
Cache-Poisoning Vulnerability In Multiple DNS Servers (Updated)




                                                   JPCERT-AT-2008-0014
                                                             JPCERT/CC
                                            2008-07-24 (First edition)
                                                  2008-07-31 (Updated)


                  <<< JPCERT/CC Alert 2008-07-24 >>>

        Cache-Poisoning Vulnerability In Multiple DNS Servers

             http://www.jpcert.or.jp/at/2008/at080014.txt

I. Overview

  Note: JPCERT-AT-2008-0013 has been updated in response to changes in
the situation such as attack tools being published.

  The DNS protocol and multiple DNS servers contain a vulnerability
that allows cache-poisoning attacks. A remote attacker could use this
vulnerability and pollute a DNS cache server with forged DNS
information.

  Although details of this vulnerability were expected to be announced
by a security researcher in August 2008, attack techniques were made
public on July 22, 2008, earlier than originally scheduled. Attack
tools targeting this vulnerability were then made public on July 24,
2008.

  Because of this, attacks targeting this vulnerability are more
likely to occur within several days. Administrators should
immediately apply corrected software provided by the vendors.


II. Products Affected

  This vulnerability affects multiple DNS servers.

  Major products affected are as follows:
  - ISC BIND (including BIND 8) 
  - Microsoft DNS servers
  - Multiple Cisco products
  - Multiple Juniper products (including Netscreen products)
  - YAMAHA RT series
  - Part of FURUKAWA ELECTRIC FITELnet series

  For more information, refer to each company's announcement from the
following JVN website:

    JVNVU#800113
    Multiple DNS implementations vulnerable to cache poisoning
    http://jvn.jp/cert/JVNVU800113/index.html

  Note that products not included in the JVN may also be affected.
When using a DNS server not mentioned above, contact its vendor.


III. Solution

  Update the products to the corrected software provided by the
vendors. This randomizes query source ports and significantly reduces
the risk of a cache-poisoning attack.

  Note 1: 
  When BIND is used in distributions such as Debian GNU/Linux and
    Fedora, named.conf may have been configured as follows, which
    fixes the source port of DNS queries:

    query-source    port 53;
    query-source-v6 port 53;

  In this case, the countermeasure to the cache-poisoning
vulnerability is not sufficient until this configuration is changed
after updating BIND. For information on how to change the
configuration, refer to the vendors' websites.
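
  As an added illustration of Note 1 (this is not part of the JPCERT/CC
alert or of BIND itself), the following Python audit scans a named.conf
for query-source statements that pin the source port, as in the lines
quoted above, and rewrites them to "port *", the BIND 9 form that lets
named choose a random source port for each query. The sample
configuration is constructed for the example.

```python
import re

# One BIND query-source statement on its own line:
#   query-source [address <addr>] [port <port>];   (also query-source-v6)
_QS_RE = re.compile(
    r"^(?P<lead>[ \t]*)(?P<directive>query-source(?:-v6)?)"
    r"(?:\s+address\s+(?P<addr>[^\s;]+))?"
    r"(?:\s+port\s+(?P<port>[^\s;]+))?\s*;",
    re.MULTILINE,
)

# Constructed sample named.conf showing the weak setting from the advisory.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    // Fixed query port: the resolver cannot benefit from port randomization
    query-source    port 53;
    query-source-v6 port 53;
};
"""


def _strip_comments(conf):
    """Remove the three named.conf comment forms: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", conf)


def find_fixed_query_source_ports(conf):
    """Return [(directive, port)] for every active query-source statement
    that pins the source port to a single value (anything but '*').
    Such a line defeats the randomization added by the patched BIND."""
    findings = []
    for m in _QS_RE.finditer(_strip_comments(conf)):
        port = m.group("port")
        if port is not None and port != "*":
            findings.append((m.group("directive"), port))
    return findings


def recommend_fix(conf):
    """Rewrite pinned ports to 'port *'; any address clause is kept and
    the original indentation is preserved."""
    def repl(m):
        port = m.group("port")
        if port is None or port == "*":
            return m.group(0)
        addr = f" address {m.group('addr')}" if m.group("addr") else ""
        return f"{m.group('lead')}{m.group('directive')}{addr} port *;"
    return _QS_RE.sub(repl, conf)
```

  Check the firewall rules before applying the rewritten configuration,
as Note 2 describes.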

  Note 2:
  Once the configuration is changed, source ports for queries from a
    DNS server become randomized. This could cause a firewall to
    restrict communication from the DNS server. Administrators are
    recommended to check the firewall settings before changing the
    configuration.

  Note 3: 
  When a DNS server is installed behind a gateway device such as a
    router, the NAT/NAPT function may rewrite the source ports, reducing
    their randomness and undoing the effect of the patches. It is
    recommended to check the NAT/NAPT function of gateway devices and
    reconsider where the DNS server is placed, for example in a DMZ.


IV. References

    JVNVU#800113
    Multiple DNS implementations vulnerable to cache poisoning
    http://jvn.jp/cert/JVNVU800113/index.html

    US-CERT Vulnerability Note VU#800113
    Multiple DNS implementations vulnerable to cache poisoning
    http://www.kb.cert.org/vuls/id/800113

    ISC - CERT VU#800113 DNS Cache Poisoning Issue
    http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php

    (Critical) Cache-Poisoning Vulnerability In Multiple DNS Software
      (Follow-up)
    http://jprs.jp/tech/security/multiple-dns-vuln-cache-poisoning-update.html

    Multiple Vendors Vulnerable to DNS Cache Poisoning
    http://www.isskk.co.jp/support/techinfo/general/DNS_cachepoison_298.html

    DNS Cache Poisoning Overview and Countermeasures (Regarding the 
      DNS Vulnerability)
    http://www.nttv6.net/files/DKA-20080723.pdf

    Computer Security Research - McAfee Avert Labs Blog
    http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/


  If you have any information you could provide regarding this alert, 
please contact us.

__________

Revision history
2008-07-24 First edition
2008-07-31 Revised typos

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600  FAX: 03-3518-4602
http://www.jpcert.or.jp/