Check Point Advisories

Microsoft DNS Server Validation Spoofing Weakness (MS09-008; CVE-2009-0233; CVE-2009-0234)

Check Point Reference: CPAI-2009-036
Date Published: 10 Mar 2009
Severity: High
Last Updated: Monday 07 December, 2015
Source:
Industry Reference: CVE-2009-0233, CVE-2009-0234
Protection Provided by:

Security Gateway
R81, R80, R77, R75, R71, R70, R65

Who is Vulnerable?
Vulnerability Description

Multiple spoofing vulnerabilities have been reported in the Windows DNS server. These vulnerabilities could allow a remote attacker to spoof responses and insert records into the DNS server's cache. The DNS caching resolver service saves the responses to DNS queries so that the DNS server is not repeatedly queried for the same information. A remote attacker may exploit these issues to poison the DNS cache. The vulnerabilities are due to an error in the Windows DNS server, which fails to re-use cached responses when it receives specifically crafted duplicate queries, thereby reducing entropy and making the subsequent transaction IDs used by the DNS server more predictable. A remote attacker may exploit this issue by sending specific queries to a vulnerable DNS server and, at the same time, responding in a manner that allows the attacker to insert false or misleading DNS data. By poisoning a DNS server, a remote attacker could direct users to malicious sites or prevent them from accessing web sites of their choice.

Protection Overview

This protection will detect and block multiple requests with the same domain name sent to the vulnerable server.
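The duplicate-query detection described above can be sketched as a sliding-window counter over a DNS query log. This is an added example, not Check Point's IPS logic; the log format, the window and threshold values, and the function names are assumptions.

```python
from collections import defaultdict, deque

# Assumed tuning values (not Check Point's): flag a client that repeats the
# same query more than THRESHOLD times within WINDOW seconds.
WINDOW = 1.0
THRESHOLD = 5

# Constructed sample log, assumed format: "<epoch secs> <client ip> <qname> <qtype>"
SAMPLE_LOG = [
    "1000.00 192.0.2.10 mail.example.org A",
    "1000.10 198.51.100.7 www.example.com A",
    "1000.20 198.51.100.7 WWW.example.com. A",
    "1000.30 198.51.100.7 www.example.com A",
    "1000.40 198.51.100.7 www.Example.com A",
    "1000.50 198.51.100.7 www.example.com A",
    "1000.60 198.51.100.7 www.example.com A",
    "1000.70 198.51.100.7 www.example.com A",
    "1003.00 192.0.2.10 mail.example.org A",
    "1006.00 192.0.2.10 mail.example.org A",
    "garbage line",
]

def normalize(qname):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return qname.rstrip(".").lower()

def find_duplicate_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return sorted (client, qname, qtype) keys that exceed threshold in window."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = set()
    for line in lines:            # lines are assumed to be in time order
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        key = (parts[1], normalize(parts[2]), parts[3].upper())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window: # expire timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(key)
    return sorted(flagged)

if __name__ == "__main__":
    for hit in find_duplicate_bursts(SAMPLE_LOG):
        print("duplicate-query burst:", hit)
```

Normalizing case and the trailing dot matters here because otherwise mixed-case repeats of one name would be counted as different queries and slip under the threshold.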

To activate the protection, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

  1. In the IPS tab, click Protections and find the Microsoft DNS Server Validation Spoofing Weakness (MS09-008) protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  DNS Enforcement Violation.
Attack Information:  Microsoft DNS server query validation weakness (MS09-008)
