Microsoft Security Advisory 935964 - Vuln in RPC on Windows DNS Server

(imported topic written by tim_tsai)

Microsoft released Security Advisory 935964 last Friday to warn customers about a publicly known vulnerability in the Domain Name System (DNS) Server Service. Microsoft is strongly advising customers to deploy the registry key workaround as soon as possible. BigFix has released Fixlet messages to the “Enterprise Security” site that implement Microsoft’s suggested registry key workaround to “disable remote management over RPC capability for DNS Servers.”

The Fixlet messages detect Windows 2000 Server SP4 and Windows Server 2003 SP1/SP2 machines that have the DNS Server service installed but do not have the “RpcProtocol” registry value set to restrict the DNS RPC interface to LPC-only. The Fixlet message action allows the BES operator to deploy the registry change. The action will also restart the DNS Server service if it is currently running so the change will take effect immediately.

Note that after the DNS RPC interface has been restricted to LPC-only, a corresponding “restore” Fixlet message is available to revert “RpcProtocol” to its original value, or remove it if it didn’t previously exist.

Fixlet Messages:

ID 93596401: “935964: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution”

ID 93596402: “935964: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - Restore”

ID 93596405: “935964: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution – Windows Server 2003 (x64)”

ID 93596406: “935964: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution – Restore – Windows Server 2003 (x64)”

For more information, see the following Microsoft web pages:

Microsoft Security Advisory 935964: http://www.microsoft.com/technet/security/advisory/935964.mspx

Microsoft Security Response Center (MSRC) blog entries:

April 13th: http://blogs.technet.com/msrc/archive/2007/04/13/more-information-on-microsoft-security-advisory-935964.aspx

April 15th: http://blogs.technet.com/msrc/archive/2007/04/15/situation-update-on-microsoft-security-advisory.aspx

April 16th: http://blogs.technet.com/msrc/archive/2007/04/16/monday-update-on-microsoft-security-advisory-935964.aspx

April 17th: http://blogs.technet.com/msrc/archive/2007/04/17/update-on-microsoft-security-advisory-935964.aspx

April 19th: http://blogs.technet.com/msrc/archive/2007/04/19/update-and-clarifications-in-microsoft-security-advisory-935964.aspx
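
The check, apply and restore steps described in this post, sketched in PowerShell for administrators who want to audit a DNS server by hand. This is an added example, not BigFix's Fixlet code. The registry path and the LPC-only value (4) do not appear in the post; they follow Microsoft's advisory and should be confirmed against it, and the backup file path is hypothetical.

```powershell
# Added example (not BigFix's Fixlet code).
# Assumption, taken from Microsoft's advisory rather than this post:
# the key path below and RpcProtocol = 4 meaning "LPC only".
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'
$LpcOnly   = 4

function Get-DnsRpcState {
    $svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    if (-not $svc) {   # no DNS Server service: nothing to remediate
        return New-Object PSObject -Property @{ State = 'NotApplicable'; Value = $null; Running = $false }
    }
    $item  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$ValueName } else { $null }
    $state = if ($value -eq $LpcOnly) { 'LpcOnly' } else { 'NotRestricted' }
    New-Object PSObject -Property @{
        State = $state; Value = $value; Running = ($svc.Status -eq 'Running')
    }
}

function Set-DnsRpcLpcOnly {
    param([string]$BackupFile = "$env:SystemRoot\Temp\RpcProtocol.orig")  # hypothetical path
    $before = Get-DnsRpcState
    if ($before.State -ne 'NotRestricted') { return $before }
    # Record the original value, or its absence, so it can be restored.
    $orig = if ($null -eq $before.Value) { 'ABSENT' } else { [string]$before.Value }
    Set-Content -Path $BackupFile -Value $orig
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $LpcOnly -Type DWord
    # Restart only a running service so the change takes effect immediately.
    if ($before.Running) { Restart-Service -Name 'DNS' }
    Get-DnsRpcState
}

function Restore-DnsRpcProtocol {
    param([string]$BackupFile = "$env:SystemRoot\Temp\RpcProtocol.orig")
    if (-not (Test-Path $BackupFile)) { throw "No saved value at $BackupFile" }
    $orig = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()
    if ($orig -eq 'ABSENT') {
        # The value did not exist before the workaround, so remove it again.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value ([int]$orig) -Type DWord
    }
    if ((Get-DnsRpcState).Running) { Restart-Service -Name 'DNS' }
    Get-DnsRpcState
}

Get-DnsRpcState   # audit only; call Set-DnsRpcLpcOnly to apply the workaround
```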