MediumIBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature detects a DNS cache poisoning attack where an attacker sends many DNS responses trying to guess the correct transaction ID for an outstanding query. The attack is initiated by an attacker sending a query to a DNS server, and then when the DNS server repeats the query upstream (to another DNS server), the attacker sends poison answers for the upstream query before the real answer arrives. For this particular signature, an attack response is one that matches a DNS query and has correct IP addresses and UDP port numbers, but has an incorrect DNS transaction ID. The signature triggers based upon pam.dns_cache_poison.answer.limit (default 40), pam.dns_cache_poison.question.limit (default 50), and pam.dns_cache_poison.age.limit (default 3 seconds). If the attacker guesses the transaction ID correctly, he can poison the DNS server's cache. After this signature triggers, all future packets associated with the attack will be dropped by default for sensors operating in inline mode.
This signature detects a DNS cache poisoning attack where an attacker sends many DNS responses trying to guess the correct transaction ID for an outstanding query. If the attacker guesses correctly, he can poison the DNS cache of the receiving server. After this signature detects an attack, all future packets associated with the attack will be dropped (this only applies to sensors operating in inline mode). The automatic drop response will occur when the signature is enabled, REGARDLESS of the blocking configuration of the signature.
This signature detects a DNS cache poisoning attack where an attacker sends many DNS responses trying to guess the correct transaction ID for an outstanding query. If the attacker guesses correctly, he can poison the DNS cache of the receiving server. After this signature detects an attack, all future packets associated with the attack will be dropped (this only applies to sensors operating in inline mode). The automatic drop response can be disabled by setting the tuning parameter 'pam.dns_cache_poison.drop' to 'false'.
IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: A false positive is possible if a single DNS query receives a very large number of legitimate answers. Multiple legitimate answers occur when a DNS query is fanned out upstream, but this activity normally does not rise to the level necessary to trigger this signature. If false positives are known to occur, change the parameter pam.dns_cache_poison.answer.limit to a higher value.
IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: A false negative is possible if the attacker guesses the correct DNS transaction ID of a specific question with very few attempts.
Medium
IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2120, BlackICE Server Protection: 3.6.cqr, Proventia Network MFS: XPU 27.110, Proventia Network IDS: XPU 27.110, Proventia-G 1.1 and earlier: XPU 27.110, BlackICE PC Protection: 3.6cqr, RealSecure Network: XPU 27.110, RealSecure Server Sensor: XPU 27.110, Proventia Desktop: 2120, Proventia Network IPS: XPU 27.110, Proventia Server IPS for Linux technology: 27.110, Virtual Server Protection for Vmware: 1.0
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows 2003 Server: SP1, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, HP Storage Management Appliance: 2.1
Protocol Signature
The Microsoft Windows DNS service in certain versions of Windows 2000 and Windows 2003 could allow a remote attacker to spoof DNS responses and obtain sensitive information. The DNS service fails to provide an adequate amount of entropy in randomization of transaction IDs when querying an upstream DNS server. An attacker could exploit this vulnerability to obtain sensitive information and modify the behavior of services running on a vulnerable system.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-062. See References.
Microsoft Security Bulletin MS07-062
Vulnerability in DNS Could Allow Spoofing (941672)
http://www.microsoft.com/technet/security/Bulletin/MS07-062.mspx
BugTraq Mailing List, Tue Nov 13 2007 - 12:26:43 CST
After 6 months - fix available for Microsoft DNS cache poisoning attack
http://archives.neohapsis.com/archives/bugtraq/2007-11/0176.html
Full-Disclosure Mailing List, Wed Nov 14 2007 - 06:07:28 CST
Predictable DNS transaction IDs in Microsoft DNS Server
http://archives.neohapsis.com/archives/fulldisclosure/2007-11/0348.html
Nortel Web site
Nortel Response to Microsoft Security Bulletin MS07-062
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=667796
HPSBST02291 SSRT071498
Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-061 and MS07-062
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01287209&jumpid=reg_R1002_USEN
IBM Internet Security Systems X-Force Database
Multiple vendor socket entropy DNS spoofing
http://xforce.iss.net/xforce/xfdb/43334
ISS X-Force
Microsoft Windows DNS spoofing information disclosure
http://www.iss.net/security_center/static/36805.php
CVE
CVE-2007-3898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3898