Date: 10 February 2012
References: ESB-2012.0522 ESB-2012.1093 ESB-2012.1207
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0152
BIND Ghost Domain Names
10 February 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIND
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2012-1033
Original Bulletin:
https://www.isc.org/software/bind/advisories/cve-2012-1033
Comment: ISC has determined that this is not an issue which needs an immediate
patch. The issue is being reviewed at the protocol level and will be
addressed there. Implementing DNSSEC is the safest mitigation measure.
- --------------------------BEGIN INCLUDED TEXT--------------------
Ghost Domain Names: Revoked Yet Still Resolvable
After completing our analysis of the DNS exploit reported by Professor Haixin
Duan of Tsinghua University, ISC has determined that the behavior he describes,
while verifiable, is due to design issues in the DNS protocol. No immediate
steps are planned to address the issue. Further information concerning the
implications of the reported vulnerability can be found in the complete problem
description below.
CVE: CVE-2012-1033
Document Version: 2.0
Posting date: 07 Feb 2012
Program Impacted: BIND
Versions affected: All versions of BIND 9
Severity: High
Exploitable: remotely
Description:
On February 7th, in anticipation of a paper being presented by Professor
Haixin Duan, ISC issued a security announcement for CVE-2012-1033. We moved
quickly to make an announcement in advance of Professor Duan's paper,
scheduled to be presented at the Network and Distributed System Security
Symposium the following day, because we wanted to ensure that we were not
withholding any information with potential security implications for our
users.
Our initial disclosure stated that we were assessing the implications of this
vulnerability. After completing our analysis, we wish to share our
conclusions:
- The behavior in question arises from a side-effect of design decisions in
the DNS protocol. It is not caused by a bug in BIND or other affected
software. BIND and other software affected by this behavior are so affected
because of the inherent, longstanding design of the DNS protocol.
- To the best of our current knowledge, the extent of the exposure for
users of BIND or other affected software is this: every resource record in the
Domain Name System hierarchy has a time-to-live (TTL) value associated with
it, intended to control how long the information in the resource record can be
kept in cache by a non-authoritative server. Dr. Duan's paper discloses a
method whereby information can be prolonged in the cache beyond the period
supposedly allowed by the TTL value, causing affected resolvers to potentially
return incorrect answers. It does not allow arbitrary insertion, removal, or
alteration of resource record data.
- ISC does not have current plans to release new versions of BIND with
alterations to caching policy in response to this disclosure. We intend to do
further analysis and to work with the IETF, the internet infrastructure
community, and our customers to determine how to address the problem while
remaining protocol-compliant. Relevant improvements to the protocol have been
previously proposed by Paul Vixie [1] and ISC will continue to work for
adoption of those or other protocol-level solutions.
- While the behavior in question is clearly not intended by design and may
be exploitable in highly specific circumstances, unsecured DNS is not designed
to be relied on for security. ISC continues to recommend that organizations
with security needs who are reliant on the Domain Name System proceed with
adoption of DNSSEC; DNSSEC is the best known method of mitigating this issue.
(Original Description:Tsinghua University researchers discovered " a
vulnerability affecting the large majority of popular DNS implementations
which allows a malicious domain name to stay resolvable long after it has been
removed from the upper level servers." The issue, which is in all versions of
BIND 9 to our knowledge, "exploits a vulnerability in DNS cache update policy,
which prevents effective domain name revocation. Attackers could cause a
malicious domain name to be continuously resolvable even after the delegated
data has been deleted from the domain registry and after the TTL associated
with entry supposedly expires." (quoted sections are from the Tsinghua
University research document))
CVSS Score: 5
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
For more information on the Common Vulnerability Scoring System and to obtain
your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Workarounds:
If you are aware that you have cached bad records, clearing the cache will
remove them but is not an effective or practical preventative approach.
Active exploits:
No known active exploits, but the paper describing the issue is
public and has been presented in public forums. The Ghost Names exploit might
assist cyber-criminal activity.
Solution:
On further review, ISC has determined that this is not an issue which needs an
immediate patch. The issue is being reviewed at the protocol level and will be
addressed there. Implementing DNSSEC is the safest mitigation measure.
Acknowledgment:
ISC would like to thank the research team who found this exploit:
Jian Jiang, Network Research Center, Tsinghua University
jiang-j08@mails.tsinghua.edu.cn
Haixin Duan, Network Research Center, Tsinghua University
duanhx@tsinghua.edu.cn
Jianping Wu, Network Research Center, Tsinghua University
jianping@cernet.edu.cn
Kang Li, Department of Computer Science, University of Georgia
kangli@cs.uga.edu
Jun Li, University of Oregon Carlos III University of Madrid, Institute IMDEA
Networks lijun@cs.uoregon.edu
Jinjin Liang, Network Research Center Tsinghua University
liangjj09@mails.tsinghua.edu.cn
Nicholas Weaver, International Computer Science Institute (ICSI)
nweaver@icsi.berkeley.edu
The exploit was presented at the NDSS conference: "Ghost Domain Names: Revoked
Yet Still Resolvable"
http://www.internetsociety.org/events/ndss-symposium-2012/symposium-program/feb08
Document Revision History:
1.0 -Notified Phase I, II & III (7 February, 2012)
2.0 -Updated Description, Summary, Workaround, Related Docs (8 February, 2012)
Related Document:
[1] "Improvements to DNS Resolvers for Resiliency, Robustness, and
Responsiveness", 2010, P. Vixie, R. Joffe, and F. Neves
[2] Dr. Duan's paper presented February 8th: The Ghost Names exploit might
assist cyber-criminal activity
References:
- - Do you have Questions? Questions regarding this advisory should go to
security-officer@isc.org.
- - ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice and
none should be implied. ISC expressly excludes and disclaims any warranties
regarding this notice or materials referred to in this notice, including,
without limitation, any implied warranty of merchantability, fitness for a
particular purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this notice is at
your own risk. ISC may change this notice at any time.
A stand-alone copy or paraphrase of the text of this document that omits the
document URL is an uncontrolled copy. Uncontrolled copies may lack important
information, be out of date, or contain factual errors.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTzS4y+4yVqjM2NGpAQKHkg/9GbuUr8r7wEc6WbkGaA2Wcu1C4GcUwoZ3
HXGfOpTrR4wA1McZ0d3bV6kfZeVx3h6c4Ur5yBkr1jTSl+lLVdIeKlcCMfLHR2x3
yQllo8h+taXdOglpsOsor2EfCtMXxwP/Wb9eYsHUSo89HI9nh9Aa+xKY9DyTPpDr
kfPLI0+yb1IgiEgbzzKA3pcTdFQRtEAyOKxmbzp6g693EeA/oD8quk6+186Pm1j7
Mmb8c6TZrWyzwqA3kB5iuVNUTaMJ/ORuM6F/K5vDhuIKnhZ1BY22d2x7yVosUOwU
e4rggPHENPSpV2cuZTJJgQyy5brWVjZ+kewXTv3nh/MUYtHv7vWRaAcCNOdjeHxy
pK82VhDsHYfhWs0VTpSicDunkIaQO/ur88jF0v4CrUdAo1gQgVkuGGXvqSwACcQP
1fELGwszc92N9Yf58VcKVKrJ5xfZYpKHskTJUo9OFpBFdsNtFSc4BjNNIRAjzL5Q
f2A7AcrcGSI5XiboxonRgvu6xFG8s9IhX/xITdHNpOcJCkmBqciYunuTnUvXDnpW
k8K2BuPic21I029Aq81m6dr6bLIh0Er3P361yrH19YqdgskusAD9UN8p/mkSAbzG
NXL1laDMBf3eiflJumIJ9THWq1+gWzYY44J34cDorELpCMu2Bf/+vSlmFzm2FrQi
g2EYhSNYLPA=
=0PCE
-----END PGP SIGNATURE-----
|