DNS vulnerability gets massive patch – FUD spreading as masses panic

by Steve Ragan - Jul 9 2008, 19:20

Seven vendors release patches to address DNS Poisoning vulnerability. (IMG:J.Anderson)

Quick! Everybody panic! No, not really. In case you missed it yesterday, there was a major patch released. No, not the normal Tuesday stuff from Microsoft, a patch to fix a flaw within the Domain Name System (DNS). The flaw leaves DNS open to DNS Poisoning attacks. While serious, there is no need to go and loot the Apple store, so put the 3G phone down. Simply patch your servers, if needed, and you will be ok. UPDATE: As some comments have mentioned, the Microsoft based patch for this issue crippled some users with ZoneAlarm. Users of ZoneAlarm Free, Pro, AntiVirus, Anti-Spyware, and Security Suite. Users who applied Microsoft Update KB951748 and used ZoneAlarm found themselves offline. Check Point, the makers of ZoneAlarm, offers some advice to correct the issue.1. Move Internet Zone slider to Medium
Navigate to the "ZoneAlarm Firewall" panel, Click on the "Overview" tab, Move the "Internet Zone" slider to medium.2. Uninstall Microsoft Update KB951748
Instructions for this are here: http://tinyurl.com/6ceewk
“Internet flaw could let hackers take over the web” is the headline by one news report, and there are others equally FUD laced. DNS Poisoning is nothing new; there are several examples of the same flaw that this recent update addresses, dating as far back as 1997. In 2007, a similar issue, in both Windows DNS and BIND 9, was reported and patched; however, not with this type of hype.For example, Amit Klein reported that, “BIND 9 DNS queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted...” – BIND 9 DNS Cache Poisoning March-June 2007 (http://www.trusteer.com/bind9dns)“Microsoft DNS server generates predictable DNS transaction IDs. If the server is configured to allow recursive queries it is possible to insert fake records in the DNS cache (DNS cache poisoning) by guessing the next transaction ID that the server will use and sending a spoofed DNS reply to the server.” – Alla Bezroutchko, Predictable DNS transaction IDs in Microsoft DNS Server May 2007“By observing these values of DNS queries over a period of time, the following patterns were noted: The DNS transaction ID always begins at 1 and is incremented by 1 for each subsequent DNS query; and the UDP source port of the query, which becomes the UDP destination port of the response, remains static for the entirety of a session from startup to shutdown.” – Ian Green reporting on research he did in 2005 for GSEC. (See recent ISC Diary Entry)Notice how all of those are similar? Each one has a common thread, transaction IDs are predictable. Now, look at the CERT advisory from July 8, 2008.“The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations.”Reading all of the documentation that CERT provides, even they tell you that this issue has been around for awhile now and is well-known to the security community. CERT has some suggestions to help with the DNS issue. The best one is the simple one, if your vendor has a patch for BIND, apply it. Microsoft released theirs yesterday (MS08-037). So who offers vulnerable DNS? CERT has a running list, most of them are unknown, but the confirmed vulnerable vendors are Cisco, ISC, Juniper Networks, Microsoft, Nominum, Red Hat, and Sun Microsystems.Ok, with Cisco and Microsoft in the list you have a good deal of potentially vulnerable networks; add the others, and the numbers will only increase. However, does this mean the world will end now? No, all this means is that network engineers and administrators get to come in overnight and apply patches. Each of the vendors confirmed to be vulnerable to the issue, all seven of them, released patches at the same time.If you want to keep track of the vendor list go here:
http://www.kb.cert.org/vuls/id/800113The official CERT advisory is here:
http://www.us-cert.gov/cas/techalerts/TA08-190B.htmlMicrosoft
http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspxISC:
http://www.isc.org/index.pl?/sw/bind/bind-security.phpCisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtmlRed Hat:
https://rhn.redhat.com/errata/RHSA-2008-0533.html

Comment on this Story

Interested in a more interactive TTH? Join our Facebook Group
Want regular updates from The Tech Herald? Follow us on Twitter

Comment on this Story

Note our older Talkback system is still running below. We hope to import existing comments into the new system shortly. Guest posting is still allowed, however, you can now login with any number of social network accounts.

Talkback

Add your comment (no registration required)

page: 1

Buck WheatJul 9th, 2008 - 22:14:57

Great patch! Ask anyone running ZoneAlarm. While removing the so-called 'fix', repeat today's mantra: 'Gates loves me. Ballmer loves me. I am a whole person.'

Report this comment

donppusaJul 9th, 2008 - 22:23:05

Yep....it wiped me out too. had to remove it to get back on the internet.

Report this comment

SteveJul 9th, 2008 - 22:38:08

I would not recommend that businesses underestimate this vulnerability. See tinyurl.com/57g8xu

Report this comment

Steve R - TTHJul 10th, 2008 - 00:01:31

@Steve
No, no one should discount any security issue, even low priority ones are serious. However, my point is that the press and mainstream blog owners blew this way out of proportion. So you are correct with your blog post and points here in the comments.

Transaction IDs have been predictable for years, why is it that this is such a huge deal now? I mean give me a break, “Internet flaw could let hackers take over the web” is the winner for the FUD driven headline of the month.

I also, while not mentioning it in the article, take offense to the press assuming that most IT workers would fail to realize that DNS issues can lead to problems, and were too stupid not to notice if a vendor released a patch.

The real story is that this was one of the few times, rare even, that vendors from all platforms released patches that deal with exactly the same issue. Nothing more or less.

My advice and opinion stands. If your vendor releases a patch, no matter what it is for, if it is even remotely security related apply it.

Report this comment

JamesJul 27th, 2008 - 10:32:21

There is a reson this flaw is being taken more seriously than last year's: It's more dangerous. (Also, Kaminsky announced it in a way guaranteed to draw maximum attention to it) I'd say 11 seconds to poison a DNS cache with this exploit (according to Paul Vixie in an email to NANOG) as opposed to the days it would've taken previously is worth sitting up and taking notice of.

Report this comment

page: 1

Add your comment (no registration required)

Security

DNS vulnerability gets massive patch – FUD spreading as masses panic

Comment on this Story

Talkback

Latest

Latest Articles on Monsters&Critics

In The Tech Herald

Site

The Fine Print