Check Point Advisories

Microsoft DNS Server WPAD Registration Spoofing (MS09-008; CVE-2009-0093)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-032
Date Published:	10 Mar 2009
Severity:	High
Last Updated:	Tuesday 17 January, 2012
Source:
Industry Reference:	CVE-2009-0093
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	WPAD feature enables web clients to automatically detect proxy settings without user intervention. A Web Proxy Auto-Discovery (WPAD) registration spoofing vulnerability has been reported in Microsoft DNS servers. The vulnerability is due to an error in the Windows DNS server that fails to correctly validate who can register WPAD entries on the DNS server. By default a DNS server will allow any user to create a registration in the DNS database for WPAD if the name registration does not already exist. A remote attacker may exploit this issue by registering WPAD in the DNS database and point it to an IP address of his choice; it would allow the attacker to conduct a man in the middle attack against any browsers configured to use WPAD to discover proxy server settings.

Protection Overview

This protection will detect and block attempts to register vulnerable names in the DNS database.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft DNS Server WPAD Registration Spoofing (MS09-008) protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: DNS Enforcement Violation.
Attack Information: Microsoft DNS server WPAD registration spoofing (MS09-008)