Secplicity - Security Simplified

Powered by WatchGuard Technologies

Nasty WINS Messages Hijack Windows Servers

May 10, 2011 By Corey Nachreiner

Severity: High

10 May, 2011

Summary:

  • These vulnerabilities affect: Windows Server 2003 and 2008
  • How an attacker exploits them: By sending specially crafted WINS packets
  • Impact: An attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a Critical vulnerability that affects Windows Server 2003 and 2008.

The flaw lies within the Windows Internet Name Service (WINS), which is essentially Microsoft’s version of the NetBIOS Name Service (NBNS) — a service that allows you to give computers human-friendly names (kind of like a DNS for your local network computers).

According to Microsoft, the WINS service suffers from a memory corruption flaw due to its inability to handle specially crafted WINS messages. By sending such WINS packets, an attacker can leverage this flaw to force your WINS server to execute code with SYSTEM privileges, thus gaining full control of the server.

However, two factors significantly mitigate the scope of this flaw:

  1. Windows Server does not install the WINS service by default. You are only vulnerable if you have installed it yourself. However, almost every network administrator installs the WINS service on at least one server; usually one that’s critical to the organization’s network.
  2. Firewalls, like our XTM appliances, block the WINS service by default. WINS uses TCP and UDP port 42. Administrators should never allow this port through their firewall. This limits the WINS attack to primarily an internal risk. That said, certain malware, such as worms or bot clients, often leverage these sorts of local Windows networking flaws to propagate throughout the rest of your local network.

Despite its mitigating factors, this WINS vulnerability does pose a critical risk to Windows servers. You should download, test, and deploy the proper updates as soon as possible.
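Because only servers with the WINS service installed are exposed, a quick inventory tells you where to patch first. The script below is an added example, not code from WatchGuard or Microsoft; it assumes Windows PowerShell with WMI access to the servers you query, and the `$Servers` list is a placeholder for your own hostnames.

```powershell
param(
    # Placeholder host list (assumption): replace with the servers you manage.
    [string[]]$Servers = @($env:COMPUTERNAME)
)

$report = foreach ($server in $Servers) {
    $state  = 'n/a'
    $start  = 'n/a'
    try {
        # The WINS role registers a Windows service named "WINS".
        # An empty result means the role was never installed on this host.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $server `
                   -Filter "Name='WINS'" -ErrorAction Stop

        if ($null -eq $svc) {
            $finding = 'WINS not installed'
            $action  = 'Not affected by this bulletin'
        } else {
            $state = $svc.State
            $start = $svc.StartMode
            if ($svc.State -eq 'Running') {
                $finding = 'WINS installed and running'
                $action  = 'Apply MS11-035 first; confirm TCP/UDP 42 is not allowed through the firewall'
            } else {
                $finding = 'WINS installed, not running'
                $action  = 'Apply MS11-035 before the service is started again'
            }
        }
    } catch {
        # Keep "could not query" separate from "not installed" so an
        # unreachable server is never reported as safe.
        $finding = 'Query failed'
        $action  = "Check manually: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Server    = $server
        Finding   = $finding
        State     = $state
        StartMode = $start
        Action    = $action
    }
}

$report | Select-Object Server, Finding, State, StartMode, Action |
    Format-Table -AutoSize -Wrap
```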

Solution Path:

Microsoft has released patches to fix this vulnerability. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-035:

  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)

For All WatchGuard Users:

By default, WatchGuard appliances block the WINS service (TCP/UDP 42), and will prevent Internet-based attackers from leveraging this flaw against your servers. As long as you haven’t specifically allowed WINS through your firewall, you remain safe against external attacks. That said, if malware does somehow sneak into your network, it often leverages this sort of Windows networking flaw to propagate throughout the rest of your network. Therefore, we still recommend you patch as soon as you can.

Status:

Microsoft has released patches correcting this flaw.

References:

  • Microsoft Security Bulletin MS11-035

This alert was researched and written by Corey Nachreiner, CISSP.

