April 13th, 2007

Zero-day RPC flaw in Microsoft DNS exploited in the wild

Posted by George Ou @ 3:06 am

Categories: Infrastructure, Malware alert, Microsoft, Networking, News, Security, Servers

According to David Maynor of Erratasec, a zero-day exploit against the Microsoft DNS server is being used in the wild. It affects fully patched Windows 2000 Server, Windows Server 2003 and Windows Server 2003 R2 at every service pack level. That is unusual for Microsoft's DNS service, which has had a clean record on the server side for many years. Fortunately, the attacks appear to be limited, because the vulnerable interface is not normally exposed to the Internet through a properly configured firewall. I'll show you how to protect your Microsoft DNS servers below.

The vulnerability is in the RPC management interface of the Windows DNS service, not in the DNS protocol listener: port 53 is not the attack surface. A properly configured firewall permits only inbound UDP 53 to the DNS server; TCP 53 needs to be open only for responses too large for UDP or for zone transfers. The DNS RPC interface listens on a dynamically assigned TCP port in the 1024 to 5000 range, which a remote client normally locates by asking the RPC endpoint mapper on TCP 135 (an attacker can also simply scan the range). Microsoft suggests blocking these ports, but it doesn't really tell you how or where to do that, so I'll explain below.

The external firewall should deny everything by default and permit only UDP 53 to the authoritative DNS server that faces the Internet. TCP 53 should not normally be opened unless you serve very large records. Targeted openings for TCP 53 can be made for the designated secondary servers that pull zone transfers from you. This unfortunately doesn't protect you from the internal LAN. For that, you need a host-based firewall, such as the one built into Windows Server 2003.

Once you enable the host-based firewall on Windows Server 2003, permit UDP and TCP port 53 on the DNS server. Then allow inbound TCP 1024-5000 only from the designated management stations that need to manage DNS remotely, and scope the RPC endpoint mapper (TCP 135) the same way, since that is how remote management clients find the dynamic port. The same RPC interface is also reachable over SMB named pipes on TCP 445, so don't leave 445 open to untrusted hosts either. You'll also need to open TCP 3389 to your management stations if you want to Remote Desktop into the DNS server. This is the best interim measure to keep the DNS server from being compromised, and even once the patch becomes available you should keep these hardened firewall settings as standard practice. Note that if your Active Directory Domain Controller also serves DNS, it needs the additional ports a Domain Controller requires in order to function (Microsoft publishes that list), so don't apply the rules above to a DC without opening those as well.

Microsoft also offers a registry modification, but that simply disables remote management of DNS completely: you can't selectively allow it from certain management stations. I wouldn't recommend the registry fix as a first choice for that reason, because you have no fine-grained control; remote DNS management is either on or off. But if you're running Windows 2000 for DNS, the registry key is your only choice unless you install a third-party firewall or build packet filters out of IPSec policies (there is no host-based firewall in Windows 2000). If you don't want to use the firewalling method and prefer the registry key, I have a REG file here for you to download. The value turns off remote management over RPC and takes effect once the DNS service is restarted; you can still manage DNS locally on the console or through Remote Desktop. To undo the change, use regedit and delete the RpcProtocol value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, then restart the DNS service again.
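The following batch script is an added example (not from the original post, and not Microsoft's own tooling) that applies the two interim workarounds above on a Windows Server 2003 SP1 or later DNS server: the host-firewall configuration from the earlier paragraphs, via the built-in `netsh firewall` context, and the RpcProtocol registry workaround, via `reg`. The management-station and secondary-server addresses are placeholders you must replace; the RpcProtocol value of 4 (local LPC management only) comes from Microsoft's advisory for this issue rather than from the post. The 135/445 scoping goes slightly beyond what the post lists, for the reason given in the comments.

```batch
@echo off
REM Added example, not from the original post: applies the post's two interim
REM workarounds on a Windows Server 2003 (SP1 or later) DNS server.
REM   harden-dns.cmd firewall       host firewall: 53 open, RPC/RDP only from mgmt hosts
REM   harden-dns.cmd registry       RpcProtocol=4: local (LPC) management only
REM   harden-dns.cmd undo-registry  remove the value and restore remote management
REM The addresses below are placeholders (assumed); edit them before running.
setlocal
set MGMT=10.0.0.10,10.0.0.11
set SECONDARIES=192.0.2.53
set DNSKEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

if /I "%~1"=="firewall"      goto firewall
if /I "%~1"=="registry"      goto registry
if /I "%~1"=="undo-registry" goto undoreg
echo usage: %~nx0 firewall ^| registry ^| undo-registry
exit /b 1

:firewall
REM Default-deny inbound, with only the exceptions added below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

REM DNS itself: UDP 53 from anywhere; TCP 53 only to the hosts that pull
REM zone transfers (or need responses too large for UDP).
netsh firewall add portopening protocol=UDP port=53 name="DNS UDP" mode=ENABLE scope=ALL
netsh firewall add portopening protocol=TCP port=53 name="DNS TCP (zone xfer)" mode=ENABLE scope=CUSTOM addresses=%SECONDARIES%

REM Remote Desktop from management stations only.
netsh firewall add portopening protocol=TCP port=3389 name="RDP (mgmt)" mode=ENABLE scope=CUSTOM addresses=%MGMT%

REM The DNS RPC interface lives on a dynamic TCP port in 1024-5000. netsh
REM firewall accepts one port per rule, so add one scoped rule per port.
for /L %%p in (1024,1,5000) do netsh firewall add portopening protocol=TCP port=%%p name="RPC dyn %%p (mgmt)" mode=ENABLE scope=CUSTOM addresses=%MGMT%

REM The RPC endpoint mapper (TCP 135) is how a client finds that dynamic
REM port, and the same DNS RPC interface is also reachable over SMB named
REM pipes (TCP 445), so scope both to the management stations as well.
REM (A domain controller must keep these open to its clients; see the post.)
netsh firewall add portopening protocol=TCP port=135 name="RPC EPM (mgmt)" mode=ENABLE scope=CUSTOM addresses=%MGMT%
netsh firewall add portopening protocol=TCP port=445 name="SMB (mgmt)" mode=ENABLE scope=CUSTOM addresses=%MGMT%

REM Check: every listed opening should show a custom scope except UDP 53.
netsh firewall show portopening
exit /b 0

:registry
REM Microsoft's registry workaround: RpcProtocol = 4 keeps only LPC (local)
REM management and refuses remote RPC over TCP and named pipes. The DNS
REM service must be restarted for the value to take effect.
reg add %DNSKEY% /v RpcProtocol /t REG_DWORD /d 4 /f
net stop dns
net start dns
reg query %DNSKEY% /v RpcProtocol
exit /b 0

:undoreg
REM Restore remote management: delete the value and restart DNS.
reg delete %DNSKEY% /v RpcProtocol /f
net stop dns
net start dns
exit /b 0
```

Run it from an elevated console on the DNS server itself (or over Remote Desktop) rather than through the remote DNS console, since the RPC rules and the registry value both cut off remote management for any station not in the MGMT list. The per-port loop produces several thousand firewall rules, which is tedious but is exactly what the post's "only allow 1024-5000 from management stations" amounts to with this firewall; after it finishes, confirm with `netsh firewall show portopening` that the only unscoped entry is UDP 53.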

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
