Login  |  Register  |  Contact

Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released

Today, CERT is issuing an advisory for a massive multivendor patch to resolve a major issue in DNS that could allow attackers to easily compromise any name server (it also affects clients). Dan Kaminsky discovered the flaw early this year and has been working with a large group of vendors on a coordinated patch.

The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible.

Dan asked for some assistance in getting the word out and was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day.

Dan, and the vendors, did an amazing job with this one. We've also attached the official CERT release and an Executive Overview document discussing the issue.

Executive Overview (pdf)

CERT Advisory (link)

Update: Dan just released a "DNS Checker" on his site Doxpara.com to see if you are vulnerable to the issue. Network Security Podcast, Episode 111, July 8, 2008

And here's the text of the Executive Overview:

Fixes Released for Massive Internet Security Issue

On July 8th, technology vendors from across the industry will simultaneously release patches for their products to close a major vulnerability in the underpinnings of the Internet. While most home users will be automatically updated, it's important for all businesses to immediately update their networks. This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations.

Earlier this year, professional security research Dan Kaminsky discovered a major issue in how Internet addresses are managed (Domain Name System, or DNS). This issue was in the design of DNS and not limited to any single product. DNS is used by every computer on the Internet to know where to find other computers. Using this issue, an attacker could easily take over portions of the Internet and redirect users to arbitrary, and malicious, locations. For example, an attacker could target an Internet Service Provider (ISP), replacing the entire web -- all search engines, social networks, banks, and other sites -- with their own malicious content. Against corporate environments, an attacker could disrupt or monitor operations by rerouting network traffic traffic, capturing emails and other sensitive business data. Mr. Kaminsky immediately reported the issue to major authorities, including the United States Computer Emergency Response Team (part of the Department of Homeland Security), and began working on a coordinated fix. Engineers from major technology vendors around the world converged on the Microsoft campus in March to coordinate their response. All of the vendors began repairing their products and agreed that a synchronized release, on a single day, would minimize the risk that malicious individuals could figure out the vulnerability before all vendors were able to offer secure versions of their products. The vulnerability is a complex issue, and there is no evidence to suggest that anyone with malicious intent knows how it works.

The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches; a common technique malicious individuals use to figure out security weaknesses. Unfortunately, due to the scope of this update it's highly likely that the vulnerability will become public within weeks of the coordinated release. As such, all individuals and organizations should apply the patches offered by their vendors as rapidly as possible.

Since not every system can be patched automatically, and to provide security vendors and other organizations with the knowledge they need to detect and prevent attacks on systems that haven't been updated, Mr. Kaminsky will publish the details of the vulnerability at a security conference on August 6th. It is expected by this point the details of the vulnerability will be independently discovered, potentially by malicious individuals, and it's important to make the specific details public for our collective defense. We hope that by delaying full disclosure, organizations will have time to protect their most important systems, including testing and change management for the updates. Mr. Kaminsky has also developed a tool to help people determine if they are at risk from "upstream" name servers, such as their Internet Service Provider, and will be making this publicly available.

Home users with their systems set to automatically update will be protected without any additional action. Vendor patches for software implementing DNS are being issued from major software manufacturers, but some extremely out of date systems may need to updated to current versions before the patches are applied. Executives need to work with their information technology teams to ensure the problem is promptly addressed.

There is absolutely no reason to panic; there is no evidence of current malicious activity using this flaw, but it is important everyone follow their vendor's guidelines to protect themselves and their organizations.

—Rich

Posted at Tuesday 8th July 2008 4:28 am Filed under: dan kaminskydnsgeeknon-geekvulnerabilitiesvulnerability

Previous entry: Mozilla Project In Open Document Format | | Next entry: Dark Reading Column: Attack Of The Consumers (And Those Pesky iPhones)

Comments:

If you like to leave comments, and aren't a spammer, register for the site and email us at info@securosis.com and we'll turn off moderation for your account.

By Securosis: Large Scale DNS Vulnerabilty | Infosecu  on  07/08  at  12:46 AM

[...] SBN member Securosis (one of my favorite security sites, and a must read) has posted a tremendous podcast, as well as supporting documentation related to a recently discovered DNS [...]

By Liquidmatrix Security Digest » Kaminsky Brea  on  07/08  at  12:58 AM

[...] on this story over on Rich Mogull’s [...]

By mind  on  07/08  at  01:14 AM

uhh, full disclosure maybe?

What is compromised? What are the attack vectors?

Sorry, "important ... to immediately update their networks" doesn’‘t cut it. Should I kill named immediately? If I’‘m waiting for apt repositories? Or does this only allow arbitrary remapping of addresses, which isn’‘t as urgent given that anything important should be using tls.

By john.jones.name  on  07/08  at  01:17 AM

well done for such a coordinated patch process

regards

John Jones

By rmogull  on  07/08  at  01:17 AM

Dan will release the details at Black Hat- for now, port randomization will make exploitation impractical. That’s what most of the fixes are doing.

By Shamgar  on  07/08  at  01:43 AM

Or you could just run djbdns which already randomizes ports.

By windexh8er  on  07/08  at  01:48 AM

So, here’s my take.  Dan’s find will spark much debate around the inherent suck of DNS today.  Everyone will talk about it for a week (bloggers / podcasters start your engines) and then the inevitable…  Nothing will happen.  Sure, the vendors will scramble to patch.  But, name resolution as a whole will continue to be insecure and craptastic.  :)

I think I have a good idea of what’s up based on Rich’s comment.  *sigh*

By Dan Kaminsky descobre nova falha em protocolo DNS  on  07/08  at  01:55 AM

[...] vulnerabilidade de segurança que pode ser considerada como grave afecta praticamente todos servidores DNS, por ser uma falha de [...]

By Matillo  on  07/08  at  02:00 AM

Anyone know if this is related to the recent ICANN/IANA DNS compromise?

By windexh8er  on  07/08  at  02:01 AM

I have to call Rich on this one…

"Reverse engineering the vulnerability by looking at the patch will not be easy with this one," he said."—quoted from DR.

Really?  I’‘m not so sure.  Dan may be smart, but Tom Ptacek states the obvious that this isn’‘t a new threat.  Maybe a new spin on an old flaw.  But to say that there won’‘t be something on milw0rm in a few days would be betting against the odds I think.  Maybe a tad zealous?  I’‘d be willing to wager something on that at this point.  There’s lots-o-smart black hats out there.  I don’‘t think PoC code will be difficult—but that’s just my $0.02.

FUD?  I’‘d say—not exactly.  But maybe.  :)

By Marcin  on  07/08  at  02:49 AM

The advisory says more than enough information for anyone to understand how the attack works and anyone with the skills can come up with an exploit for it.

This is just another reason why we need DNSSEC.

By александр.moskalyuk.name » &  on  07/08  at  02:52 AM

[...] конференции всегда забиты, Дэн Камински, в свое время обнаружил весьма важную дыру в протоколе DNS, и сегодня Microsoft, Cisco [...]

By Zero Day mobile edition  on  07/08  at  02:59 AM

[...] Liquid Matrix guys also mention that Rich Mogull has more details on the flaw over at the Securosis blog, and that the Thomas Ptacek, of the Matasano crew, has some doubts about this flaw, as seen on [...]

By tekhammer  on  07/08  at  03:31 AM

Dan didn’‘t find shit. He read RFC3383 (http://www.ietf.org/rfc/rfc3833.txt) which was released 4 years ago.

By Duane  on  07/08  at  03:33 AM

DNSSec hasn’‘t done anything in 10 years, nor likely to in the next 10 years it’s just too complicated, not to mention needing to renew sigs all the time, and until the sigs time out, usually 30 days, people can run replay attacks on your data.

What we need is confidentiality as well as other aspects of cryptography, signing alone seems pointless and overly complicated to me, I’‘ve been drawing up an internet draft on this topic for other reasons, but it would solve so many.

http://www.e164.org/docs/draft-groth-dns-encryption-00.txt

By rmogull  on  07/08  at  04:26 AM

tekhammer- that’s not it. Earlier work is involved, but this is new and thus necessitated the coordinated patch. Dan will release the info at Black Hat and you can evaluate it again then.

By D.M.  on  07/08  at  04:47 AM

Microsoft let the cat out of the bag with MS08-020 - sorta predictable TXID numbers; there’s a really good article on phrack from not too long ago talking about attacks against tcp/ip ISN that are probably applicable to this.

I’‘m ignorant though - is this a dns cache poisoning issue or what? So you spoofed a TXID, what next?

By rmogull  on  07/08  at  04:53 AM

Ya- cache poisoning, but a new exploit method. That’s my understanding.

By Multi-Vendor patch addresses major DNS exploit at  on  07/08  at  06:14 AM

[...] IP addresses they live on. DNS Admins are urged to patch the systems in their charge, immediately . Securosis has the full story. Here’s a tool to test to see if you’re at risk to the Cache [...]

By DNS getting lots of attention today « Techdu  on  07/08  at  06:36 AM

[...] You can find some decent info in there, including some vendor notes.  Rich Mogull over at Securosis has a good write up and an interview with Dan that I recommend you listen [...]

By Just About  on  07/08  at  06:40 AM

All this do me naught at home.
When guys that try to do everything more CANONICAL and STRICT by RFCs or trying to update the protocol or close the flaws in a tecnical way like Mr. D. J. Bernstein and others.. BIG DADS or BIG BINDS or BIG MICROSOFTS just think about money.
When Shits happens theydoo a MOVIE like script to put everyone in a afraid way and the Own ass in LIGHT.
Be sctrict in RFC’s dont use the BUGBIND and clones. So after that the FLAWS that already exist in DNS Protocol and other protocols last decades will impact your business in a soft way. Not in a MOVIE SCRIPT WAY.
What can i think if this guys done this in a MICROSOFT CAMPUS?
nothing.
Who know twhat they are speaking and what flaw (BUG) it is understand what iam speaking.
STOP BE SILLY, STOP USE THINGS DONE BY MONEY MAKERS..
START TO THINK LIKE A ENGINER, OR A NETWORK REAL DEVELOPER. THat all troubles come with the right kind of height and trouble..
This is a circus… a kidd, this news seems like a release of a new product than a REALLY CONCERT..
Just to keep everyone informed, In BRazil, last week, a ALL the TELEFONICA NETWORK ( put down a entyre state, and almost all internet conection, phone and cell phone), was one of most big TROUBLES a company have around globe,, ( look around this, Telefonica internet brazil). Just because thisMONEY MAKERS do this shits and news like that…

By Jet  on  07/08  at  08:09 AM

Isn’‘t this is the same as the "BIND 9 DNS Cache Poisoning" at http://www.securiteam.com/securitynews/5VP0L0UM0A.html (July 2007 by Amit Klein)?

I believe the detail of this vulnerability will be almost the same.

By Steve O  on  07/08  at  10:32 AM

Too bad Microsoft’s fix hoses ZoneAlarm. Well, if you can’‘t get on the Internet, you can’‘t get into trouble.

By spaz  on  07/08  at  11:55 AM

He should have fully disclosed the details about the vulnerability. In a few days or so almost every blackhat with a brain will know about the vulnerability and exploit it. The victims would be left clueless wondering wtf happened and not knowing how to fix it, or even perhaps what happened because it was kept under wraps.

My 0.02, FWIW.

By Kecoak Elektronik Indonesia » Blog Archive &  on  07/08  at  11:55 AM

[...] the complete story from here.         Read More           Post a [...]

Page 1 of 5 pages  1 2 3 >  Last »

Name:

Email:

Remember my personal information

Notify me of follow-up comments?

Submit the word you see below: