Seven vendors release patches to address DNS Poisoning vulnerability. (Image: J. Anderson)
Quick! Everybody panic! No, not really. In case you missed it yesterday, there was a major patch released. No, not the normal Tuesday stuff from Microsoft, but a patch to fix a flaw within the Domain Name System (DNS). The flaw leaves DNS open to DNS Poisoning attacks. While serious, there is no need to go and loot the Apple store, so put the 3G phone down. Simply patch your servers, if needed, and you will be OK.
UPDATE: As some comments have mentioned, the Microsoft patch for this issue crippled some users of ZoneAlarm (Free, Pro, AntiVirus, Anti-Spyware, and Security Suite). Users who applied Microsoft Update KB951748 while running ZoneAlarm found themselves offline. Check Point, the makers of ZoneAlarm, offers the following advice to correct the issue:
1. Move the Internet Zone slider to Medium: navigate to the "ZoneAlarm Firewall" panel, click on the "Overview" tab, and move the "Internet Zone" slider to Medium.
2. Uninstall Microsoft Update KB951748. Instructions for this are here: http://tinyurl.com/6ceewk
“Internet flaw could let hackers take over the web” is the headline of one news report, and there are others equally FUD-laced. DNS Poisoning is nothing new; there are several examples of the same flaw that this recent update addresses, dating as far back as 1997. In 2007, a similar issue, in both Windows DNS and BIND 9, was reported and patched, though not with this type of hype.
For example, Amit Klein reported that, “BIND 9 DNS queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted...” – BIND 9 DNS Cache Poisoning March-June 2007 (http://www.trusteer.com/bind9dns)
“Microsoft DNS server generates predictable DNS transaction IDs. If the server is configured to allow recursive queries it is possible to insert fake records in the DNS cache (DNS cache poisoning) by guessing the next transaction ID that the server will use and sending a spoofed DNS reply to the server.” – Alla Bezroutchko, Predictable DNS transaction IDs in Microsoft DNS Server May 2007
“By observing these values of DNS queries over a period of time, the following patterns were noted: The DNS transaction ID always begins at 1 and is incremented by 1 for each subsequent DNS query; and the UDP source port of the query, which becomes the UDP destination port of the response, remains static for the entirety of a session from startup to shutdown.” – Ian Green reporting on research he did in 2005 for GSEC. (See recent ISC Diary Entry)
Notice how all of those are similar? Each one has a common thread: transaction IDs are predictable. Now, look at the CERT advisory from July 8, 2008.
“The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations.”
Reading all of the documentation that CERT provides, even they tell you that this issue has been around for a while now and is well-known to the security community. CERT has some suggestions to help with the DNS issue. The best one is the simple one: if your vendor has a patch for BIND, apply it. Microsoft released theirs yesterday (MS08-037). So who offers vulnerable DNS? CERT has a running list; the status of most vendors is unknown, but the confirmed vulnerable vendors are Cisco, ISC, Juniper Networks, Microsoft, Nominum, Red Hat, and Sun Microsystems.
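A self-check an operator could run over their own resolver's logged query IDs and source ports, added here as an illustration (it is not from the article, CERT, or any vendor). It scores the two patterns the reports above describe, sequential transaction IDs and a static UDP source port, and reproduces CERT's 32,768 average-guess figure for a properly random 16-bit ID; all three samples are constructed, and the `analyze` function and its field names are this example's own.

```python
import random

# Constructed samples of (transaction ID, UDP source port) pairs, as an
# operator could log them from their own resolver's outbound queries.
# Sample 1 mimics the pattern Ian Green described: the ID starts at 1 and
# increments by 1, and one source port is used for the whole session.
PREDICTABLE = [(i, 53210) for i in range(1, 41)]
# Sample 2: random 16-bit IDs but still a single static source port.
_rng = random.Random(2008)
RANDOM_ID_STATIC_PORT = [(_rng.randrange(65536), 53210) for _ in range(40)]
# Sample 3: random IDs and a randomized source port per query.
RANDOM_ID_RANDOM_PORT = [(_rng.randrange(65536), _rng.randrange(1024, 65536))
                         for _ in range(40)]

ID_SPACE = 2 ** 16  # the 16-bit transaction ID field from the DNS spec

def is_arithmetic(ids):
    """True if every consecutive ID differs by the same constant (mod 2^16),
    i.e. the next ID can be derived from the previous one."""
    if len(ids) < 2:
        return False
    step = (ids[1] - ids[0]) % ID_SPACE
    return step != 0 and all((b - a) % ID_SPACE == step
                             for a, b in zip(ids, ids[1:]))

def analyze(observations):
    """Estimate how many spoofed replies would be needed, on average, to
    match one outstanding query, given only what the sample shows."""
    ids = [txid for txid, _ in observations]
    ports = {port for _, port in observations}
    sequential = is_arithmetic(ids)
    static_port = len(ports) == 1
    # A sequential ID is known once one query is seen, so it adds nothing.
    id_space = 1 if sequential else ID_SPACE
    # Distinct ports in a short sample is only a lower bound on port entropy.
    port_space = 1 if static_port else len(ports)
    return {
        "sequential_ids": sequential,
        "static_port": static_port,
        "expected_guesses": max(1, id_space * port_space // 2),
    }

if __name__ == "__main__":
    for name, sample in [("sequential ID, static port", PREDICTABLE),
                         ("random ID, static port", RANDOM_ID_STATIC_PORT),
                         ("random ID, random port", RANDOM_ID_RANDOM_PORT)]:
        print(name, analyze(sample))
```

The random-port figure is a lower bound from a 40-query sample; a longer capture from the resolver gives a tighter estimate.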
Ok, with Cisco and Microsoft in the list you have a good deal of potentially vulnerable networks; add the others, and the numbers will only increase. However, does this mean the world will end now? No, all this means is that network engineers and administrators get to come in overnight and apply patches. Each of the vendors confirmed to be vulnerable to the issue, all seven of them, released patches at the same time.
If you want to keep track of the vendor list, go here: http://www.kb.cert.org/vuls/id/800113
The official CERT advisory is here: http://www.us-cert.gov/cas/techalerts/TA08-190B.html
Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
ISC: http://www.isc.org/index.pl?/sw/bind/bind-security.php
Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
Red Hat: https://rhn.redhat.com/errata/RHSA-2008-0533.html