AU-2007.0013 -- AusCERT Update - [Win] - Updated information on unpatched Windows DNS Service vulnerability
Date: 20 April 2007
References: AL-2007.0047, AU-2007.0015
AusCERT Update AU-2007.0013 - [Win]
Updated information on unpatched Windows DNS Service vulnerability
16 April 2007

        AusCERT Update Summary
        ----------------------

Product:              Microsoft Small Business Server 2003
                      Microsoft Small Business Server 2000
                      Windows Server 2003 SP2 and prior
                      Windows 2000 Server SP4 and prior
Operating System:     Windows
Impact:               Administrator Compromise
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-1748
Member content until: Monday, May 14 2007

Ref:                  AL-2007.0047

Revision History:     April 20 2007: New information regarding port 139 and
                                     Guest account
                      April 16 2007: Initial Release

OVERVIEW:

      This update provides new information on the Microsoft DNS Service
      vulnerability reported last week in AusCERT Alert AL-2007.0047.

DETAILS:

      - Microsoft have updated their advisory to clarify that the Microsoft
        Small Business Server 2003 and Small Business Server 2000 products
        are also affected by this vulnerability.

      - Ports 445 or 139 may also be used to exploit the vulnerability, if
        attackers have or are able to guess valid logon credentials. In
        particular, existing user accounts may be used to target the server
        using this vector. If the Guest account has been enabled on the
        server, this potentially allows exploitation via ports 445 or 139
        without authentication. Therefore Microsoft have updated their
        mitigation recommendations to include blocking both TCP and UDP
        ports 445 and 139, in addition to blocking the unsolicited inbound
        traffic on the high TCP ports 1024 and greater as suggested in the
        original advisory.

      - Example exploit code has been widely published over the weekend.
        Therefore widespread scanning and exploitation of this vulnerability
        is expected.

      - Servers likely to be running the vulnerable DNS service include
        Domain Controllers and MS Small Business Servers, which run the DNS
        service by default, as well as servers explicitly configured for the
        DNS server role.

      - Major network intrusion detection/prevention products have now been
        updated with signatures able to detect attempts to exploit this
        vulnerability.

REFERENCES:

      [1] AusCERT Alert AL-2007.0047
          http://www.auscert.org.au/7486

      [2] Updated Microsoft Advisory (935964)
          http://www.microsoft.com/technet/security/advisory/935964.mspx

      [3] Microsoft Security Response Center weblog
          http://blogs.technet.com/msrc/archive/2007/04/15/situation-update-on-microsoft-security-advisory.aspx

      [4] Microsoft Security Response Center weblog
          http://blogs.technet.com/msrc/archive/2007/04/19/update-and-clarifications-in-microsoft-security-advisory-935964.aspx

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
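Added example (not part of the AusCERT bulletin or the Microsoft advisory): a small audit that checks a first-match inbound ACL against the updated mitigation in DETAILS, reporting which of TCP/UDP 139 and 445 and TCP 1024 and greater are still reachable. The rule tuple format, the function names and both sample ACLs are constructed for illustration.

```python
from typing import List, Tuple

Rule = Tuple[str, str, int, int]  # (action, protocol, first_port, last_port)

# What the updated mitigation asks to have blocked inbound, per the bulletin:
# TCP and UDP ports 139 and 445, plus unsolicited TCP ports 1024 and greater.
REQUIRED_BLOCKS = [("tcp", 139, 139), ("udp", 139, 139),
                   ("tcp", 445, 445), ("udp", 445, 445),
                   ("tcp", 1024, 65535)]

def decision(rules: List[Rule], proto: str, port: int, default: str) -> str:
    """First-match evaluation of one unsolicited inbound packet."""
    for action, rule_proto, first, last in rules:
        if rule_proto in (proto, "any") and first <= port <= last:
            return action
    return default

def exposed_ranges(rules: List[Rule], default: str = "allow") -> List[Tuple[str, int, int]]:
    """Return the (protocol, first, last) ranges of REQUIRED_BLOCKS still allowed."""
    gaps = []
    for proto, first, last in REQUIRED_BLOCKS:
        start = None  # first port of the allowed run currently being tracked
        for port in range(first, last + 1):
            allowed = decision(rules, proto, port, default) == "allow"
            if allowed and start is None:
                start = port
            elif not allowed and start is not None:
                gaps.append((proto, start, port - 1))
                start = None
        if start is not None:
            gaps.append((proto, start, last))
    return gaps

# Constructed ACL following only the original advice; no default-deny is assumed.
ORIGINAL_ONLY: List[Rule] = [
    ("allow", "tcp", 8080, 8080),   # constructed exception that shadows the deny below
    ("deny", "tcp", 1024, 65535),
]
# Constructed ACL following the updated advice in this bulletin.
UPDATED: List[Rule] = [
    ("deny", "any", 139, 139),
    ("deny", "any", 445, 445),
    ("deny", "tcp", 1024, 65535),
]

if __name__ == "__main__":
    for name, acl in (("original-only", ORIGINAL_ONLY), ("updated", UPDATED)):
        gaps = exposed_ranges(acl)
        print(name, "OK" if not gaps else "still reachable: %s" % gaps)
```

Pass default="deny" to exposed_ranges when the device being audited ends its rule list with an implicit deny.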