Title

Microsoft DNS Resolution Remote Code Execution Vulnerability (Cat I impact)

Discussion

Microsoft has reported multiple vulnerabilities that affects the way Microsoft Windows Domain Name System (DNS) client service handles malicious Link-local Multicast Name Resolution (LLMNR) queries. LLMNR is a new protocol that provides an additional method to resolve the names of neighboring computers. To exploit the vulnerability, an attacker would require access to the network to send malicious LLMNR broadcast queries to the target systems or run a malicious application that would exploit the vulnerability. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the context of the NetworkService or elevate the attacker's privileges to the NetworkService account and compromise the affected system. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. DNS Query Vulnerability - CVE-2011-0657 A remote code execution vulnerability exists in the way that the DNS client service handles specially crafted LLMNR queries. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the NetworkService account.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-030 (2509553). Vulnerable Applications/Systems: Windows XP SP3 Windows XP Professional x64 SP2 Windows 2003 SP2 (x86, x64 & Itanium) Windows Vista SP1 and SP2 (x86 and x64) Windows Server 2008 and Windows Server 2008 SP2 (x86*, x64* and Itanium) Windows 7 and Windows 7 SP1(x86 and x64) Windows Server 2008 R2 and Windows Server 2008 R2 SP1 (x64* and Itanium) *Server Core installation affected. Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below. Dnsapi.dll Windows XP - 5.1.2600.6089 Windows XP Pro x64 / 2003 - 5.2.3790.4840 Windows Vista SP1 / 2008 - 6.0.6001.18611 or 22866 Windows Vista SP2 / 2008 - 6.0.6002.18416 or 22600 Windows 7 / 2008 R2 - 6.1.7600.16772 or 20914 Windows 7 / 2008 R2 SP1 - 6.1.7601.17570 or 21673

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-26514

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.