MediumProventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology:
This signature detects a DNS cache poisoning attack where an attacker sends many DNS responses trying to guess the correct transaction ID for an outstanding query. If the attacker guesses correctly, he can poison the DNS cache of the receiving server. After this signature detects an attack, all future packets associated with the attack will be dropped (this only applies to sensors operating in inline mode). The automatic drop response will occur when the signature is enabled, REGARDLESS of the blocking configuration of the signature.
This signature detects a DNS cache poisoning attack where an attacker sends many DNS responses trying to guess the correct transaction ID for an outstanding query. If the attacker guesses correctly, he can poison the DNS cache of the receiving server. After this signature detects an attack, all future packets associated with the attack will be dropped (this only applies to sensors operating in inline mode). The automatic drop response can be disabled by setting the tuning parameter 'pam.dns_cache_poison.drop' to 'false'.
Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology: A false positive is possible if a single DNS query receives a very large number of legitimate answers. Multiple legitimate answers occur when a DNS query is fanned out upstream, but this activity normally does not rise to the level necessary to trigger this signature. If false positives are known to occur, change the parameter pam.dns_cache_poison.answer.limit to a higher value.
Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology: A false negative is possible if the attacker guesses the correct DNS transaction ID of a specific question with very few attempts.
Medium
Proventia Server IPS for Microsoft Windows technology: 1.0.914.2120, BlackICE PC Protection: 3.6cqr, BlackICE Server Protection: 3.6.cqr, Proventia Network MFS: XPU 27.110, Proventia-G 1.1 and earlier: XPU 27.110, Proventia Network IDS: XPU 27.110, Proventia Desktop: 2120, Proventia Network IPS: XPU 27.110, RealSecure Server Sensor: XPU 27.110, RealSecure Network: XPU 27.110, Proventia Server IPS for Linux technology: 27.110
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows 2003 Server: SP1, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows 2003 Server: SP2, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP2 x64, HP Storage Management Appliance: 2.1
Protocol Signature
The Microsoft Windows DNS service in certain versions of Windows 2000 and Windows 2003 could allow a remote attacker to spoof DNS responses and obtain sensitive information. The DNS service fails to provide an adequate amount of entropy in randomization of transaction IDs when querying an upstream DNS server. An attacker could exploit this vulnerability to obtain sensitive information and modify the behavior of services running on a vulnerable system.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-062. See References.
Microsoft Security Bulletin MS07-062
Vulnerability in DNS Could Allow Spoofing (941672)
http://www.microsoft.com/technet/security/Bulletin/MS07-062.mspx
BugTraq Mailing List, Tue Nov 13 2007 - 12:26:43 CST
After 6 months - fix available for Microsoft DNS cache poisoning attack
http://archives.neohapsis.com/archives/bugtraq/2007-11/0176.html
Full-Disclosure Mailing List, Wed Nov 14 2007 - 06:07:28 CST
Predictable DNS transaction IDs in Microsoft DNS Server
http://archives.neohapsis.com/archives/fulldisclosure/2007-11/0348.html
Nortel Web site
Nortel Response to Microsoft Security Bulletin MS07-062
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=667796
HPSBST02291 SSRT071498
Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-061 and MS07-062
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01287209&jumpid=reg_R1002_USEN
IBM Internet Security Systems X-Force Database
Multiple vendor socket entropy DNS spoofing
http://xforce.iss.net/xforce/xfdb/43334
ISS X-Force
Microsoft Windows DNS spoofing information disclosure
http://www.iss.net/security_center/static/36805.php
CVE
CVE-2007-3898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3898