Microsoft Windows DNS spoofing information disclosure

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: November 13, 2007
Notification Version: 1.0
   
Name: Microsoft Windows DNS spoofing information disclosure
Public disclosure/
In the wild date:		 November 13, 2007
Description: The Microsoft Windows DNS service in certain versions of Windows 2000 and Windows 2003 could allow a remote attacker to spoof DNS responses and obtain sensitive information.

 

ISS Coverage
Product Content Version

Network Sensor 7.0
Proventia A
Proventia IPS (G/GX)
Server Sensor 7.0
Proventia Multifunction Appliance
Proventia Mail
Proventia Server (Linux)

XPU 27.110

Proventia Desktop 2120
BlackICE PC Protection 3.6 eqr
Propagation Techniques ISS Protection Available
remote exploit DNS_Cache_Poison  Nov. 13, 2007

Detailed Description
Business Impact:

This vulnerability could be exploited in DNS cache poisoning attacks. An attacker could provide crafted responses to DNS queries that would cause the server to direct clients to the wrong destination IP addresses for domains they have looked up. Attackers could set up malicious servers at those addresses that capture connecting victims and mislead them into disclosing private information or attack them in other ways. X-Force considers this the most severe out of all the bulletins issued by Microsoft this month due to the ease of exploitation and the potential detriment an attack could cause.

CVSS: Base Score: 6.4
  Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Impact Bias: Normal 
Adjusted Temporal Score: 4.7
  Exploitability: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
Affected Products: For a full list of affected software and versions, see references below.
Technical Description: The Microsoft Windows DNS service in certain versions of Windows 2000 and Windows 2003 could allow a remote attacker to spoof DNS responses and obtain sensitive information. The DNS service fails to provide an adequate amount of entropy in randomization of transaction IDs when querying an upstream DNS server. An attacker could exploit this vulnerability to obtain sensitive information and modify the behavior of services running on a vulnerable system.
Remediation:

See References for details.

References
XFDB http://xforce.iss.net/xforce/xfdb/36805
Microsoft http://www.microsoft.com/technet/security/Bulletin/MS07-062.mspx

Revision History

1.0

Initial publication.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.