Application security, Incident Response, Malware, Network Security, Patch/Configuration Management, Phishing, TDR, Vulnerability Management

Multiple vendors cooperate to issue DNS design flaw fix

A massive domain name system (DNS) design vulnerability that could permit cache poisoning – effectively allowing an attacker to direct users to the website of his choosing – is set to be fixed by an unprecedented synchronized series of multivendor patches.

The bug, discovered accidentally by researcher and DNS expert Dan Kaminsky, relates to deficiencies in the DNS protocol, a critical component of internet infrastructure that translates domain names into IP addresses and vice versa, essentially acting as the web's phone book.

Kaminsky, director of penetration testing at IOActive, declined during a conference call on Tuesday to release specifics, noting that he plans to fully detail the flaw Aug. 6 and 7 at the Black Hat conference in Las Vegas.

But it is known that successful exploitation could result in a DNS name server's clients reaching the wrong, and potentially malicious, web address, according to a US-CERT advisory issued Tuesday. The vulnerability is not publicly known, so there have been no reports of attacks.

What makes the vulnerability particularly dangerous is that it is a fundamental design flaw in DNS and not related to a specific implementation or product, Kaminsky said.

“That's how it was re-implemented in software package after software package,” Kaminsky, director of penetration testing at IOActive, said. “The same bug will show up in vendor after vendor after vendor. This one flaw that I found affected not just Microsoft, not just ISC Bind, not just Cisco, but everybody.”

That means providers of DNS servers and clients all must issue patches. About 80 vendors are expected to issue a fix, according to US-CERT. Microsoft's patch came on Tuesday as part of its monthly security update. Cisco, Sun Microsystems and ISC Bind are expected to follow soon.

Kaminsky said most – but not all – companies can receive the updates automatically. But he suggests organizations identify recursive servers that may be vulnerable to the attack so they can ensure they are getting the proper fix.

He added that he hopes internet service providers issue patches within the next month or so. According to experts on the call, Comcast has already remediated the problem.

The patches extend the randomness of the source port in the DNS server, from 16 bits of randomness to as much as 30, which significantly limits the chance of attack, Kaminsky said.

Experts on the conference call said the vulnerability could lend itself to spammers and virus writers, those seeking to unleash potentially devastating phishing attacks.

“This is something that absolutely affects everyone who uses the internet today,” Rich Mogull, founder of security consultancy Securosis, said on the call.

Jerry Dixon, former director of the National Cyber Security Division at the U.S. Department of Homeland Security, praised Kaminsky for responsibly disclosing the vulnerability.

Kaminsky, in fact, led a group of 16 researchers who discussed the problem and developed a response plan March 31 on the Microsoft campus in Redmond, Wash.

Jeff Moss, founder and director of the Black Hat conference, said Kaminsky's response in discovering the bug “restored his faith” in the research community.

“I don't even want to ask Dan how much money he would've gotten for this bug if he decided to sell, but I'm sure it's in the hundreds of thousands of dollars,” Moss said. “I'm definitely buying Dan a beer.”

Kaminsky said he is looking forward to revealing details at Black Hat. But he admitted he stumbled upon the bug by sheer luck.

“I was looking at something that had nothing even to do with security,” said Kaminsky, who during RSA this year, revealed a major DNS router vulnerability. “I will tell the tale in 30 days.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.