                             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
                             __________________________________________________________

                             INFORMATION BULLETIN

                  Vulnerability in RPC on Windows DNS Server
                   [Microsoft Security Advisory (935964)]

April 13, 2007 19:00 GMT                                          Number R-212
                                                      [REVISED 19 Apr 2007]
                                                      [REVISED 20 Apr 2007]
______________________________________________________________________________
PROBLEM:       Microsoft is investigating new public reports of a limited
               attack exploiting a vulnerability in the Domain Name System
               (DNS) Server Service.

PLATFORM:      Microsoft Windows 2000 Server Service Pack 4
               Windows Server 2003 Service Pack 1
               Windows Server 2003 Service Pack 2

DAMAGE:        Could allow an attacker to run code in the security context
               of the Domain Name System Server Service, which by default
               runs as Local SYSTEM.

SOLUTION:      Please follow the workarounds provided by Microsoft.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Could allow an attacker to run code in
ASSESSMENT:    the security context of the Domain Name System Server
               Service, which by default runs as Local SYSTEM.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-212.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/advisory/935964.mspx
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748
______________________________________________________________________________
REVISION HISTORY:
04/19/2007 - revised R-212 to reflect changes Microsoft has made in Microsoft
             Security Advisory (935964), where the "Suggested Actions" section
             was updated to include additional information regarding TCP and
             UDP port 445 and the 15 character computer name known issue.
04/20/2007 - revised R-212 to reflect changes Microsoft has made in Microsoft
             Security Advisory (935964) to provide information on Windows Live
             OneCare malware detection capability and to clarify that the
             registry key workaround provides protection against all attempts
             to exploit this vulnerability. The advisory was also updated to
             provide additional data regarding exploitability through port 139.

[***** Start Microsoft Security Advisory (935964) *****]

Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Published: April 12, 2007 | Updated: April 19, 2007

Microsoft is investigating new public reports of attacks exploiting a
vulnerability in the Domain Name System (DNS) Server Service in Microsoft
Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and
Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional
Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected,
as these versions do not contain the vulnerable code.

Microsoft's initial investigation reveals that the attempts to exploit this
vulnerability could allow an attacker to run code in the security context of
the Domain Name System Server Service, which by default runs as Local SYSTEM.

Our ongoing monitoring indicates that we are seeing new attacks that exploit
the vulnerability by the Win32/Siveras bot family. Windows Live Safety Scanner
and Windows Live OneCare can be used to detect currently known malware types
that are attempting to exploit the vulnerability.

Microsoft continues to strongly urge customers to deploy the registry
workaround identified below to comprehensively mitigate all attempts to
exploit the vulnerability through the various identified ports and
authentication requirements.

Upon completion of this investigation, Microsoft will take appropriate action
to help protect our customers.
This may include providing a security update through our monthly release
process or providing an out-of-cycle security update, depending on customer
needs.

Customers who believe they are affected can contact Product Support Services.
Contact Product Support Services in North America for help with security
update issues or viruses at no charge using the PC Safety line
(1-866-PCSAFETY). International customers can use any method found at this
location: http://support.microsoft.com/security

International customers can receive support from their local Microsoft
subsidiaries. There is no charge for support that is associated with security
updates. For more information about how to contact Microsoft for support
issues, visit the International Support Web site.

General Information

Overview

Purpose of Advisory: To provide customers with initial notification of limited
attacks exploiting a vulnerability in the Domain Name System (DNS) Server
Service. For more information see the "Suggested Actions" section of the
security advisory.

Advisory Status: Issue Confirmed. Security Update Planned.

Recommendation: Review the suggested actions and configure as appropriate.

References
  CVE Reference:                     CVE-2007-1748
  Microsoft Knowledge Base Article:  935964
  Identified Malware:                Silveras.A, Silveras.B, Silveras.C,
                                     Silveras.D

This advisory discusses the following software.

Related Software
  Microsoft Windows 2000 Server Service Pack 4
  Microsoft Windows Server 2003 Service Pack 1
  Microsoft Windows Server 2003 Service Pack 2

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of limited attacks that exploit a vulnerability affecting
the RPC interface of the Microsoft DNS service.

Is this a security vulnerability that requires Microsoft to issue a security
update?
Microsoft is completing development of a security update for Windows that
addresses this vulnerability.

What causes the vulnerability?
A stack-based buffer overrun exists in the Windows DNS Server's RPC interface
implementation.

How could an attacker exploit the vulnerability?
On Windows 2000 Server and Windows Server 2003 running the DNS Server Service,
an anonymous attacker could try to exploit the vulnerability by sending a
specially crafted RPC packet to an affected system.

Is my DNS Server vulnerable to attack over port 53?
The name resolution functionality of the DNS service exposed over port 53 is
not vulnerable to this attack.

What is Remote Procedure Call (RPC)?
Remote Procedure Call (RPC) is a protocol that a program can use to request a
service from a program located on another computer in a network. RPC helps
with interoperability because the program using RPC does not have to
understand the network protocols that are supporting communication. In RPC,
the requesting program is the client and the service-providing program is the
server.

What versions of Microsoft Windows are associated with this advisory?
This advisory discusses Microsoft Windows 2000 Server Service Pack 4, Windows
Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft
Windows Small Business Server 2000 and Small Business Server 2003, which run
the DNS Server Service by default, are also affected by this vulnerability.

Suggested Actions

Microsoft has tested the following workarounds. While the workarounds will not
correct the underlying vulnerability, they help block known attack vectors.
Specifically, all these workarounds have been tested and shown to block
attempts to exploit the vulnerability over RPC traffic as well as ports 139
and 445. When a workaround reduces functionality, it is identified in the
following section.

• Disable remote management over RPC capability for DNS Servers through the
  registry key setting.

  Note: Using Registry Editor incorrectly can cause serious problems that may
  require you to reinstall your operating system.
  Microsoft cannot guarantee that problems resulting from the incorrect use of
  Registry Editor can be solved. Use Registry Editor at your own risk. For
  information about how to edit the registry, view the "Changing Keys And
  Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and
  Delete Information in the Registry" and "Edit Registry Data" Help topics in
  regedit.exe.

  Note: We recommend backing up the registry before you edit it.

  1. On the Start menu click 'Run', type 'Regedit' and then press Enter.
  2. Navigate to the following registry location:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  3. On the 'Edit' menu select 'New' and then click 'DWORD Value'.
  4. Where 'New Value #1' is highlighted, type 'RpcProtocol' for the name of
     the value and then press Enter.
  5. Double-click the newly created value and change the value's data to '4'
     (without the quotes).
  6. Restart the DNS service for the change to take effect.

• Managed Deployment Script

  The following sample registry script can be used to enable this registry
  setting:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
    "RpcProtocol"=dword:00000004

  The above registry script can be saved to a file with a .REG file extension
  and deployed silently as part of an automated deployment script using
  regedit.exe with the /s command line switch. The DNS service needs to be
  restarted for this change to take effect. For help using regedit.exe to
  deploy registry scripts please refer to Microsoft Knowledge Base Article
  Q82821: Registration Info Editor (REGEDIT) Command-Line Switches.

  How to undo workaround:

  To undo the workaround perform the following steps:

  1. On the Start menu click 'Run', type 'Regedit' and then press Enter.
  2. Navigate to the following registry location:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  3. Select the RpcProtocol value.
  4. Right-click the RpcProtocol value and select Delete.
  5. Restart the DNS service for the change to take effect.

  RpcProtocol registry key values

  The value '4' used above restricts the DNS RPC interface to LPC only. Combine
  values from the table below to change the set of transport mechanisms allowed
  by the RpcProtocol value:

    #define DNS_RPC_USE_TCPIP       0x1
    #define DNS_RPC_USE_NAMED_PIPE  0x2
    #define DNS_RPC_USE_LPC         0x4

  You can re-configure the DNS server's management interface to accept only LPC
  by setting a value in the registry. Other registry values will modify or
  disable RPC communication differently. For more information on the
  RpcProtocol registry key please see the following TechNet article.

  Setting the value to 4 will mitigate a remote attempt to exploit the
  vulnerability. Setting the value to 0 will disable all DNS RPC functionality
  and will protect against both local and remote attempts to exploit the
  vulnerability.

  Impact of Workaround: Setting the registry value to 4 will disable remote
  management and configuration of DNS server functionality using RPC or WMI.
  DNS management tools will fail to work remotely. Local management and remote
  management through terminal services can still be used to manage your DNS
  Server configuration. You will still be able to use the DNS management MMC
  Snap-in, DNSCMD.exe, and the DNS WMI provider. Setting the registry value to
  0 will disable all DNS RPC management capability, including local
  administration and configuration.

  DNS Server local administration and configuration may not work if the server
  being managed has a computer name of 15 characters and is selected by its
  computer name. To avoid this issue, use the Fully Qualified Domain Name
  (FQDN) of the computer being managed in the DNS administration tools.

• Block the following at the firewall:

  Block TCP and UDP ports 445 and 139 as well as all unsolicited inbound
  traffic on ports greater than 1024.
  The RPC interface of Windows DNS is bound to a port greater than 1024. While
  the majority of RPC port binding occurs in the 1024 to 5000 range, it is
  possible for the RPC interface to bind to higher unreserved port numbers.
  Blocking them at the firewall will help protect systems that are behind that
  firewall from attempts to exploit this vulnerability. We recommend that you
  block all unsolicited inbound communication from the Internet to help
  prevent attacks that may use other ports. For more information about ports
  that RPC uses, visit the following Web site. To block all unsolicited RPC
  requests while preserving DNS management functionality please see Microsoft
  Knowledge Base Article 555381.

  Note: An attacker will need to authenticate using a valid username and
  password to exploit the vulnerability via ports 139 or 445.

  Impact of Workaround: Remote management of DNS server functionality using
  RPC will be disabled. DNS management tools will fail to work remotely. Local
  and remote management through terminal services can still be used to manage
  your DNS Server configuration; this includes the DNS management MMC Snap-in,
  DNSCMD.exe, and the DNS WMI provider. Additional management and control
  functionality may be lost for applications or components that use the
  affected ports. Blocking port 445 will prevent computers from connecting to
  the server through SMB, and the server will be unable to access folders
  shared on the network. Management tools that depend on SMB for connectivity
  will be unable to connect to the server.

• Enable advanced TCP/IP filtering on systems

  You can enable advanced TCP/IP filtering to block all unsolicited inbound
  traffic. For more information about how to configure TCP/IP filtering, see
  Microsoft Knowledge Base Article 309798.

• Block TCP and UDP ports 445 and 139 as well as affected ports greater than
  1024 by using IPsec on the affected systems

  Use Internet Protocol security (IPsec) to help protect network
  communications.
  Detailed information about IPsec and about how to apply filters is available
  in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base
  Article 813878.

  Note: An attacker will need to authenticate using a valid username and
  password to exploit the vulnerability via ports 139 or 445.

  Impact of Workaround: Remote management of DNS server functionality using
  RPC will be disabled. DNS management tools will fail to work remotely. Local
  and remote management through terminal services can still be used to manage
  your DNS Server configuration; this includes the DNS management MMC Snap-in,
  DNSCMD.exe, and the DNS WMI provider. Additional management and control
  functionality may be lost for applications or components that use affected
  ports. Blocking port 445 will prevent computers from connecting to the
  server through SMB, and the server will be unable to access folders shared
  on the network. Management tools that depend on SMB for connectivity will be
  unable to connect to the server.

Protect Your PC

We continue to encourage customers to follow our Protect Your PC guidance of
enabling a firewall, getting software updates and installing anti-virus
software. Customers can learn more about these steps by visiting the Protect
Your PC Web site.

For more information about staying safe on the Internet, customers can visit
the Microsoft Security Home Page.

Customers who believe they have been attacked should contact their local FBI
office or post their complaint on the Internet Fraud Complaint Center Web
site. Customers outside the U.S. should contact the national law enforcement
agency in their country.

All customers should apply the most recent security updates released by
Microsoft to help ensure that their systems are protected from attempted
exploitation. Customers who have enabled Automatic Updates will automatically
receive all Windows updates. For more information about security updates,
visit the Microsoft Security Web site.
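Auditing, applying and undoing the RpcProtocol registry workaround from the "Suggested Actions" section above, as an added example that is not part of the Microsoft advisory or the CIAC bulletin. It assumes PowerShell is installed on the DNS server (the advisory's own deployment method is the .REG script with regedit.exe /s) and is run elevated on the server itself, since remote RPC management is exactly what the workaround turns off. The registry path and the 0x1/0x2/0x4 transport bits are the advisory's; the function names, the backup file name and the treatment of an absent value as "all transports enabled" are this example's own assumptions.

```powershell
# Added example (not Microsoft's or CIAC's): audit, apply and undo the RpcProtocol
# workaround from Microsoft Security Advisory 935964 on a Windows DNS server.
# Assumes PowerShell is installed; run elevated, locally, on the affected server.
# Function names are this example's own.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Transport bits from the advisory's RpcProtocol table; combine with -bor.
$DNS_RPC_USE_TCPIP      = 0x1
$DNS_RPC_USE_NAMED_PIPE = 0x2
$DNS_RPC_USE_LPC        = 0x4

function Get-DnsRpcTransports {
    # Names of the transports a given RpcProtocol value leaves enabled.
    param([int]$Value)
    $names = @()
    if ($Value -band $DNS_RPC_USE_TCPIP)      { $names += 'TCP/IP (remote, dynamic port above 1024)' }
    if ($Value -band $DNS_RPC_USE_NAMED_PIPE) { $names += 'named pipes (SMB, TCP 139/445, authenticated)' }
    if ($Value -band $DNS_RPC_USE_LPC)        { $names += 'LPC (local only)' }
    if ($names.Count -eq 0) { $names += 'none (all DNS RPC management disabled)' }
    return $names
}

function Get-DnsRpcProtocol {
    # Current setting, or $null when the value is absent. Assumption: an absent
    # value means the default, i.e. every transport is enabled.
    $item = Get-ItemProperty -Path $DnsParams -Name RpcProtocol -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.RpcProtocol
}

function Set-DnsRpcProtocol {
    # 4 = LPC only (blocks remote attempts); 0 = no DNS RPC at all (blocks local ones too).
    param([int]$Value = 4)
    if ($Value -ne 0 -and $Value -ne 4) { throw "Use 4 (LPC only) or 0 (disable DNS RPC); got $Value" }
    $before = Get-DnsRpcProtocol

    # Export the key first so the change can be reverted exactly (backup name is this example's).
    $backup = Join-Path $env:TEMP ('DNS-Parameters-' + (Get-Date -Format yyyyMMddHHmmss) + '.reg')
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters' $backup | Out-Null

    if ($null -eq $before) {
        New-ItemProperty -Path $DnsParams -Name RpcProtocol -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $DnsParams -Name RpcProtocol -Value $Value
    }
    # Per the advisory, the DNS service must be restarted for the change to take effect.
    Restart-Service -Name DNS -Force

    $after = Get-DnsRpcProtocol
    Write-Host ("RpcProtocol: {0} -> {1}; transports now: {2}; backup: {3}" -f `
        $before, $after, ((Get-DnsRpcTransports $after) -join ', '), $backup)
    return $after
}

function Remove-DnsRpcProtocol {
    # The advisory's "How to undo workaround": delete the value and restart DNS.
    Remove-ItemProperty -Path $DnsParams -Name RpcProtocol -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
}

# Usage: report the current exposure, then apply the recommended value.
$current = Get-DnsRpcProtocol
if ($null -eq $current) {
    Write-Host 'RpcProtocol not set: TCP/IP, named pipes and LPC all enabled (remote RPC management exposed)'
} else {
    Write-Host ("RpcProtocol = {0}: {1}" -f $current, ((Get-DnsRpcTransports $current) -join ', '))
}
Set-DnsRpcProtocol -Value 4 | Out-Null
```

The bit decoding is what makes the audit step useful: a value of 1 or 3 still exposes the RPC interface remotely, and only 4 or 0 matches what the advisory describes as blocking remote attempts, so a fleet check should compare the decoded transport list rather than merely test that the value exists.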
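The IPsec port-blocking workaround described above, written out as an added example that is not Microsoft's or CIAC's own script. It is for Windows Server 2003, where the netsh ipsec static context used by the KB 813878 approach the advisory cites is available (Windows 2000 uses ipseccmd instead and is not covered here). The example covers only the ports the advisory names explicitly (TCP and UDP 139 and 445); the policy, filter list, action and rule names are this example's own. The advisory's wider "all unsolicited inbound traffic above 1024" recommendation is deliberately left to the KB 555381 guidance, because static IPsec filters are stateless and a blanket inbound block on those ports would also drop replies to the server's own outbound connections.

```powershell
# Added example (not Microsoft's or CIAC's): block inbound TCP/UDP 139 and 445 to this
# DNS server with an IPsec policy, following the netsh ipsec static approach of KB 813878.
# Windows Server 2003 only; run elevated on the affected server. All names are this example's own.

$Policy     = 'Advisory935964-BlockSMB'   # no spaces, so netsh argument parsing is unambiguous
$FilterList = "${Policy}-Filters"
$Action     = "${Policy}-Block"
$Rule       = "${Policy}-Rule"

# 1. Policy container and an empty filter list.
netsh ipsec static add policy name=$Policy
netsh ipsec static add filterlist name=$FilterList

# 2. One inbound-only filter per protocol/port pair. mirrored=no keeps the server's own
#    outbound SMB connections (and their replies) unaffected; only traffic addressed
#    to this server's 139/445 is matched.
foreach ($proto in 'tcp', 'udp') {
    foreach ($port in 139, 445) {
        netsh ipsec static add filter filterlist=$FilterList srcaddr=any dstaddr=me protocol=$proto dstport=$port mirrored=no
    }
}

# 3. A block action, a rule tying the list and action into the policy, then assignment.
netsh ipsec static add filteraction name=$Action action=block
netsh ipsec static add rule name=$Rule policy=$Policy filterlist=$FilterList filteraction=$Action
netsh ipsec static set policy name=$Policy assign=y

# 4. Verify what is now assigned (expect four filters under the policy, action "block").
netsh ipsec static show policy name=$Policy level=verbose

# Undo (restores the SMB connectivity the advisory's "Impact of Workaround" says is lost):
#   netsh ipsec static set policy name=$Policy assign=n
#   netsh ipsec static delete policy name=$Policy
```

Because this policy blocks the named-pipe transport but not the dynamic RPC port above 1024, it is a complement to, not a substitute for, the RpcProtocol=4 registry workaround that the advisory urges as the comprehensive mitigation.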
Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help
make sure that their computers are as protected as possible. If you are not
sure whether your software is up to date, visit the Microsoft Update Web site,
scan your computer for available updates, and install any high-priority
updates that are offered to you. If you have Automatic Updates enabled, the
updates are delivered to you when they are released, but you have to make sure
you install them.

Resources:

You can provide feedback by completing the form at the following Web site.

Customers in the U.S. and Canada can receive technical support from Microsoft
Product Support Services. For more information about available support
options, see the Microsoft Help and Support Web site.

International customers can receive support from their local Microsoft
subsidiaries. For more information about how to contact Microsoft for
international support issues, visit the International Support Web site.

The Microsoft TechNet Security Web site provides additional information about
security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• April 12, 2007: Advisory published.
• April 13, 2007: Advisory updated to include additional details about Windows
  Small Business Server. Mitigations also updated to include additional
  information regarding the affected network port range and firewall
  configuration. Additional details also provided for registry key mitigation
  values.
• April 15, 2007: Advisory "Suggested Actions" section updated to include
  additional information regarding TCP and UDP port 445 and the 15 character
  computer name known issue.
• April 16, 2007: Advisory updated: Ongoing monitoring indicates that we are
  seeing a new attack that is attempting to exploit this vulnerability.
• April 19, 2007: Advisory updated: To provide information on Windows Live
  OneCare malware detection capability and to clarify that the registry key
  workaround provides protection against all attempts to exploit this
  vulnerability. Advisory also updated to provide additional data regarding
  exploitability through port 139.

[***** End Microsoft Security Advisory (935964) *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-202: Symantec Enterprise Security Manager Remote Upgrade Authentication
       Bypass
R-203: Vulnerability in Windows Kernel
R-204: Yahoo! ActiveX Audio Conferencing Update
R-205: Mercury Quality Center ActiveX
R-206: Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco
       Lightweight Access Points
R-207: Multiple Vulnerabilities in the Cisco Wireless Control System
R-208: Internet Pictures Corporation iPIX Image Well ActiveX
R-209: HP-UX ICMP Vulnerable to DoS via ICMP Path
R-210: mandb
R-211: XMMS