JPCERT-AT-2008-0014
JPCERT/CC
2008-07-24 (First edition)
2008-07-31 (Updated)

<<< JPCERT/CC Alert 2008-07-24 >>>
Cache-Poisoning Vulnerability In Multiple DNS Servers
http://www.jpcert.or.jp/at/2008/at080014.txt

I. Overview

Note: JPCERT-AT-2008-0013 has been updated in response to changes in the situation, such as attack tools being published.

The DNS protocol and multiple DNS servers contain a vulnerability that allows cache-poisoning attacks. A remote attacker could use this vulnerability to pollute a DNS cache server with forged DNS information.

Although details of this vulnerability were supposed to be announced by a security researcher in August 2008, attack techniques were made public on July 22, 2008, earlier than originally scheduled. Then, attack tools targeting this vulnerability were made public on July 24, 2008. Because of this, attacks targeting this vulnerability are more likely to occur within several days. Administrators should immediately apply the corrected software provided by the vendors.

II. Products Affected

This vulnerability affects multiple DNS servers. Major products affected are as follows:

- ISC BIND (including BIND 8)
- Microsoft DNS servers
- Multiple Cisco products
- Multiple Juniper products (including Netscreen products)
- YAMAHA RT series
- Part of the FURUKAWA ELECTRIC FITELnet series

For more information, refer to each company's announcement from the following JVN website:

  JVNVU#800113
  Multiple DNS implementations vulnerable to cache poisoning
  http://jvn.jp/cert/JVNVU800113/index.html

Note that products not included in the JVN may also be affected. When using a DNS server not mentioned above, contact its vendor.

III. Solution

Update the products to the corrected software provided by the vendors. This randomizes query source ports and significantly reduces the risk of a cache-poisoning attack.
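Added example (not part of the JPCERT/CC alert): a small Python check for the two conditions the notes below describe, a named.conf that pins the query source port with query-source / query-source-v6, and a sample of observed outbound query source ports that are not actually randomized (for example rewritten consecutively by NAT/NAPT). The named.conf fragments, port samples and classification thresholds are constructed assumptions for illustration.

```python
import re

# Constructed named.conf fragments (not from the alert): the first pins the
# query source port as Note 1 describes, the second leaves port choice to BIND.
NAMED_CONF_FIXED = """
options {
    query-source port 53;
    query-source-v6 port 53;
};
"""
NAMED_CONF_RANDOM = """
options {
    query-source address * port *;
};
"""

QUERY_SOURCE_RE = re.compile(r"^\s*(query-source(?:-v6)?)\b([^;]*);", re.M)

def fixed_query_source_ports(conf):
    """Return {directive: port} for every query-source directive that pins a
    fixed port; an empty dict means named.conf does not pin the port."""
    pinned = {}
    for m in QUERY_SOURCE_RE.finditer(conf):
        directive, args = m.group(1), m.group(2)
        port = re.search(r"\bport\s+(\S+)", args)
        if port and port.group(1) != "*":
            pinned[directive] = port.group(1)
    return pinned

def assess_source_ports(ports):
    """Classify a sample of outbound query source ports (e.g. taken from a
    packet capture at the resolver's uplink) as 'fixed', 'sequential'
    (NAT/NAPT-style consecutive assignment), 'random' or 'low-entropy'.
    Thresholds are illustrative assumptions, not a standard."""
    distinct = sorted(set(ports))
    if len(distinct) == 1:
        return "fixed"
    strides = {b - a for a, b in zip(distinct, distinct[1:])}
    if len(strides) == 1 and min(strides) <= 16:
        return "sequential"
    if len(distinct) >= 0.9 * len(ports) and distinct[-1] - distinct[0] >= 1024:
        return "random"
    return "low-entropy"

# Constructed port samples: a pinned resolver, a NAT handing out consecutive
# ports, and a resolver whose ports are spread across the ephemeral range.
FIXED_PORTS = [53] * 20
NAT_PORTS = list(range(1024, 1044))
RANDOM_PORTS = [53211, 1055, 61842, 32001, 9042, 47611, 25088, 58020, 3300, 41999]
```

A resolver that is correctly patched but sits behind a port-rewriting NAT will show as "sequential" or "low-entropy" here even though named.conf reports nothing pinned, which is the situation Note 3 warns about.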
Note 1: When BIND is used in distributions such as Debian GNU/Linux and Fedora, named.conf may have been configured as follows, which fixes the source port of DNS queries:

  query-source port 53;
  query-source-v6 port 53;

In this case, the countermeasure against the cache-poisoning vulnerability is not sufficient until this configuration is changed after updating BIND. For information on how to change the configuration, refer to the vendors' websites.

Note 2: Once the configuration is changed, the source ports for queries from a DNS server become randomized. This could cause a firewall to restrict communication from the DNS server. Administrators are recommended to check the firewall settings before changing the configuration.

Note 3: When a DNS server is installed behind a gateway device such as a router, the NAT/NAPT function may reduce source port randomness and eliminate the effect of the patches. It is recommended to check the NAT/NAPT function of gateway devices and to reconsider the DNS server installation environment, for example by placing the DNS server in a DMZ.

IV. References

  JVNVU#800113
  Multiple DNS implementations vulnerable to cache poisoning
  http://jvn.jp/cert/JVNVU800113/index.html

  US-CERT Vulnerability Note VU#800113
  Multiple DNS implementations vulnerable to cache poisoning
  http://www.kb.cert.org/vuls/id/800113

  ISC - CERT VU#800113 DNS Cache Poisoning Issue
  http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php

  (Critical) Cache-Poisoning Vulnerability In Multiple DNS Software (Follow-up)
  http://jprs.jp/tech/security/multiple-dns-vuln-cache-poisoning-update.html

  Multiple Vendors Vulnerable to DNS Cache Poisoning
  http://www.isskk.co.jp/support/techinfo/general/DNS_cachepoison_298.html

  DNS Cache Poisoning Overview and Countermeasures (Regarding the DNS Vulnerability)
  http://www.nttv6.net/files/DKA-20080723.pdf

  Computer Security Research - McAfee Avert Labs Blog
  http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/

If you have any information you could provide regarding this alert, please contact us.

__________

Revision history
2008-07-24 First edition
2008-07-31 Revised typos

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600
FAX: 03-3518-4602
http://www.jpcert.or.jp/