JPCERT-AT-2008-0014
JPCERT/CC
2008-07-24 (First edition)
2008-07-31 (Updated)
<<< JPCERT/CC Alert 2008-07-24 >>>
Cache-Poisoning Vulnerability In Multiple DNS Servers
http://www.jpcert.or.jp/at/2008/at080014.txt
I. Overview
Note: JPCERT-AT-2008-0013 has been updated in response to changes in
the situation such as attack tools being published.
The DNS protocol and multiple DNS servers contain a vulnerability
that allows cache-poisoning attacks. A remote attacker could use this
vulnerability and pollute a DNS cache server with forged DNS
information.
Although details of this vulnerability was supposed to be announced
by a security researcher in August 2008, attack techniques were made
public on July 22, 2008, earlier than originally scheduled. Then,
attack tools targeting this vulnerability were made public on July 24,
2008.
Because of this, attacks targeting this vulnerability are more
likely to occur within several days. Administrators should
immediately apply corrected software provided by the vendors.
II. Products Affected
This vulnerability affects multiple DNS servers.
Major products affected are as follows:
- ISC BIND (including BIND 8)
- Microsoft DNS servers
- Multiple Cisco products
- Multiple Juniper products (including Netscreen products)
- YAMAHA RT series
- Part of FURUKAWA ELECTRIC FITELnet series
For more information, refer to each company's announcement from the
following JVN website:
JVNVU#800113
Multiple DNS implementations vulnerable to cache poisoning
http://jvn.jp/cert/JVNVU800113/index.html
Note that products not included in the JVN may also be affected.
When using a DNS server not mentioned above, contact its vendor.
III. Solution
Update the products to the corrected software provided by the
vendors. This randomizes query source ports and significantly reduces
the risk of a cache-poisoning vulnerability.
Note 1:
When BIND is used in distributions such as Debian GNU/Linux and
Fedora, named.conf may have been configured as follows, which
fixes the source port of DNS queries:
query-source port 53;
query-source-v6 port 53;
In this case, the countermeasure to the cache-poisoning
vulnerability is not sufficient until this configuration is changed
after updating BIND. For information on how to change the
configuration, refer to the vendors' websites.
Note 2:
Once the configuration is changed, source ports for queries from a
DNS server become randomized. This could cause a firewall to
restrict communication from the DNS server. Administrators are
recommended to check the firewall settings before changing the
configuration.
Note 3:
When a DNS server is installed inside a gateway device such as a
router, the NAT/NAPT function may reduce source port randomness
and eliminate the effect of the patches. It is recommended to
check the NAT/NAPT function of gateway devices and reconsider the
DNS server installation environment such as a DNS server in a DMZ.
IV. References
JVNVU#800113
Multiple DNS implementations vulnerable to cache poisoning
http://jvn.jp/cert/JVNVU800113/index.html
US-CERT Vulnerability Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning
http://www.kb.cert.org/vuls/id/800113
ISC - CERT VU#800113 DNS Cache Poisoning Issue
http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
(Critical) Cache-Poisoning Vulnerability In Multiple DNS Software
(Follow-up)
http://jprs.jp/tech/security/multiple-dns-vuln-cache-poisoning-update.html
Multiple Vendors Vulnerable to DNS Cache Poisoning
http://www.isskk.co.jp/support/techinfo/general/DNS_cachepoison_298.html
DNS Cache Poisoning Overview and Countermeasures (Regarding the
DNS Vulnerability)
http://www.nttv6.net/files/DKA-20080723.pdf
Computer Security Research - McAfee Avert Labs Blog
http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/
If you have any information you could provide regarding this alert,
please contact us.
__________
Revision history
2008-07-24 First edition
2008-07-31 Revised typos
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600 FAX: 03-3518-4602
http://www.jpcert.or.jp/
Top