Status Tracking Note TRTA08-190B

Multiple DNS implementations vulnerable to cache poisoning

Overview

Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. Effective attack techniques against these vulnerabilities have been demonstrated.
Event Information


Date (UTC)    Description
2008-08-24 ICANN
Domain Name Security Paper Released
ICANN's strategic and operating plans call for ICANN to be operationally ready to deploy DNSSEC at the root level and work with relevant stakeholders to determine how this should be implemented.
2008-08-22 Office of Management and Budget
M-08-23: Securing the Federal Government's Domain Name System Infrastructure (Submission of Draft Agency Plans Due by September 5, 2008)
This memorandum describes existing and new policies for deploying Domain Name System Security (DNSSEC) to all Federal information systems by December 2009. DNSSEC provides cryptographic protections to DNS communication exchanges, thereby removing threats of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet.
2008-08-08 SecurityFocus
Successfully poisoned the latest BIND with fully randomized ports!
Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447)
The exploit needed to send more than 130 thousand requests for fake records like 131737-4795-15081.blah.com to match the port and ID and insert a poisoned entry for poisoned_dns.blah.com.
#Cid: attack_client.c
2008-08-06 20:45 Hewlett-Packard
HPSBUX02351: SSRT080058 rev.3 - HP-UX Running BIND, Remote DNS Cache Poisoning
2008-08-06 ICANN
ICANN Highlights Domain Name System Vulnerability; Releases Tools
To detect whether a particular zone is vulnerable, ICANN has produced a tool that can check a particular domain:
2008-08-06
Why So Serious
2008-08-02 11:12 SANS Internet Storm Center
BIND: -P2 patches are released
As expected, the Internet Systems Consortium released patches today addressing stability and performance issues that some of those with significant load on their systems were struggling with.
2008-08-01 23:54 Internet Systems Consortium (ISC)
bind-9.4.2-P2.tar.gz
ISC BIND patch
2008-08-01 23:54 Internet Systems Consortium (ISC)
bind-9.5.0-P2.tar.gz
ISC BIND patch
2008-08-01 23:53 Internet Systems Consortium (ISC)
bind-9.3.5-P2.tar.gz
ISC BIND patch
2008-08-01 15:33 SecurityFocus
DNS Multiple Race Exploiting Tool
Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447)
#Cid: dns_mre-v1.0.tar.gz
#Tested: Windows 2003 server
2008-07-30 21:20 SANS Internet Storm Center
DNS Cache Poisoning Issue Update
Ok, we have a confirmed instance where the DNS cache poisoning vulnerability was used to compromise a DNS server belonging to AT&T. This PCWorld article covers the incident. The original article makes it sound as though the Metasploit site was 'owned' by this incident when really the issue was that the AT&T DNS server was compromised and was providing erroneous IP addresses to incoming queries. This updated PCWorld article clarifies the first one.
2008-07-29 Metasploit Project
DNS Attacks in the Wild
In a recent conversation with Robert McMillan (IDG), I described an in-the-wild attack against one of AT&T's DNS cache servers, specifically one that was configured as an upstream forwarder for an internal DNS machine at BreakingPoint Systems. The attackers had replaced the cache entry for www.google.com with a web page that loaded advertisements hidden inside an iframe.
2008-07-25 19:45 SANS Internet Storm Center
Recursive DNS Cache Auditing Resource
For those with a need, research described in Jose Avila's Recursive DNS Cache Auditing presentation is backed by the ONZRA security research tool CacheAudit v.01, see the Research folder at ONZRA for the CacheAudit download.
2008-07-25 17:23 Microsoft
Microsoft Security Advisory (956187): Increased Threat for DNS Spoofing Vulnerability
DNS Insufficient Socket Entropy Vulnerability (MS08-037, CVE-2008-1447)
2008-07-25 14:12 SANS Internet Storm Center
DNS bug - observations
As indicated in earlier diary entries, an authoritative server sees queries from recursive servers for nonexistent names if their domain is being targeted by the latest DNS attack. They can't do much: all they can do is report them.
2008-07-25 12:32 SANS Internet Storm Center
DNS developments
Security blogs and e-news outlets are giving extended coverage of the DNS vulnerability exploit releases, and we're receiving a few reports of attacks.
2008-07-25 06:47 SANS Internet Storm Center
DNS cache poisoning vulnerability details confirmed (Version: 2)
A couple of the handlers tuned into the Blackhat "webinar" today. The topic was Kaminsky's DNS vulnerability. Here are some quick notes...
2008-07-25 01:15 JPCERT/CC
JPCERT-AT-2008-0013: Cache-Poisoning Vulnerability In Multiple DNS Servers
2008-07-25 SecurityFocus
BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (c)
Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447)
#Cid: kaminsky-attack.c
2008-07-24 15:33 SecurityFocus
BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py)
Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447)
#Cid: dns-recurs-poisoning.py
2008-07-24 14:00 US-CERT
DNS Cache Poisoning Public Exploit Code Available
US-CERT Current Activity
US-CERT is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver's clients to contact the incorrect, and possibly malicious hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker's control.
2008-07-24 10:06 JPCERT/CC
JPCERT-AT-2008-0014: Cache-Poisoning Vulnerability In Multiple DNS Servers
2008-07-24 03:56 SecurityFocus
CAU-EX-2008-0003: BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit for Domains (meta)
Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447)
#Cid: bailiwicked_domain.rb
#Tested: BIND 9.4.1
#Tested: BIND 9.4.2
2008-07-24
Details
2008-07-23 22:53 SecurityFocus
CAU-EX-2008-0002: BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (meta)
Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447)
#Cid: baliwicked_host.rb
#Tested: BIND 9.4.1
#Tested: BIND 9.4.2
2008-07-23 19:48 McAfee
"The-Cat-is-Out-of-The-Bag" DNS Bug
Computer Security Research - McAfee Avert Labs Blog
There has been a lot of hush-hush recently regarding a DNS security issue finding by Dan Kaminsky. An industry-wide coordinated effort led by Dan ensured that patches were released by multiple vendors. Even though the technical details of the issue were not yet made public by Dan, an inadvertent leak by the Matasano Security blog seems to have given out a lot of the information regarding the issue.
2008-07-23 18:13 US-CERT
NAT/PAT Affects DNS Cache Poisoning Mitigation
US-CERT Current Activity
US-CERT released a Current Activity entry and a Vulnerability Note on July 8, 2008 regarding deficiencies in DNS implementations. These deficiencies could leave an affected system vulnerable to cache poisoning. Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch systems or apply workarounds immediately.
A number of patches implement source port randomization in the name server as a way to reduce the practicality of cache poisoning attacks. Administrators should be aware that in infrastructures where nameservers exist behind Network Address Translation (NAT) and Port Address Translation (PAT) devices, port randomization in the nameserver may be overwritten by the NAT/PAT device and a sequential port address could be allocated. This may weaken the protection offered by source port randomization in the nameserver.
2008-07-23 JPCERT/CC
JPCERT-AT-2008-0013: Cache-Poisoning Vulnerability In Multiple DNS Servers
2008-07-22 11:50 US-CERT
DNS Implementations Vulnerable to Cache Poisoning
US-CERT Current Activity
Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately.
2008-07-21 19:34 Matasano Security blog
Reliable DNS Forgery in 2008: Kaminsky's Discovery
2008-07-19 11:29 Hewlett-Packard
HPSBUX02351: SSRT080058 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning
2008-07-17 02:21 Hewlett-Packard
HPSBUX02351: SSRT080058 rev.1 - HP-UX Running BIND, Remote DNS Cache Poisoning
2008-07-17 IBM Internet Security Systems
Multiple Vendors Vulnerable to DNS Cache Poisoning
DNS Insufficient Socket Entropy Vulnerability (CVE-2008-1447)
Multiple vendor DNS protocol implementations could allow a remote attacker to poison the DNS cache. Patches that resolve the vulnerability on the DNS may be rendered ineffective if the DNS is behind a NAT device that does not randomize ports.
2008-07-16 18:26 DNS-OARC
Web-based DNS Randomness Test
This page exists to help you learn if your ISP's nameservers are vulnerable to this type of attack. If you click on the button below, we will test the randomness of your ISP DNS resolver.
2008-07-14 23:53 IBM Internet Security Systems
More on DNS Cache Poisoning and Network Address Translation
This blog post is a follow-up to an earlier note I posted about the effect of different NAT devices on the recent DNS vulnerability patches. A reader named Huzeyfe ONAL wrote in to let me know that he had tested his OpenBSD machine running pf and found that each UDP session seemed to be assigned a different, random port. Several references online seem to confirm this. This provides another example of a secure NAT strategy, besides the one employed by Linux.
2008-07-13 19:10 FreeBSD
FreeBSD-SA-08:06.bind: DNS cache poisoning
The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization.
2008-07-10 22:56 IBM Internet Security Systems
(UPDATED) DNS Cache Poisoning and Network Address Translation
On July 8th a number of DNS software vendors published security updates which improve the randomness of UDP source port assignments to protect against DNS Cache Poisoning. The following day someone called imipack posted an interesting observation to the Full Disclosure mailing list. He noticed that the UDP source ports for DNS transactions coming from a patched server were still sequential when placed behind a firewall performing Network Address Translation.
2008-07-09 14:00 Full-disclosure
DNS and Checkpoint
I've had a report from someone with clue (and tcpdump) that a properly functioning DNS resolver that correctly uses randomised source ports magically becomes vulnerable once the traffic's passed through a Checkpoint firewall.
2008-07-09 04:35 JPCERT/CC
JPCERT-AT-2008-0013: Cache-Poisoning Vulnerability In Multiple DNS Servers
2008-07-08 23:09 SANS Internet Storm Center
Multiple Vendors DNS Spoofing Vulnerability (Version: 4)
Overview of the July 2008 Microsoft patches and their status.
2008-07-08 20:49 US-CERT
TA08-190B: Microsoft Updates for Multiple Vulnerabilities
Via US-CERT Mailing List
2008-07-08 20:08 Microsoft
MS08-JUL: Microsoft Security Bulletin Summary for July 2008
Included in this advisory are updates for newly discovered vulnerabilities.
2008-07-08 19:37 US-CERT
DNS Implementations Vulnerable to Cache Poisoning
US-CERT Current Activity
US-CERT is aware of deficiencies in the DNS protocol. Implementations of this protocol may leave the affected system vulnerable to DNS cache poisoning attacks. If an attacker can successfully conduct a cache poisoning attack, they may be able to cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. This may allow an attacker to obtain sensitive information or mislead users into believing they are visiting a legitimate website.
2008-07-08 18:00 Cisco
cisco-sa-20080708-dns: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.
2008-07-08 06:10 Internet Systems Consortium (ISC)
ISC BIND patch release
2008-07-08 Internet Systems Consortium (ISC)
ISC acts quickly to shield BIND user base
Internet Systems Consortium (ISC) released several fixes for BIND9 in response to the United States Computer Emergency Readiness Team (US-CERT) Vulnerability notice number 800113 regarding a DNS Cache Poisoning Issue. The basis for the vulnerability is inherent in the DNS protocol and not a flaw specific to BIND9, the leading software implementation of the DNS protocol written and distributed by ISC.
2008-07-04 05:56 Internet Systems Consortium (ISC)
bind-9.5.1b1.tar.gz
ISC BIND patch
2008-07-04 05:55 Internet Systems Consortium (ISC)
bind-9.4.3b2.tar.gz
ISC BIND patch
2008-05-28 22:54 Internet Systems Consortium (ISC)
bind-9.3.5-P1.tar.gz
ISC BIND patch
2008-05-28 21:03 Internet Systems Consortium (ISC)
bind-9.5.0-P1.tar.gz
ISC BIND patch
2008-05-28 19:40 Internet Systems Consortium (ISC)
bind-9.4.2-P1.tar.gz
ISC BIND patch
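Several entries above (the US-CERT NAT/PAT note, the IBM ISS and Full-disclosure reports on firewalls rewriting ports, the DNS-OARC randomness test, and the FreeBSD and Cisco advisories on transaction IDs and UDP source ports) all come down to one measurable property: whether the queries a resolver emits, as seen on the far side of any NAT, carry well-randomized source ports and transaction IDs. The script below is an added example for checking that from a capture; it is not code from this tracking note, from DNS-OARC, or from any vendor. It parses tcpdump-style DNS query lines (the sample lines are constructed, using documentation IP ranges) and reports a heuristic verdict; the thresholds are illustrative, not a standard.

```python
"""
Heuristic randomness check for DNS query source ports and transaction IDs,
run over tcpdump-style lines captured outside a NAT/PAT device.
Added example: not from the tracking note or any vendor tool. The sample
lines are constructed and the POOR/FAIR/GOOD thresholds are illustrative.
"""
import math
import re
import statistics

# tcpdump's default DNS summary looks like:
#   "12:00:01.000000 IP 192.0.2.10.32768 > 198.51.100.1.53: 51936+ A? www.example.com. (33)"
# Group 1 is the UDP source port, group 2 the decimal transaction ID.
LINE_RE = re.compile(r"IP \S+?\.(\d+) > \S+?\.53: (\d+)\+? ")


def parse_queries(lines):
    """Return [(source_port, txid), ...] for lines that look like DNS queries to port 53."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def sequential_fraction(values):
    """Fraction of consecutive pairs that step by exactly +1 (typical of a NAT allocating ports in order)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(values, bits=16):
    """Heuristic verdict for a sequence of fixed-width integer fields (ports or txids)."""
    n = len(values)
    distinct = len(set(values)) / n if n else 0.0
    seq = sequential_fraction(values)
    spread = statistics.pstdev(values) if n > 1 else 0.0
    # A uniformly random field of `bits` bits has standard deviation 2**bits / sqrt(12);
    # the 1/4 cut-off below is an illustrative choice, not a published threshold.
    expected_spread = (2 ** bits) / math.sqrt(12)
    if seq >= 0.5 or distinct < 0.9:
        verdict = "POOR"
    elif spread < expected_spread / 4:
        verdict = "FAIR"
    else:
        verdict = "GOOD"
    return {"count": n, "distinct_fraction": distinct, "sequential_fraction": seq,
            "spread": round(spread, 1), "verdict": verdict}


def analyze(lines):
    """Assess source ports and transaction IDs separately, since each is a separate defence."""
    queries = parse_queries(lines)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    return {"source_port": assess(ports), "txid": assess(txids)}


def make_lines(pairs):
    """Build constructed tcpdump-style query lines for the given (port, txid) pairs."""
    return [f"12:00:{i:02d}.000000 IP 192.0.2.10.{p} > 198.51.100.1.53: {t}+ A? www.example.com. (33)"
            for i, (p, t) in enumerate(pairs)]


# Constructed transaction IDs: reused for both samples so the txid verdict stays the same.
SAMPLE_TXIDS = [51936, 4117, 63020, 29871, 17405, 58264, 9932, 40301, 33587, 22160]

# Constructed sample 1: a patched resolver whose ports were rewritten sequentially by a NAT device.
NAT_SAMPLE = make_lines(zip(range(32768, 32778), SAMPLE_TXIDS))

# Constructed sample 2: the same resolver seen without sequential port rewriting.
RANDOM_PORTS = [50123, 10877, 61402, 3391, 44810, 27655, 58001, 15234, 39912, 62077]
RANDOM_SAMPLE = make_lines(zip(RANDOM_PORTS, SAMPLE_TXIDS))


if __name__ == "__main__":
    for name, sample in (("behind sequential NAT", NAT_SAMPLE), ("no port rewriting", RANDOM_SAMPLE)):
        result = analyze(sample)
        print(f"{name}: source port {result['source_port']['verdict']}, txid {result['txid']['verdict']}")
```

In the NAT sample the transaction IDs still look fine while the source ports come out POOR, which is the situation the NAT/PAT entries describe: the resolver patch is in place, but the device in front of it has removed the extra entropy, leaving only the 16-bit query ID that the FreeBSD advisory calls inadequate on its own. Ten queries are enough to show the method; a real check should use a much larger capture taken from the outside interface of the NAT.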

Reference

Date first published (UTC): 2008-07-20T10:29+00:00
Date last updated (UTC): 2008-08-31T04:54+00:00