If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
Here's a complimentary alert to the others I have recently posted in here, explaining another Internet/network vulnerability. DNS is an integral part of networking [the Internet is a network], networking doesn't occur without it, yet its inherent qualities and features are also its vulnerability. Make sure to look at the links and references. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-190B Multiple DNS implementations vulnerable to cache poisoning Original release date: July 08, 2008 Last revised: -- Source: US-CERT Systems Affected Systems implementing: * Caching DNS resolvers * DNS stub resolvers Affected systems include both client and server systems, and any other networked systems that include this functionality. Overview Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. Effective attack techniques against these vulnerabilities have been demonstrated. I. Description DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. The general concept has been known for some time, and a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning have previously been identified and described in public literature. Examples of these vulnerabilities can be found in Vulnerability Note VU#800113. Recent research into these and other related vulnerabilities has produced extremely effective exploitation methods to achieve cache poisoning. Tools and techniques have been developed that can reliably poison a domain of the attacker's choosing on most current implementations. As a result, the consensus of DNS software implementers is to implement source port randomization in their resolvers as a mitigation. US-CERT is tracking this issue as VU#800113. This reference number corresponds to CVE-2008-1447. II. Impact An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control. III. Solution Apply a patch from your vendor Patches have been released by a number of vendors to implement source port randomization in the nameserver. This change significantly reduces the practicality of cache poisoning attacks. Please see the Systems Affected section of Vulnerability Note VU#800113 for additional details for specific vendors. As mentioned above, stub resolvers are also vulnerable to these attacks. Stub resolvers that will issue queries in response to attacker behavior, and may receive packets from an attacker, should be patched. System administrators should be alert for patches to client operating systems that implement port randomization in the stub resolver. Workarounds Restrict access Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability. Filter traffic at network perimeters Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should take care to filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC 3704, and RFC 3013 describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. Run a local DNS cache In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems. This should be done in conjunction with the network segmentation and filtering strategies mentioned above. Disable recursion Disable recursion on any nameserver responding to DNS requests made by untrusted systems. Implement source port randomization Vendors that implement DNS software are encouraged to review IETF Internet Draft, "Measures for making DNS more resilient against forged answers," for additional information about implementing mitigations in their products. This document is a work in progress and may change prior to its publication as an RFC, if it is approved. IV. References * US-CERT Vulnerability Note VU#800113 - http://www.kb.cert.org/vuls/id/800113 * US-CERT Vulnerability Note VU#484649 - http://www.kb.cert.org/vuls/id/484649 * US-CERT Vulnerability Note VU#252735 - http://www.kb.cert.org/vuls/id/252735 * US-CERT Vulnerability Note VU#927905 - http://www.kb.cert.org/vuls/id/927905 * US-CERT Vulnerability Note VU#457875 - http://www.kb.cert.org/vuls/id/457875 * Internet Draft: Measures for making DNS more resilient against forged answers - http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience * RFC 3833 - http://tools.ietf.org/html/rfc3833 * RFC 2827 - http://tools.ietf.org/html/rfc2827 * RFC 3704 - http://tools.ietf.org/html/rfc3704 * RFC 3013 - http://tools.ietf.org/html/rfc3013 * Microsoft Security Bulletin MS08-037 - http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx * Internet Systems Consortium BIND Vulnerabilities - http://www.isc.org/sw/bind/bind-security.php __________________________________________________ __________________ US-CERT thanks Dan Kaminsky of IOActive and Paul Vixie of Internet Systems Consortium (ISC) for notifying us about this problem and for helping us to construct this advisory. __________________________________________________ __________________ The most recent version of this document can be found at: http://www.us-cert.gov/cas/techalerts/TA08-190B.html __________________________________________________ __________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA08-190B Feedback VU#800113" in the subject. __________________________________________________ __________________ For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html. __________________________________________________ __________________ Produced 2008 by US-CERT, a government organization. Terms of use: http://www.us-cert.gov/legal.html __________________________________________________ __________________ Revision History July 8, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSHPRlXIHljM+H4irAQLzsgf/SHKWDnJ+/OI42x+gbgKTXCjKffPOYicl Sruqe4kCR3k0OuEZS90VsvhaSuiWV1GvASbwLDGTjfh1Q7jZU3 g4GMY/DEcZXerF vGC/NiOuaoWfjLkQsOkJKIReKqcDZEOVQD7PIIxVYYZJn8u99X/JSGQ/KMe8h5x+ CzBVepk06FvRnT3+y21YECnMRoTzxTmqbLqm1lH9OnyRZ+ORoE 4QBUJvN69EB4fO 15JF+y8ZKcGJaczMM+mdNOfaQcQAHZ1B8zTQlBfm1L35gtjnjh vZAwHtde/E0sl6 vGaDtbGJ/IPRS5b5y/mXReOl1ExrMb0VyWneM3Ddcdo7X5iB892AUg== =22We -----END PGP SIGNATURE----- |
#2
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" meb@not
put finger to keyboard and composed: An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control. To find out if the DNS server you use is vulnerable, click the "Check My DNS" button at this URL: http://www.doxpara.com/ BTW, I was directed to the above site by the following Murdoch publication, so I'm reasonably confident that it's safe ;-) http://www.news.com.au/technology/st...014108,00.html - Franc Zabkar -- Please remove one 'i' from my address when replying by email. |
#3
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
Franc Zabkar wrote in
: On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" meb@not put finger to keyboard and composed: An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control. To find out if the DNS server you use is vulnerable, click the "Check My DNS" button at this URL: http://www.doxpara.com/ BTW, I was directed to the above site by the following Murdoch publication, so I'm reasonably confident that it's safe ;-) http://www.news.com.au/technology/st...2,23992662-501 4108,00.html - Franc Zabkar I tried this and got a "your name server appears vulnerable message." However I noticed that the ip address in the message did not match the address for my DNS server in winipcfg. Is this normal that these two addresses would differ? |
#4
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
On Wed, 09 Jul 2008 15:55:09 -0700, smith put finger
to keyboard and composed: Franc Zabkar wrote in : To find out if the DNS server you use is vulnerable, click the "Check My DNS" button at this URL: http://www.doxpara.com/ I tried this and got a "your name server appears vulnerable message." However I noticed that the ip address in the message did not match the address for my DNS server in winipcfg. Is this normal that these two addresses would differ? I don't know, but in my case I've configured my router to use DNS Relay. This means that winipcfg shows my router's LAN IP as the DNS server address, and any DNS requests sent to it are relayed to one of two DNS servers whose addresses the router has learned from my ISP via PPP. Is it possible that your router is configured like mine, ie is your DNS IP, as reported by winipcfg, a LAN or WAN IP? - Franc Zabkar -- Please remove one 'i' from my address when replying by email. |
#5
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
Franc Zabkar wrote in
: On Wed, 09 Jul 2008 15:55:09 -0700, smith put finger to keyboard and composed: Franc Zabkar wrote in m: To find out if the DNS server you use is vulnerable, click the "Check My DNS" button at this URL: http://www.doxpara.com/ I tried this and got a "your name server appears vulnerable message." However I noticed that the ip address in the message did not match the address for my DNS server in winipcfg. Is this normal that these two addresses would differ? I don't know, but in my case I've configured my router to use DNS Relay. This means that winipcfg shows my router's LAN IP as the DNS server address, and any DNS requests sent to it are relayed to one of two DNS servers whose addresses the router has learned from my ISP via PPP. Is it possible that your router is configured like mine, ie is your DNS IP, as reported by winipcfg, a LAN or WAN IP? - Franc Zabkar Beats me. I don't have a router that I know of. I plug my computer directly into a cable modem, and heaven only knows what the cable company does. I intended to get one but have never got around to it. I always assumed that the winipcfg address was the cable company's real dns server. |
#6
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnera
I am going to jump in at this point and ask which router is best. I do not
want a router with wireless capabilities. This router will be strictly wired only for security reasons, since I do not want to broadcast any signal that someone could detect. Thanks in advance for your opinion. "smith" wrote: Franc Zabkar wrote in : On Wed, 09 Jul 2008 15:55:09 -0700, smith put finger to keyboard and composed: Franc Zabkar wrote in m: To find out if the DNS server you use is vulnerable, click the "Check My DNS" button at this URL: http://www.doxpara.com/ I tried this and got a "your name server appears vulnerable message." However I noticed that the ip address in the message did not match the address for my DNS server in winipcfg. Is this normal that these two addresses would differ? I don't know, but in my case I've configured my router to use DNS Relay. This means that winipcfg shows my router's LAN IP as the DNS server address, and any DNS requests sent to it are relayed to one of two DNS servers whose addresses the router has learned from my ISP via PPP. Is it possible that your router is configured like mine, ie is your DNS IP, as reported by winipcfg, a LAN or WAN IP? - Franc Zabkar Beats me. I don't have a router that I know of. I plug my computer directly into a cable modem, and heaven only knows what the cable company does. I intended to get one but have never got around to it. I always assumed that the winipcfg address was the cable company's real dns server. |
#7
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
On Thu, 10 Jul 2008 01:39:44 -0700, smith put finger
to keyboard and composed: Franc Zabkar wrote in : On Wed, 09 Jul 2008 15:55:09 -0700, smith put finger to keyboard and composed: Franc Zabkar wrote in : To find out if the DNS server you use is vulnerable, click the "Check My DNS" button at this URL: http://www.doxpara.com/ I tried this and got a "your name server appears vulnerable message." However I noticed that the ip address in the message did not match the address for my DNS server in winipcfg. Is this normal that these two addresses would differ? I don't know, but in my case I've configured my router to use DNS Relay. This means that winipcfg shows my router's LAN IP as the DNS server address, and any DNS requests sent to it are relayed to one of two DNS servers whose addresses the router has learned from my ISP via PPP. Is it possible that your router is configured like mine, ie is your DNS IP, as reported by winipcfg, a LAN or WAN IP? - Franc Zabkar Beats me. I don't have a router that I know of. I plug my computer directly into a cable modem, and heaven only knows what the cable company does. I intended to get one but have never got around to it. I always assumed that the winipcfg address was the cable company's real dns server. Type your DNS address into the search box at this URL: http://ws.arin.net/whois If you get something like this ... OrgName: Internet Assigned Numbers Authority OrgID: IANA .... then it's a LAN address. Otherwise it's the WAN address of an external DNS server. - Franc Zabkar -- Please remove one 'i' from my address when replying by email. |
#9
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
ADDENDUM
In at , MEB contemplated and posted: | In at , | Vince contemplated and posted: || On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" meb@not || wrote: || ||III. Solution || ||Apply a patch from your vendor || || There's nothing like reading multiple articles on something you know || absolutely nothing about to make you feel dumber than a box of rocks. || || So . . . no patch will ever be forthcoming from Microsoft for || Windows 9x, as it's well beyond its end of life. Is Win9x vulnerable || to this problem? | | WEEEEELLL, no exactly true, there will be no patch from Microsoft, | but that certainly doesn't mean 9X is left defenseless. | | Might try MSFN and other un-official sites for a patch IF you need | one, however, the issue affects your ISP more than you initially, and | the sites you visit e.g., Apache, IIS, Server 2003/2008, Solaris, | etc., will be receiving the patches. 9X will be vulnerable via the | DNS activity pending whatever work-arounds/fixes are provided, though | HOW your DNS is handled will determine the effect and extent of your | vulnerability. For instance: AOL just issued a work-around/patch, | whether this is the final fix or not is unknown at this point. | | -- | MEB Of course the above does not mean that unsavory/malicious sites or their linked ADS and other links, can not be used against ANY system. So, as usual, you must make a effort to address the issue locally, first by your activities, and with whatever you think you need. If you're paranoid or wish more security [which some label paranoia], there are/were DNS and web server/proxy services/applications for 9X which would intercept these activities, and your HOSTS, firewall, script/scripting, and TCP/IP setup can, once again, be used to help negate the issue. *NOTE:* This isn't something new to the hacker/cracker world, the reason its now of deeper concern is the extended use on the Internet and against business and commercial sites [which of course then affects the Internet user]. By Spacefox, Secure Sphere Crew - January 23rd, 2002 http://www.securesphere.net/download...s/dnsspoof.htm http://www.google.com/search?hl=en&q...oogle+Sea rch -- MEB http://peoplescounsel.orgfree.com -- _________ |
#10
|
|||
|
|||
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
Always knew you were an idiot.
-- Gary S. Terhune MS-MVP Shell/User http://grystmill.com "smith" wrote in message ... Franc Zabkar wrote in : On Wed, 09 Jul 2008 15:55:09 -0700, smith put finger to keyboard and composed: Franc Zabkar wrote in : To find out if the DNS server you use is vulnerable, click the "Check My DNS" button at this URL: http://www.doxpara.com/ I tried this and got a "your name server appears vulnerable message." However I noticed that the ip address in the message did not match the address for my DNS server in winipcfg. Is this normal that these two addresses would differ? I don't know, but in my case I've configured my router to use DNS Relay. This means that winipcfg shows my router's LAN IP as the DNS server address, and any DNS requests sent to it are relayed to one of two DNS servers whose addresses the router has learned from my ISP via PPP. Is it possible that your router is configured like mine, ie is your DNS IP, as reported by winipcfg, a LAN or WAN IP? - Franc Zabkar Beats me. I don't have a router that I know of. I plug my computer directly into a cable modem, and heaven only knows what the cable company does. I intended to get one but have never got around to it. I always assumed that the winipcfg address was the cable company's real dns server. |
|
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
US-CERT TA08-189A -- Microsoft Office Snapshot Viewer ActiveX Vulnerability | MEB[_2_] | General | 0 | July 9th 08 12:57 AM |
US CERT - Security Alert TA08-162C -- Apple Quicktime Updates for Multiple Vulnerabilities | MEB[_2_] | General | 7 | June 19th 08 01:19 AM |
US CERT - Security Alert TA08-162A -- SNMPv3 Authentication Bypass Vulnerability | MEB[_2_] | General | 0 | June 11th 08 07:17 AM |
Win98 NOT vulnerable to WMF? | GregRo | General | 5 | January 14th 06 07:21 PM |
Win98 vulnerable to .wmf malware? | PA Bear | General | 36 | January 7th 06 08:03 PM |