
Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released

Today, CERT is issuing an advisory for a massive multivendor patch to resolve a major issue in DNS that could allow attackers to easily compromise any name server (it also affects clients). Dan Kaminsky discovered the flaw early this year and has been working with a large group of vendors on a coordinated patch.

The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms, since this is a problem with the DNS protocol itself, not a specific implementation. The good news is that this is a really strange situation where the fix does not immediately reveal the vulnerability, so reverse engineering it from the patches isn't directly possible.

Dan asked for some assistance in getting the word out and was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day.

Dan, and the vendors, did an amazing job with this one. We've also attached the official CERT release and an Executive Overview document discussing the issue.

Executive Overview (pdf)

CERT Advisory (link)

Update: Dan just released a "DNS Checker" on his site Doxpara.com to see if you are vulnerable to the issue.

Network Security Podcast, Episode 111, July 8, 2008

And here's the text of the Executive Overview:

Fixes Released for Massive Internet Security Issue

On July 8th, technology vendors from across the industry will simultaneously release patches for their products to close a major vulnerability in the underpinnings of the Internet. While most home users will be automatically updated, it's important for all businesses to immediately update their networks. This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations.

Earlier this year, professional security researcher Dan Kaminsky discovered a major issue in how Internet addresses are managed (Domain Name System, or DNS). This issue was in the design of DNS and not limited to any single product. DNS is used by every computer on the Internet to know where to find other computers. Using this issue, an attacker could easily take over portions of the Internet and redirect users to arbitrary, and malicious, locations. For example, an attacker could target an Internet Service Provider (ISP), replacing the entire web -- all search engines, social networks, banks, and other sites -- with their own malicious content. Against corporate environments, an attacker could disrupt or monitor operations by rerouting network traffic, capturing emails and other sensitive business data. Mr. Kaminsky immediately reported the issue to major authorities, including the United States Computer Emergency Response Team (part of the Department of Homeland Security), and began working on a coordinated fix. Engineers from major technology vendors around the world converged on the Microsoft campus in March to coordinate their response. All of the vendors began repairing their products and agreed that a synchronized release, on a single day, would minimize the risk that malicious individuals could figure out the vulnerability before all vendors were able to offer secure versions of their products. The vulnerability is a complex issue, and there is no evidence to suggest that anyone with malicious intent knows how it works.

The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches, a common technique malicious individuals use to figure out security weaknesses. Unfortunately, due to the scope of this update it's highly likely that the vulnerability will become public within weeks of the coordinated release. As such, all individuals and organizations should apply the patches offered by their vendors as rapidly as possible.

Since not every system can be patched automatically, and to provide security vendors and other organizations with the knowledge they need to detect and prevent attacks on systems that haven't been updated, Mr. Kaminsky will publish the details of the vulnerability at a security conference on August 6th. It is expected that by this point the details of the vulnerability will have been independently discovered, potentially by malicious individuals, and it's important to make the specific details public for our collective defense. We hope that by delaying full disclosure, organizations will have time to protect their most important systems, including testing and change management for the updates. Mr. Kaminsky has also developed a tool to help people determine if they are at risk from "upstream" name servers, such as their Internet Service Provider, and will be making this publicly available.

Home users with their systems set to automatically update will be protected without any additional action. Vendor patches for software implementing DNS are being issued from major software manufacturers, but some extremely out of date systems may need to be updated to current versions before the patches are applied. Executives need to work with their information technology teams to ensure the problem is promptly addressed.

There is absolutely no reason to panic; there is no evidence of current malicious activity using this flaw, but it is important everyone follow their vendor's guidelines to protect themselves and their organizations.

—Rich


Comments:


By The Happy Space Invader  on  07/08  at  10:56 PM

All your DNS belong to us!

By Steve Pinkham  on  07/08  at  11:11 PM

rsp: It’s checking to see if your DNS resolver uses query port randomization, and the range it uses.
The patches for bind turn on query port randomization by default, and allow a larger range of source ports.
What Dan seems to be claiming is that he has found a more efficient attack against the already known problems in DNS that takes it from "known broken" status to "broken by your grandma" status.
Whether that’s true or he’s just popularizing attacks the security world has known about for 5 years or more, we won’t know until next month.

By DNS Fool » A Big Day for DNS Security  on  07/08  at  11:24 PM

[...] found a security vulnerability in the design of DNS itself.  Yea, let that sink in.  The problem was in the DNS protocol, not [...]

By WK  on  07/09  at  12:59 AM

Hello,

Very impressive coordination work… I guess we’re lucky the flaw has been found by a "good guy".

When reading all resources from Dan Kaminsky’s blog (is it really a blog? regardless of the url typed, the same page comes up…), I understand that almost all dsl/home routers are also impacted… and won’t be fixed, I’m afraid. Am I right?

Thanks,
wk

By The Internet is Broke - Check your DNS server to s  on  07/09  at  01:10 AM

[...] has details up, and there’s a full-on interview between myself and Rich Mogull up on Securosis.  For the non-geeks in the audience, you might want to tune out here, but this is my personal blog [...]

By Steve Pinkham  on  07/09  at  01:18 AM

wk:
Probably home routers are vulnerable (if they run a caching resolver, recursive or not), but it’s probably not a problem.
The attack almost definitely requires the ability to force the resolver to create queries, and my guess is his new vulnerability creates many of them in a way that’s not obvious.
Forcing a single query is easy, but forcing many at an exact known time is very difficult, and I’m guessing that having someone on your home lan who could do that means you are already 0wned.
As far as we know and can guess, the vulnerability is primarily against shared caches at the business or ISP level.  Unfortunately we don’t know much, and I could be very impressed in a month. ;-)

By jj  on  07/09  at  02:36 AM

This update is well needed, but for the time and effort spent creating it, a warning dialog should have appeared before installing. AND IT SHOULD NOT LET IT BE DONE automatically! Inexperienced users surely freaked out when zone alarm wouldn’t let them connect to internet. And to whomever did figure out that changing security from high to medium in za would let them connect, bravo. But still, now my computer is forced to be not as secure…

By links for 2008-07-09 / taint.org: Justin Masons We  on  07/09  at  04:36 AM

[...] massive multi-vendor patch to DNS resolvers the bug appears to affect client-side resolvers, which can be cache-poisoned by malicious DNS servers using predictable TXIDs in DNS responses. current fix is to randomize ports when making queries? I think. more: http://www.kb.cert.org/vuls/id/800113 (tags: bind dns dan-kaminsky resolvers security holes exploits cache-poisoning) [...]

By More On The DNS Vulnerability | securosis.com  on  07/09  at  05:13 AM

[...] it’s been a crazy 36 hours since Dan Kaminsky released his information on the massive multivendor patch and DNS issue. I want to give a little background on how I’ve been involved (for full [...]

By Extra Pepperoni » reppep service interruptio  on  07/09  at  05:51 AM

[...] night, I started patching both Linux servers running reppep and associated domains, prompted by Rich’s BIND alert. At 12:33am, www.reppep.com finished installing approximately 255 CentOS patches (including BIND), [...]

By X  on  07/09  at  06:48 AM

Maybe it’s this patch that’s the real malware. Maybe this is a scam to get people to download the patch and then BOOM!

By Bruno Kerouanton » Vous avez fini de patcher  on  07/09  at  08:22 AM

[...] for the mayonnaise to set, the next step was to communicate about this problem. The buzz, by way of Mogull, seems to have worked well, since everyone knows about it, starting with the major media [...]

By Trinity Net » Blog Archive » Major DNS  on  07/09  at  09:44 AM

[...] someone to poison a DNS cache by anticipating the query id. You can read more about this issue here. The Ubuntu security report is here. I would strongly recommend that you upgrade your DNS servers [...]

By Chad’s News - An Important Windows Update or  on  07/09  at  10:20 AM

[...] http://securosis.com/…(via [...]

By WK  on  07/09  at  11:14 AM

Steve: thanks for the insight. I was assuming that the attack could come from the "outside". Then, I’m wondering why single computers need to be patched: only because the "local" Name information could be corrupted or… because it is a key element of the weakness?

X: I had the same thought… just imagine that the attack already occurred, that I thought I read the news on BBC but it wasn’t actually on bbc.co.uk, that my windows auto-update thought it connected to Microsoft update server but installed a malware instead of a real patch, in one word, the real is fake… enough to become schizophrenic!

By July 8th  on  07/09  at  04:44 PM

[...] as it looks like a fairly important vulnerability.  Here’s a little more reading on the subject:  Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released | securosis.com One note: when I patched my Windows XP installation, I lost my internet connection immediately [...]

By Bīstama DNS ievainojamība | Pods.lv  on  07/10  at  12:09 AM

[...] yesterday I noticed that various sources mention a very serious vulnerability in the DNS protocol, one that concerns servers and may also concern clients. Today, CERT is issuing an [...]

By The Switchboard is Under Enemy Control  on  07/10  at  04:26 AM

[...] (but are scheduled to be in about a month or so). There’s an article with more detail here, and a little applet to check whether or not you are vulnerable [...]

By Allen Baranov  on  07/10  at  07:25 PM

Steve,

Thanks for all the information provided, it was very interesting.

My understanding from what I’ve read of your information is that there are two protection mechanisms - source port and nonce.

Assuming that nonce can be taken out of the equation then it makes source port randomisation that much more important.

The question is - how has Dan Kaminsky managed to take nonce out of the equation?

By Steve Pinkham  on  07/10  at  08:14 PM

Allen:
There’s really only 4 (known) ways to get better cache poisoning results:
1) Create more query traffic from the resolver
2) Create more bogus poisoning responses
3) Delay or force dropping of the real response packet from the authoritative server, giving more time to inject your poisoning responses.
4) Break the random number generator used to produce the XIDs

From the information we have and the need for source port randomization, I think scenario 3 is the most likely. Scenario 1 is also possible.  Scenario 4 is unlikely given the cross platform nature of the claimed exploit, but BIND especially has been broken that way quite a few times in the past.
I have my own hunches about how to do this which I’ll be testing when I get a few spare cycles, but this post is the extent of the reverse engineering I’ll post publicly until Dan gets to talk about it next month. Let the black hats do their own work.
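Steve Pinkham's earlier note that the patches turn on query port randomization, Allen Baranov's question about the two protection mechanisms (source port and the transaction ID nonce), and Steve's reply above all come down to one number a defender can measure: how many bits an off-path spoofer has to guess per forged reply before a resolver will accept it. The script below is an added example written for this discussion; it is not code from this post, from Dan Kaminsky's DNS Checker, or from any vendor patch. It scores constructed (source port, TXID) observations of a resolver's outbound queries, which in practice you would collect by capturing the resolver's own traffic. The `build_samples` helper, the 10-bit threshold for calling a port "randomized", and the range-based bit estimate are all assumptions made here, not properties of any real checker.

```python
"""Estimate how much a resolver's query-source randomness protects it from
blind (off-path) cache poisoning.

Added example for this discussion; not Dan Kaminsky's checker and not code
from any vendor patch.  A forged answer is only accepted if it matches the
outstanding query's 16-bit transaction ID *and* arrives at the UDP source
port the resolver used.  A resolver that always queries from one port leaves
only the TXID to guess; one that also randomizes the source port forces a
far larger guess space.
"""
import math
import random


def field_bits(values):
    """Crude entropy estimate for one field of observed outbound queries.

    log2 of the spread between the smallest and largest value seen.  With a
    few hundred samples of a uniformly random 16-bit field this is close to
    16; for a constant field it is 0.  A range metric is used on purpose:
    counting distinct values would make 300 samples of a good RNG look like
    only ~8 bits.
    """
    lo, hi = min(values), max(values)
    return math.log2(hi - lo + 1)


def looks_sequential(values, threshold=0.5):
    """Flag a field whose range is wide only because it counts upward.

    A sequential TXID or port spans a wide range yet is trivially
    predictable, so it must not be credited with the bits the range alone
    suggests.  The 50% step threshold is an assumption of this example.
    """
    steps = [b - a for a, b in zip(values, values[1:])]
    if not steps:
        return False
    return sum(1 for s in steps if s in (1, -1)) / len(steps) >= threshold


def assess(samples):
    """samples: list of (source_port, txid) for queries the resolver sent.

    Returns per-field bit estimates, whether the port looks randomized
    (assumed threshold: at least 10 bits of spread), and the total bits an
    off-path spoofer must guess per forged reply.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits = 0.0 if looks_sequential(ports) else field_bits(ports)
    txid_bits = 0.0 if looks_sequential(txids) else field_bits(txids)
    return {
        "port_randomized": port_bits >= 10,
        "port_bits": round(port_bits, 1),
        "txid_bits": round(txid_bits, 1),
        "total_bits": round(port_bits + txid_bits, 1),
    }


def build_samples(kind, n=300, seed=2008):
    """Constructed observations (not real captures) for three resolver styles."""
    rng = random.Random(seed)
    if kind == "fixed-port":        # pre-patch default: one port, random TXID
        return [(53, rng.randrange(65536)) for _ in range(n)]
    if kind == "sequential-txid":   # older bug: fixed port, counting TXID
        return [(53, (1000 + i) & 0xFFFF) for i in range(n)]
    if kind == "randomized":        # post-patch: random port and random TXID
        return [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("fixed-port", "sequential-txid", "randomized"):
        print(kind, assess(build_samples(kind)))
```

The three constructed cases show why the patch mattered: a fixed source port with a good TXID generator scores about 16 bits, a counting TXID scores zero even though its values span a wide range, and a resolver that randomizes both fields scores roughly 32 bits. The sequential check is the caveat a practitioner wants, since a naive range or distinct-value metric would rate a predictable counter as strong.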

By KiTT  on  07/14  at  03:57 PM

Dan has brought NOTHING new to the table.  Simply made a name for himself by regurgitating the same old problems.  YES DNS is a vulnerable protocol, it has been for 10 years.  This is NOTHING new.  Amit Klein talked about this exactly 1 year ago.  Source port randomisation will sort things, so will better pseudo randomisation of the transaction IDs, ANY system admin could have told you this last year!  Well done Dan, you are the prince of yesterday’s news.

By WK  on  07/14  at  04:02 PM

@KiTT: ok, so there is nothing new. So it was for nothing that all major providers (MS, Cisco, ...) jointly issued an update/patch on July 8th. Too bad these guys are not as clever as you are; they would have saved money by doing nothing.

Or, are they clever?

By rmogull  on  07/14  at  07:35 PM

If you think this is all a silly game and Dan didn’t discover anything new, read this: http://www.circleid.com/posts/87143_dns_not_a_guessing_game/

This is as serious as it gets folks.

By Zero Day mobile edition  on  07/15  at  03:35 AM

[...] story has also received extensive coverage over at Securosis, where Rich Mogull has provided a podcast on the subject.  The Black Hat webcast details are [...]

By Napaka v samem jedru interneta - Zakladi interneta  on  07/17  at  02:38 PM

[...] securosis.com [...]
