increase in scans of TCP port 1025, the port on which the DNS Server service's RPC interface commonly listens on Windows Server 2003. Symantec would typically see about 100 scans of port 1025 per day, but is now seeing more than 8,000, Symantec's security response team manager, Mimi Hoang, was quoted as saying. That scanning is potentially a precursor to a large attack, she said.
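As an added example (PowerShell written for this page, not code from the article, Symantec or Microsoft), here is the sort of check a Windows shop could run over its own firewall log to see whether it is receiving the same kind of traffic. The log lines are constructed, in the field layout of the Windows Firewall log (pfirewall.log), with addresses from the documentation ranges; the port 1025 filter follows the article, and the spike thresholds and function names are the example's own.

```powershell
# Added example: count inbound TCP connection attempts to a port per day from
# Windows Firewall log lines and flag a day that stands out from the baseline.
# The log lines below are constructed sample data (not a real capture).
# Needs PowerShell 3.0 or later.

$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-04-16 09:12:01 DROP TCP 203.0.113.5 192.0.2.10 3345 1025 48 S 1234567 0 65535 - - - RECEIVE
2007-04-16 09:12:03 DROP TCP 203.0.113.9 192.0.2.10 3346 1025 48 S 1234568 0 65535 - - - RECEIVE
2007-04-16 10:40:12 DROP TCP 198.51.100.7 192.0.2.10 5000 445 48 S 1234569 0 65535 - - - RECEIVE
2007-04-16 11:02:44 OPEN UDP 192.0.2.10 192.0.2.1 1026 53 - - - - - - - - SEND
2007-04-17 01:15:09 DROP TCP 203.0.113.5 192.0.2.10 3400 1025 48 S 1234570 0 65535 - - - RECEIVE
2007-04-17 01:15:10 DROP TCP 203.0.113.21 192.0.2.10 2211 1025 48 S 1234571 0 65535 - - - RECEIVE
2007-04-17 01:15:12 DROP TCP 203.0.113.22 192.0.2.10 2212 1025 48 S 1234572 0 65535 - - - RECEIVE
2007-04-17 01:15:13 DROP TCP 203.0.113.23 192.0.2.10 2213 1025 48 S 1234573 0 65535 - - - RECEIVE
2007-04-17 02:30:00 DROP TCP 198.51.100.40 192.0.2.10 4421 1025 48 S 1234574 0 65535 - - - RECEIVE
2007-04-17 02:30:01 DROP TCP 198.51.100.40 192.0.2.10 4422 1025 48 S 1234575 0 65535 - - - RECEIVE
2007-04-17 03:05:18 DROP TCP 198.51.100.41 192.0.2.10 4423 1025 48 S 1234576 0 65535 - - - RECEIVE
2007-04-17 03:05:20 DROP TCP 198.51.100.41 192.0.2.10 4424 1025 48 A 1234577 0 65535 - - - RECEIVE
'@

function ConvertFrom-PfirewallLog([string[]]$Lines) {
    # Turns pfirewall.log lines into objects; header (#) and blank lines are skipped.
    foreach ($line in $Lines) {
        if ($line -match '^\s*#' -or $line -match '^\s*$') { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 17) { continue }          # not a complete record
        [pscustomobject]@{
            Date     = $f[0]
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstPort  = if ($f[7] -match '^\d+$') { [int]$f[7] } else { -1 }
            Flags    = $f[9]
            Path     = $f[16]
        }
    }
}

function Get-InboundScanCounts([string[]]$Lines, [int]$Port) {
    # Per-day count of inbound TCP connection attempts (SYN only) to $Port,
    # plus the number of distinct source hosts, oldest day first.
    ConvertFrom-PfirewallLog $Lines |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.DstPort -eq $Port -and
                       $_.Path -eq 'RECEIVE' -and $_.Flags -eq 'S' } |
        Group-Object Date | Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Date     = $_.Name
                Attempts = $_.Count
                Sources  = @($_.Group | ForEach-Object { $_.SrcIp } | Sort-Object -Unique).Count
            }
        }
}

function Find-ScanSpike([object[]]$Daily, [double]$Factor = 10, [int]$MinSources = 5) {
    # Flags a day whose attempts exceed $Factor times the average of the
    # earlier days and that came from at least $MinSources hosts (one noisy
    # host is not a campaign). The first day has no baseline and is never flagged.
    for ($i = 1; $i -lt $Daily.Count; $i++) {
        $baseline = ($Daily[0..($i - 1)] | Measure-Object -Property Attempts -Average).Average
        $d = $Daily[$i]
        if (($d.Attempts -gt ($Factor * $baseline)) -and ($d.Sources -ge $MinSources)) { $d }
    }
}

# Usage: on a real server replace the sample with Get-Content $env:SystemRoot\pfirewall.log
# and raise the thresholds towards the article's 100-a-day versus 8,000-a-day ratio.
$daily = Get-InboundScanCounts -Lines ($SampleLog -split "`r?`n") -Port 1025
$daily | Format-Table -AutoSize
Find-ScanSpike -Daily @($daily) -Factor 3 -MinSources 3 | ForEach-Object {
    "Spike: $($_.Attempts) attempts on TCP 1025 from $($_.Sources) hosts on $($_.Date)"
}
```

With the sample data the second day (seven SYNs from six hosts against a baseline of two) is reported; the ACK-flagged line, the port 445 probe and the outbound DNS query are filtered out, which is the point of keying on inbound SYNs rather than on every dropped packet.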

There are several things Windows Server shops can do to protect themselves until Microsoft's patch arrives, which could be tomorrow or 20 days from now. The advisory lists three workarounds: disable remote management over RPC for the DNS Server service through a registry setting (a DWORD value named RpcProtocol under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, set to 4, followed by a restart of the DNS Server service), after which the server can be administered only from its own console; block unsolicited inbound traffic on ports 1024 through 5000 and on TCP and UDP port 445 using IPsec or another firewall; or enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server to block unsolicited inbound traffic. Each of these has side effects, and blocking the port range in particular will break anything else on the server that relies on dynamic RPC endpoints; see Microsoft Security Advisory (935964) for the details on these workarounds.

Also be aware that these workarounds may not be practical for every Windows shop. The SANS Internet Storm Center says some shops, such as dedicated hosting sites, may run into problems implementing Microsoft's DNS flaw workarounds. At many hosting sites, multiple server workloads, such as DNS, FTP, and HTTP, run on the same machine, and these machines often do not have a firewall of their own that can be configured to block the offending packets.

The second scenario involves servers running DNS and Active Directory on the same box. Because Active Directory itself needs RPC ports open to perform some authentication services, blocking the RPC ports may not be possible. These machines are also usually less protected than DNS servers in the DMZ, the Storm Center's Maarten Van Horenbeeck writes. "If your Active Directory server is compromised, the game is essentially over."
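Here is how the first of the advisory's workarounds, the registry change, looks in practice on the servers discussed above, as an added example (PowerShell written for this page, not code from Microsoft or from the advisory). It assumes an elevated PowerShell session on the affected server. The registry path and the RpcProtocol value are the ones the advisory names; the function names and the netstat-based check of what dns.exe is listening on are the example's own.

```powershell
# Added example: apply the "disable remote management over RPC" workaround
# from Microsoft Security Advisory 935964 to the DNS Server service, verify
# it, and keep enough state to roll it back once the real fix is installed.
# Assumes an elevated session on a Windows 2000 Server / Server 2003 DNS server.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$LpcOnly   = 4   # RpcProtocol bit flags: 1 = TCP/IP, 2 = named pipes, 4 = LPC (local calls only)

function Get-DnsRpcProtocol {
    # Current RpcProtocol value, or $null when the value has never been set
    # (no value means the default, with remote RPC management enabled).
    $item = Get-ItemProperty -Path $DnsParams -Name RpcProtocol -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.RpcProtocol
}

function Get-DnsListeningTcpPorts {
    # TCP ports on which dns.exe is listening, read from netstat -ano.
    # Before the workaround this shows port 53 plus a high port (1025 on many
    # Server 2003 boxes) for the RPC management interface.
    $dns = Get-Process -Name dns -ErrorAction SilentlyContinue
    if ($null -eq $dns) { return @() }
    $pattern = '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+' + $dns.Id + '\s*$'
    $ports = netstat -ano | ForEach-Object {
        if ($_ -match $pattern) { [int]$Matches[1] }
    }
    return @($ports | Sort-Object -Unique)
}

function Disable-DnsRemoteRpc {
    # Saves the previous value for rollback, switches the DNS Server service
    # to LPC-only RPC, and restarts the service so the change takes effect.
    $previous = Get-DnsRpcProtocol
    Set-ItemProperty -Path $DnsParams -Name RpcProtocol -Value $LpcOnly -Type DWord
    Restart-Service -Name DNS -Force
    return $previous
}

function Restore-DnsRemoteRpc($Previous) {
    # Reverts to the saved value (or removes the value if it did not exist);
    # run this after the patch from Microsoft is installed.
    if ($null -eq $Previous) {
        Remove-ItemProperty -Path $DnsParams -Name RpcProtocol -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $DnsParams -Name RpcProtocol -Value $Previous -Type DWord
    }
    Restart-Service -Name DNS -Force
}

# Usage: record what is listening, apply the workaround, and confirm that the
# high RPC port is gone and only port 53 is left. Keep $saved if you intend to
# roll back later.
"Before: dns.exe listening on TCP " + ((Get-DnsListeningTcpPorts) -join ', ')
$saved = Disable-DnsRemoteRpc
"RpcProtocol is now " + (Get-DnsRpcProtocol)
"After:  dns.exe listening on TCP " + ((Get-DnsListeningTcpPorts) -join ', ')
# Restore-DnsRemoteRpc $saved
```

This is the one of the three workarounds a domain controller that also runs DNS can still use: it only turns off the DNS service's own RPC management endpoint and leaves the RPC ports Active Directory depends on untouched. The price is that the DNS console and dnscmd work only on the server itself until the value is restored after patching, and a restart of the DNS Server service is required both ways.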



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034