JPCERT-AT-2008-0013
JPCERT/CC
2008-07-09 (First edition)
2008-07-25 (Updated)
<<< JPCERT/CC Alert 2008-07-09 >>>
Cache-Poisoning Vulnerability In Multiple DNS Servers
http://www.jpcert.or.jp/at/2008/at080013.txt
*** Update: Added on July 25, 2008 *********************************
This alert has been updated in response to changes in the situation
such as attack tools being published, also outlined in the
JPCERT-AT-2008-0014.
JPCERT-AT-2008-0014
Cache-Poisoning Vulnerability In Multiple DNS Servers
http://www.jpcert.or.jp/at/2008/at080014.txt
********************************************************************
I. Overview
The DNS protocol and multiple DNS servers contain a vulnerability
that allows cache-poisoning attacks. A remote attacker could use this
vulnerability and pollute a DNS cache server with forged DNS
information.
Details of this vulnerability will be announced by an overseas
security researcher in August 2008.
*** Update: Added on July 23, 2008 ***********************************
On July 22, 2008, information of attack techniques against this
vulnerability was accidentally made public earlier than originally
scheduled. Because of this, attacks targeting this vulnerability are
more likely to occur within several days. Administrators should
immediately apply corrected software provided by the vendors.
**********************************************************************
II. Products Affected
This vulnerability affects multiple DNS servers.
Major products affected are as follows:
- ISC BIND (including BIND 8)
- Microsoft DNS servers
- Multiple Cisco products
- Multiple Juniper products (including Netscreen products)
For more information, refer to the advisories issued by the vendors.
Note that other products may also be affected. When using a DNS
server not mentioned above, contact its vendor.
III. Solution
Update the products to the corrected software provided by the
vendors.
*** Update: Added on July 11, 2008 ***********************************
When BIND is used in distributions such as Debian GNU/Linux and
Fedora, named.conf may have been configured as follows, which fixes
the source port of DNS queries:
query-source port 53;
query-source-v6 port 53;
In this case, the countermeasure to the cache-poisoning
vulnerability is not sufficient until this configuration is changed
after updating BIND. For information on how to change the
configuration, refer to the vendors' websites.
Once the configuration is changed, source ports for queries from a
DNS server become randomized. This could cause a firewall to restrict
communication from the DNS server. Administrators are recommended to
check the firewall settings before changing the configuration.
**********************************************************************
IV. References
US-CERT Technical Cyber Security Alert TA08-190B
Multiple DNS implementations vulnerable to cache poisoning
http://www.us-cert.gov/cas/techalerts/TA08-190B.html
US-CERT Vulnerability Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning
http://www.kb.cert.org/vuls/id/800113
ISC - CERT VU#800113 DNS Cache Poisoning Issue
http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
Microsoft MS08-037
Vulnerabilities in DNS Could Allow Spoofing (953230)
http://www.microsoft.com/technet/security/bulletin/MS08-037.mspx
Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS
Cache Poisoning Attacks
Advisory ID: cisco-sa-20080708-dns
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml
*** Update: Added on July 9, 2008 ************************************
Japan Registry Services Co., Ltd. (JPRS)
Cache-Poisoning Vulnerability In Multiple DNS Software
http://jprs.jp/tech/security/multiple-dns-vuln-cache-poisoning.html
Japan Network Information Center (JPNIC)
Multiple DNS implementations cache-poisoning vulnerability
http://www.nic.ad.jp/ja/topics/2008/20080709-02.html
**********************************************************************
If you have any information you could provide regarding this alert,
please contact us.
__________
Revision history
2008-07-09 First edition
2008-07-09 Added the links to JPRS and JPNIC
2008-07-11 Added the countermeasure for some Linux distributions
2008-07-23 Added about the publication of the attack techniques
2008-07-25 Added the information on the updated alert
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600 FAX: 03-3518-4602
http://www.jpcert.or.jp/
Top