Multi-Vendor DNS Spoofing Vulnerability
GSA Reference Number: AD080709-01
Simply Put: Recently, multiple vendors have released patches to address a vulnerability in the DNS protocol. DNS is used to resolve host names and web addresses to IP addresses on the Internet. When a DNS server receives a request for a host that is not already in its database, it sends a query to other DNS servers. While that query is outstanding, an attacker can answer it with a specially crafted packet carrying a malicious IP address. Because DNS accepts the first response that arrives, the malicious address is written to the server's database and served to its users. Consequently, a user who tries to reach a legitimate website may be redirected to a malicious one instead.
Attack Details: For this attack to work, the attacker must know the source port and sequence ID of the DNS server's outgoing query, as well as which server will answer it. Current DNS servers are vulnerable because they do not sufficiently randomize their source port and sequence ID, and the responding server is easily determined. This is a shortcoming of the DNS protocol itself rather than a bug in a particular application, so any DNS server is vulnerable.
Gladiator does not feel that this vulnerability is easy to exploit because an attacker must send hundreds or thousands of spoofed DNS responses to the DNS requestor within a second or two of the request to increase the likelihood of success.
Countermeasures: Many vendors have released patches for their DNS servers, including the two most widely deployed, Microsoft DNS and ISC BIND. These patches should be applied soon, but they are not critical enough to forgo normal patch testing procedures.
Gladiator will be updating managed devices over the next few weeks to address this vulnerability. Affected vendors are listed in the US-CERT Alert.
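The following Python model is an added example written for this alert; it is not code from Gladiator, Microsoft or ISC. It illustrates the two points above: why the patches (which randomize the query source port) matter, and what the "hundreds or thousands of spoofed responses within a second or two" from the Attack Details section look like from the defender's side. The model resolver accepts a reply only if its destination port and ID match the outstanding query (the page's "sequence ID" is the 16-bit ID field in the DNS header), caches the first match, and records every mismatch; `guess_space` gives the size of the port/ID space a forged reply has to hit by chance with and without port randomization; `flag_reply_bursts` is a hypothetical detector that raises a name when it receives at least 100 rejected replies inside any two-second window. The port range, port 53 as the unpatched fixed source port, the addresses, and the sample event log are all constructed for the example.

```python
"""Model of why source-port randomization matters for DNS cache poisoning,
plus a simple detector for bursts of mismatched replies. Constructed example."""
import random
from collections import deque

FIXED_SOURCE_PORT = 53                 # constructed: unpatched resolver reuses one port
EPHEMERAL_PORTS = range(1024, 65536)   # constructed: pool a patched resolver picks from
TXID_SPACE = 1 << 16                   # the DNS header ID field is 16 bits


def guess_space(randomize_port):
    """Number of (source port, ID) pairs a forged reply must hit by chance."""
    ports = len(EPHEMERAL_PORTS) if randomize_port else 1
    return ports * TXID_SPACE


class Resolver:
    """Toy recursive resolver: one outstanding query per name, first matching reply wins."""

    def __init__(self, randomize_port, rng=None):
        self.randomize_port = randomize_port
        self.rng = rng or random.Random()
        self.pending = {}      # qname -> (source port, txid) of the outstanding query
        self.cache = {}        # qname -> address that won the race
        self.mismatches = []   # (qname, port, txid) of replies that were rejected

    def send_query(self, qname):
        port = (self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port
                else FIXED_SOURCE_PORT)
        txid = self.rng.randrange(TXID_SPACE)
        self.pending[qname] = (port, txid)
        return port, txid

    def receive(self, qname, dst_port, txid, address):
        """Accept a reply only if it targets the exact port and ID of a pending query."""
        if self.pending.get(qname) != (dst_port, txid):
            self.mismatches.append((qname, dst_port, txid))
            return False
        self.cache[qname] = address    # first match is cached; later replies are ignored
        del self.pending[qname]
        return True


def simulate_burst(resolver, qname, n_forged, rng, known_port=None):
    """Feed n_forged replies with random IDs (and random ports unless the port is
    predictable) to the model resolver and return how many were accepted."""
    resolver.send_query(qname)
    accepted = 0
    for _ in range(n_forged):
        port = known_port if known_port is not None else rng.choice(EPHEMERAL_PORTS)
        txid = rng.randrange(TXID_SPACE)
        if resolver.receive(qname, port, txid, "203.0.113.9"):   # constructed address
            accepted += 1
    return accepted


def flag_reply_bursts(events, window=2.0, threshold=100):
    """events: (timestamp, qname) pairs for replies the resolver rejected as mismatched.
    Returns the names that received at least `threshold` rejected replies inside any
    `window`-second span, the signature of a brute-force poisoning attempt."""
    flagged = set()
    recent = {}
    for ts, qname in sorted(events):
        q = recent.setdefault(qname, deque())
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(qname)
    return flagged


# Constructed log: 150 rejected replies for one name in 1.5 s, 3 for another over 10 s.
SAMPLE_EVENTS = ([(1000.0 + i * 0.01, "www.example.com") for i in range(150)]
                 + [(1000.0 + i * 5.0, "mail.example.com") for i in range(3)])


if __name__ == "__main__":
    rng = random.Random(7)
    print("guess space, fixed port:     ", guess_space(False))
    print("guess space, randomized port:", guess_space(True))
    unpatched = Resolver(randomize_port=False, rng=rng)
    patched = Resolver(randomize_port=True, rng=rng)
    print("hits against unpatched model:",
          simulate_burst(unpatched, "www.example.com", 1000, rng, known_port=FIXED_SOURCE_PORT))
    print("hits against patched model:  ",
          simulate_burst(patched, "www.example.com", 1000, rng))
    print("flagged names:", flag_reply_bursts(SAMPLE_EVENTS))
```

With a fixed source port the forged reply only has to match the 16-bit ID (65,536 possibilities), which is why a burst of a thousand guesses per query has a realistic chance over repeated attempts; once the port is also drawn from roughly 64,000 values the space grows to about four billion and the same burst is effectively hopeless. The detector side of the model shows that such bursts are loud: a resolver that logs replies rejected for a port or ID mismatch will see hundreds of them for one name inside a couple of seconds, a pattern that does not occur in normal traffic.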
Reference Links:
- SANS Internet Storm Center (http://isc.sans.org/diary.html?storyid=4687)
- US-CERT (http://www.kb.cert.org/vuls/id/800113)
- Microsoft Security Bulletin (http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx)
- ISC BIND (http://www.isc.org/sw/bind/bind-security.php)