Preemptive Protection against Malformed DNS Resource Records Vulnerability (MS06-041)
| Check Point Reference: | CPAI-2006-095 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Microsoft Security Bulletin MS06-041 US-CERT VU#794580 |
|
| Industry Reference(s): | CVE-2006-3441 | |
| Protection Provided by: |
VPN-1
|
|
|
Who is Vulnerable? Microsoft Windows 2000 SP4 Microsoft Windows XP SP1, SP2 Microsoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 Microsoft Windows Server 2003 SP1 Microsoft Windows Server 2003 for Itanium-based Systems Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Microsoft Windows Server 2003 x64 Edition |
||
| Vulnerability Description The Domain Name System (DNS) client service resolves and caches DNS names. The Microsoft DNS Client service fails to handle specific overly long resource records. An attacker could exploit the vulnerability by sending a specially crafted DNS record to an affected client. Successful exploitation could grant an attacker complete control of the affected system. |
||
|
Update/Patch Available Apply patches: Microsoft Security Bulletin MS06-041 |
|
|
Vulnerability Details The vulnerability can be triggered when Microsoft DNS client service handles overly long Text (TXT) and Host Information (HINFO) resource records. If successful, a remote unauthenticated attacker can gain complete control of a system by either sending a a specially crafted DNS communication to an affected system from a subnet between the target host and DNS server; or by convincing the target host to make a DNS request to receive a specially crafted record response from an attacking server. |
Protection Overview
The vulnerability can be blocked by enabling The DNS TCP Protocol Enforcement protection, supported for VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W and InterSpect NGX. This protection monitors DNS traffic to ensure that only RFC compliant DNS records passing over TCP are allowed. As such, overly long Text (TXT) and Host Information (HINFO) DNS resource records will be blocked.
To configure the defense, select your product from the list below and follow the related protection steps.
VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > DNS > Protocol Enforcement; in the configuration pane click TCP protocol enforcement.
2. Apply security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Invalid DNS
Attack Information: DNS data is too long
InterSpect NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > DNS > Protocol Enforcement; in the configuration pane click TCP protocol enforcement. 
2. Apply security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Invalid DNS
Attack Information: DNS data is too long