DNS vulnerability update: Patch now!

 


The security blog for Matasano Security mistakenly published some of the details of the DNS vulnerability, creating the possibility that exploits soon could be developed.


The stakes have increased in the cat-and-mouse game between
hackers and information technology administrators who are trying to
patch Domain Name System (DNS) servers for a recently announced
vulnerability.


The security blog for Matasano mistakenly published some of the
details of the DNS vulnerability July 21, creating the possibility
that exploits could soon be developed. Although the entry was
quickly removed, the information had already been disseminated,
making it even more critical that vulnerable servers be patched
right away.


Dan Kaminsky, director of penetration testing at IOActive Inc.,
discovered the vulnerability about six months ago, but because of
its seriousness, it was kept under tight wraps until the DNS vendor
community could develop patches. The vulnerability was announced
July 8 as part of an unprecedented multivendor patch release.


Details of the vulnerability were to be withheld until Kaminsky
released them Aug. 6 at the Black Hat Briefings security conference
in Las Vegas. The delay would give administrators 30 days to get
critical patches installed.


“Reverse engineering is not impossible,” Kaminsky
said during the initial announcement. “But we hope it will
not be done quickly. Things are well under control. We have bought
you as much time as possible.”


But that time was cut in half with Monday’s exposure.


“We dropped the ball here,” wrote Thomas Ptacek, a
principal at Matasano, in an online apology.


Kaminsky responded eloquently to the exposure in his own
blog later in the day: “Patch. Today. Now. Yes, stay
late.”


DNS is a hierarchical system that translates written names, such
as URLs and e-mail addresses, into IP addresses. That function
makes it crucial to almost all uses of the Internet. According to
the U.S. Computer Emergency Readiness Team, the vulnerability could
allow cache poisoning and misdirection of Web requests, sending
users to unknown and possibly malicious Web sites. Cache poisoning
is not a new threat, but because the recently discovered
vulnerability is in the basic design of DNS, it is found in nearly
all implementations of the protocols, making it more serious than
many previous problems.


If the vulnerability were exploited, “you would have the
Internet, but it wouldn’t be the Internet you expect,”
Kaminsky said.


The exposure of the vulnerability’s details happened when
a security researcher posted speculation about it on his
blog.


“Shortly afterward, when the story began getting traction,
a post appeared on our blog about that hypothesis,” verifying
it, Ptacek wrote in his explanation. “It was posted in error.
We regret that it ran. We removed it from the blog as soon as we
saw it. Unfortunately, it takes only seconds for Internet
publications to spread.”


Ptacek said he had known the details of Kaminsky’s
findings and was holding them until next month’s scheduled
release.


“We chose to have a story locked and loaded for that
presentation or for any other confirmed public disclosure,”
he wrote. That was the story that was posted on the blog. “On
a personal level, I regret this as well.”


Ptacek emphasized the importance of getting patches installed
quickly. “This is a serious problem, it merits immediate
attention, and the extra attention it’s receiving today may
increase the threat,” he wrote. “The Internet needs to
patch this problem ASAP.”


Patching is not necessarily a simple matter. Name servers have
to be located and the versions and status of their software
confirmed before they can be fixed, and administrators need to test
patches before installing them to ensure that they do not create
additional problems. Some problems have been reported with patches
released by Microsoft, for example.


“It is very important to get DNS patched correctly,”
Kaminsky said. “If you screw up the deployment of a fix, a
lot of people get a sudden outage.”


In some cases, more than patching will be required. The patches
that have been released supplement the transaction IDs used to
authenticate queries to name servers by sending each query from a
random source port. Firewalls that limit the number of ports that
can be used might have to be reconfigured to allow the higher level
of randomization.
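
An added example, not part of the original article: a defender-side check that a resolver's outbound queries really use randomized source ports after patching, and that a firewall or address-translation device in the path has not narrowed them again. The capture line format, the addresses, the sample ports and the thresholds are all constructed assumptions for illustration.

```python
import re
import statistics

# tcpdump-style line for a UDP query sent *to* port 53 (format assumed for this example).
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")

def source_ports(lines, resolver_ip):
    """Source ports of queries sent by resolver_ip, in capture order."""
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports

def classify(ports, min_samples=8, narrow_stdev=3000):
    """Return 'fixed', 'sequential', 'narrow', 'randomized' or 'insufficient'.

    min_samples and narrow_stdev are illustrative thresholds, not standard values.
    """
    if len(ports) < min_samples:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"        # only the 16-bit transaction ID varies per query
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    if sum(d <= 16 for d in deltas) >= 0.8 * len(deltas):
        return "sequential"   # predictable; e.g. a NAT device rewriting ports in order
    if statistics.pstdev(ports) < narrow_stdev:
        return "narrow"       # random, but confined to a small pool (firewall port limit)
    return "randomized"

def assess(lines, resolver_ip):
    return classify(source_ports(lines, resolver_ip))

def capture(ports, resolver="192.0.2.10", server="198.51.100.1"):
    """Build constructed capture lines (documentation addresses, not real traffic)."""
    lines = []
    for i, p in enumerate(ports):
        lines.append(f"12:00:{i:02d}.1 IP {resolver}.{p} > {server}.53: {4660 + i}+ A? example.com. (29)")
        lines.append(f"12:00:{i:02d}.2 IP {server}.53 > {resolver}.{p}: {4660 + i} 1/0/0 A 203.0.113.5 (45)")
    return lines

UNPATCHED = capture([32768] * 10)
BEHIND_NAT = capture([1024 + i for i in range(10)])
PORT_LIMITED = capture([40010, 40055, 40003, 40090, 40031, 40077, 40018, 40064, 40099, 40042])
PATCHED = capture([50123, 1871, 33410, 61002, 12044, 27719, 45890, 8093, 58311, 19476])

if __name__ == "__main__":
    for name, cap in [("unpatched", UNPATCHED), ("behind NAT", BEHIND_NAT),
                      ("port-limited", PORT_LIMITED), ("patched", PATCHED)]:
        print(f"{name:13s} {assess(cap, '192.0.2.10')}")
```

Run the check against traffic captured outside the firewall, since that is where any narrowing of the port range would show up.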


In addition, many servers are running older versions of the
Berkeley Internet Name Domain (BIND) server, which is probably the
most commonly used DNS software. The latest version is BIND 9. BIND
8 no longer is supported, but about 6 percent of servers scanned in
a recent global survey were still running it. Those servers will
have to update to Version 9.


For those who do not have time to update their servers and for
organizations with Internet service providers that have not patched
their servers, OpenDNS will accept forwarded queries. OpenDNS is a
free DNS resolution service for homes and businesses, with two
recursive name server addresses for public use that provide an
alternative to using an ISP’s servers. Its servers are
patched, and it has agreed to accept traffic from other
organizations.


“Yes, forward to OpenDNS if you have to,” Kaminsky
said. “They’re ready for your traffic.”



Speculation continues as to what the ultimate systemic Domain Name System (DNS) flaw could be. This flaw apparently allows Web surfers to be spoofed, directing them to fake Web sites to gain passwords and load malware on their computers.


The flaw was first revealed by Dan Kaminsky, a researcher at security firm IOActive Inc., although Kaminsky largely withheld the technical details of the exploit.


In a Friday morning press conference, Kaminsky said that many of the patches released by various IT vendors and security firms reacting to his bug discovery (reported by CNet News.com) are at best temporary fixes to a more pervasive problem. Kaminsky added that he would be disclosing further findings at the Black Hat security conference in Las Vegas next month.


Kaminsky argued that there should be a blackout date on discourse and research about the vulnerability until then. In contrast, IT security gadfly Halvar Flake, who is also CEO and head of research at Sabre Security, outlined a hypothesis for the DNS flaw in his blog and disagreed with the blackout.


"Let's assume that the DNS problem is sufficiently complicated that an average person that has some background in security, but little idea of protocols or DNS, would take N days to figure out what the problem is. So clearly, the assumption behind the 'discussion blackout' is that no evil person will figure it out before the end of the N days [blackout]," Flake wrote.


Flake's proposed method of finding the vulnerability came about when he ran tests that involved sending spoofed protocol transfer requests to a nameserver, a gate-keeping function for IP language, which converts text domain names into numeric IP addresses. Through this process, an attacker sets up a Web page with tags that are routed to a corrupt nameserver. When a user visits that Web page, the browser may be fooled into associating a legitimate name server with the page.


The DNS vector should be considered a pervasive threat to enterprise systems.


About two weeks ago, around the time of Kaminsky's initial announcement, the U.S. Computer Emergency Readiness Team issued an advisory describing the issue. It listed more than 80 vendors whose products are affected by the vulnerability, including Microsoft, Cisco Systems, Sun Microsystems Inc. and Red Hat.


Having a reliable DNS cache exploit in place increases the probability that a hacker can redirect an unsuspecting Web surfer to a malicious Web site, an attack called "phishing."


"Phishing attacks were already on the rise against the increasing number of hosted enterprises services," said Andrew Storms, director of security at San Francisco-based IT security firm nCircle. "I don't think we've seen the last of these problems. The temporary solutions are to immediately patch your system in the meantime because the risk to corporate networks is one of the more serious risks enterprises face."

