Companies and ISPs still not patched against Kaminsky DNS vulnerability
by Steve Ragan - Jul 25 2008, 20:37
Image caption: ISPs and businesses are still not patching against recent DNS issues. (Image credit: J. Anderson)
By now everyone in the security world knows who Dan Kaminsky is and what he discovered. Kaminsky's discovery of DNS flaws is the biggest security story of the month, and it will likely see even more coverage now that full details of his discovery have been made public and both proof-of-concept and exploit code are available.
However, there was more than enough time to patch the DNS systems. Cisco, Microsoft, ISC, and other major vendors have already released patches. Why then are major ISPs and larger companies not patching?
Dr. Neal Krawetz, one of the better-known researchers in the security field, started testing on Monday, running several ISP DNS servers through the vulnerability test. Yesterday he updated the results, and several ISPs continue to rate either FAIR or POOR. Verizon, for example, is listed as FAIR, while Wave Broadband, BTInternet, Sprint, and BellSouth each rate POOR as of July 24. Any rating other than GOOD means there are remaining issues, and a continued chance of exploitation.
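The GOOD/FAIR/POOR ratings above turn on whether a resolver randomises the UDP source port of its outbound queries, which is what the vendor patches added: a fixed or counting port leaves only the 16-bit transaction ID for a forged reply to match. The following is an added example, not code from the article or from the Krawetz or Kaminsky tests: it grades a resolver from a constructed sample of observed source ports, and the thresholds are this example's own assumptions.

```python
import random
import statistics

# Thresholds are this example's assumptions, not the scoring of any public test.
SEQUENTIAL_RUN = 0.8    # fraction of +1/-1 steps that marks a simple counter
NARROW_SPREAD = 2000.0  # population std-dev (in port numbers) below which we say FAIR


def rate_source_ports(ports):
    """Rate a resolver ("POOR", "FAIR", "GOOD") from observed query source ports.

    A single fixed port or an incrementing port gives an attacker nothing
    beyond the transaction ID to guess; randomised ports squeezed into a
    narrow range (as some NATs do) help only a little; a wide random spread
    is the patched behaviour the test is looking for.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "POOR"  # fixed source port: pre-patch condition
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    if sum(d == 1 for d in deltas) / len(deltas) >= SEQUENTIAL_RUN:
        return "POOR"  # distinct but trivially predictable
    if statistics.pstdev(ports) < NARROW_SPREAD:
        return "FAIR"  # randomised, but over too small a range
    return "GOOD"


def parse_query_log(lines):
    """Extract source ports from constructed log lines shaped like
    'src=192.0.2.10:PORT id=0x1a2b q=example.com' (a hypothetical format)."""
    ports = []
    for line in lines:
        for field in line.split():
            if field.startswith("src="):
                ports.append(int(field.rsplit(":", 1)[1]))
    return ports


# Constructed samples, one per resolver state (deterministic for repeatability).
rng = random.Random(7)
FIXED = [53] * 25
COUNTER = [40000 + i for i in range(25)]
NARROW = [rng.randint(1024, 2048) for _ in range(25)]
WIDE = [rng.randint(1024, 65535) for _ in range(25)]
LOG = ["src=192.0.2.10:53 id=0x1a2b q=example.com",
       "src=192.0.2.10:53 id=0x9c3d q=example.net"]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("counter", COUNTER),
                         ("narrow", NARROW), ("wide", WIDE)]:
        print(f"{name:8s} {rate_source_ports(sample)}")
```

Real observations would come from the authoritative server that receives the resolver's queries, since that is the only vantage point that sees the source port.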
However, ISPs are not the only ones that have not patched as quickly as they perhaps should have. Apple Inc., the second largest vendor on the planet for business and consumer systems, uses BIND from ISC. Rich Mogull, on the TidBits Mac news site, reports that:
“Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date.”
What is Apple doing, one might ask? Why is it not patching? Apple did not respond to The Tech Herald's e-mail requests for comment on both of those questions.
But why all the fuss about patching? This time it isn’t hype: exploits that take advantage of Kaminsky’s DNS vulnerability have been ported into Metasploit. While Metasploit is used by professionals, it is no secret that some of the online criminal element uses it too. The blunt fact is that there is no excuse for not having a patch in place, no excuse at all. Time Warner, for one, did not patch instantly, but it at least deployed a patch across its network. There are reports and comments that others are doing the same. However, as the Krawetz list shows, they are being slow about it.
CERT.at posted a report saying that almost 60% of Austrian recursive name servers have not yet been patched, and this is typical of other countries as well.
According to running commentary on ZDNet, Billy Rios and Nate McFeters took a look at the two modules that exploit the vulnerability, saying that: “The most obvious, the exploit just got worse. Now the code will use spoofed replies to hijack the name server entries for a target domain, allowing control over an entire domain, whereas the original hijacked an individual host. For example, before, we could hijack www.myaddress.com, now we can hijack all of myaddress.com.”
Bottom line: the one statement that almost all security researchers and experts are repeating is "patch now", advice that will take only a few minutes to follow.