Tuesday, July 8, 2008

Massive Patch Coming for DNS Vulnerability

Major vendors of domain name system (DNS) servers are making an unprecedented coordinated release of patches for what is being called a fundamental flaw in DNS, a core element of the Internet.

Patches are being released today by most vendors and will be released soon by all, said Dan Kaminsky, director of penetration testing for IOActive Inc., who discovered the vulnerability about six months ago.

Automatic updates will handle patching in most servers, but it is critical for all organizations to identify name servers in their networks and make sure that the proper patches are applied, Kaminsky said.


According to a bulletin from the U.S. Computer Emergency Readiness Team (U.S. CERT), the vulnerability (VU#800113) could allow cache poisoning and misdirection of Web requests, sending users to unknown Web sites.

Web poisoning exploits already are known, but because the new vulnerability is in the basic design of the protocol itself, it is potentially more dangerous that previous problems. If the vulnerability were exploited, "you would have the Internet, but it wouldn't be the Internet you expect," Kaminsky said.

There are no indications of an exploit for the vulnerability, he added.

DNS is a hierarchical system that translates written names such as those in URLs and e-mail addresses into IP addresses. This function makes it critical to almost all uses of the Internet. Because the vulnerability is in the basic design of the design of DNS, it is found in nearly all implementations of the protocols and the response has been coordinated.

Kaminsky said he found the bug by accident. "I wasn't looking for this at all."

A group of 16 security researchers met on the Microsoft campus in March to coordinate a response.

"Because of the fundamental nature of the vulnerability, it is in all of our implementations, and we agreed that that only way we could do this was by a coordinated release across all platforms," Kaminsky said in a news conference Tuesday announcing the release.

Vendors agreed to release patches in July and wait for a month before releasing details of the vulnerability.

Some vendors made early releases of the patches available to large Internet service providers such as Comcast, which already have begun patching their infrastructures.

By withholding details and using a patch that does not directly fix the vulnerability itself, the researchers hope to make it as difficult as possible for hackers to reverse-engineer and find the vulnerability.

"Reverse-engineering is not impossible," Kaminsky said. "But we hope it will not be done quickly. Things are well under control. We have bought you as much time as possible."

It now is up to administrators to ensure that all servers are patched.

Although details of the vulnerability have not been released, Kaminsky said it involves a weakness in the transaction ID used in DNS queries. Currently, replies to a DNS query have to contain the proper transaction ID, which is chosen randomly from 65,000 values.

"For undisclosed reasons, 65,000 is just not enough," Kaminsky said. "We needed more randomization."

That is being obtained from a source port ID, another random identifier in the packet. After patching, replies to DNS queries will require not only the proper transaction ID but also the proper source port ID. "We are making a system that was somewhat random more random," Kaminsky said.

"The use of randomized source ports can be used to gain approximately 16 additional bits of randomness in the data that an attacker must guess," U.S. CERT said.

Art Manion, lead vulnerability analyst for U.S. CERT, said a number of government agencies cooperated in the response to the vulnerability.

Although patches are being released today, Kaminsky said that installing patches will not necessarily happen immediately because DNS is such a fundamental part of the Internet.

"It is very important to get DNS patched correctly," according to Kaminsky. "If you screw up the deployment of a fix, a lot of people get a sudden outage."

In some cases, more than patching will be required. Firewalls in front of servers limiting the number of ports that can be used may have to be reconfigured to allow the higher level of randomization. Many servers are running older versions of the Berkeley Internet Name Domain (BIND) server, probably the most commonly used DNS software. The latest version is BIND 9; BIND 8 no longer is supported, but about 6 percent of servers scanned in a recent global survey still were running it. Those servers will have to update to version 9.

Joao Damas, senior program manager for ISC whose responsibilities include BIND, said Yahoo has agreed to migrate its infrastructure to BIND 9.

Kaminsky is scheduled to release details of the vulnerability at the Black Hat Briefings security conference being held next month in Las Vegas.


Microsoft Warns of ActiveX Exploit in Access
IE Is Least-Patched Browser, Report Says
Open source DNS server takes on BIND