We received a couple of e-mails over the weekend asking us why this vulnerability was significant. Most public DNS servers should not be listening on the RPC ports, after all. Indeed, networks obliging to basic secure perimeter design would only allow port 53 UDP/TCP to the authorative DNS servers, and definitely not the additional RPC ports required for exploitation.
However, there are at least two design scenarios that could prove an issue:
- The many Windows servers in use at dedicated hosters. In a large number of cases, these will be single box, do-it-all type hosting machines on the Windows 2003 Web Edition platform. They would be running FTP, HTTP and DNS services, but are usually not shielded by a separate firewall.
- Active directory servers hosted on the internal network are often combined with DNS functionality. These machines are usually less protected than DMZ DNS servers, and other functionality provisioned may require the RPC ports to be available (e.g. some authentication services). If your active directory server is compromised, the game is essentially over.
Also a small update on the Microsoft advisory:
- CVE-2007-1748 is now used to track the vulnerability;
- Microsoft added to their advisory that DNS server local administration and configuration may not work if the computer name is 15 characters of longer. They suggest using the FQDN (Fully Qualified Domain Name) of the host to ensure this works correctly.
Maarten Van Horenbeeck