
Protection against Microsoft Windows HTTP Services Certificate Name Mismatch Remote Code Execution Vulnerability (MS09-013)

Check Point Reference: SBP-2009-10
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS09-013
Industry Reference(s): CVE-2009-0089
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX R65
InterSpect
  • NGX
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP1 (Itanium)
Windows Server 2003 with SP2 (Itanium)
Windows Vista
Windows Vista SP1
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Vulnerability Description
A spoofing vulnerability has been reported in Microsoft Windows HTTP Services. Windows HTTP Services (WinHTTP) provides developers with an HTTP client application programming interface (API) to send requests through the HTTP protocol to other HTTP servers. A remote attacker may exploit this issue to impersonate a secure (HTTPS) web site.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS09-013
Vulnerability Details
The vulnerability is due to WinHTTP's incomplete validation of the distinguished name in a digital certificate. An attacker would need to combine this vulnerability with DNS spoofing in order to successfully spoof the digital certificate of a web site for any application that uses Windows HTTP Services.

Protection Overview
IPS/SmartDefense offers protections against DNS cache poisoning that, when enabled, block attempts to exploit the WinHTTP spoofing vulnerability. No update is required to address this issue. IPS-1 detects and blocks attempts to hijack DNS servers via response ID/port guessing.

Scrambling
A host that initiates a DNS query assigns a Query ID number to each request. Given the ID number and source port, an attacker can send a spoofed reply that contains false information on behalf of the name server to which the request was initially sent. This enables the redirection of hosts to fake web sites that can be used to collect private user information. The protection can be applied either to all traffic or to specific servers.
By enabling this protection, SmartDefense will protect the corporate DNS server from cache poisoning by scrambling the source port and query ID number of each DNS request.

Drop Inbound Requests (in IPS: Inbound DNS Requests)
An organizational name server may be subject to queries regarding zones that are not associated with the organization's domain. If this type of request is allowed, the DNS server will waste its resources on Internet queries that are not related to the organization's network. SmartDefense protection can prevent unauthorized inbound queries whose content is not part of the name server's predefined zones. SmartDefense enables the creation of a list of DNS servers for which inbound requests for external domain information are rejected.
By enabling this protection, SmartDefense will prevent unauthorized inbound queries whose content is not part of the name server's predefined zones. SmartDefense enables the creation of a list of DNS servers for which inbound requests for external domain information are rejected. Please note that in order for the protection to work properly, domains must be defined and assigned to the configured DNS servers.

Mismatched Replies
A mismatched reply occurs when a DNS response does not match any previous request. When a large number of mismatched replies occurs over a specific period of time, it can be assumed that the network has been corrupted. To protect against this, SmartDefense employs a threshold to detect mismatched replies. When the threshold limit is reached, the incidents of mismatched replies are logged and an alert is issued.
By enabling this protection, SmartDefense employs a threshold to protect the network from cache poisoning. The threshold detects mismatched replies when more than a specific number of them occur within a specific period of time.
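The following is an added illustration of the detection logic described above for the Scrambling and Mismatched Replies protections; it is not Check Point code. It tracks outstanding queries by (source port, query ID), treats any reply that matches no pending transaction as mismatched, and alerts when more than a threshold of mismatches arrive within a sliding time window. The threshold, window and the DNS transactions fed to it are constructed sample values.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class MismatchedReplyDetector:
    """Threshold detector for DNS replies that match no outstanding query.

    threshold/window are constructed example values, not product defaults."""
    threshold: int
    window: float
    outstanding: set = field(default_factory=set)   # pending (port, qid) pairs
    mismatches: deque = field(default_factory=deque)  # timestamps in the window
    alerts: list = field(default_factory=list)        # (ts, count) when fired

    def query(self, src_port: int, qid: int) -> None:
        # Outbound query from the protected resolver: remember its transaction.
        # A spoofer must guess exactly this pair, which is why scrambling
        # both the port and the ID raises the cost of a blind injection.
        self.outstanding.add((src_port, qid))

    def reply(self, dst_port: int, qid: int, ts: float) -> bool:
        """Process an inbound reply; return True if it matched a pending query."""
        key = (dst_port, qid)
        if key in self.outstanding:
            self.outstanding.discard(key)  # one reply per transaction
            return True
        # Mismatched reply: slide the window forward, then count it.
        self.mismatches.append(ts)
        while self.mismatches and ts - self.mismatches[0] > self.window:
            self.mismatches.popleft()
        if len(self.mismatches) > self.threshold:
            self.alerts.append((ts, len(self.mismatches)))
            self.mismatches.clear()  # do not re-alert on the same burst
        return False


def run_constructed_trace():
    """Constructed trace: one legitimate reply, then a burst of guessed IDs."""
    det = MismatchedReplyDetector(threshold=5, window=2.0)
    det.query(53001, 0x1A2B)
    legit = det.reply(53001, 0x1A2B, 0.0)  # matches the pending query
    det.query(53002, 0x4000)
    for i in range(8):                      # eight wrong IDs, 100 ms apart
        det.reply(53002, 0x9000 + i, 0.1 * i)
    first_count = det.alerts[0][1] if det.alerts else None
    return legit, len(det.alerts), first_count  # -> (True, 1, 6)
```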

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > DNS > Cache Poisoning.
2. In the right pane, double-click the following protections:

Scrambling
Inbound DNS Requests
Mismatched Replies

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies  

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > DNS > Cache Poisoning.
2. Select the following protections:

Scrambling
Drop Inbound Requests
Mismatched Replies


3. In the configuration pane, under Settings > Mode, check Active.
4. The Scrambling and the Drop Inbound Requests protections can be applied either to all traffic or to specific servers.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies  

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > DNS > Cache Poisoning.
2. Select the following protections:

Scrambling
Drop Inbound Requests
Mismatched Replies

3. The Scrambling and the Drop Inbound Requests protections can be applied either to all traffic or to specific servers.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > DNS > Cache Poisoning.
2. Select the following protections:

Scrambling
Drop Inbound Requests
Mismatched Replies


3. In the configuration pane, under Settings > Mode, check Active.
4. The Scrambling and the Drop Inbound Requests protections can be applied either to all traffic or to specific servers.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies  

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > DNS > Cache Poisoning.
3. Select the following protections:

Scrambling
Drop Inbound Requests
Mismatched Replies

4. The Scrambling and the Drop Inbound Requests protections can be applied either to all traffic or to specific servers.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

When Scrambling is enabled:
Attack Name: Invalid DNS
Attack Information: Out-of-state DNS reply

When Drop Inbound Requests is enabled:
Attack Name: Invalid DNS
Attack Information: Unauthorized domain request

When Mismatched Replies is enabled:
Attack Name: Invalid DNS
Attack Information: Mismatched Replies

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > DNS, and select the DNS Hijack Attack protection group.
3.a. Click Attempted DNS Hijacking (IPS-1 NGX R65 only).
   b. Click Successful DNS Hijacking (IPS-1 NGX R65 only).
   c. Click Vulnerable DNS Resolver (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: DNS Hijack Attempt
Description: one of Attempted DNS Hijacking, Successful DNS Hijacking or Vulnerable DNS Resolver