Date: 09 July 2008
References: ESB-2008.0754 ESB-2008.0804 ESB-2008.0671 ESB-2008.0672 ESB-2008.0673 ESB-2008.0674 ESB-2008.0680 ESB-2008.0684 ESB-2008.0693 AA-2008.0157
ESB-2008.0715 AA-2008.0161 AL-2008.0082 AL-2008.0083 ESB-2008.0738 ESB-2008.0739 ESB-2008.0741 ESB-2008.0754 ESB-2008.0769 AU-2008.0017 ESB-2008.0787
ESB-2008.0789 ESB-2008.0804 ESB-2008.0857 AA-2008.0189 AA-2008.0192 AA-2008.0194 ESB-2009.0105 ESB-2009.0116 AA-2009.0101
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0080 -- AUSCERT ALERT
[Win][UNIX/Linux][Juniper][Cisco]
Multiple DNS implementations vulnerable to cache poisoning
9 July 2008
===========================================================================
AusCERT Alert Summary
---------------------
Product: Microsoft Windows 2000 Server DNS
Microsoft Windows Server 2003 DNS
Microsoft Windows Server 2008 DNS
BIND 9.3 prior to 9.3.5-P1
BIND 9.4 prior to 9.4.2-P1
BIND 9.5 prior to 9.5.0-P1
Cisco IOS Software
Cisco Network Registrar
Cisco Application and Content Networking System
Cisco Global Site Selector Used in Combination with
Cisco Network Registrar
Juniper Firewalls with ScreenOS
Juniper J-Series Routers with JUNOS built prior to
May 23, 2008
Juniper switching products with JUNOS buitl prior to
May 23, 2008
Solaris 8 BIND 8.2.4 and prior
Solaris 9 BIND 8.3.3 and prior
Solaris 10 BIND 9.3.4-P1 and prior
Nominum versions prior to 3.0.4.0
Vantio versions prior to 3.3.1.0
Publisher: US-CERT
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Juniper
Cisco
Impact: Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2008-1447
Original Bulletin: http://www.us-cert.gov/cas/techalerts/TA08-190B.html
Comment: Products not mentioned should check with their vendors if they are
vulnerable.
Regarding the ISC BIND implementations, older versions of BIND 8 and
BIND 9 will not be patched as they are EOL.
Revision History: July 9 2008: Added specific revision numbers for BIND
July 9 2008: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA08-190B
Multiple DNS implementations vulnerable to cache poisoning
Original release date: July 08, 2008
Last revised: --
Source: US-CERT
Systems Affected
Systems implementing:
* Caching DNS resolvers
* DNS stub resolvers
Affected systems include both client and server systems, and any other
networked systems that include this functionality.
Overview
Deficiencies in the DNS protocol and common DNS implementations facilitate
DNS cache poisoning attacks. Effective attack techniques against these
vulnerabilities have been demonstrated.
I. Description
DNS cache poisoning (sometimes referred to as cache pollution) is an attack
technique that allows an attacker to introduce forged DNS information into
the cache of a caching nameserver. The general concept has been known for
some time, and a number of inherent deficiencies in the DNS protocol and
defects in common DNS implementations that facilitate DNS cache poisoning
have previously been identified and described in public literature. Examples
of these vulnerabilities can be found in Vulnerability Note VU#800113.
Recent research into these and other related vulnerabilities has produced
extremely effective exploitation methods to achieve cache poisoning. Tools
and techniques have been developed that can reliably poison a domain of the
attacker's choosing on most current implementations. As a result, the
consensus of DNS software implementers is to implement source port
randomization in their resolvers as a mitigation.
US-CERT is tracking this issue as VU#800113. This reference number
corresponds to CVE-2008-1447.
II. Impact
An attacker with the ability to conduct a successful cache poisoning attack
can cause a nameserver's clients to contact the incorrect, and possibly
malicious, hosts for particular services. Consequently, web traffic, email,
and other important network data can be redirected to systems under the
attacker's control.
III. Solution
Apply a patch from your vendor
Patches have been released by a number of vendors to implement source port
randomization in the nameserver. This change significantly reduces the
practicality of cache poisoning attacks. Please see the Systems Affected
section of Vulnerability Note VU#800113 for additional details for specific
vendors.
As mentioned above, stub resolvers are also vulnerable to these attacks.
Stub resolvers that will issue queries in response to attacker behavior, and
may receive packets from an attacker, should be patched. System
administrators should be alert for patches to client operating systems that
implement port randomization in the stub resolver.
Workarounds
Restrict access
Administrators, particularly those who are unable to apply a patch, can
limit exposure to this vulnerability by restricting sources that can ask for
recursion. Note that restricting access will still allow attackers with
access to authorized hosts to exploit this vulnerability.
Filter traffic at network perimeters
Because the ability to spoof IP addresses is necessary to conduct these
attacks, administrators should take care to filter spoofed addresses at the
network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC
3704, and RFC 3013 describe best current practices (BCPs) for implementing
this defense. It is important to understand your network's configuration and
service requirements before deciding what changes are appropriate.
Run a local DNS cache
In lieu of strong port randomization characteristics in a stub resolver,
administrators can protect their systems by using local caching full-service
resolvers, both on the client systems and on servers that are topologically
close on the network to the client systems. This should be done in
conjunction with the network segmentation and filtering strategies mentioned
above.
Disable recursion
Disable recursion on any nameserver responding to DNS requests made by
untrusted systems.
Implement source port randomization
Vendors that implement DNS software are encouraged to review IETF Internet
Draft, "Measures for making DNS more resilient against forged answers," for
additional information about implementing mitigations in their products.
This document is a work in progress and may change prior to its publication
as an RFC, if it is approved.
IV. References
* US-CERT Vulnerability Note VU#800113 -
<http://www.kb.cert.org/vuls/id/800113>
* US-CERT Vulnerability Note VU#484649 -
<http://www.kb.cert.org/vuls/id/484649>
* US-CERT Vulnerability Note VU#252735 -
<http://www.kb.cert.org/vuls/id/252735>
* US-CERT Vulnerability Note VU#927905 -
<http://www.kb.cert.org/vuls/id/927905>
* US-CERT Vulnerability Note VU#457875 -
<http://www.kb.cert.org/vuls/id/457875>
* Internet Draft: Measures for making DNS more resilient against forged
answers -
<http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience>
* RFC 3833 - <http://tools.ietf.org/html/rfc3833>
* RFC 2827 - <http://tools.ietf.org/html/rfc2827>
* RFC 3704 - <http://tools.ietf.org/html/rfc3704>
* RFC 3013 - <http://tools.ietf.org/html/rfc3013>
* Microsoft Security Bulletin MS08-037 -
<http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx>
* Internet Systems Consortium BIND Vulnerabilities -
<http://www.isc.org/sw/bind/bind-security.php>
____________________________________________________________________
US-CERT thanks Dan Kaminsky of IOActive and Paul Vixie of Internet Systems
Consortium (ISC) for notifying us about this problem and for helping us to
construct this advisory.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-190B.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-190B Feedback VU#800113" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
July 8, 2008: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSHPRlXIHljM+H4irAQLzsgf/SHKWDnJ+/OI42x+gbgKTXCjKffPOYicl
Sruqe4kCR3k0OuEZS90VsvhaSuiWV1GvASbwLDGTjfh1Q7jZU3g4GMY/DEcZXerF
vGC/NiOuaoWfjLkQsOkJKIReKqcDZEOVQD7PIIxVYYZJn8u99X/JSGQ/KMe8h5x+
CzBVepk06FvRnT3+y21YECnMRoTzxTmqbLqm1lH9OnyRZ+ORoE4QBUJvN69EB4fO
15JF+y8ZKcGJaczMM+mdNOfaQcQAHZ1B8zTQlBfm1L35gtjnjhvZAwHtde/E0sl6
vGaDtbGJ/IPRS5b5y/mXReOl1ExrMb0VyWneM3Ddcdo7X5iB892AUg==
=22We
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSHRqqSh9+71yA2DNAQICVQP8CtMmVyiX41ZH1/IKu/tmlx2gWUZIpIJZ
bNDfaTRadAJcRHrvKGvncdJ93kPP5IusnwXGhceA0UKCOdbgKDEPIl/jM6td3Tdx
XqZC1yW6Ke0cmIFoPIR++kzx1V4yz1q1fLf4y68eH+M/FwvApsmGW2McnM/fUGQy
znFMLre4hSY=
=WHMY
-----END PGP SIGNATURE-----
|