RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

> Just curious...wouldn't it make sense to apply the patch unless one's DNS server is firewalled both internally and externally?

Definitely! I'd go as far as to say that it is reasonable to apply the same security concepts to your internal network as you do for your external network and DMZ. You simply can't trust that the bad guys are always kept outside the network; many breaches come from the inside, and one compromised host will certainly have too much privilege on the internal network. Few administrators firewall and monitor their internal traffic. In my corporate day job, I've seen far too many networks that are built like an igloo: hard and crunchy on the outside, soft and chewy on the inside.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, April 13, 2007 12:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

> Just curious...wouldn't it make sense to apply the patch unless one's DNS server is firewalled both internally and externally? We have seen botnet owners launch high volume trojan campaigns at the drop of a hat, and if it is in fact the botnet owners that are going to exploit this, it would seem that they could attack from clients within one's network. It's a much less likely scenario than the worm or direct Internet attack approaches, but it certainly would still seem to be a vulnerability. I suppose that it may depend on how ultimately important security is for one's organization, after all, we don't all use retinal scanners to unlock our doors :)
>
> Keep in mind that this was detected in the wild 7 days before Microsoft even released the advisory. The original posts say that the traffic looks similar to Blaster worm traffic. Here's what happened back in 2003 with that one...note that it hit one month after the advisory and that one was using ports <1024, though fixed ports that are easier to target if open:
> http://isc.sans.org/diary.html?date=2003-08-11
>
> Matt
Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Just curious...wouldn't it make sense to apply the patch unless one's DNS server is firewalled both internally and externally? We have seen botnet owners launch high volume trojan campaigns at the drop of a hat, and if it is in fact the botnet owners that are going to exploit this, it would seem that they could attack from clients within one's network. It's a much less likely scenario than the worm or direct Internet attack approaches, but it certainly would still seem to be a vulnerability. I suppose that it may depend on how ultimately important security is for one's organization, after all, we don't all use retinal scanners to unlock our doors :)

Keep in mind that this was detected in the wild 7 days before Microsoft even released the advisory. The original posts say that the traffic looks similar to Blaster worm traffic. Here's what happened back in 2003 with that one...note that it hit one month after the advisory and that one was using ports <1024, though fixed ports that are easier to target if open:
http://isc.sans.org/diary.html?date=2003-08-11

Matt

Colbeck, Andrew wrote:

> The Administrators who should be applying the workaround are precisely the same Administrators that have accidentally allowed inbound connections on arbitrary ephemeral ports, i.e. if they clumsily opened connections as per Darrell's suggestion of how/why this lack of firewalling might happen.
>
> If you /are not sure/, then apply the workaround.
>
> If you /are sure/, but like a belt and suspenders approach and can live without using the MMC snap-in to remotely manage your DNS server, apply the workaround.
>
> Normal DNS traffic, including zone transfers, is not affected.
>
> I've provided the requisite registry entries as text file attachments. Rename from .txt to .reg and apply the disable registry file, then stop and start the DNS service. Then test your DNS with a query or two, and test if the MMC snap-in can truly not manage from a remote machine if you are so inclined. It worked for me.
>
> Andrew.

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

http://secunia.com/advisories/24891/

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, April 13, 2007 12:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

> Mark,
>
> You have a link for those?
>
> Darrell
RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

The Administrators who should be applying the workaround are precisely the same Administrators that have accidentally allowed inbound connections on arbitrary ephemeral ports, i.e. if they clumsily opened connections as per Darrell's suggestion of how/why this lack of firewalling might happen.

If you are not sure, then apply the workaround.

If you are sure, but like a belt and suspenders approach and can live without using the MMC snap-in to remotely manage your DNS server, apply the workaround.

Normal DNS traffic, including zone transfers, is not affected.

I've provided the requisite registry entries as text file attachments. Rename from .txt to .reg and apply the disable registry file, then stop and start the DNS service. Then test your DNS with a query or two, and test if the MMC snap-in can truly not manage from a remote machine if you are so inclined. It worked for me.

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, April 13, 2007 11:53 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

> Sounds then like it should be more specific. It would seem to make sense not to expose services such as DNS, which run as SYSTEM and have full rights, to RPC traffic on variably assigned ports higher than 1024. Maybe that makes more sense.
>
> We're awfully lucky that stateful firewalls evolved and became generally available before worms became prolific.
>
> Based on what SANS says, they recommend option #1 of the recommendations that says "Disable remote management over RPC for the DNS server via a registry key setting." at https://isc.sans.org/diary.html?storyid=2627
>
> It would also seem that if one is not running Windows DNS, then you are not at risk from this particular threat. Note that this bug has the potential of becoming another Code Red/Nimda/SQL Slammer if it is worm-ified and pushed out before the eventual Windows Update is widely implemented. Seems that spammers are more interested in owning boxes rather than wreaking widespread havoc with worms these days though.
>
> Matt

Attachment (removes the RpcProtocol value, i.e. back to the default):

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
    "RpcProtocol"=-

Attachment (the "disable" file):

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
    "RpcProtocol"=dword:000
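Andrew's procedure above (apply the disable .reg file, stop and start the DNS service, test with a query, and confirm that remote MMC management really is gone) written out as an added PowerShell example for a current Windows Server. This is not code from the thread or from Microsoft. It assumes Windows Server 2012 or later (for Get-NetTCPConnection and Resolve-DnsName), that it runs elevated on the DNS server itself, and that the RpcProtocol value 4 (RPC over LPC only, so the local console keeps working) is the value Microsoft's Advisory 935964 documents for this workaround; confirm that against the advisory before applying it. $TestName is a placeholder for a name your server can resolve.

```powershell
# Added example, not code from the original thread: apply (or undo) Microsoft's
# "disable remote management over RPC" workaround for the Windows DNS Server
# service, then verify that the server still answers DNS and that dns.exe no
# longer listens on an RPC dynamic TCP port. Run elevated on the DNS server.
# Assumptions: Windows Server 2012+ (Get-NetTCPConnection / Resolve-DnsName);
# the value 4 (RPC over LPC only) is taken from Microsoft Security Advisory
# 935964 as the documented workaround value; confirm before use.
param(
    [switch]$Restore,                      # delete the value again (same effect as the "=-" .reg file)
    [int]$RpcProtocolValue = 4,            # assumed advisory value; 0 would also break the local MMC
    [string]$TestName = 'www.example.com'  # placeholder: any name this server can resolve
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name = 'RpcProtocol'

function Get-RpcProtocol {
    # Current RpcProtocol value, or a marker when the value is absent (service default).
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return '<not set, default>' }
    return $p.$name
}

function Get-DnsListenPorts {
    # TCP ports on which the DNS Server process (dns.exe) is currently listening.
    $dnsPid = (Get-Process -Name dns -ErrorAction Stop).Id
    Get-NetTCPConnection -State Listen -OwningProcess $dnsPid |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
}

Write-Host "Before: RpcProtocol = $(Get-RpcProtocol); dns.exe TCP listeners: $((Get-DnsListenPorts) -join ', ')"

if ($Restore) {
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
} else {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $RpcProtocolValue -Force | Out-Null
}

# The service reads RpcProtocol only at start-up, hence the stop/start in the thread.
Restart-Service -Name DNS -Force
$svc = Get-Service -Name DNS
if ($svc.Status -ne 'Running') { throw "DNS service is $($svc.Status) after restart" }

$ports = @(Get-DnsListenPorts)
Write-Host "After:  RpcProtocol = $(Get-RpcProtocol); dns.exe TCP listeners: $($ports -join ', ')"

# Check 1: normal DNS still works (zone data and zone transfers are not touched by the workaround).
$answer = Resolve-DnsName -Name $TestName -Server 127.0.0.1 -ErrorAction Stop
Write-Host "DNS query for $TestName OK ($($answer.Count) record(s))"

# Check 2: with remote RPC management off, the only TCP listener left should be 53.
$rpcPorts = @($ports | Where-Object { $_ -ne 53 })
if (-not $Restore -and $rpcPorts.Count -gt 0) {
    Write-Warning "dns.exe still listens on TCP $($rpcPorts -join ', '); remote RPC management may still be reachable"
} elseif (-not $Restore) {
    Write-Host "No RPC dynamic-port listener left; the DNS MMC snap-in from another machine should now fail, as intended."
}
```

On the Windows 2000/2003 hosts the thread is about, the same steps are regedit with Andrew's .reg files, `net stop dns` followed by `net start dns`, an nslookup against the server, and `netstat -ano` (XP/2003) to see whether dns.exe still owns a listener other than 53. Run with `-Restore` to delete the value and return to the default once the patch is installed.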
Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Sounds then like it should be more specific. It would seem to make sense not to expose services such as DNS, which run as SYSTEM and have full rights, to RPC traffic on variably assigned ports higher than 1024. Maybe that makes more sense.

We're awfully lucky that stateful firewalls evolved and became generally available before worms became prolific.

Based on what SANS says, they recommend option #1 of the recommendations that says "Disable remote management over RPC for the DNS server via a registry key setting." at https://isc.sans.org/diary.html?storyid=2627

It would also seem that if one is not running Windows DNS, then you are not at risk from this particular threat. Note that this bug has the potential of becoming another Code Red/Nimda/SQL Slammer if it is worm-ified and pushed out before the eventual Windows Update is widely implemented. Seems that spammers are more interested in owning boxes rather than wreaking widespread havoc with worms these days though.

Matt

Sanford Whiteman wrote:

>> It is also odd and possibly grossly incompetent of Microsoft to choose to use ports 1024+ for such purposes, but I'm thinking that they have some weakly justifiable reason to do this as a "feature".
>
> RPC endpoints always choose dynamic ports in the customary ephemeral range, not the reserved range. This is by definition and common sense. RPC is not a Microsoft invention. It was pioneered by Xerox & Sun and was implemented using the same basic model across many OSs.
>
> --Sandy
Re[2]: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

> It is also odd and possibly grossly incompetent of Microsoft to choose to use ports 1024+ for such purposes, but I'm thinking that they have some weakly justifiable reason to do this as a "feature".

RPC endpoints always choose dynamic ports in the customary ephemeral range, not the reserved range. This is by definition and common sense. RPC is not a Microsoft invention. It was pioneered by Xerox & Sun and was implemented using the same basic model across many OSs.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

This shouldn't be an issue for most of us. My DMZ boxes are already as hardened as I can get them, with the firewall (ingress and egress), patches, and IP filtering. I would think that most ISPs and corporate networks would be using the same techniques.

We gave up relying on M$ and other vendor patches keeping us safe. Our solution is to block all traffic except that which is explicitly needed by any server. Our DNS/SmarterMail/FTP server only has those ports exposed to the Internet that are absolutely needed. Management from inside to our DMZ is limited to a few workstations by the firewall. If someone needs to work from home, they have to VPN inside, hit a registered workstation/server, and THEN hit our DMZ boxes. Convoluted, yes. PITA at times, sure. But it's pretty damn secure. 5 years and we haven't had a break yet (crossing fingers).

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Friday, April 13, 2007 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

> While we are on the topic of vulnerabilities I just saw 2 new vulnerabilities found in clamav.
>
> Mark Reimer
Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Mark,

You have a link for those?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Mark Reimer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 13, 2007 1:29 PM
Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

> While we are on the topic of vulnerabilities I just saw 2 new vulnerabilities found in clamav.
>
> Mark Reimer
RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

While we are on the topic of vulnerabilities I just saw 2 new vulnerabilities found in clamav.

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Friday, April 13, 2007 12:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

> You could do Microsoft's registry workaround if you are not using the remote management.
>
> Mark Reimer
RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

You could do Microsoft's registry workaround if you are not using the remote management.

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, April 13, 2007 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

>> However, for ISPs that use MS DNS servers and do remote management from the inside - their customers could potentially exploit them.
>>
>> I have worked with folks who run services other than mail on their DNS servers. One example is FTP. With passive ftp high ports 1024+ need to be open both ways. So if they are using standard ACLs and not a firewall this could lead to some trouble as well.
>
> Stateful firewalls don't need to open these ports for passive FTP. The FTP connection is established on the standard port after which the passive port is shared with the client and the firewall tracks this and allows the connection.
>
> As a rule of thumb, RPC should never be exposed to untrusted IP space. It is also odd and possibly grossly incompetent of Microsoft to choose to use ports 1024+ for such purposes, but I'm thinking that they have some weakly justifiable reason to do this as a "feature".
>
> Matt
Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
> However, for ISPs that use MS DNS servers and do remote management from the inside - their customers could potentially exploit them.
> I have worked with folks who run services other than mail on their DNS servers. One example is FTP. With passive ftp high ports 1024+ need to be open both ways. So if they are using standard ACLs and not a firewall this could lead to some trouble as well.

Stateful firewalls don't need to open these ports for passive FTP. The FTP connection is established on the standard port, after which the passive port is shared with the client, and the firewall tracks this and allows the connection.

As a rule of thumb, RPC should never be exposed to untrusted IP space. It is also odd and possibly grossly incompetent of Microsoft to choose to use ports 1024+ for such purposes, but I'm thinking that they have some weakly justifiable reason to do this as a "feature".

Matt

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
> It does NOT affect the DNS port - ONLY RPC connections. So, if someone has

Correct.

> Assuming that everyone is firewalling their servers so that only necessary ports are open on the outside, this is not a high priority item.

However, for ISPs that use MS DNS servers and do remote management from the inside - their customers could potentially exploit them.

I have worked with folks who run services other than mail on their DNS servers. One example is FTP. With passive ftp high ports 1024+ need to be open both ways. So if they are using standard ACLs and not a firewall this could lead to some trouble as well.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, April 13, 2007 10:08 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

FYI - This looks pretty serious and will probably affect most of us.

This alert is to notify you that Microsoft has released Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - on 12 April 2007.

Summary:

Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

Microsoft's initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Recommendations:

Review Microsoft Security Advisory 935964 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site: http://support.microsoft.com/common/international.aspx.

Additional Resources:

* Microsoft Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/advisory/935964.mspx

* MSRC Blog: http://blogs.technet.com/msrc/

Note: check the MSRC Blog periodically as new information may appear there.

Regarding Information Consistency:

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Security Advisories posted to the web are occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in the web-based Security Advisory, the information in the web-based Security Advisory is authoritative.

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team

--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
But from what I read last night, it is only serious if some one is running a MS DNS server that is not behind a firewall or otherwise has the range of ports in question open from the Internet.

John T

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Friday, April 13, 2007 7:08 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
>
> FYI - This looks pretty serious and will probably affect most of us.
>
> This alert is to notify you that Microsoft has released Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - on 12 April 2007.
>
> Summary:
>
> Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.
>
> Microsoft's initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.
>
> Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
>
> Recommendations:
>
> Review Microsoft Security Advisory 935964 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources.
>
> Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security.
>
> International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site: http://support.microsoft.com/common/international.aspx.
>
> Additional Resources:
>
> * Microsoft Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/advisory/935964.mspx
>
> * MSRC Blog: http://blogs.technet.com/msrc/
>
> Note: check the MSRC Blog periodically as new information may appear there.
>
> Regarding Information Consistency:
>
> We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Security Advisories posted to the web are occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in the web-based Security Advisory, the information in the web-based Security Advisory is authoritative.
>
> If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.
>
> Thank you,
> Microsoft PSS Security Team
>
> --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
>
> --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
Hi Darrell:

It does NOT affect the DNS port - ONLY RPC connections. So, if someone has infiltrated your local network ALREADY, then they can issue remote procedure calls (which is what the DNSadmin uses to manage your DNS server from your workstation) to also gain access to your DNS server system.

Assuming that everyone is firewalling their servers so that only necessary ports are open on the outside, this is not a high priority item. In reality, it's not any worse than all the other vulnerabilities of the operating system itself that are detected every month that rely on NetBIOS, SMB, etc. ports/features which should never be open to the WAN side.

Best Regards,
Andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Friday, April 13, 2007 10:08 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

FYI - This looks pretty serious and will probably affect most of us.

This alert is to notify you that Microsoft has released Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - on 12 April 2007.

Summary:

Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

Microsoft's initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Recommendations:

Review Microsoft Security Advisory 935964 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site: http://support.microsoft.com/common/international.aspx.

Additional Resources:

* Microsoft Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/advisory/935964.mspx

* MSRC Blog: http://blogs.technet.com/msrc/

Note: check the MSRC Blog periodically as new information may appear there.

Regarding Information Consistency:

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Security Advisories posted to the web are occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in the web-based Security Advisory, the information in the web-based Security Advisory is authoritative.

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team

--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
FYI - This looks pretty serious and will probably affect most of us.

This alert is to notify you that Microsoft has released Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - on 12 April 2007.

Summary:

Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

Microsoft's initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Recommendations:

Review Microsoft Security Advisory 935964 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site: http://support.microsoft.com/common/international.aspx.

Additional Resources:

* Microsoft Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/advisory/935964.mspx

* MSRC Blog: http://blogs.technet.com/msrc/

Note: check the MSRC Blog periodically as new information may appear there.

Regarding Information Consistency:

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Security Advisories posted to the web are occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in the web-based Security Advisory, the information in the web-based Security Advisory is authoritative.

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team

--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.