Check Point Advisories

Microsoft WINS Server WPAD Registration Spoofing (MS09-008; CVE-2009-0094)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-034
Date Published:	10 Mar 2009
Severity:	High
Last Updated:	Thursday 10 May, 2012
Source:
Industry Reference:	CVE-2009-0094
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	The Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. A WPAD registration spoofing vulnerability has been reported in Microsoft WINS servers. The vulnerability is due to an error in the Windows WINS server that fails to correctly validate who can register WPAD entries on the server. By default a WINS server will allow any user to create a registration in the WINS database for WPAD if the name registration does not already exist. A remote attacker may exploit this issue by registering WPAD in the WINS database and point it to an IP address of his choice; it would allow the attacker to conduct a man in the middle attack against any browsers configured to use WPAD to discover proxy server settings.

Protection Overview

This protection will detect and block attempts to register vulnerable names in the WINS database.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft WINS Server WPAD Registration Spoofing (MS09-008) protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Windows SMB Protection Violation.
Attack Information: Microsoft WINS server WPAD registration spoofing (MS09-008)