Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - * Microsoft Vulnerability in RPC on Windows DNS Server InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

* Microsoft Vulnerability in RPC on Windows DNS Server

Published: 2007-04-13
Last Updated: 2007-04-13 15:05:37 UTC
by Scott Fendley (Version: 2)
0 comment(s)
As a follow up to our diary earlier this week about a potential new DNS Vulnerability,  Microsoft has released an advisory in regard to the vulnerability.  Microsoft has investigated and it appears a vulnerability exists that could allow an attacker to run code under the Domain Name System Server service.  This service by default runs as the local SYSTEM id. 

Microsoft has a few suggested actions that can mitigate the risk with the caveat that some tools may break.
  1. Disable remote management over RPC for the DNS server via a registry key setting.
  2. Block unsolicited inbound traffic on ports 1024-5000 using  IPsec or other firewall.
  3. Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server.
Looking over the information at hand, I believe that the first option may be the best option until an update is released. For more information, please see  KB 935964 (Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution).

---
Scott Fendley
ISC Handler


Keywords:
0 comment(s)
Diary Archives