Blog

Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released

By Rich

Today, CERT is issuing an advisory for a massive multivendor patch to resolve a major issue in DNS that could allow attackers to easily compromise any name server (it also affects clients). Dan Kaminsky discovered the flaw early this year and has been working with a large group of vendors on a coordinated patch.

The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn’t directly possible.

Dan asked for some assistance in getting the word out and was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day.

Dan, and the vendors, did an amazing job with this one. We’ve also attached the official CERT release and an Executive Overview document discussing the issue.

Executive Overview (pdf)

CERT Advisory (link)

Update: Dan just released a “DNS Checker” on his site Doxpara.com to see if you are vulnerable to the issue. Network Security Podcast, Episode 111, July 8, 2008

And here’s the text of the Executive Overview:

Fixes Released for Massive Internet Security Issue

On July 8th, technology vendors from across the industry will simultaneously release patches for their products to close a major vulnerability in the underpinnings of the Internet. While most home users will be automatically updated, it’s important for all businesses to immediately update their networks. This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations.

Earlier this year, professional security research Dan Kaminsky discovered a major issue in how Internet addresses are managed (Domain Name System, or DNS). This issue was in the design of DNS and not limited to any single product. DNS is used by every computer on the Internet to know where to find other computers. Using this issue, an attacker could easily take over portions of the Internet and redirect users to arbitrary, and malicious, locations. For example, an attacker could target an Internet Service Provider (ISP), replacing the entire web – all search engines, social networks, banks, and other sites – with their own malicious content. Against corporate environments, an attacker could disrupt or monitor operations by rerouting network traffic traffic, capturing emails and other sensitive business data. Mr. Kaminsky immediately reported the issue to major authorities, including the United States Computer Emergency Response Team (part of the Department of Homeland Security), and began working on a coordinated fix. Engineers from major technology vendors around the world converged on the Microsoft campus in March to coordinate their response. All of the vendors began repairing their products and agreed that a synchronized release, on a single day, would minimize the risk that malicious individuals could figure out the vulnerability before all vendors were able to offer secure versions of their products. The vulnerability is a complex issue, and there is no evidence to suggest that anyone with malicious intent knows how it works.

The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches; a common technique malicious individuals use to figure out security weaknesses. Unfortunately, due to the scope of this update it’s highly likely that the vulnerability will become public within weeks of the coordinated release. As such, all individuals and organizations should apply the patches offered by their vendors as rapidly as possible.

Since not every system can be patched automatically, and to provide security vendors and other organizations with the knowledge they need to detect and prevent attacks on systems that haven’t been updated, Mr. Kaminsky will publish the details of the vulnerability at a security conference on August 6th. It is expected by this point the details of the vulnerability will be independently discovered, potentially by malicious individuals, and it’s important to make the specific details public for our collective defense. We hope that by delaying full disclosure, organizations will have time to protect their most important systems, including testing and change management for the updates. Mr. Kaminsky has also developed a tool to help people determine if they are at risk from “upstream” name servers, such as their Internet Service Provider, and will be making this publicly available.

Home users with their systems set to automatically update will be protected without any additional action. Vendor patches for software implementing DNS are being issued from major software manufacturers, but some extremely out of date systems may need to updated to current versions before the patches are applied. Executives need to work with their information technology teams to ensure the problem is promptly addressed.

There is absolutely no reason to panic; there is no evidence of current malicious activity using this flaw, but it is important everyone follow their vendor’s guidelines to protect themselves and their organizations.

No Related Posts
Comments

[...] Ever since last year, I always get a little nervous when Dan Kaminsky starts asking me certain questions over Twitter. Last time it was the DNS vulnerability, and this time is was something not as big, yet still extremely cool. [...]

By


Microsoft let the cat out of the bag with MS08-020 - sorta predictable TXID numbers; there’s a really good article on phrack from not <a href=“http://www.fixresimler.com” title=“resım” rel=“nofollow”>resimler</a> too long ago talking about attacks against tcp/ip ISN that are probably applicable to this.

By jessica


[...] The bottom line is that without DNSSEC, no website or email is safe from a potential traffic hijacking. Internet security researcher Dan Kaminsky proved it can be done in just a few seconds. [...]

By DNSSEC FUD Buster #2 - DNSSEC is not necessary? &r


[...] One more good news about reliance is that they have fixed the very serious dns vulnerability in their dns servers.  Read about and test ur dns server here Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released | securosis.com [...]

By One Good News about Reliance Wi-Max


[...] was recently found a flaw in the design of DNS. More accurately, DNS was designed back in the day when there were no "bad guys" on the [...]

By Has anybody else noticed DNS IP lookup is taking a


[...] Dan Kaminsky’s DNS flaw is a case of a protocol flaw.  Correct implementations of the protocol had a catastrophic security flaw.  I recommend you read Kaminsky’s thoughts written after the aftermath of the flaw had run its course. [...]

By Glass Box Voting » Blog Archive » Open


Actual topic. Writing is worthy of attention.

By jhon


[...] (Black Hat), mientras todos los reflectores se enfocaban en Dan Kaminsky y su desubrimiento de una falla en los servidores DNS de cacheo, que de acuerdo a los medios pudo haber significado el fin de Internet (sobre ese tema posteare [...]

By Windows Vista es tan inseguro como sus predecesore


[...] man because he recently brought this issue up and successfully managed to sell it as discovery (see Securosis.com). The truth, however is, that Daniel J. Bernstein, author of the djbdns (aka: TinyDNS)  DNS Server [...]

By DNS Poisoning | Secure Biz


lol@haters

"Few people can be happy unless they hate some other person, nation, or creed."  - Bertrand Russel

the reason Dan didnt immediately spill all about the bug he found is that he didnt want the bad guys out there scrambling on their feet looking to bite on the opportunity.he waited for the patch for the bug released and then give out the whole story.

read again the article provided on rmogull’s comment if haters still mad at him.

By 2ach


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.