Massive patch coming for DNS vulnerability
- By William Jackson
- Jul 08, 2008
Major vendors of Domain Name System (DNS) servers are making an unprecedented coordinated release of patches for what is being called a fundamental flaw in DNS, a core component of the Internet.
Most vendors are releasing the patches today, with the rest doing so soon, said Dan Kaminsky, director of penetration testing at IOActive Inc. He discovered the vulnerability about six months ago.
Automatic updates will handle patching on most servers, but it is critical for all organizations to identify DNS servers in their networks and make sure that the proper patches are applied, Kaminsky said.
According to a bulletin from the U.S. Computer Emergency Readiness Team (US-CERT), the vulnerability (VU#800113) could allow cache poisoning and misdirection of Web requests, sending users to unknown Web sites.
Web poisoning exploits are well-known, but because the new vulnerability lies in the basic design of the protocol, it is potentially more dangerous than previous problems. If the vulnerability is exploited, 'you would have the Internet, but it wouldn't be the Internet you expect,' Kaminsky said.
There are no indications that anyone has developed a way to exploit the vulnerability, he added.
DNS is a hierarchical system that translates written names, such as URLs and e-mail addresses, into IP addresses. That function makes DNS essential to almost all uses of the Internet. Because the vulnerability is in the basic design of the protocol, it is found in nearly all its implementations.
Kaminsky said he discovered the bug by accident. 'I wasn't looking for this at all,' he added.
A group of 16 security researchers met on Microsoft's campus in March to coordinate a response.
'Because of the fundamental nature of the vulnerability, it is in all of our implementations, and we agreed that that only way we could do this was by a coordinated release across all platforms,' Kaminsky said today at a news conference announcing the patch release.
Vendors agreed to issue patches in July and wait a month before releasing details of the vulnerability.
Some vendors made early releases of the patches available to large Internet service providers, such as Comcast, which have already begun patching their infrastructures.
By withholding details and using a patch that does not directly fix the vulnerability, the researchers hope to make it as difficult as possible for hackers to find the vulnerability.
'Reverse engineering is not impossible,' Kaminsky said. 'But we hope it will not be done quickly. Things are well under control. We have bought you as much time as possible.'
It is now up to administrators to ensure that all their servers are patched.
Although details of the vulnerability have not been released, Kaminsky said it involves a weakness in the transaction ID used in DNS queries. Currently, replies to a DNS query have to contain the proper transaction ID, which is chosen randomly from 65,000 values.
'For undisclosed reasons, 65,000 is just not enough,' Kaminsky said. 'We needed more randomization.'
It is being obtained from a source-port ID, another random identifier in the packet. After patching, replies to DNS queries will require not only the proper transaction ID but also the proper source-port ID.
'We are making a system that was somewhat random more random,' Kaminsky said.
'The use of randomized source ports can be used to gain approximately 16 additional bits of randomness in the data that an attacker must guess,' according to US-CERT.
Art Manion, lead vulnerability analyst at US-CERT, said a number of government agencies participated in the response to the vulnerability.
Although patches are being released today, Kaminsky said, installation will not necessarily happen immediately because DNS is such a fundamental part of the Internet.
'It is very important to get DNS patched correctly,' he said. 'If you screw up the deployment of a fix, a lot of people get a sudden outage.'
Some cases will require more than patching. Administrators might have to reconfigure server firewalls that allow the use of only a limited number of ports to accommodate the higher level of randomization. Many servers are running older versions of the Berkeley Internet Name Domain (BIND) server, probably the most commonly used DNS software. The latest version is BIND 9; BIND 8 is no longer supported, but about 6 percent of servers scanned in a recent global survey were still running it. Those servers will have to update to Version 9.
Joao Damas, senior program manager at the Internet Systems Consortium whose responsibilities include BIND, said Yahoo has agreed to migrate its infrastructure to Version 9.
Kaminsky is scheduled to release details of the vulnerability next month at the Black Hat Briefings security conference in Las Vegas.
William Jackson is a Maryland-based freelance writer.