Although a Metasploit module has been released, and other code is available on exploit sites such as Milw0rm, attacks are few because the DNS server is generally not publicly facing, according to Ken Dunham, director of the Rapid Response Team at VeriSign iDefense.
Dunham said in a Saturday email that intranets have the greatest risk of exploitation.
"It is feasible that a bot may [spread through an intranet] to exploit vulnerable computers within the network to help it spread," he said.
"For example, a bot may be programmed to spread through the recent ANI exploit to infect clients with bots and then use the zombie to exploit DNS RPS against the local domain controller to gain complete control over the entire network."
Craig Schmugar, threat research manager at McAfee Avert Labs, told SCMagazine.com that the vulnerability is a more considerable threat now that exploits have been released.
"The biggest concern is really the multi-purpose box, where by design, you have RPC traffic going through the DNS service. The workarounds, if they’re feasible, should be employed.
"Usually the person administering the box isn’t the person administering the firewalls, so it’s a good time to make sure that the firewall policies haven’t changed unexpectedly," he said.
"[The exploit release] speeds things up – I would say that did kick things up a notch – and things are more critical than they were at the end of last week."
Microsoft updated its advisory on Sunday, noting that attackers can access the vulnerability over port 445 if they have valid login credentials.
Christopher Budd, Microsoft security program manager, said on the Security Response Center blog on Sunday that administrators should employ workarounds as soon as possible, including blocking TCP and UDP port 445 and all unsolicited traffic on ports greater than 1024.
Microsoft issued an advisory on Thursday detailing targeted attacks exploiting the vulnerability.
Researcher Kyle Haugsness of the US SANS Internet Storm Center said last week that the organisation had confirmed two victims — both of them universities in the United States.
The vulnerability is caused by a boundary error in an RPC (remote procedure call) interface, according to Secunia, which ranked the flaw as highly critical.
US-CERT released an advisory today saying the organization is aware of public exploit code and recommends administrators disable RPC interface and block or restrict access to RPS at the network perimeter.
Exploits for Windows Server DNS flaw released
By Frank Washkuch on Apr 17, 2007 6:45AM