It is the spring of 2010, not the summer of 2008, but in vulnerability management things sometimes happen with some delay. After publishing the first post, I went for my usual daily browsing of the various infosec news sites. There was news about Adobe now having more vulnerabilities in its products than Microsoft, there was some talk about another new instant messaging worm, but what really blew me away was an advisory published yesterday by Core.
The Microsoft SMTP Service and the Microsoft Exchange Server were severely vulnerable to DNS cache poisoning attacks until April 13th, 2010.
Microsoft released patch 981832 on that Tuesday. The patch actually fixed multiple issues, although only two of them got documented. Microsoft Security Bulletin MS10-024 states that the patch fixes the vulnerabilities documented in CVE-2010-0024 and CVE-2010-0025. CVE-2010-0024 in particular was interesting. According to the CVE, the unpatched Microsoft SMTP component in multiple Microsoft server versions "does not properly parse MX records, which allows remote DNS servers to cause a denial of service (service outage) via a crafted response to a DNS MX record query". Hmm.
It is a curious patch. Does the Microsoft SMTP component really parse the DNS responses independently? How exactly does it resolve unknown domain names?
Nicolás Economou from Core investigated the issue further and found out some very interesting things. The Microsoft SMTP component indeed resolves unknown domain names and parses the DNS responses on its own. It does not use the DNS service offered by the Windows operating system. Nicolás reverse engineered different versions of the Microsoft SMTP component and found out that the DNS resolver in the SMTP component DID NOT randomize the DNS message ID (TXID) in its queries, but instead only incremented it by one for each subsequent query sent. In a sense that did not even matter, since Nicolás also verified that the Microsoft SMTP component DID NOT verify the TXID of the received DNS responses. Apparently, prior to MS10-024, any DNS response arriving on the correct port and containing an MX record for any pending query got accepted as the definitive one. Hmm.
I wonder how the Microsoft SMTP service caches the DNS entries.
The DNS resolver of the Microsoft SMTP component clearly got forgotten during the summer of 2008, when Dan Kaminsky's research triggered the (previously unseen?) mass patching for DNS cache poisoning vulnerabilities. Microsoft fixed the Windows DNS resolver with Microsoft Security Bulletin MS08-037. Microsoft did admit to Core that in addition to fixing the two documented vulnerabilities, MS10-024 also added stronger source port randomization for the outgoing DNS queries, but classified those changes as "defense-in-depth changes".
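To make the two findings above concrete (sequential TXIDs, and responses accepted without a TXID check), here is an added example that is not code from Core, Microsoft or this blog. It builds a DNS MX query and two candidate responses from constructed sample values, then contrasts a resolver model that takes any MX response arriving on its socket with one that performs the checks a resolver is expected to make: matching TXID, response bit set, and an identical question section. The domain names, TXIDs and the `Resolver` class are assumptions for illustration only.

```python
import secrets
import struct

# Constructed sample values for the demonstration (not taken from the advisory).
QNAME = "example.com"
MX_TYPE = 15
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a wire-format name (with compression pointer support); return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            pointed, _ = decode_name(msg, ptr)
            labels.append(pointed)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, qname):
    """Standard MX query: header with RD set and a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", MX_TYPE, IN_CLASS)


def build_mx_response(txid, qname, preference, exchange, ttl=300):
    """Response with QR/RD/RA set and one MX answer record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", MX_TYPE, IN_CLASS)
    rdata = struct.pack("!H", preference) + encode_name(exchange)
    answer = encode_name(qname) + struct.pack("!HHIH", MX_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "flags": flags, "qdcount": qd, "ancount": an}


def parse_question(msg):
    """Return (name, qtype, qclass, offset just past the question)."""
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass, off + 4


def parse_mx_answers(msg):
    """Return a list of (preference, exchange) tuples from the answer section."""
    hdr = parse_header(msg)
    _, _, _, off = parse_question(msg)
    results = []
    for _ in range(hdr["ancount"]):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == MX_TYPE:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            exch, _ = decode_name(msg, off + 2)
            results.append((pref, exch))
        off += rdlen
    return results


def accept_like_unpatched(query, response):
    """Model of the behaviour described for the pre-MS10-024 resolver:
    any MX response reaching the socket is used, the TXID is never compared."""
    return parse_mx_answers(response)


def validate_response(query, response):
    """Checks a resolver is expected to make. Returns the MX list, or None to reject."""
    q, r = parse_header(query), parse_header(response)
    if r["txid"] != q["txid"]:          # TXID must echo the one we sent
        return None
    if not (r["flags"] & 0x8000):       # QR bit: must be a response
        return None
    if parse_question(query)[:3] != parse_question(response)[:3]:
        return None                     # answer must be for the question we asked
    return parse_mx_answers(response)


class Resolver:
    """Hypothetical TXID source: sequential (as found) versus unpredictable."""

    def __init__(self, randomize=True):
        self.randomize = randomize
        self._next = 1

    def next_txid(self):
        if self.randomize:
            return secrets.randbelow(1 << 16)   # 16 bits of entropy per query
        txid = self._next                       # predictable: previous + 1
        self._next = (self._next + 1) & 0xFFFF
        return txid
```

The TXID is only 16 bits, which is why the page's mention of source port randomization matters: randomizing the port multiplies the space a response must match, whereas a fixed port and a sequential or unchecked TXID leave nothing for the resolver to match against at all.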
The two undocumented vulnerabilities Nicolás Economou discovered got documented in CVE-2010-1689 and CVE-2010-1690. I very much agree with Nicolás and Core that the belatedly documented vulnerabilities fixed with MS10-024 greatly increase the criticality of the patch. It is definitely beyond Important. I would say it is in the infamous Your Servers Are Under Attack category now. If you have not yet installed this one, do it fast.
May 5, 2010
Hijacking Emails with Microsoft SMTP Service