Date: 02 May 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0309 -- [Win][UNIX/Linux][Cisco][Solaris]
Vulnerability Issues in Implementations of the DNS Protocol
2 May 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           DNS
Publisher:         NISCC
Impact:            Execute Arbitrary Code/Commands
                   Denial of Service
Access:            Remote/Unauthenticated
Original Bulletin: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en

Comment: According to the vendor statement in the original bulletin, the
         following products are vulnerable at the time of release:

         * DeleGate 9.0.5 (DEVELOPMENT) and prior
         * DeleGate 8.11.5 (STABLE) and prior
         * Juniper Networks JUNOSe versions prior to 5-3-5p0-2, 6-0-3p0-6,
           6-0-4, - 6-1-3p0-1, 7-0-1p0-7, 7-0-2, 7-1-0p0-1 and 7-1-1.
         * MyDNS versions prior to 1.1.0
         * pdnsd versions prior to 1.2.4
         * BIND

         Other vendors' DNS products may be affected. For up to date
         information on vulnerable products, please see the original
         bulletin referenced above.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 307/06 dated 25.04.06 Time: 13:00
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- - ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------
Title
=====
NISCC - Vulnerability Issues in Implementations of the DNS Protocol
Detail
======
NISCC Vulnerability Advisory 144154/NISCC/DNS
Vulnerability Issues in Implementations of the DNS Protocol
Version Information
- - -------------------
Advisory Reference   144154/NISCC/DNS
Release Date         25 April 2006
Last Revision        25 April 2006
Version Number       1.0
Acknowledgement
- - ---------------
The DNS Test Tool was created by the Oulu University Secure Programming Group
(OUSPG) from the University of Oulu in Finland.
What is affected?
- - -----------------
The vulnerabilities described in this advisory affect implementations of the
Domain Name System (DNS) protocol. Many vendors include support for this protocol
in their products and may be impacted to varying degrees, if at all.
Please note that the information contained within this advisory is subject to
changes. All subscribers are therefore advised to regularly check the NISCC
website (http://www.niscc.gov.uk) for
updates to this notice.
Impact
- - ------
If exploited, these vulnerabilities could cause a variety of outcomes including,
for example, a Denial-of-Service (DoS) condition. In most cases, they can expose
memory corruption, stack corruption or other types of fatal error conditions. Some
of these conditions may expose the protocol to typical buffer overflow exploits,
allowing arbitrary code to execute or the system to be modified.
Severity
- - --------
The severity of this vulnerability varies by vendor. Please see the 'Vendor
Information' section below for further information. Alternatively, contact your
vendor for product specific information.
Summary
- - -------
During 2002 the Oulu University Secure Programming Group (OUSPG) discovered a number
of implementation specific vulnerabilities in the Simple Network Management Protocol
(SNMP). Further work has been done to identify implementation specific
vulnerabilities in related protocols that are used in critical infrastructure. The
DNS protocol, which is the primary naming system used on the Internet, was studied
as part of this program of work.
DNS is an Internet service that translates domain names into Internet Protocol (IP)
addresses and vice versa. Because domain names are alphabetic, they are easier to
remember. The Internet, however, is really based on IP addresses, so every time
a domain name is requested, a DNS service must translate the name into the
corresponding IP address.
OUSPG has developed a PROTOS DNS Test Suite for DNS implementations and employed it
to validate their findings against a number of products from different vendors.
NISCC has contacted multiple vendors whose products support the DNS protocol and
provided them with the test tool to allow them to test their implementations. NISCC
believes that most of the relevant vendors who provide support for the DNS protocol
have been covered by this advisory.
[Please note that revisions to this advisory will not be notified by email. All
subscribers are advised to regularly check the NISCC website
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]
Details
- - -------
DNS is a system that stores information associated with domain names in a distributed
database on networks, such as the Internet. The domain name system associates many
types of information with domain names, but most importantly, it provides the IP
address associated with the domain name. It also lists mail exchange servers accepting
e-mail for each domain.
The OUSPG DNS Test Suite covers a limited set of information security and robustness
related implementation errors for the DNS protocol.
The factors behind choosing DNS included:
* DNS is a fundamental infrastructure of the Internet, and most Internet applications
are dependent on it.
* DNS implementations are ubiquitous, present in servers, end-user equipment
such as personal computers and mobile phones, and in routers and firewalls. Therefore
DNS may be a potential attack vector in a variety of scenarios against a variety of
systems and infrastructure components.
* There are no free, publicly available robustness test suites to evaluate DNS
implementations.
The material contained in the test suite covers basic queries, dynamic updates, basic
responses and zone transfers. However, please be aware that the test material does not
cover cache poisoning or address spoofing vulnerabilities.
There are three sets of test materials available with the tool; these are specifically
designed for the following scenarios:
1. The Query Material -> [queries, dynamic DNS updates] -> DNS server
2. The Response Material -> [query replies] -> DNS server
3. The Response Material -> [query replies] -> DNS stub resolver (client)
4. The Zone Transfer Material -> [zone transfers] -> secondary DNS server
The test material simulates hostile input to the DNS implementation by sending invalid
and/or abnormal packets. Therefore by applying the OUSPG DNS Test Suite to a variety of
products, several vulnerabilities can be revealed that can have varying effects.
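Added example, not part of the NISCC advisory or the OUSPG test suite: a bounds-checked
decoder for DNS names in C, showing the input validation whose absence lets invalid or
abnormal packets cause the memory corruption described above. The function name, error
convention and sample byte arrays are constructed for illustration; the name encoding
and limits follow RFC 1035.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_MAX_NAME 255  /* RFC 1035 limit on an encoded name, in octets */

/* Decode the (possibly compressed) name at msg[off] into dotted text.
 * Returns the text length, or -1 on malformed input. *next is set to the
 * offset just past the name as it appears at `off`. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_cap, size_t *next)
{
    size_t pos = off, seg = off, out_len = 0, wire_len = 0;
    int jumped = 0;

    if (out_cap == 0) return -1;
    for (;;) {
        if (pos >= msg_len) return -1;               /* ran off the packet */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= msg_len) return -1;       /* second octet missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= seg) return -1;            /* only strictly backwards: no loops */
            if (!jumped) { *next = pos + 2; jumped = 1; }
            pos = seg = target;
            continue;
        }
        if (len & 0xC0) return -1;                   /* reserved label type */
        if (len == 0) {                              /* root label ends the name */
            if (!jumped) *next = pos + 1;
            out[out_len] = '\0';
            return (int)out_len;
        }
        if (len > msg_len - pos - 1) return -1;      /* label overruns packet */
        wire_len += (size_t)len + 1;
        if (wire_len + 1 > DNS_MAX_NAME) return -1;  /* encoded name too long */
        if (out_len + (out_len != 0) + len + 1 > out_cap) return -1; /* no room */
        if (out_len) out[out_len++] = '.';
        memcpy(out + out_len, msg + pos + 1, len);
        out_len += len;
        pos += (size_t)len + 1;
    }
}

/* Constructed samples: a valid compressed name, and a self-referencing pointer. */
static const uint8_t SAMPLE_OK[]   = {3,'w','w','w',0, 2,'n','s',0xC0,0x00};
static const uint8_t SAMPLE_LOOP[] = {1,'a',0xC0,0x02};
```

Every rejection path returns before any byte is copied past the caller's buffer or read past the end of the packet.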
Mitigation
- - ----------
Patch all affected implementations.
Solution
- - --------
Please refer to the 'Vendor Information' section of this advisory for platform specific
remediation.
Vendor Information
- - ------------------
A complete list of vendor responses to this vulnerability is available on our website.
Please visit the website at http://www.niscc.gov.uk/niscc/vulnAdv-en.html in order to view
the latest vendor statements.
Credits
- - -------
The NISCC Vulnerability Management Team would like to thank OUSPG for producing the DNS
Test Tool.
The NISCC Vulnerability Management Team would also like to thank the vendors for their
co-operation in handling this vulnerability and to JPCERT/CC for co-ordinating this issue
in Japan.
Contact Information
- - -------------------
The NISCC Vulnerability Management Team can be contacted as follows:
Email      vulteam@niscc.gov.uk
           Please quote the advisory reference in the subject line
Telephone  +44 (0)870 487 0748 Ext 4511
           Monday - Friday 08:30 - 17:00
Fax        +44 (0)870 487 0749
Post       Vulnerability Management Team
           NISCC
           PO Box 832
           London
           SW1P 1BG
We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.
Please note that UK government protectively marked material should not be sent to the email
address above.
If you wish to be added to our email distribution list please email your request to
uniras@niscc.gov.uk.
What is NISCC?
- - --------------
For further information regarding the UK National Infrastructure Security Co-ordination
Centre, please visit http://www.niscc.gov.uk.
Reference to any specific commercial product, process, or service by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by NISCC. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions contained within
this advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.
© 2006 Crown Copyright
<End of NISCC Vulnerability Advisory>
- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of the NISCC Vulnerability
Management Team for the information contained in this Briefing.
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the site of the
original source to ensure that you receive the most current information concerning
that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQCVAwUBRE3y3Ypao72zK539AQH3IgP/YgGzMtszLRM2BxrUaCvAiGWQjqM89+FH
HZJPrdgqtI6GUyG3m9AIY3kukFXn6SS5uZS4OFHvwhaQJb/i4mBZHGSGCo3wLBW6
9qOgsyWt3x8G5+XizQFD6+dd721IehkWfYPpSmybkwDFd/qiBjqyKzrGX+EXgAtM
ewT0U6j58t0=
=IrZP
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRFbSaCh9+71yA2DNAQIYsAP/ZqBxAaD35eypEa6IswTES2ZVPa9FWkKI
2KTa7uDmlcmbnxcUqjU4eg9/jSeYJ+7jJOjwbpD9y6eqKM1qxQjLstK0BUQGc8tf
RwTvAoH0Nx6eafjB71oZhm0VfZND9P71DCQdfenZRGhlTK5G7jKTC2SEk3la73qR
S9wB5dsUdAM=
=5TTZ
-----END PGP SIGNATURE-----