Severity: High
10 May, 2011
Summary:
- These vulnerabilities affect: Windows Server 2003 and 2008
- How an attacker exploits them: By sending specially crafted WINS packets
- Impact: An attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.
Exposure:
As part of today’s Patch Day, Microsoft released a security bulletin describing a Critical vulnerability that affects Windows Server 2003 and 2008.
The flaw lies within the Windows Internet Name Service (WINS), which is essentially Microsoft’s version of the NetBIOS Name Service (NBNS) — a service that allows you to give computers human friendly names (kind of like a
DNS for your local network computers).
According to Microsoft, the WINS service suffers from a memory corruption flaw due to its inability to handle specially crafted WINS messages. By sending such WINS packets, an attacker can leverage this flaw to force your WINS server to execute code with SYSTEM privileges, thus gaining full control of the server.
However, two factors significantly mitigate the scope of this flaw:
- Windows Server does not install the WINS service by default. You are only vulnerable if you have installed it yourself. However, almost every network administrator installs the WINS service on at least one server; usually one that’s critical to the organization’s network.
- Firewalls, like our XTM appliances block the WINS service by default. WINS uses TCP and UDP port 42. Administrators should never allow this port through their firewall. This limits the WINS attack to primarily an internal risk. That said, certain malware, such as worms or bot clients, often leverage these sorts of local Windows networking flaws to propagate throughout the rest of your local network.
Despite its mitigating factors, this WINS vulnerability does pose a critical risk to Windows servers. You should download, test, and deploy the proper updates as soon as possible.
Solution Path:
Microsoft has released patches to fix this vulnerability. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 Itanium (w/SP2)
For All WatchGuard Users:
By default, WatchGuard appliances block the WINS service (TCP/UDP 42), and will prevent Internet-based attackers from leveraging this flaw against your servers. As long as you haven’t specifically allowed WINS through your firewall, you remain safe against external attacks. That said, if malware does somehow sneak into your network, it often leverages this sort of Windows networking flaw to propagate throughout the rest of your network. Therefore, we still recommend you patch as soon as you can.
Status:
Microsoft has released patches correcting this flaw.
References:
- Microsoft Security Bulletin MS11-034
This alert was researched and written by Corey Nachreiner, CISSP.
What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.