Drop everything and patch your DNS: like, NOW

Uh-oh. It's IT Blogwatch: in which the sky is falling, and just about everyone needs to patch their DNS, right now. Not to mention Ruth Lemos...

Jaikumar Vijayan resolves the news: [You're fired -Ed.]

In a rare synchronized security move, Microsoft Corp., Cisco Systems Inc. and other IT vendors today released software patches aimed at addressing a fundamental design flaw in the Domain Name System (DNS) protocol used to direct traffic on the Internet ... could allow attackers to redirect Web traffic and e-mails to systems under their control ... the flaw exists at the DNS protocol level and affects numerous products from multiple vendors. Virtually every domain name server ... is vulnerable to the flaw and needs to be patched against it as quickly as possible to avoid potentially serious problems, such as companies having all of their network traffic re-routed to malicious Web sites or having employee e-mails captured by attackers. more

The anonymous CircleID gnomes add:

A fundamental flaw in the design of the Domain Name System (DNS) was found earlier this year by security researcher Dan Kaminsky, renowned Internet Security expert. Researchers say they will fully describe the vulnerability in 30 days, after companies that operate web sites or Internet service providers can put the patches in place. The flaw is big enough that Kaminsky and other companies involved brought in government agencies such as the Department of Homeland Security and the U.S. Computer Emergency Response Team. Until the announcement today, experts had been quietly working on coordinating a massive patch affecting all types DNS implementation. Experts emphasized during the press conference today that the flaw is within the DNS protocol and in no way specific to any particular vendor. more

Chad R Dougherty works your tax dollars:

Recent additional research into these issues and methods of combining them to conduct improved cache poisoning attacks have yielded extremely effective exploitation techniques ... Because attacks against these vulnerabilities all rely on an attacker's ability to predictably spoof traffic, the implementation of per-query source port randomization in the server presents a practical mitigation ... and make attacks impractical ... Thanks to Dan Kaminsky of IOActive for identifying the effectiveness and practicality of DNS cache poisoning, and to Paul Vixie of Internet Systems Consortium (ISC) for raising the urgency of these issues. Daniel J. Bernstein is credited with the original idea and implementation of randomized source ports in the DNS resolver. more

But Augusto Quadros Paes de Barros sees the silver lining:

A few years ago, it would be impossible to imagine something like what Dan Kaminsky has done with the recently uncovered DNS cache poisoning vulnerability. Although the technical details of the issue are still not public (and are probably “wicked cool”, 3117, etc), the mosr impressive fact of the whole story is that there was an joint effort from several companies (competitors included) and organizations to release the patch in a organized way. It is the best sample of responsible disclosure I’ve ever seen so far. I think this is a vey good example of how mature our field is comparing to old times. more

And Dave Lewis evokes Sailor Moon (or is it Darkwing Duck?):

Unlike other researchers who give up the gory details, Kaminsky took a wiser path by smiling and nodding. He’ll give up the goods at Black Hat in August. That should give folks enough time to patch their systems ... So, the race is on. How long until the negaverse discovers the true nature of the vulnerability? Dan has provided a DNS checking tool on his site to see if your DNS is vulnerable. more

Rich Mogull lays it on the line:

A massive multivendor patch release to resolve a major issue in DNS that could allow attackers to easily compromise any name server (it also affects clients) ... The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation ... [Dan] was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day. more listen

John Nagle digs in:

The vulnerable systems are ones where the 16-bit DNS transaction ID and the 16-bit port number for a transaction are not randomly chosen ... the attacker must be able to spoof IP addresses, that is, they must not be behind some ISP with egress filtering ... So it looks like a form of this attack documented in 2003 at "Cache Poisoning using DNS Transaction ID Prediction". Back in 2003, it took a large number of packets to make this attack work, and even then it wasn't reliable. But there may be a more cost-effective attack strategy if you know how the DNS server assigns transaction numbers and ports. The fundamental problem comes from 1) the fact that source IP addresses can be forged, and 2) the DNS transaction ID, at 16 bits, is far too short to be considered a useful random key. Any key with security implications should be at least 64 bits and be generated by a crypto-grade random number generator. more

Thomas Ptacek compares session ID lengths:

Java JSESSIONID: BB16479A0338D3DCF26D11712F138BC1



DNS XID: 04d8

Getting To File This Week’s Front Page Security Story Before Changing Out Of Your Pajamas: Priceless. There are some vulnerabilities money can’t buy. For everything else: there’s the DNS. more

And finally...

Buffer overflow:

Other Computerworld bloggers:

RSS feed icon
Like this stuff? Subscribe to the RSS feed.

Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 21 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.

Previously in IT Blogwatch:

[More on today's story at Techmeme]

Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon