By now, admins running Microsoft Windows servers in their environments should already have removed the use of WINS, but if they haven’t, now is the perfect time to give it the bullet for once and for all.
According to Fortinet’s Honggang Ren, a vulnerability exists in the proprietary Microsoft Windows Internet Name Service (WINS) Server that isn’t going to be fixed. This is because the people over at Redmond don’t want it to be used at all. Customers should have replaced WINS with DNS.
WINS is a legacy name resolution service that was used to map computer NetBIOS names to IP addresses. These days, the same functionality is offered by DNS and internal code has long since been updated to include this method of resolving computers.
In his blog, Ren writes that a remote memory corruption can be triggered by sending the server malformed WINS packets and exists in Windows server versions 2008, 2012 and 2016.
The vulnerability exists due to the incorrect handling of multiple WINS-Replication sessions. If specially crafted packets are sent to the WINS server, it will crash. Therefore, an attacker can create a remote denial of service attack.
According to Ren, Fortiguard Labs, who discovered the vulnerability, reported it to Microsoft back in December 2016. It took Microsoft 6 months to issue a response. They said: “a fix would require a complete overhaul of the code to be considered comprehensive. The functionality provided by WINS was replaced by DNS and Microsoft has advised customers to migrate away from it.”