Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects an LLMNR request with a leading '.'
Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: TCP traffic to port 5355 with a very low TTL could inadvertently cause this signature to trigger.
High
Proventia Network IPS: XPU 31.040, Proventia Desktop: 2630, RealSecure Network: XPU 31.040, RealSecure Server Sensor: XPU 31.040, Proventia Network IDS: XPU 31.040, Proventia-G 1.1 and earlier: XPU 31.040, Proventia Network MFS: XPU 31.040, IBM Security Server Protection for Windows: 2.1.14.2630, Virtual Server Protection for VMware: XPU 31.040, Proventia Server IPS for Linux technology: 31.040
Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium
Unauthorized Access Attempt
Microsoft Windows could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the improper handling of LLMNR queries by the DNS client service. By sending a specially crafted LLMNR broadcast query, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS11-030. See References.
Microsoft Security Bulletin MS11-030
Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
http://www.microsoft.com/technet/security/bulletin/ms11-030.mspx
IBM Security Protection Alert
Microsoft Windows DNS Resolution Could Allow Remote Code Execution
http://www.iss.net/threats/423.html
Metasploit Modules
Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb
ISS X-Force
Microsoft Windows DNS resolution code execution
http://www.iss.net/security_center/static/66441.php
CVE
CVE-2011-0657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0657