CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
EPSS
Percentile
99.8%
The remote host has a Windows DNS server and/or a Windows WINS server installed.
Multiple vulnerabilities in the way that Windows DNS servers cache and validate queries as well as the way that Windows DNS servers and Windows WINS servers handle WPAD and ISATAP registration may allow remote attackers to redirect network traffic intended for systems on the Internet to the attackerβs own systems.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(35824);
script_version("1.28");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");
script_cve_id(
"CVE-2009-0093",
"CVE-2009-0094",
"CVE-2009-0233",
"CVE-2009-0234"
);
script_bugtraq_id(33982, 33988, 33989, 34013);
script_xref(name:"IAVA", value:"2009-A-0018-S");
script_xref(name:"MSFT", value:"MS09-008");
script_xref(name:"MSKB", value:"961063");
script_xref(name:"MSKB", value:"961064");
script_xref(name:"CERT", value:"319331");
script_name(english:"MS09-008: Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)");
script_summary(english:"Determines the presence of update 962238");
script_set_attribute(attribute:"synopsis", value:"The remote host is vulnerable to DNS and/or WINS spoofing attacks.");
script_set_attribute(attribute:"description", value:
"The remote host has a Windows DNS server and/or a Windows WINS server
installed.
Multiple vulnerabilities in the way that Windows DNS servers cache and
validate queries as well as the way that Windows DNS servers and Windows
WINS servers handle WPAD and ISATAP registration may allow remote
attackers to redirect network traffic intended for systems on the
Internet to the attacker's own systems.");
# https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-008
script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?c6b3fa4a");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, 2003 and
2008.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/10");
script_set_attribute(attribute:"patch_publication_date", value:"2009/03/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, 'Host/patch_management_checks');
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS09-008';
kbs = make_list("961063", "961064");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
if (hotfix_check_sp_range(win2k:'4,5', win2003:'1,2', vista:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (!get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/DNS/DisplayName")) exit(0, "The host is not operate as a DNS server.");
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Vista" >< productname) exit(0, "The host is running "+productname+" and hence is not affected.");
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
if (
# Windows Server 2008
#
# nb: CVE-2009-0094 (WPAD WINS Server Registration Vulnerability) doesn't apply to 2008.
hotfix_is_vulnerable(os:"6.0", sp:1, file:"Dns.exe", version:"6.0.6001.22375", min_version:"6.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:"961063") ||
hotfix_is_vulnerable(os:"6.0", sp:1, file:"Dns.exe", version:"6.0.6001.18214", dir:"\system32", bulletin:bulletin, kb:"961063") ||
# Windows Server 2003
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Dns.exe", version:"5.2.3790.4460", dir:"\System32", bulletin:bulletin, kb:"961063") ||
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Wins.exe", version:"5.2.3790.4446", dir:"\System32", bulletin:bulletin, kb:"961064") ||
hotfix_is_vulnerable(os:"5.2", sp:1, file:"Dns.exe", version:"5.2.3790.3295", dir:"\System32", bulletin:bulletin, kb:"961063") ||
hotfix_is_vulnerable(os:"5.2", sp:1, file:"Wins.exe", version:"5.2.3790.3281", dir:"\System32", bulletin:bulletin, kb:"961064") ||
# Windows 2000
hotfix_is_vulnerable(os:"5.0", file:"Dns.exe", version:"5.0.2195.7260", dir:"\System32", bulletin:bulletin, kb:"961063") ||
hotfix_is_vulnerable(os:"5.0", file:"Wins.exe", version:"5.0.2195.7241", dir:"\System32", bulletin:bulletin, kb:"961064")
)
{
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_warning();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}