RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, Proventia Network IPS, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Server IPS for Microsoft Windows technology: This signature detects a DNS cache poisoning attack.
RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, Proventia Network IPS, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Server IPS for Microsoft Windows technology: If an attacker can successfully spoof and route the downstream IP address of a remote DNS server on your network, then this signature may block access to that server during an attack.
RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, Proventia Network IPS, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Server IPS for Microsoft Windows technology: A false negative is possible when the attacker guesses the correct DNS transaction ID on the first attempt.
Medium
RealSecure Server Sensor: XPU 27.110, BlackICE Server Protection: 3.6.cqr, BlackICE PC Protection: 3.6cqr, RealSecure Network: XPU 27.110, Proventia Network IPS: XPU 27.110, Proventia Server IPS for Linux technology: 27.110, Proventia Desktop: 2120, Proventia Network MFS: XPU 27.110, Proventia-G 1.1 and earlier: XPU 27.110, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2120
Microsoft Windows 2003 Server: SP2 x64, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP2, HP Storage Management Appliance: 2.1, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows 2003 Server: SP1, Microsoft Windows 2003 Server: x64, Microsoft Windows 2000: SP4
Protocol Signature
The Microsoft Windows DNS service in certain versions of Windows 2000 and Windows 2003 could allow a remote attacker to spoof DNS responses and obtain sensitive information. The DNS service fails to provide an adequate amount of entropy in randomization of transaction IDs when querying an upstream DNS server. An attacker could exploit this vulnerability to obtain sensitive information and modify the behavior of services running on a vulnerable system.
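Added example, not part of this X-Force record or of any Microsoft tooling: a defender-side check for the weakness described above. Given a sequence of transaction IDs captured from a resolver's outbound queries (for instance from a packet capture of its upstream traffic), it estimates how predictable the next ID is from the previous one. The sample ID sequences and the verdict thresholds are constructed assumptions for illustration.

```python
import random
from collections import Counter
from math import log2

MODULUS = 1 << 16  # DNS transaction IDs are 16-bit (RFC 1035 header field)


def deltas(txids):
    """Differences between consecutive IDs, reduced mod 2^16 so a
    wraparound does not disguise a fixed stride."""
    return [(b - a) % MODULUS for a, b in zip(txids, txids[1:])]


def delta_entropy_bits(txids):
    """Shannon entropy (bits) of the observed delta distribution.
    A counter-style generator yields 0; a well-randomised 16-bit
    generator observed n times approaches log2(n - 1), because
    almost every delta is distinct."""
    d = deltas(txids)
    n = len(d)
    return -sum(c / n * log2(c / n) for c in Counter(d).values())


def top_delta_fraction(txids):
    """Share of transitions explained by the single most common delta:
    the fraction of next IDs an attacker could hit with one guess."""
    d = deltas(txids)
    return Counter(d).most_common(1)[0][1] / len(d)


def assess_txids(txids, min_entropy_ratio=0.8, max_top_delta=0.1):
    """Return (predictable, details). Thresholds are assumptions."""
    n = len(txids)
    if n < 32:
        raise ValueError("need at least 32 transaction IDs")
    ent = delta_entropy_bits(txids)
    ideal = log2(n - 1)
    top = top_delta_fraction(txids)
    predictable = (ent / ideal) < min_entropy_ratio or top > max_top_delta
    return predictable, {"entropy_bits": round(ent, 2),
                         "ideal_bits": round(ideal, 2),
                         "top_delta_fraction": round(top, 3)}


# Constructed samples (not captured from any real server):
# a weak generator that advances by a fixed stride of 7, and a
# seeded PRNG standing in for a properly randomised resolver.
WEAK_TXIDS = [(0x3A1C + 7 * i) % MODULUS for i in range(128)]
_rng = random.Random(2007)
GOOD_TXIDS = [_rng.randrange(MODULUS) for _ in range(128)]
```

On the weak sample every delta is 7, so the entropy is 0 bits and one guess covers every transition; on the random sample the entropy sits near the ideal log2(127) and the top delta explains only a handful of transitions.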
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-062. See References.
Microsoft Security Bulletin MS07-062
Vulnerability in DNS Could Allow Spoofing (941672)
http://www.microsoft.com/technet/security/Bulletin/MS07-062.mspx
BugTraq Mailing List, Tue Nov 13 2007 - 12:26:43 CST
After 6 months - fix available for Microsoft DNS cache poisoning attack
http://archives.neohapsis.com/archives/bugtraq/2007-11/0176.html
Full-Disclosure Mailing List, Wed Nov 14 2007 - 06:07:28 CST
Predictable DNS transaction IDs in Microsoft DNS Server
http://archives.neohapsis.com/archives/fulldisclosure/2007-11/0348.html
Nortel Web site
Nortel Response to Microsoft Security Bulletin MS07-062
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=667796
HPSBST02291 SSRT071498
Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-061 and MS07-062
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01287209&jumpid=reg_R1002_USEN
ISS X-Force
Microsoft Windows DNS spoofing information disclosure
http://www.iss.net/security_center/static/36805.php
CVE
CVE-2007-3898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3898