Educause Security Discussion mailing list archives
CRITICAL: Active exploitation of MS09-039 in the EDU sector
From: Doug Pearson <dodpears () REN-ISAC NET>
Date: Tue, 18 Aug 2009 16:54:48 -0400
Regarding: Active exploitation of MS09-039 in the EDU Sector
August 18, 2009

ISSUE:

On August 11, Microsoft announced Bulletin MS09-039. The two CRITICAL vulnerabilities reported in MS09-039 can allow unauthenticated remote code execution on a WINS server, simply by the transmission of a specially-crafted WINS replication packet. Versions of Windows Server 2000 and 2003 are vulnerable; refer to the MS09-039 bulletin [1].

Often WINS services will be located on the same machine as, and/or managed under the same administrator credentials as, an institutional or departmental Active Directory domain. A high risk exists that if WINS is compromised, an AD compromise is either a short step away, or already accomplished. A compromised AD server puts every machine and user in the domain at risk. The only sure way to completely recover from an AD compromise is to completely rebuild the AD and every machine in the domain, and have all users change all their passwords.

The vulnerabilities are being actively exploited. We have received information from a handful of institutions reporting successful WINS compromises, one of which also involved compromise of a small AD domain.

RESOLUTION:

(1) Ensure MS09-039 [1] security updates are installed on all known WINS servers. The Microsoft Baseline Security Analyzer may assist you in performing this task. [2][3]

RISK MITIGATION:

(1) Identify unknown WINS servers on your network by scanning for machines listening on port TCP/UDP 42. Nmap may assist you in performing this task. [4]

(2) Use netflow monitoring for inbound and outbound TCP/UDP 42 to identify suspicious traffic and potentially compromised machines.

(3) Consider blocking TCP/UDP 42 at the border router or firewall. Be sure to understand any unintended consequences this may cause your institution; for example, you would want to create exceptions for any external WINS replication partners.

(4) Leverage host-based firewalls on WINS servers to restrict TCP/UDP 42 to WINS replication partners.

WE RECOMMEND THAT YOU DON'T:

(1) Do not solely rely on border router or firewall blocks, as successful WINS server compromises have been seen originating from inside the organization.

REN-ISAC is monitoring and analyzing attacks in the EDU sector. If you've been attacked and have useful information to share, or if you've experienced a compromise, please let us know at soc @ ren-isac . net

If you have questions or concerns, please contact us.

Regards,

Doug Pearson
Technical Director, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630

REN-ISAC membership: http://www.ren-isac.net/membership.html

References:

[1] MS09-039
    http://www.microsoft.com/technet/security/bulletin/ms09-039.mspx
[2] Microsoft Baseline Security Analyzer
    http://technet.microsoft.com/en-us/security/cc184924.aspx
[3] How To: Use the Microsoft Baseline Security Analyzer
    http://msdn.microsoft.com/en-us/library/aa302360.aspx
[4] Nmap ("Network Mapper")
    http://nmap.org/

-o0o-
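An added example, not part of the REN-ISAC advisory, of the netflow triage described under RISK MITIGATION (1) through (3): given flow records plus an inventory of known WINS servers and approved replication partners, it flags internal hosts being spoken to on port 42 that nobody inventoried as WINS, port-42 traffic into a real WINS server from a non-partner, and outbound port 42 that a border exception list for replication partners would not cover. The 10.0.0.0/8 internal range, every address and every flow record below are constructed.

```python
"""Triage TCP/UDP 42 (WINS replication) flows against a WINS inventory."""
import ipaddress

WINS_PORT = 42

# Hypothetical inventory; substitute your own.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_WINS_SERVERS = {"10.10.1.5", "10.20.1.5"}
REPLICATION_PARTNERS = {"192.0.2.40"}   # external partners exempted from border blocks

# Constructed sample flows (proto, src_ip, src_port, dst_ip, dst_port, bytes);
# each record is assumed to run from client to server.
SAMPLE_FLOWS = [
    ("tcp", "10.10.1.5", 49152, "192.0.2.40", 42, 4096),     # approved outbound replication
    ("tcp", "192.0.2.40", 49200, "10.20.1.5", 42, 4096),     # approved inbound replication
    ("tcp", "10.10.1.5", 49300, "10.20.1.5", 42, 2048),      # internal WINS-to-WINS replication
    ("tcp", "198.51.100.7", 51000, "10.10.1.5", 42, 900),    # external non-partner hitting WINS
    ("udp", "10.10.9.23", 137, "10.10.7.77", 42, 300),       # internal host on 42, not inventoried
    ("tcp", "10.10.1.5", 50000, "203.0.113.9", 42, 1200),    # WINS server reaching an unknown peer
    ("tcp", "10.10.9.23", 50001, "10.10.9.24", 445, 70000),  # unrelated SMB flow, ignored
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_port42(flows, wins_servers=KNOWN_WINS_SERVERS, partners=REPLICATION_PARTNERS):
    """Return (unknown_servers, suspicious_inbound, suspicious_outbound)."""
    unknown_servers, inbound, outbound = set(), [], []
    for proto, src, _sport, dst, dport, _nbytes in flows:
        if dport != WINS_PORT:
            continue
        if is_internal(dst):
            if dst not in wins_servers:
                # Mitigation (1): an internal host nobody listed as WINS is answering on 42.
                unknown_servers.add(dst)
            elif src not in partners and src not in wins_servers:
                # Mitigation (2): inbound 42 to a real WINS server from an unexpected source.
                inbound.append((proto, src, dst))
        elif dst not in partners or src not in wins_servers:
            # Mitigation (2)/(3): outbound 42 the partner exception list would not cover.
            outbound.append((proto, src, dst))
    return unknown_servers, inbound, outbound


if __name__ == "__main__":
    labels = ("unknown WINS servers", "suspicious inbound", "suspicious outbound")
    for label, hits in zip(labels, triage_port42(SAMPLE_FLOWS)):
        print(f"{label}: {sorted(hits)}")
```

Feed it the client-to-server records exported from your collector; a hit in the first set is a candidate for the Nmap check in mitigation (1), and a hit in the third list is a host worth examining for compromise.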