- Top 20 List v6 Update Log
- 2005-11-22 - v6.0: Initial Release
- 2005-11-28 - v6.01: Update on use of vulnerabilities/threats/risks. With thanks to Rich Bejtlich.
- Top 20 Translations
Contact top20@sans.org to collaborate in the translation of the Top 20 to your own language.
NOTE:
These translations are a volunteer effort. Our deep gratitude to the
individuals and organizations that invested their time and work to help
the community.
Introduction
The SANS Top 20 Internet Security Vulnerabilities
Four years ago, the SANS Institute and the National Infrastructure
Protection Center (NIPC) at the FBI released a document summarizing the
Ten Most Critical Internet Security Vulnerabilities. Thousands of
organizations used that list, and the expanded Top-20 lists that
followed one, two, and three years later, to prioritize their efforts
so they could close the most dangerous holes first. The vulnerable
services that led to worms like Blaster, Slammer, and Code Red have
been on these lists.
This SANS Top-20 2005 is a marked deviation from the previous Top-20
lists. In addition to Windows and UNIX categories, we have also
included Cross-Platform Applications and Networking Products. The
change reflects the dynamic nature of the evolving threat landscape and
the vulnerabilities that attackers target. Unlike the previous Top-20
lists, this list is not "cumulative" in nature. We have only listed
critical vulnerabilities from the past year and a half or so. If you
have not patched your systems for a length of time, it is highly
recommended that you first patch the vulnerabilities listed in the
Top-20 2004 list.
We have made a best effort to make this list meaningful for most
organizations. Hence, the Top-20 2005 is a consensus list of
vulnerabilities that require immediate remediation. It is the result of
a process that brought together dozens of leading security experts.
They come from the most security-conscious government agencies in the
UK, US, and Singapore; the leading security software vendors and
consulting firms; the top university-based security programs; many
other user organizations; and the SANS Institute. A list of
participants may be found at the end of this document.
The SANS Top-20 is a living document. It includes step-by-step
instructions and pointers to additional information useful for
correcting the security flaws. We will update the list and the
instructions as more critical vulnerabilities and more current or
convenient methods of protection are identified, and we welcome your
input along the way. This is a community consensus document -- your
experience in fighting attackers and in eliminating the vulnerabilities
can help others who come after you. Please send suggestions via e-mail
to top20@sans.org.
- Top Vulnerabilities in Windows Systems
- Top Vulnerabilities in Cross-Platform Applications
- Top Vulnerabilities in UNIX Systems
- Top Vulnerabilities in Networking Products
Top Vulnerabilities in Windows Systems
W1. Windows Services
W1.1 Description
The family of Windows Operating systems supports a wide variety of
services, networking methods and technologies. Many of these components
are implemented as Service Control Programs (SCP) under the control of
Service Control Manager (SCM), which runs as Services.exe.
Vulnerabilities in these services that implement these Operating System
functionalities are one of the most common avenues for exploitation.
Remotely exploitable buffer overflow vulnerabilities continue to be
the number one issue that affects Windows services. Several of the core
system services provide remote interfaces to client components through
Remote Procedure Calls (RPC). They are mostly exposed through named
pipe endpoints accessible through the Common Internet File System
(CIFS) protocol, well known TCP/UDP ports and in certain cases
ephemeral TCP/UDP ports. Windows also contains several services which
implement network interfaces based on a variety of other protocols,
including several Internet standards such as SMTP, NNTP etc. Many of
these services can be exploited via anonymous sessions (i.e. sessions
with null username and password) to execute arbitrary code with
"SYSTEM" privileges.
Earlier versions of the operating system, especially Windows NT and
Windows 2000, enabled many of these services by default for a better out
of the box experience. These non-essential services increase the
exploit surface significantly.
Critical vulnerabilities were reported in the following Windows services within the past year:
Exploit code is available for most of these vulnerabilities and has been seen in the wild. The Zotob worm
and its variants exploited the buffer overflow in the Plug and Play
service. Note that the patches MS05-047 and MS05-027 replace MS05-039
and MS05-011 respectively.
W1.2 Operating Systems Affected
Windows NT Workstation and Server, Windows 2000 Workstation and
Server, Windows XP Home and Professional, and Windows 2003 are all
potentially vulnerable.
W1.3 CVE Entries
CVE-2005-2120,
CVE-2005-2119,
CVE-2005-1984,
CVE-2005-1983,
CVE-2005-1978,
CVE-2005-1206,
CVE-2005-0045,
CVE-2005-0560,
CVE-2005-0059,
CVE-2005-0050,
CVE-2004-0567,
CVE-2004-1080,
CVE-2004-0574,
CVE-2004-0206,
CVE-2004-0212
W1.4 How to Determine If You Are at Risk
- Use any Vulnerability Scanner.
- You can also verify the presence of a patch by checking the registry key mentioned in the Registry Key Verification section of the corresponding security advisory. Additionally, make sure the updated file versions mentioned in the advisory are installed on the system.
- To check if your system is vulnerable to an issue in an optional service, you need to determine whether the service is enabled. This can be done through the Service Manager interface, which can be invoked from the Start->Run menu by typing services.msc. The "Startup Type" column shows whether the service is configured to start or is "Disabled". The "Status" column shows whether a service is currently running.
W1.5 How to Protect against the Windows Services Vulnerabilities
- Keep the systems updated with all the latest patches and service packs. If possible enable Automatic Updates on all systems.
- Use Intrusion Prevention/Detection Systems to prevent/detect attacks exploiting these vulnerabilities.
- Determine if the vulnerability exists in a non-essential component that can be removed. For example, if your environment does not require message queuing services (CVE-2005-0059), it can be removed using the control panel -> add remove programs -> windows components interface. Take care when determining this, as it could break functionality if other software depends on the component.
- In some cases, exposure to the vulnerability can be removed by disabling the corresponding service. For example, the License Logging Service (CVE-2005-0050) can be disabled in many environments. Type services.msc in the start->run menu to invoke the service manager interface. Locate the required service, highlight it and right click it, then choose Properties from the popup menu. The "Startup Type" of the service can be changed to Disabled.
- In some cases, null session access to the vulnerable interface can be removed as a work-around. For example, the spooler vulnerability (CVE-2005-1984) can be mitigated on Windows 2000 by removing SPOOLSS from the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes. It is good practice to review your current RestrictAnonymous settings and keep them as stringent as your environment allows. See http://www.securityfocus.com/infocus/1352.
- Many of these vulnerabilities (CVE-2005-1984, CVE-2005-1983, CVE-2005-1206, CVE-2005-0045 etc.) are found on interfaces offered through CIFS, and blocking ports 139 and 445 at the perimeter is essential for preventing remote attack scenarios. It is also good practice to use firewalls to block inbound RPC requests from the Internet to ports above 1024, which blocks attacks on other RPC-based vulnerabilities (e.g. Message Queuing, CVE-2005-0059).
- XP SP2 and Windows 2003 SP1 come with several security enhancements, including the Windows Firewall. It is highly advisable to upgrade to these service packs and enable the Windows Firewall.
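The checks in W1.4 and W1.5 (startup type of the optional services, the SPOOLSS entry in NullSessionPipes, the RestrictAnonymous values, and patch presence) as one added PowerShell audit script; this is example code written for this page, not from SANS or Microsoft. The short service names MSMQ, LicenseService and Spooler and the Lsa registry path for RestrictAnonymous are assumptions not stated on the page, and the KB id is a placeholder to take from the advisory.

```powershell
# Added audit script (not from the SANS Top 20 page). Runs on the local host and
# needs PowerShell 3 or later. The short service names below are assumed mappings
# for the services the page names; the registry paths are as the page gives them,
# plus the Lsa key for RestrictAnonymous (an assumption from Microsoft's documentation).

# Optional services from W1.5 and the CVE the page ties to each.
$OptionalServices = @{
    'MSMQ'           = 'Message Queuing (CVE-2005-0059)'
    'LicenseService' = 'License Logging (CVE-2005-0050)'
    'Spooler'        = 'Print Spooler (CVE-2005-1984)'
}

function Get-OptionalServiceExposure {
    # Startup type and running state, the same two columns services.msc shows.
    foreach ($name in $OptionalServices.Keys) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"   # CIM exposes StartMode
        if (-not $svc) { continue }                                     # not installed
        [pscustomobject]@{
            Service   = $name
            Purpose   = $OptionalServices[$name]
            StartMode = $svc.StartMode     # Auto / Manual / Disabled
            State     = $svc.State         # Running / Stopped
            Exposed   = ($svc.StartMode -ne 'Disabled')
        }
    }
}

function Test-NullSessionPipes {
    # W1.5: SPOOLSS in NullSessionPipes lets anonymous (null) sessions reach the
    # spooler's named-pipe interface; the page's work-around is to remove it.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $pipes = @((Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).NullSessionPipes)
    [pscustomobject]@{
        NullSessionPipes = ($pipes -join ',')
        SpoolssExposed   = [bool]($pipes | Where-Object { $_ -ieq 'SPOOLSS' })
    }
}

function Get-RestrictAnonymous {
    # W1.5: review RestrictAnonymous. NT4/2000 use 0, 1 or 2 (2 = no access without
    # explicit anonymous permission); XP/2003 use 0/1 plus RestrictAnonymousSAM.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictAnonymous    = $lsa.RestrictAnonymous
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM
    }
}

function Test-PatchInstalled {
    # W1.4: confirm a bulletin's update is present. Get-HotFix reads the installed
    # update records; pass the KB number from the advisory ('KB000000' is a placeholder).
    param([string]$KB = 'KB000000')
    [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

Get-OptionalServiceExposure | Format-Table -AutoSize
Test-NullSessionPipes
Get-RestrictAnonymous
"Patch present: $(Test-PatchInstalled -KB 'KB000000')"
```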
W1.6 References
- Remote Code Execution in MSDTC and COM+ Services
http://www.microsoft.com/technet/Security/bulletin/ms05-051.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=41#widely2
- Remote Code Execution in Print Spooler Service
http://www.microsoft.com/technet/Security/bulletin/ms05-043.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=32#widely3
- Remote Code Execution in Plug and Play Service
http://www.microsoft.com/technet/Security/bulletin/ms05-047.mspx
http://www.microsoft.com/technet/Security/bulletin/ms05-039.mspx
http://www.microsoft.com/security/incident/zotob.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=41#widely2
http://www.sans.org/newsletters/risk/display.php?v=4&i=43#exploit1
http://www.sans.org/newsletters/risk/display.php?v=4&i=32#widely1
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=47#305
- Remote Code Execution in Server Message Block Service
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx
http://www.qualys.com/research/alerts/view.php/2005-06-14
http://www.sans.org/newsletters/risk/display.php?v=4&i=24#widely3
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely6
- Remote Code Execution in Exchange SMTP Service
http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#exploit1
- Remote Code Execution in Message Queuing Service
http://www.microsoft.com/technet/security/bulletin/ms05-017.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely2
http://www.sans.org/newsletters/risk/display.php?v=4&i=19#exploit2
http://www.sans.org/newsletters/risk/display.php?v=4&i=26#exploit2
- Remote Code Execution in License Logging Service
http://www.microsoft.com/technet/security/bulletin/ms05-010.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=11#exploit1
- Remote Code Execution in WINS Service
http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx
http://www.sans.org/newsletters/risk/display.php?v=3&i=48#widely1
http://www.sans.org/newsletters/risk/display.php?v=3&i=50#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=1#exploit1
http://www.sans.org/newsletters/risk/display.php?v=4&i=2#exploit2
- Remote Code Execution in NNTP Service
http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx
http://www.sans.org/newsletters/risk/display.php?v=3&i=41#widely2
- Remote Code Execution in NetDDE Service
http://www.microsoft.com/technet/security/bulletin/MS04-031.mspx
http://www.sans.org/newsletters/risk/display.php?v=3&i=41#widely4
- Remote Code Execution in Task Scheduler
http://www.microsoft.com/technet/security/bulletin/ms04-022.asp
http://www.sans.org/newsletters/risk/display.php?v=3&i=28#widely1
W2. Internet Explorer
W2.1 Description
Microsoft Internet Explorer is the most popular browser used for web
surfing and is installed by default on each Windows system. Internet
Explorer contains multiple vulnerabilities that can lead to memory
corruption, spoofing and execution of arbitrary scripts. The most
critical issues are the ones that lead to remote code execution without
any user interaction when a user visits a malicious webpage or reads an
email. Exploit code for many of the critical Internet Explorer flaws
are publicly available.
These flaws have been widely exploited to install spyware, adware
and other malware on users' systems. The spoofing flaws have been
leveraged to conduct phishing attacks. In many cases, the
vulnerabilities were 0-days, i.e. no patch was available at the time the vulnerabilities were publicly disclosed.
During the past year Microsoft has released multiple updates for Internet Explorer.
- Cumulative Security Update for Internet Explorer (MS05-052)
- Cumulative Security Update for Internet Explorer (MS05-038)
- JView Profile Remote Code Execution (MS05-037)
- Cumulative Security Update for Internet Explorer (MS05-025)
- Cumulative Security Update for Internet Explorer (MS05-020)
- Cumulative Security Update for Internet Explorer (MS05-014)
- Windows Shell Remote Code Execution (MS05-008)
- Cumulative Security Update for Internet Explorer (MS04-040)
- Cumulative Security Update for Internet Explorer (MS04-038)
- Cumulative Security Update for Internet Explorer (MS04-025)
Note that the latest cumulative update for Internet Explorer includes all the previous cumulative updates.
W2.2 Operating Systems Affected
Internet Explorer 5.x and 6.x running on Windows 98/ME/SE, Windows
NT Workstation and Server, Windows 2000 Workstation and Server, Windows
XP Home and Professional, and Windows 2003 are all potentially
vulnerable.
W2.3 CVE Entries
CVE-2003-1048,
CVE-2004-0216,
CVE-2004-0549,
CVE-2004-0566,
CVE-2004-0727,
CVE-2004-0841,
CVE-2004-0842,
CVE-2004-0843,
CVE-2004-0844,
CVE-2004-1050,
CVE-2005-0053,
CVE-2005-0054,
CVE-2005-0055,
CVE-2005-0056,
CVE-2005-0553,
CVE-2005-0554,
CVE-2005-0555,
CVE-2005-1211,
CVE-2005-1988,
CVE-2005-1989,
CVE-2005-1990,
CVE-2005-2087,
CVE-2005-2127
W2.4 How to Determine If You Are at Risk
W2.5 How to Protect against These Vulnerabilities
- If you are using Internet Explorer on your system, the best way to remain secure is to upgrade to Windows XP Service Pack 2. The improved operating system security and Windows Firewall will help mitigate risk. For those unable to use Windows XP with Service Pack 2, it is strongly recommended that another browser be used.
- Keep the systems updated with all the latest patches and service packs. If possible enable Automatic Updates on all systems.
- To prevent exploitation of remote code execution vulnerabilities at Administrator level, tools like Microsoft DropMyRights can be used to run Internet Explorer with "least privileges".
- Many spyware programs are installed on a system as Browser Helper Objects. A Browser Helper Object or BHO is a small program that runs automatically every time Internet Explorer starts and extends its functionality. Browser Helper Objects can be detected by AV scanners. Another choice is to periodically review your BHOs using BHO-Daemon or Microsoft AntiSpyware.
- Use Intrusion Prevention/Detection Systems and Anti-virus and Malware Detection Software to block malicious HTML script code.
W2.6 How to Secure Internet Explorer
To configure the Security settings for Internet Explorer:
- Select Internet Options under the Tools menu.
- Select the Security tab and then click Custom Level for the Internet zone.
Most of the flaws in IE are exploited through Active Scripting or ActiveX Controls.
- Under Scripting, select Disable for Allow paste operations via script to prevent content from being exposed from your clipboard.
Note: Disabling Active Scripting may cause some web sites not to work properly. ActiveX Controls are not as popular but are potentially more dangerous, as they allow greater access to the system.
- Select Disable for Download signed and unsigned ActiveX Controls. Also select Disable for Initialize and script ActiveX Controls not marked as safe.
- Java applets typically have more capabilities than scripts. Under Microsoft VM, select High safety for Java permissions in order to properly sandbox the Java applet and prevent privileged access to your system.
- Under Miscellaneous, select Disable for Access to data sources across domains to avoid cross-site scripting attacks.
- Also ensure that no untrusted sites are in the Trusted sites or Local intranet zones, as these zones have weaker security settings than the other zones.
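An added PowerShell script (not from the page) that reads the current user's Internet zone settings and compares them with the W2.6 recommendations, then lists the hosts placed in the Trusted sites and Local intranet zones for review. It assumes the per-setting registry value names Microsoft documents in KB182569 (1407, 1001, 1004, 1201, 1406 and 1C00 for Java permissions) and the data values 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added audit script (not from the SANS Top 20 page). Assumptions: the Internet
# zone is zone 3 under Internet Settings\Zones, the value names below are the
# action ids from Microsoft KB182569, and data is 0 = Enable, 1 = Prompt, 3 = Disable
# (Java permissions 1C00 use 0x10000 for High safety).

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value name -> setting name and the data value W2.6 recommends.
$Recommended = @(
    @{ Name = '1407'; Setting = 'Allow paste operations via script';                Want = 3 }
    @{ Name = '1001'; Setting = 'Download signed ActiveX controls';                 Want = 3 }
    @{ Name = '1004'; Setting = 'Download unsigned ActiveX controls';               Want = 3 }
    @{ Name = '1201'; Setting = 'Initialize and script ActiveX not marked as safe'; Want = 3 }
    @{ Name = '1406'; Setting = 'Access data sources across domains';               Want = 3 }
    @{ Name = '1C00'; Setting = 'Java permissions (High safety)';                   Want = 0x10000 }
)

function Get-IEZoneFindings {
    # One row per W2.6 setting: current data, recommended data, and whether they match.
    # A missing value shows as an empty Current column and counts as non-compliant.
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($r in $Recommended) {
        $have = $zone.($r.Name)
        [pscustomobject]@{
            Setting     = $r.Setting
            Current     = $have
            Recommended = $r.Want
            Compliant   = ($have -eq $r.Want)
        }
    }
}

function Get-TrustedSiteEntries {
    # Last W2.6 item: hosts assigned to Local intranet (zone 1) or Trusted sites (zone 2).
    # ZoneMap\Domains holds one subkey per domain (nested for subdomains) with a
    # DWORD per scheme ('http', 'https', or '*') giving the zone number.
    $domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($scheme in 'http', 'https', '*') {
            $zone = $props.$scheme
            if ($zone -in 1, 2) {
                [pscustomobject]@{ Host = $_.PSChildName; Scheme = $scheme; Zone = $zone }
            }
        }
    }
}

Get-IEZoneFindings | Format-Table -AutoSize
Get-TrustedSiteEntries | Format-Table -AutoSize
```

Group Policy can enforce the same settings under HKLM; this script reads only the per-user values, so a machine-level policy that overrides them will not be reflected.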
W2.7 References
Internet Explorer Security Updates
- http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=41#widely3
- http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=32#widely2
- http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=28#widely1
- http://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=24#widely1
- http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely3
http://www.sans.org/newsletters/risk/display.php?v=4&i=17#exploit2
- http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx
http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely2
- http://www.microsoft.com/technet/security/bulletin/MS04-040.mspx
http://www.sans.org/newsletters/risk/display.php?v=3&i=48#widely2
- http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx
http://www.sans.org/newsletters/risk/display.php?v=3&i=41#widely1
- http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx
http://www.sans.org/newsletters/risk/display.php?v=3&i=30#widely1
Internet Explorer 0-day Vulnerabilities (at the time of disclosure)
W3. Windows Libraries
W3.1 Description
Windows applications leverage a large number of system libraries
often packaged in DLL files. These libraries are used for many common
tasks such as HTML parsing, image format decoding, protocol decoding
etc. Local as well as remotely accessible applications use these
libraries. Thus, a critical vulnerability in a library usually impacts
a range of applications from Microsoft and third-party vendors that
rely on that library. Often the exploitation is possible via multiple
attack vectors. For instance, the flaws in image processing libraries
can be exploited via Internet Explorer, Office and image viewers. In
most cases, the libraries are used by all flavors of Windows operating
systems, which increases the number of systems available for attacks.
The critical libraries affected during past year:
- Windows Graphics Rendering Engine Remote Code Execution (MS05-053)
- Microsoft DirectShow Remote Code Execution (MS05-050)
- Microsoft Color Management Module Remote Code Execution (MS05-036)
- HTML Help Remote Code Execution (MS05-026, MS05-001, MS04-023)
- Web View Remote Code Execution (MS05-024)
- Windows Shell Remote Command Execution (MS05-049, MS05-016, MS04-037, MS04-024)
- Windows Hyperlink Object Library Remote Code Execution (MS05-015)
- PNG Image Processing Remote Code Execution (MS05-009)
- Cursor and Icon Processing Remote Code Execution (MS05-002)
- Windows Compressed Folder Remote Code Execution (MS04-034)
- JPEG Processing Remote Code Execution(MS04-028)
For most of these vulnerabilities, exploit code is publicly
available. Attacks exploiting these vulnerabilities have been seen in
the wild. An example of a large-scale attack reported involved
exploiting the Cursor and Icon Handling flaws to install malware on users' systems. Trojan Phel.A
was reported to exploit the flaw in the HTML Help Library. Note that
for some libraries such as HTML Help and Windows Shell, a newer update
includes the older updates. Hence, only the latest update needs to be
applied for yet unpatched systems.
W3.2 Operating Systems Affected
Windows NT 4, Windows 2000, Windows XP, Windows 2003
W3.3 CVE Entries
CVE-2003-1041,
CVE-2004-0201,
CVE-2004-0200,
CVE-2004-0214,
CVE-2004-0420,
CVE-2004-0575,
CVE-2004-0597,
CVE-2004-1043,
CVE-2004-1049,
CVE-2004-1244,
CVE-2005-0057,
CVE-2005-0063,
CVE-2005-1191,
CVE-2005-1208,
CVE-2005-1219,
CVE-2005-2117,
CVE-2005-2118,
CVE-2005-2122,
CVE-2005-2123,
CVE-2005-2124,
CVE-2005-2128
W3.4 How to Determine If You Are Vulnerable
These flaws can usually be best resolved by patching, since work-arounds are complicated due to multiple attack vectors. One can use Vulnerability Scanners to check if the appropriate update has been installed.
W3.5 How to Protect against Windows Libraries' Vulnerabilities
- Ensure that your Windows system has all the latest security patches installed.
- Block the ports 135-139/tcp, 445/tcp and other ports used by Windows systems at the network perimeter. This prevents a remote attacker from exploiting the vulnerabilities via shared file systems.
- Use TCP/IP Filtering available in both Windows 2000 and XP, or the Internet Connection Firewall in Windows XP systems, to block inbound access to the affected ports. Using a properly configured personal/network firewall will also solve the problem.
- Due to the large number of attack vectors, Intrusion Prevention/Detection Systems as well as Anti-virus and Malware Detection Software are very helpful in protecting from these vulnerabilities.
- If you are running third-party applications on customized Windows 2000/XP platforms, please ensure that an appropriate patch from the vendor has been applied.
- Follow the principle of "Least Privilege" to limit worms and Trojans from getting a foothold on any systems. Further details about limiting access to certain registry keys, executables and directories are available in the NSA guides at http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1.
- Use system hardening guidelines (such as those from CISecurity) to make systems more resistant to remote and local attacks.
W3.6 References
- Microsoft Graphics Rendering Engine Remote Code Execution
- Microsoft DirectShow Remote Code Execution
- Microsoft Color Management Module Remote Code Execution
- HTML Help Remote Code Execution
- Web View Remote Code Execution
- Windows Shell Remote Command Execution
- Windows Hyperlink Object Library Remote Code Execution
- PNG Image Processing Remote Code Execution
- Cursor and Icon Processing Remote Code Execution
- Windows Compressed Folder Remote Code Execution
- JPEG Processing Remote Code Execution
W4. Microsoft Office and Outlook Express
W4.1 Description
Microsoft Office is the most widely used email and productivity
suite worldwide. The applications include Outlook, Word, Powerpoint,
Excel, Visio, Frontpage, Access etc. Note that Outlook Express, a basic
email client, is installed on all versions of Microsoft Windows
starting with Windows 95. Vulnerabilities in these products can be
exploited via the following attack vectors:
- The attacker sends the malicious Office document in an email message. Viruses can exploit this attack vector.
- The attacker hosts the document on a web server or shared folder, and entices a user to browse the webpage or the shared folder. Note that Internet Explorer automatically opens Office documents. Hence, browsing the malicious webpage or folder is sufficient for the vulnerability exploitation.
- The attacker runs a server such as a News server that sends malicious responses to trigger a buffer overflow in email clients.
The critical flaws that were reported last year in Office and Outlook Express are:
- Cumulative Security Update for Outlook Express (MS05-030)
- Microsoft OLE and COM Remote Code Execution (MS05-012)
- Microsoft Office XP Remote Code Execution (MS05-005)
Exploit code and technical details are publicly available for all
these vulnerabilities. A flaw in the Office Access component is yet
unpatched and reportedly being exploited by a Trojan.
W4.2 Operating Systems Affected
Windows NT Workstation and Server, Windows 2000 Workstation and
Server, Windows XP Home and Professional, and Windows 2003 are all
potentially vulnerable.
W4.3 CVE Entries
CVE-2004-0848,
CVE-2005-0044,
CVE-2005-1213
W4.4 How to Determine If You Are at Risk
The Office and Outlook Express installations running without the
patch referenced in the Microsoft Bulletins listed above are
vulnerable. The simplest way is to use a Vulnerability Scanner.
W4.5 How to Protect against These Vulnerabilities
- Keep the systems updated with all the latest patches and service packs. If possible enable Automatic Updates on all systems.
- Disable the Internet Explorer feature of automatically opening Office documents.
- Configure Outlook and Outlook Express with enhanced
- Use Intrusion Prevention/Detection Systems and Anti-virus and Malware Detection Software to prevent malicious server responses and documents from reaching the end users.
W4.6 References
- Microsoft Office XP Buffer Overflow
- Microsoft OLE and COM Remote Code Execution
- Cumulative Security Update for Outlook Express
- Office Access Buffer Overflow (yet unpatched)
W5. Windows Configuration Weaknesses
W5.1 Description
The configuration weaknesses in Windows systems are still being exploited by newer families of bots and worms. These weaknesses typically fall under the following categories.
Weak passwords on Windows accounts or network shares
In the last couple of years the weak authentication scheme in Windows has made it to the "Top 10" Windows vulnerabilities. LAN Manager (LM) hashes are known to be weak and are replaced by various versions of NTLM (NTLM and NTLMv2) authentication. Although most current Windows environments have no need for LAN Manager (LM) support, Microsoft Windows locally stores legacy LM password hashes (also known as LANMAN hashes) by default on Windows NT, 2000 and XP systems (but not in Windows 2003).
Since LM uses a much weaker encryption scheme
than more current Microsoft approaches (NTLM and NTLMv2), LM passwords
can be broken in a relatively short period of time by a determined
attacker. Even passwords that otherwise would be considered "strong"
can be cracked by brute-force in under a week on current hardware. A
hacker can either try known defaults, or check for common passwords or
use a brute force attack also called a "dictionary" attack to guess the
password of users' accounts. Tools like THC's Hydra can be used to
remotely crack passwords. LophtCrack and John the Ripper are other well
known password cracking or auditing programs.
Many families of worms or BOT Zombies like GaoBot, PhatBot and AgoBot spread through network shares that have weak passwords. These worms use a list of hardcoded passwords in an attempt to match the victim's password, enabling them to spread.
Default Configuration/Passwords for Servers
When installing Microsoft Data Engine (MSDE) or Microsoft SQL Server Desktop (MSDE2000), the default SQL Administrator account or "sa" account has a default blank password and uses SQL authentication. MSDE ships as a component of several applications such as Microsoft Office 2000 and other third party applications. This blank or Null password leaves it vulnerable to a worm. For instance, worms like Voyager Alpha Force, SQL Spida and Cblade use the above vulnerability.
IIS servers by default have settings that make them vulnerable to attacks. Some accounts that are created by default at installation, like the IUSR_computername account, have write access privileges even for anonymous users. Permissions on such accounts should be modified for restricted access.
IIS services such as FTP, NNTP or SMTP are enabled by default and are a ripe source of attacks. These IIS services should be disabled.
W5.2 Operating Systems Affected
Windows NT, Windows 2000, Windows XP and Windows 2003
W5.3 How to Protect against These Vulnerabilities
- Enforce a strong password policy by accepting only passwords that have a minimum number of characters (12 or higher if possible). Use tools like L0phtcrack or John The Ripper to audit accounts with weak passwords.
- Prevent Windows from storing the LM hash in Active Directory or SAM database by following the instructions posted by Microsoft.
- Tweak the registry to restrict Anonymous access to network shares.
- Modify default configuration settings on IIS servers and MS-SQL servers.
W5.4 References
- GaoBot Information
- Brute force scanning against MS SQL server accounts; Are you paranoid enough?
- Unsecured SQL Server with Blank (NULL) SA Password Leaves Vulnerability to a Worm
- CERT Vulnerability Note
- IIS 6.0 Security Best Practices
- How to use the RestrictAnonymous registry value in Windows 2000
Top Vulnerabilities in Cross-Platform Applications
C1. Backup Software
C1.1 Description
Backup software is a valuable asset for any organization. The
software typically runs on a large number of systems in an enterprise.
In recent years with the growth in data size, the trend has been to
consolidate the backup function into few servers, or even a single
server. The hosts requiring the backup service communicate with the
backup server over the network. This may be a push where the client
sends data to the server or a pull where the server connects to each
client in turn, or a combination of both. During the last year, a number of
critical backup software vulnerabilities have been discovered. These
vulnerabilities can be exploited to completely compromise systems
running backup servers and/or backup clients. An attacker can leverage
these flaws for an enterprise-wide compromise and obtain access to the
sensitive backed-up data. Exploits have been publicly posted and
several malicious bots are using the published exploit code.
C1.2 Operating Systems and Backup Software Affected
All operating systems running backup server or client software are
potentially vulnerable to exploitation. The affected operating systems
are mainly Windows and UNIX systems.
The following popular backup software packages are known to be affected by vulnerabilities:
- Symantec Veritas NetBackup/Backup Exec
- Symantec Veritas Storage Exec
- Computer Associates BrightStor ARCServe
- EMC Legato Networker
- Sun StorEdge Enterprise Backup Software (formerly Solstice Backup Software)
- Arkeia Network Backup Software
- BakBone Netvault Backup Software
C1.3 CVE Entries
CVE-2004-1172,
CVE-2004-1389,
CVE-2005-0260,
CVE-2005-0349,
CVE-2005-0357,
CVE-2005-0358,
CVE-2005-0491,
CVE-2005-0496,
CVE-2005-0581,
CVE-2005-0582,
CVE-2005-0583,
CVE-2005-0771,
CVE-2005-0772,
CVE-2005-0773,
CVE-2005-1009,
CVE-2005-1019,
CVE-2005-1018,
CVE-2005-1272,
CVE-2005-1547,
CVE-2005-2051,
CVE-2005-2079,
CVE-2005-2080,
CVE-2005-2535,
CVE-2005-2611,
CVE-2005-2715,
CVE-2005-2996,
CVE-2005-3116
C1.4 How to Determine If You Are Vulnerable
- Use any Vulnerability Scanner to detect vulnerable backup software installations.
- If you are using the aforementioned backup software, it is recommended to update to the latest version. Monitor your backup software vendor's site and subscribe to its patch notification system if it has one, and to general security sites such as US-CERT, CERT and SANS (Internet Storm Center) for new vulnerability announcements relating to your chosen backup software.
- The typical ports used by backup software:
  - Symantec Veritas Backup Exec: TCP/10000, TCP/8099, TCP/6106. A listing of ports used by Veritas backup daemons is available here.
  - CA BrightStor ARCServe Backup Agent: TCP/6050, UDP/6051, TCP/6070, TCP/41523, UDP/41524
  - Sun and EMC Legato Networker: TCP/7937-9936
  - Arkeia Network Backup: TCP/617
  - BakBone Netvault Backup: TCP/20031 and UDP/20031
C1.5 How to Protect against These Vulnerabilities
- Ensure the latest vendor supplied software patches are installed on the clients and servers.
- The ports being used by backup software should be firewalled from any untrusted network including the Internet.
- Data should be encrypted when stored on backup media and while being transported across the network.
- Host- or network-based firewalls should be used to limit access to a system's backup software, so that only the appropriate backup hosts can communicate on the backup server ports.
- Segregate network to create a separate backup network VLAN.
- Backup media should be stored, tracked and accounted like other IT assets to deter and detect theft or loss.
- Backup media should be securely erased, or physically destroyed at the end of its useful life.
C1.6 References
- Computer Associates Advisories
- Symantec Veritas Advisories
- EMC Legato and Sun Advisories
- Arkeia Advisory
- BakBone Advisory
C2. Anti-virus Software
C2.1 Description
Anti-virus software is seen as a required basic tool within the
"defense-in-depth" toolbox to protect systems today. Anti-virus
software is now installed on almost all desktops, servers and gateways
on various platforms to combat virus outbreaks.
During the past year, there has been a shift in focus to exploit
security products used by a large number of end users. This includes
anti-virus and personal firewall software. The discovery of
vulnerabilities in anti-virus software is not limited to just desktop
and server platforms. Gateway solutions could also be affected.
Compromising a gateway could potentially cause a much larger impact
since the gateway is the outer layer of protection and the only
protection against some threats in many small organizations.
Multiple buffer overflow vulnerabilities have been discovered in the
anti-virus software provided by various vendors including Symantec,
F-Secure, Trend Micro, McAfee, Computer Associates, ClamAV and Sophos.
These vulnerabilities can be used to take complete control of the
user's system with limited or no user interaction.
Anti-virus software has also been found to be vulnerable to
"evasion" attacks. By specially crafting a malicious file, for
instance, an HTML file with an exe header, it may be possible to bypass
anti-virus scanning. The evasion attacks can be exploited to increase
the virus infection rate.
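The evasion described above works because the scanner trusts one signal (the MZ header) while the application that opens the file trusts another (the .html name). A gateway or mail filter can catch that disagreement before the file reaches a user. The script below is an added example, not code from the SANS document or any anti-virus vendor; the signature table, the list of text extensions and the sample files are constructed for the illustration.

```python
"""Flag files whose declared type disagrees with their leading bytes.

Added example, not part of the SANS Top 20 text. Any file named as
text/markup but starting with a binary header is reported so that it
can be blocked or handed to every applicable scanning engine instead
of only the one chosen from the header.
"""
import os
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures of formats a scanner is likely to route to a
# binary engine rather than its HTML/script engine.
MAGIC: Dict[bytes, str] = {
    b"MZ": "Windows executable (MZ header)",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
}

# Extensions that a browser or mail client will render as text/markup.
TEXT_EXTENSIONS = {".html", ".htm", ".txt", ".css", ".js", ".xml"}


def identify_binary(head: bytes) -> Optional[str]:
    """Return the binary format matching the leading bytes, or None."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return None


def is_disguised(filename: str, head: bytes) -> bool:
    """True if a text-typed filename carries a binary file header."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in TEXT_EXTENSIONS and identify_binary(head) is not None


def find_disguised(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (filename, detected format) for every mismatched file."""
    hits: List[Tuple[str, str]] = []
    for name, content in files.items():
        head = content[:8]  # longest signature above is 4 bytes
        if is_disguised(name, head):
            hits.append((name, identify_binary(head)))
    return hits


# Constructed sample set: an honest HTML file, an honest executable, a
# plain text file, and an HTML-named file that starts with an MZ header.
SAMPLE_FILES: Dict[str, bytes] = {
    "index.html": b"<html><body>hello</body></html>",
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "invoice.html": b"MZ\x90\x00<html><script>...</script></html>",
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, fmt in find_disguised(SAMPLE_FILES):
        print(f"{name}: declared text, header says {fmt}")
```

The check is deliberately one-directional: a `.exe` that contains HTML is not flagged here because the host will treat it as an executable and the scanner will too, so the two signals agree.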
C2.2 Operating Systems Affected
Any system installed with anti-virus software or virus scan engine
meant to scan malicious code could be affected. This includes solutions
installed on desktops, servers and gateways. Any platform could be
affected including all Microsoft Windows and Unix systems.
C2.3 CVE Entries
- AhnLab
- CVE-2005-3029, CVE-2005-3030
- Avast!
- CVE-2005-2384, CVE-2005-2385
- AVIRA
- CVE-2005-2957
- BitDefender
- CVE-2005-3154
- ClamAV
- CVE-2005-2450, CVE-2005-2920
- Computer Associates
- CVE-2005-1693
- HAURI
- CVE-2005-2720, CVE-2005-2670, CVE-2005-2041
- F-Secure
- CVE-2004-2405, CVE-2005-3664, CVE-2005-0350
- Kaspersky
- CVE-2005-3663, CVE-2005-3664, CVE-2005-3142
- McAfee
- CVE-2005-0643, CVE-2005-0644
- Sophos
- CVE-2005-2768
- Symantec
- CVE-2005-0249
- Trend Micro
- CVE-2005-0533
- ZoneAlarm
- CVE-2005-1693
C2.4 How to Determine If You Are Vulnerable
If you are running any release of any anti-virus software that has not been updated to the latest version, you are likely to be affected.
C2.5 How to Protect against Anti-virus Software Vulnerabilities
- Ensure that all of your antivirus software is regularly and automatically updated.
- Regularly check your vendor's website for upgrades, patches and security advisories. A list of anti-virus vendors is provided in the References below. Note that the list may not be exhaustive.
- If you have deployed anti-virus software on both gateways and desktops, use products from different vendors for the gateway and the desktop, so that a vulnerability in one does not become a single point of failure.
C2.6 References
Below is a list of anti-virus vendors to check for upgrades, patches and security advisories.
- Anti-virus Security Advisories
- Anti-virus Evasion Issues
- Other Anti-virus Resources
C3. PHP-based Applications
C3.1 Description
PHP is the most widely used scripting language for the web.
According to some reports, 50% of the Apache servers world-wide have
PHP installed. A large number of Content Management Systems (CMS),
portals, Bulletin Boards, Discussion Forums are written in PHP. There
has not been a single week during the last year that a problem was not
reported in some software using PHP. The typical vulnerabilities that
have been exploited during the past year are:
- Vulnerabilities in the PHP package itself. Exploit code is available for some of these vulnerabilities.
- Remote File Include vulnerabilities in applications using PHP. These are very common and easy to exploit. These flaws allow an attacker to run code of his choice on the vulnerable web server.
- Remote Command Execution vulnerabilities in applications using PHP. These are easy to exploit, and the discoverers typically post proof-of-concept code on the Internet. The Santy worm resulted from such a vulnerability in the popular phpBB bulletin board.
- SQL Injection vulnerabilities in applications using PHP. These are easy to exploit and are actively used to recover password hashes for administrators of the PHP applications.
- Remote Code Execution vulnerabilities in libraries implemented using PHP. For instance, the PHP XML-RPC and PEAR XML-RPC libraries are used by a number of software projects. The Lupper worm exploits remote code execution vulnerabilities in these libraries.
The last three types of vulnerabilities result from lack of
sanitization of user-supplied input. The availability of web scanning
tools has automated the process of finding these vulnerabilities.
C3.2 Affected Software
Web servers that are not running the latest version of PHP package.
If you are running other PHP software that is not at its latest
version, the web server is most likely vulnerable.
C3.3 CVE Entries
CVE-2004-0594,
CVE-2005-3389,
CVE-2005-3390
Note: These do not include the large number of CVE entries associated with PHP-based applications.
C3.4 How to Determine If You Are at Risk
Scanning the web servers periodically with Vulnerability Scanners
is your best bet since the number of vulnerabilities in PHP
applications reported every week can be difficult to keep track of, and
especially if you are running a large number of PHP-based applications
on your servers.
C3.5 How to Protect against PHP Vulnerabilities
- Apply all vendor patches for PHP and PHP-based applications.
- Frequent web scanning is recommended in environments where a large number of PHP applications are in use.
- Use the following PHP Configuration that is safer:
- register_globals (should be off)
- allow_url_fopen (should be off)
- magic_quotes_gpc (should be off for well written software; should be on for poorly written PHP 3 and PHP 4 scripts)
- safe_mode and open_basedir (should be enabled and correctly configured)
- Configure Apache mod_security and mod_rewrite filters to block PHP attacks.
- Use tools like Paros Proxy for conducting automated SQL Injection tests against your PHP applications.
- Upgrade to PHP 5 as it will eliminate many latent PHP security issues.
- Follow the "Least Privilege" principle for running PHP using tools like PHPsuExec, php_suexec or suPHP.
- Use any Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests.
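The configuration directives recommended above are easy to state and easy to lose track of across many web servers. The script below is an added example (not from the SANS document or the PHP project) that parses a php.ini and reports each directive as PASS, FAIL or REVIEW against the list above. The php.ini parser handles only the syntax that matters here (comments, sections, `key = value`, optional quotes), the fallback values for absent directives are PHP's own defaults as the example assumes them, and the two sample files are constructed.

```python
"""Audit a php.ini against the hardening settings listed in C3.5.

Added example, not part of the SANS Top 20 text or of PHP itself.
parse_php_ini() reads the subset of php.ini syntax needed here;
audit() compares the effective values with the recommendations.
"""
from typing import Dict, List, Tuple

# Value PHP assumes when the directive is absent (assumed PHP 4.2+/5
# defaults; check your build's php.ini-dist if in doubt).
PHP_DEFAULTS: Dict[str, str] = {
    "register_globals": "Off",
    "allow_url_fopen": "On",
    "safe_mode": "Off",
    "open_basedir": "",
    "magic_quotes_gpc": "On",
}

_ON = {"1", "on", "true", "yes"}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Return directive -> raw value, ignoring [sections] and ; comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                 # strip matching quotes
        settings[key.lower()] = value
    return settings


def as_bool(value: str) -> bool:
    """PHP-style truthiness for boolean ini values."""
    return value.strip().lower() in _ON


def audit(settings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (directive, effective value, verdict) rows.

    Verdicts are PASS, FAIL, or REVIEW for magic_quotes_gpc, where the
    right value depends on how the hosted scripts were written.
    """
    eff = {k: settings.get(k, default) for k, default in PHP_DEFAULTS.items()}
    return [
        ("register_globals", eff["register_globals"],
         "FAIL" if as_bool(eff["register_globals"]) else "PASS"),
        ("allow_url_fopen", eff["allow_url_fopen"],
         "FAIL" if as_bool(eff["allow_url_fopen"]) else "PASS"),
        ("safe_mode", eff["safe_mode"],
         "PASS" if as_bool(eff["safe_mode"]) else "FAIL"),
        ("open_basedir", eff["open_basedir"],
         "PASS" if eff["open_basedir"].strip() else "FAIL"),
        ("magic_quotes_gpc", eff["magic_quotes_gpc"], "REVIEW"),
    ]


def failures(settings: Dict[str, str]) -> List[str]:
    """Directives that fail the C3.5 recommendations."""
    return [name for name, _, verdict in audit(settings) if verdict == "FAIL"]


# Constructed samples: a permissive php.ini and a hardened one.
WEAK_INI = """
[PHP]
register_globals = On   ; legacy app needs it
allow_url_fopen = On
safe_mode = Off
"""

HARDENED_INI = """
[PHP]
register_globals = Off
allow_url_fopen = Off
safe_mode = On
open_basedir = "/var/www/html:/tmp"
magic_quotes_gpc = Off
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label)
        for name, value, verdict in audit(parse_php_ini(ini)):
            print(f"  {verdict:6} {name} = {value!r}")
```

Note that the weak sample fails `open_basedir` without mentioning it at all: an absent directive is the permissive default, which is why the audit works on effective values rather than only on lines present in the file.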
C3.6 References:
- PHP Vulnerabilities
- Hardened PHP Project
- OWASP Webpage (Contains tools and documents for testing Web Application Vulnerabilities)
- PHP Security Features
C4. Database Software
C4.1 Description
Databases are a key element of many systems storing, searching or
manipulating large amounts of data. They are found in virtually all
businesses, financial, banking, customer relationship and system
monitoring applications.
Due to the valuable information they store such as personal or
financial details, the databases are often a target of attack. Since
databases are extremely complex applications and are normally a
collection of a number of programs, this results in a large number of
attack vectors. The most common vulnerabilities in most database
systems found today can be classified into:
- Buffer overflows in processes that listen on well known TCP/UDP ports
- SQL Injection via the web front end of the database
- Databases running in default configuration with default usernames and passwords
- Databases running with weak passwords for privileged accounts
There are many different database systems available. Some of the
most common are Microsoft SQL Server (proprietary, runs on Windows),
Oracle (proprietary, runs on many platforms), IBM DB2 (proprietary,
runs on multiple platforms), MySQL and PostgreSQL (both open source and
available on many platforms).
All modern relational database systems are port addressable, which
means that anyone with readily available query tools can attempt to
connect directly to the database, bypassing security mechanisms used by
the operating system. For example, Microsoft SQL server can be accessed
via TCP port 1433, Oracle via TCP port 1521, IBM DB2 via ports 523 and
50000 up, MySQL via TCP port 3306, and PostgreSQL via TCP port 5432.
During the past year, Oracle has issued cumulative updates that
patch hundreds of vulnerabilities. Hence, even if all the
vulnerabilities corrected via a cumulative patch are not of critical
nature, the administrators are forced to apply the patches to correct a
few critical issues.
Proof of concept exploits for many database flaws are readily available on the Internet.
C4.2 Operating Systems Affected
The open source databases are available on virtually every operating
system in common use today. Most commercial DBMS also run on multiple
platforms.
C4.3 CVE Entries
These are the entries released since July 2004. Earlier vulnerabilities can be found in previous editions of the Top 20.
- Oracle
- CVE-2004-0637, CVE-2004-0638, CVE-2004-1338, CVE-2004-1363, CVE-2004-1364, CVE-2004-1365, CVE-2004-1366, CVE-2004-1369, CVE-2004-1370, CVE-2004-1371, CVE-2005-1495, CVE-2004-1774
Note: Not all CVEs from Oracle Cumulative Patch Updates are listed here.
- MySQL
- CVE-2004-0627, CVE-2004-0628, CVE-2004-0836, CVE-2005-0684, CVE-2005-1274, CVE-2005-2558
- PostgreSQL
- CVE-2005-0244, CVE-2005-0247
- IBM DB2
- CVE-2004-0795, CVE-2004-1372
C4.4 How to Determine If You Are Vulnerable
Because databases are often distributed as components of other
applications, it is possible for a database to have been installed
without administrators realizing it. Databases may therefore remain
unpatched or in vulnerable default configurations. It is not sufficient
to check a simple list of the applications that have been installed!
This was graphically demonstrated when the SQL Slammer worm attacked
the Microsoft Data Access Component (MDAC), which is included in many
applications.
Perform a vulnerability scan on systems to determine whether DBMS
software is installed, accessible and vulnerable. You can use any
vulnerability scanner, or tools from the database vendors such as the MySQL Network Scanner or the Microsoft SQL Server tool.
C4.5 How to Protect Against Database Vulnerabilities
- Ensure that all DBMS are patched up to date. Unpatched or outdated versions are likely to include vulnerabilities. Check vendor sites for patch information. Remain up to date with the vulnerabilities and alerts announced by the vendors.
- Ensure that the DBMS and applications have been secured:
- Use minimal privileges.
- Remove/change default passwords on the database's privileged and system accounts before deploying the system on the network.
- Use stored procedures where possible.
- Remove/disable unnecessary stored procedures.
- Set length limits on any form fields.
- There are several useful resources to help secure DBMS mentioned in the references section.
- Use firewalls or other network security devices to restrict network access to the ports associated with database services.
- Do not trust user input! Ensure that the applications linked to databases clean all user input at the server side to avoid attacks such as SQL injection (see http://www.sans.org/rr/whitepapers/securecode/23.php)
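What "clean all user input at the server side" means in practice is shown below with an in-memory SQLite table. This is an added example, not code from the SANS document or any database vendor: the table, its rows and the placeholder hashes are constructed, and the username allow-list is an assumption of the example. The first function builds the statement from a string and so lets a crafted username return every row, which is exactly how the password-hash disclosure mentioned in C3.1 arises; the second binds the value through the driver, and the third adds an allow-list check in front of it.

```python
"""String-built SQL beside its parameterized replacement (section C4.5).

Added example, not part of the SANS Top 20 text. Uses an in-memory
SQLite database with constructed rows; hashes are placeholders.
"""
import re
import sqlite3
from typing import List, Tuple

# Assumed allow-list for this application's usernames.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_db() -> sqlite3.Connection:
    """Constructed sample table; the hashes are not real digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "$placeholder-hash-admin", 1),
                      ("bob", "$placeholder-hash-bob", 0)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable: user input is spliced into the statement text."""
    sql = "SELECT name, pw_hash FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened: the driver binds the value, so it can only ever be data."""
    return conn.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (username,)
    ).fetchall()


def lookup_validated(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Defense in depth: reject anything outside the allow-list, then bind."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allow-list")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_db()
    tampered = "nobody' OR '1'='1"   # constructed input that closes the quote
    print("vulnerable   :", lookup_vulnerable(db, tampered))      # every row
    print("parameterized:", lookup_parameterized(db, tampered))   # no rows
    try:
        lookup_validated(db, tampered)
    except ValueError as exc:
        print("validated    :", exc)
```

The parameterized form alone is sufficient against injection; the allow-list in front of it is what the document calls cleaning input, and it also produces a log-worthy event (the `ValueError`) the moment anyone sends a username that no legitimate client would.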
C4.6 References
- SANS Reading Room on Database Security
- Oracle
- SANS Comprehensive Security Checklist for Oracle
- CIS Oracle Benchmark Tool
- Oracle security information
- MySQL
- SecurityFocus step-by-step guide to securing MySQL
- MySQL Security
- PostgreSQL Security Guide
- Microsoft SQL Security Guide
- IBM DB2
C5. File Sharing Applications
C5.1 Description
Peer to Peer File Sharing Programs (P2P) are used by a rapidly
growing user base. These applications are used to download and
distribute data such as music, video, graphics, text, source code etc.
P2P applications are also used legitimately for distribution of
OpenSource/GPL binaries and ISO images of bootable Linux distributions.
However, often times the data is either of a questionable nature or is
copyrighted.
P2P programs operate through a distributed network of clients,
sharing directories of files or entire hard drives of data. Clients
participate by downloading files from other users, making their data
available to others and coordinating file searches for other users.
Most of the P2P programs use a set of default ports but they can
automatically or manually be set to use different ports if necessary to
circumvent detection, firewalls, or egress filters. The trend seems to
be moving towards the use of http wrappers and encryption to easily
bypass corporate restrictions.
The main risks arising from P2P software are:
- Remotely exploitable vulnerabilities in P2P applications that can be used to compromise P2P clients or servers.
- Viruses and bots use P2P shared folders for spreading by copying malicious files into these folders with enticing filenames.
- P2P software is generally bundled with spyware and adware. This increases the spyware/adware infection rate in an organization.
- Attackers can disguise malicious files as legitimate music or video files. When users download these files, their systems can be infected and used as "bots".
- P2P shares typically have no passwords or weak passwords, a flaw that can be exploited to infect the share with malicious files.
- An organization can be liable to lawsuits for copyright infringement.
- P2P traffic can contribute substantially to overall bandwidth use and make other mission-critical applications slower. This can be especially threatening to quality of service for voice and video traffic in an organization.
Exploit code is available for some of the buffer overflow
vulnerabilities in the P2P software. According to Symantec's research,
in the second half of 2004, 6% of internet attacks tried to exploit
vulnerabilities in eDonkey and another 5% in Gnutella.
The number of threats using P2P, IM, IRC, and CIFS within Symantec's
top 50 malicious code reports has increased by 39% over the previous
six-month period.
C5.2 Operating Systems Affected
There are versions of P2P software available for all Windows
operating systems currently in use, along with versions for Linux, UNIX
and MacOS systems.
C5.3 CVE Entries
CVE-2004-1114,
CVE-2004-1286,
CVE-2004-1892,
CVE-2004-2433,
CVE-2005-0595,
CVE-2005-1806
C5.4 How to Determine If You Are Vulnerable
Detecting P2P activity on the network can prove to be challenging.
- It is possible to detect P2P software running on your network by monitoring traffic for common ports used by the software or by searching traffic for certain application-layer strings commonly used by P2P software. Please see the end of this item for a listing of ports often used by P2P.
- There are a number of applications and services that can assist in detection or prevention of P2P traffic. Some host-based intrusion prevention software can prevent the installation or execution of P2P applications.
- Network-based Intrusion Detection/Prevention products can detect/prevent P2P traffic from entering or leaving the network or monitor the P2P traffic.
- Monitoring your WAN connections with applications such as NTOP can also reveal P2P traffic.
- You may also wish to scan network storage locations for content commonly downloaded by users, including *.mp3, *.wma, *.avi, *.mpg, *.mpeg, *.jpg, *.gif, *.zip, *.torrent, and *.exe.
- Monitoring volumes for sudden decreases in free disk space can also be useful.
- Scanners often have a plug-in to detect running P2P applications, and for Microsoft Windows machines, SMS can be used to scan for executables that are installed on workstations.
C5.5 How to Protect against P2P Software Vulnerabilities
- Regular users should not be permitted to install software, especially peer-to-peer applications. To prevent regular users from installing unauthorized software, it is recommended to deny Administrative-level privileges to regular users. To prevent accidental installation of unauthorized software by Administrator-level users, tools like Microsoft DropMyRights can be used to secure any Web browsers and mail clients. In Active Directory environments, Software Restriction Group Policies can be used to block known types of binaries from execution.
- Egress filtering should restrict access to any ports not required for business purposes, although as more P2P applications move to HTTP, this will prove less effective.
- Monitor your network for P2P traffic and address violations of policy through appropriate channels. That can be achieved by monitoring firewall and IDS logs. Enterprise solutions are available for detection and blocking of unauthorized P2P and IM connections.
- On individual workstations, tools like Microsoft PortQry and Port Reporter can be used to monitor and log unusual network activity.
- Use enterprise-wide anti-virus and anti-spyware products and ensure that updates are performed daily.
- Use host-based firewalls in addition to perimeter firewalls. Windows XP and Windows 2003 include Windows Firewall, which provides adequate protection if properly configured. A variety of third-party host-based firewalls (ZoneAlarm, Sygate, Outpost) provide additional functionality and flexibility. Windows 2000, XP and 2003 systems can use IPSec policies to provide port filtering of unnecessary network traffic. In Active Directory environments, IPSec policies and Windows Firewall configuration (for Windows XP SP2 and Windows 2003 SP1) can be managed centrally through Group Policies.
- Disable the Simple File Sharing feature of Windows XP if not explicitly required: Start - Settings - Control Panel - Folder Options - View tab - uncheck "Use Simple File Sharing" - Apply - OK.
- Monitor systems for the presence of unknown executables and unauthorized modification of system files. Software products like Tripwire (there are commercial and open source versions of the product) can be used to detect changes in files.
Common protocols and ports used by peer-to-peer applications
| P2P Service | Default/primary port or port range, TCP | Default/primary port or port range, UDP |
| BearShare | 6346 | |
| Bittorrent | 2181, 6881-6999 | |
| Blubster | | 41170-41350 |
| eDonkey | 4661-4662 | 5737 |
| eDonkey2000 | 4661-4662 | 4665 |
| eMule | 4661-4662, 4711 | 4665, 4672 |
| Gnutella | 6346/6347 | 6346/6347 |
| Grouper | 8038 | 8038 |
| Kazaa | 1214 | 1214 |
| Limewire | 6346/6347 | 6346/6347 |
| Morpheus | 6346/6347 | 6346/6347 |
| Shareaza | 6346 | 6346 |
| WinMx | 6699 | 6257 |
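The port-based detection suggested in C5.4 can be run over ordinary firewall or NetFlow records using the table above. The script below is an added example, not code from the SANS document or any vendor: it encodes the table as port ranges, parses connection records in a simple constructed "timestamp proto src:port -> dst:port" format (adapt `parse_flow()` to your export), and reports every record whose destination port falls in a P2P default range. A hit is a lead rather than a verdict, since C5.1 notes that clients can be moved to other ports or wrapped in HTTP.

```python
"""Match connection records against the default P2P ports tabulated above.

Added example, not part of the SANS Top 20 text. FLOW_LOG is a set of
constructed records; the port table is the one printed above.
"""
import re
from typing import Dict, List, Optional, Tuple

# (service, protocol, first port, last port) from the table above;
# a single port has first == last. Overlaps (6346 is shared by five
# Gnutella-family clients) are reported as several candidates.
P2P_PORTS: List[Tuple[str, str, int, int]] = [
    ("BearShare", "TCP", 6346, 6346),
    ("Bittorrent", "TCP", 2181, 2181), ("Bittorrent", "TCP", 6881, 6999),
    ("Blubster", "UDP", 41170, 41350),
    ("eDonkey", "TCP", 4661, 4662), ("eDonkey", "UDP", 5737, 5737),
    ("eDonkey2000", "TCP", 4661, 4662), ("eDonkey2000", "UDP", 4665, 4665),
    ("eMule", "TCP", 4661, 4662), ("eMule", "TCP", 4711, 4711),
    ("eMule", "UDP", 4665, 4665), ("eMule", "UDP", 4672, 4672),
    ("Gnutella", "TCP", 6346, 6347), ("Gnutella", "UDP", 6346, 6347),
    ("Grouper", "TCP", 8038, 8038), ("Grouper", "UDP", 8038, 8038),
    ("Kazaa", "TCP", 1214, 1214), ("Kazaa", "UDP", 1214, 1214),
    ("Limewire", "TCP", 6346, 6347), ("Limewire", "UDP", 6346, 6347),
    ("Morpheus", "TCP", 6346, 6347), ("Morpheus", "UDP", 6346, 6347),
    ("Shareaza", "TCP", 6346, 6346), ("Shareaza", "UDP", 6346, 6346),
    ("WinMx", "TCP", 6699, 6699), ("WinMx", "UDP", 6257, 6257),
]

# Assumed record format: "<timestamp> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def classify(proto: str, port: int) -> List[str]:
    """Names of P2P services whose default port range includes port."""
    return sorted({svc for svc, p, lo, hi in P2P_PORTS
                   if p == proto.upper() and lo <= port <= hi})


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Split one record into fields, or None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(lines: List[str]) -> List[Tuple[str, str, int, List[str]]]:
    """Return (src, dst, dport, candidate services) for each P2P-port hit.

    Only the destination port is checked: P2P peers listen on these
    ports, so outbound records reveal internal clients and inbound
    records reveal internal hosts serving files.
    """
    hits: List[Tuple[str, str, int, List[str]]] = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:          # unparseable line: skip, don't crash
            continue
        dport = int(rec["dport"])
        services = classify(rec["proto"], dport)
        if services:
            hits.append((rec["src"], rec["dst"], dport, services))
    return hits


# Constructed sample records; peers use RFC 5737 documentation addresses.
FLOW_LOG = [
    "2005-11-20T10:01:02 TCP 10.1.2.3:51234 -> 203.0.113.5:6881",
    "2005-11-20T10:01:05 TCP 10.1.2.3:51240 -> 203.0.113.7:80",
    "2005-11-20T10:02:11 UDP 10.1.2.9:4672 -> 198.51.100.4:4672",
    "2005-11-20T10:03:40 TCP 10.1.2.4:33012 -> 198.51.100.9:6346",
    "2005-11-20T10:04:01 UDP 10.1.2.4:41200 -> 192.0.2.77:41200",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for src, dst, dport, services in scan_log(FLOW_LOG):
        print(f"{src} -> {dst}:{dport}  possible {', '.join(services)}")
```

Pairing this with the application-layer string matching the document also mentions, or simply with a count of distinct external peers per internal host, cuts the false positives that a single port match on a shared port such as 6346 will produce.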
C5.6 References
- US DHS Information Bulletin "Unauthorized Peer-to-Peer (P2P) Programs on Government Computers"
- http://www.dhs.gov/interweb/assetlibrary/IAIP_UnauthorizedP2PProgramsGovtComp_041905.pdf
- Federal Law Enforcement Announces Operation D-Elite, Crackdown on P2P Piracy Network: First Criminal Enforcement Against BitTorrent Network Users
- http://www.usdoj.gov/criminal/cybercrime/BitTorrent.htm
- Cyber Security Tip ST05-007 - Risks of File-Sharing Technology
- http://www.us-cert.gov/cas/tips/ST05-007.html
- Risks of P2P File Sharing
- http://www.ftc.gov/bcp/workshops/filesharing/presentations/hale.pdf
- Symantec Internet Security Threat Report - Trends for July 04- December 04
Volume VII, Published March 2005
- http://ses.symantec.com/pdf/ThreatReportVII.pdf
- Securing Windows XP Professional in a Peer-to-Peer Networking Environment
- http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/sec_winxp_pro_p2p.mspx
- Identifying P2P users using traffic analysis - Yiming Gong - 2005-07-21
- http://www.securityfocus.com/infocus/1843
- Sinit P2P Trojan Analysis
- http://www.lurhq.com/sinit.html
- How to block specific network protocols and ports by using IPSec (MS KB article 813878)
- http://support.microsoft.com/kb/813878
- Using Software Restriction Policies to Protect Against Unauthorized Software
- http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
- Availability and description of the Port Reporter tool (MS KB article 837243)
- http://support.microsoft.com/kb/837243
- New features and functionality in PortQry version 2.0 (MS KB article 832919)
- http://support.microsoft.com/default.aspx?kbid=832919
- Log Parser 2.2
- http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx
- Browsing the Web and Reading E-mail Safely as an Administrator (DropMyRights)
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
- Peer-to-Peer (P2P) Security and QoS Frequently Asked Questions (CheckPoint)
- http://secureknowledge.checkpoint.com/pub/sk/docs/public/firewall1/ng/pdf/p2p_faq.pdf
C6. DNS Software
C6.1 Description
The Domain Name System (DNS) is a critical Internet mechanism that
primarily facilitates the conversion of globally unique host names into
a corresponding globally unique Internet Protocol address using a
distributed database scheme. The DNS relies on a confidence model
developed in an era of mutual trust that is vastly different from
today's generally hostile Internet. Because of the changed nature of
the Internet, the DNS is prone to many types of transaction attacks
that take advantage of that trust, including cache poisoning, domain
hijacking, and man-in-the-middle redirection. During the past year, DNS
cache poisoning vulnerabilities were exploited to redirect users to
malicious domains to install malware on users' systems. Open recursive
DNS servers are actively being used as DDoS reflectors providing a huge
amplification factor.
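Whether one of your own servers is an open recursive resolver of the kind described above can be checked from the DNS header alone: send a query with RD (recursion desired) set for a name the server is not authoritative for, from an address it should not be serving, and look at the RA (recursion available) bit, the response code and the answer count. The code below is an added example, not from the SANS document or any DNS implementation; it encodes and decodes only the header and question fields it needs, and the two response messages are constructed so the check runs offline (`query_server()` performs the live version against a server address you supply).

```python
"""Minimal DNS header encoder/decoder for an open-recursion check (C6.1).

Added example, not part of the SANS Top 20 text. A server that sets RA,
returns NOERROR and supplies answers for a recursive query it should
not be serving is an open resolver and a usable DDoS reflector.
"""
import socket
import struct
from typing import Dict

HEADER = "!HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount
FLAG_RD = 0x0100     # recursion desired


def encode_name(name: str) -> bytes:
    """Wire-format labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query with RD set: one question, type A (1), class IN (1)."""
    header = struct.pack(HEADER, txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the 12-byte header into the fields the check needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER, msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,      # 1 = response
        "rd": (flags >> 8) & 1,       # recursion desired (echoed)
        "ra": (flags >> 7) & 1,       # recursion available
        "rcode": flags & 0x0F,        # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_recursion(response: bytes, txid: int) -> bool:
    """True if the response shows the server recursed on our behalf."""
    h = parse_header(response)
    return (h["id"] == txid and h["qr"] == 1 and h["ra"] == 1
            and h["rcode"] == 0 and h["ancount"] > 0)


def query_server(server: str, name: str, timeout: float = 2.0) -> bool:
    """Live check against one of your own servers (UDP/53)."""
    txid = 0x2B1D
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return is_open_recursion(data, txid)


# Constructed responses to build_query("example.com", 0x1234).
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# One A record: name pointer to offset 12, type A, class IN, TTL 300,
# rdlength 4, address 192.0.2.1 (documentation range).
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
# flags 0x8180: QR=1, RD=1, RA=1, rcode NOERROR -> server recursed for us
SAMPLE_OPEN = struct.pack(HEADER, 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
# flags 0x8105: QR=1, RD=1, RA=0, rcode REFUSED -> recursion denied
SAMPLE_REFUSED = struct.pack(HEADER, 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("constructed open response   :", is_open_recursion(SAMPLE_OPEN, 0x1234))
    print("constructed refused response:", is_open_recursion(SAMPLE_REFUSED, 0x1234))
```

Run `query_server()` from outside the address range the resolver is meant to serve; a `True` from that vantage point is the condition the document warns about. A server that returns REFUSED, or answers only with a referral (RA clear, no answer records), is behaving as a closed or authoritative-only server should.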
C6.2 Affected Software
- Symantec Gateway Security
- Symantec Enterprise Firewall
- Symantec VelociRaptor
- DNSmasq DNS Server
- Windows NT and Windows 2000 (prior to SP3) DNS servers in the default configuration
- Windows DNS server forwarding requests to a BIND DNS server running version 4.x or 8.x
- Windows DNS server forwarding requests to another vulnerable Windows DNS server
C6.3 CVE Entries
CVE-2005-0817,
CVE-2005-0877
C6.4 How to Determine If You Are at Risk
All Internet users are at risk of having incorrect data being
returned from DNS queries. If scanning the DNS servers under your
control shows that the current version or patch(es) released by the
appropriate DNS software vendor have not been inst |