Microsoft Windows WINS Replication Packet Handling Vulnerability (MS04-045)
| Attack ID: | CPAI-2004-61 |
| Publish Date: | |
| Last Update: | |
| Category: | Microsoft Windows vulnerabilities |
| Vulnerable Systems: | Microsoft Windows 2000 Advanced Server; Microsoft Windows 2000 Datacenter Server; Microsoft Windows 2000 Server; Microsoft Windows NT 4.0 Server; Microsoft Windows NT 4.0 Server, Terminal Server Edition; Microsoft Windows Server 2003 Enterprise Edition; Microsoft Windows 2000 Server Datacenter Server; Microsoft Windows Server 2003 Datacenter Edition; Microsoft Windows Server 2003 Web Edition; Microsoft Windows Server 2003 Standard Edition |
| Source: | Secunia ID 13328 |
| Description: | A vulnerability exists in Microsoft Windows Internet Naming Service (WINS), a service that maps IP addresses to computer names. By supplying a specially crafted packet to a vulnerable WINS server, an attacker may be able to execute arbitrary code or cause a denial of service condition. |
| Severity: | |
| Details: | The Microsoft WINS service maps IP addresses to NetBIOS computer names. WINS servers share information via a server-to-server replication protocol that operates on TCP port 42 or UDP port 42. The WINS replication protocol allows WINS servers to synchronize their databases. The vulnerability is caused by an error in how WINS handles replication packets. It can be exploited to write 16 bytes to an arbitrary memory location by sending a specially crafted WINS replication packet to a vulnerable server. |
| Attack Detection: | Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect who have performed the Update outlined below will be able to identify this attack by the following logging entries: Users of R55W and InterSpect Users of R55: Rule 99642 - MS WINS replication protocol over TCP attack |
| Solution: | Users of VPN-1 NG with Application Intelligence R55 and InterSpect should update their SmartDefense by clicking the Update Now button on the SmartDefense SmartDashboard General window. Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking the Online Update button on the SmartDefense SmartDashboard General window. The Update blocks specially crafted WINS packets before these packets manage to enter the network. For more granularity, two services have been added: inspection of WINS replication protocol over TCP on IP protocol 6 and inspection of WINS replication protocol over UDP on IP protocol 17. The new protection has been added to the SmartDefense navigation tree, under Microsoft Networks > Block WINS replication attack. To activate the protection (R55, R55W, InterSpect): 1. On the SmartDefense navigation tree, select Application Intelligence > Microsoft Networks and then select Block WINS replication attack. 2. Install policy on all modules. Note: Alternatively, for a more granular inspection, a service has been added for users of VPN-1 NG with Application Intelligence R55 and R55W. Placing the service in the VPN-1 rule base makes it possible to block WINS replication traffic among specific WINS servers with pre-defined IP addresses. The service can be viewed by clicking Manage > Services and scrolling down to MS_WINS_Replication_TCP_SD. |
| Industry Reference: | CAN-2004-1080 |
| Additional Information: | US-CERT VU#145134 |
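
The note in the Solution row ties WINS replication on port 42 to servers with pre-defined IP addresses. The same check can be run over connection logs, shown here as an added example that is not part of the original advisory or of any Check Point product; the log layout, partner addresses and function names are assumptions constructed for illustration.

```python
import ipaddress

WINS_PORT = 42                   # WINS replication port named in the advisory
WINS_PROTOCOLS = {"tcp", "udp"}  # IP protocols 6 and 17

# Assumed replication partners (constructed documentation addresses).
PARTNERS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}

# Constructed sample records: timestamp proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2004-12-15T10:00:01 tcp 192.0.2.10 1055 192.0.2.11 42
2004-12-15T10:00:07 tcp 198.51.100.23 4021 192.0.2.11 42
2004-12-15T10:00:09 udp 203.0.113.5 3300 192.0.2.10 42
2004-12-15T10:00:12 tcp 192.0.2.10 1060 192.0.2.11 445
2004-12-15T10:00:15 TCP 192.0.2.11 1101 198.51.100.23 42
malformed line
"""


def parse_record(line):
    """Return a dict for one well-formed record, or None if it cannot be parsed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, proto, src, _sport, dst, dport = fields
    try:
        return {"ts": ts, "proto": proto.lower(),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport)}
    except ValueError:
        return None


def unexpected_wins_flows(log_text, partners):
    """List port-42 flows where either end is not a known replication partner."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["proto"] not in WINS_PROTOCOLS:
            continue
        if rec["dport"] != WINS_PORT:
            continue
        if rec["src"] in partners and rec["dst"] in partners:
            continue  # expected partner-to-partner replication
        findings.append((rec["ts"], rec["proto"], str(rec["src"]), str(rec["dst"])))
    return findings


if __name__ == "__main__":
    for finding in unexpected_wins_flows(SAMPLE_LOG, PARTNERS):
        print("unexpected WINS replication flow:", *finding)
```

Flows from a partner to a non-partner on port 42 are reported as well, since replication should stay between the configured servers in both directions.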

