Published: 2008-07-20T10:29+00:00
Last Updated: 2008-08-31T04:54+00:00
TRTA08-190B
Multiple DNS implementations vulnerable to cache poisoning
Overview
Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. Effective attack techniques against these vulnerabilities have been demonstrated.
Event Information
Date (UTC) | Description |
2008-08-24 | ICANN Domain Name Security Paper Released ICANN's strategic and operating plans call for ICANN to be operationally ready to deploy DNSSEC at the root level and work with relevant stakeholders to determine how this should be implemented. |
2008-08-22 | Office of Management and Budget M-08-23: Securing the Federal Government's Domain Name System Infrastructure (Submission of Draft Agency Plans Due by September 5, 2008) This memorandum describes existing and new policies for deploying Domain Name System Security (DNSSEC) to all Federal information systems by December 2009. DNSSEC provides cryptographic protections to DNS communication exchanges, thereby removing threats of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet. |
2008-08-08 | SecurityFocus Successfully poisoned the latest BIND with fully randomized ports! Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447) Exploit required to send more than 130 thousand of requests for the fake records like 131737-4795-15081.blah.com to be able to match port and ID and insert poisoned entry for the poisoned_dns.blah.com. #Cid: attack_client.c |
2008-08-06 20:45 | Hewlett-Packard HPSBUX02351: SSRT080058 rev.3 - HP-UX Running BIND, Remote DNS Cache Poisoning |
2008-08-06 | ICANN ICANN Highlights Domain Name System Vulnerability; Releases Tools To detect whether a particular zone is vulnerable, ICANN has produced a tool that can check a particular domain: |
2008-08-06 | Why So Serious |
2008-08-02 11:12 | SANS Internet Storm Center BIND: -P2 patches are released As expected, the Internet Systems Consortium released patches today addressing stability and performance issues some of those having significant load on their systems were struggling with. |
2008-08-01 23:54 | Internet Systems Consortium (ISC) bind-9.4.2-P2.tar.gz ISC BIND patch |
2008-08-01 23:54 | Internet Systems Consortium (ISC) bind-9.5.0-P2.tar.gz ISC BIND patch |
2008-08-01 23:53 | Internet Systems Consortium (ISC) bind-9.3.5-P2.tar.gz ISC BIND patch |
2008-08-01 15:33 | SecurityFocus DNS Multiple Race Exploiting Tool Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447) #Cid: dns_mre-v1.0.tar.gz #Tested: Windows 2003 server |
2008-07-30 21:20 | SANS Internet Storm Center DNS Cache Poisoning Issue Update Ok, we have a confirmed instance where the DNS cache poisoning vulnerability was used to compromise a DNS server belonging to AT&T. This PCWorld article covers the incident. The original article makes it sound as though the Metasploit site was 'owned' by this incident when really the issue was that the AT&T DNS server was compromised and was providing erroneous IP addresses to incoming queries. This updated PCWorld article clarifies the first one. |
2008-07-29 | Metasploit Project DNS Attacks in the Wild In a recent conversation with Robert McMillan (IDG), I described an in-the-wild attack against one of AT&T's DNS cache servers, specifically one that was configured as an upstream forwarder for an internal DNS machine at BreakingPoint Systems. The attackers had replaced the cache entry for www.google.com with a web page that loaded advertisements hidden inside an iframe. |
2008-07-25 19:45 | SANS Internet Storm Center Recursive DNS Cache Auditing Resource For those with a need, research described in Jose Avila's Recursive DNS Cache Auditing presentation is backed by the ONZRA security research tool CacheAudit v.01, see the Research folder at ONZRA for the CacheAudit download. |
2008-07-25 17:23 | Microsoft Microsoft Security Advisory (956187): Increased Threat for DNS Spoofing Vulnerability DNS Insufficient Socket Entropy Vulnerability (MS08-037, CVE-2008-1447) |
2008-07-25 14:12 | SANS Internet Storm Center DNS bug - observations As indicated in earlier diary entries, an authoritative server sees queries from recursive servers for nonexistent names if their domain is being targeted by the latest DNS attack. They can't do much: all they can do is report them. |
2008-07-25 12:32 | SANS Internet Storm Center DNS developments Security Blogs and E_News outlets are giving extended coverage of the DNS vulnerability exploit releases and we're receiving a few reports of attacks. |
2008-07-25 06:47 | SANS Internet Storm Center DNS cache poisoning vulnerability details confirmed (Version: 2) A couple of the handlers tuned into the Blackhat "webinar" today. The topic was Kaminsky's DNS vulnerability. Here are some quick notes... |
2008-07-25 01:15 | JPCERT/CC JPCERT-AT-2008-0013: Cache-Poisoning Vulnerability In Multiple DNS Servers |
2008-07-25 | SecurityFocus BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (c) Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447) #Cid: kaminsky-attack.c |
2008-07-24 15:33 | SecurityFocus BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py) Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447) #Cid: dns-recurs-poisoning.py |
2008-07-24 14:00 | US-CERT DNS Cache Poisoning Public Exploit Code Available US-CERT Current Activity US-CERT is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver's clients to contact the incorrect, and possibly malicious hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker's control. |
2008-07-24 10:06 | JPCERT/CC JPCERT-AT-2008-0014: Cache-Poisoning Vulnerability In Multiple DNS Servers |
2008-07-24 03:56 | SecurityFocus CAU-EX-2008-0003: BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit for Domains (meta) Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447) #Cid: bailiwicked_domain.rb #Tested: BIND 9.4.1 #Tested: BIND 9.4.2 |
2008-07-24 | Details |
2008-07-23 22:53 | SecurityFocus CAU-EX-2008-0002: BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (meta) Vulnerability Proof Of Concept (DNS Insufficient Socket Entropy - MS08-037, CVE-2008-1447) #Cid: baliwicked_host.rb #Tested: BIND 9.4.1 #Tested: BIND 9.4.2 |
2008-07-23 19:48 | McAfee "The-Cat-is-Out-of-The-Bag" DNS Bug Computer Security Research - McAfee Avert Labs Blog There has been a lot of hush-hush recently regarding a DNS security issue finding by Dan Kaminsky. Industry wide coordinated effort led by Dan ensured that patches were released by multiple vendors. Even though the technical details of the issue were not yet made public by Dan, an inadvertent leak by Matasano Security blog seems to have given out a lot of the information regarding the issue. |
2008-07-23 18:13 | US-CERT NAT/PAT Affects DNS Cache Poisoning Mitigation US-CERT Current Activity US-CERT released a Current Activity entry and a Vulnerability Note on July 8, 2008 regarding deficiencies in DNS implementations. These deficiencies could leave an affected system vulnerable to cache poisoning. Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch systems or apply workarounds immediately. A number of patches implement source port randomization in the name server as a way to reduce the practicality of cache poisoning attacks. Administrators should be aware that in infrastructures where nameservers exist behind Network Address Translation (NAT) and Port Address Translation (PAT) devices, port randomization in the nameserver may be overwritten by the NAT/PAT device and a sequential port address could be allocated. This may weaken the protection offered by source port randomization in the nameserver. |
2008-07-23 | JPCERT/CC JPCERT-AT-2008-0013: Cache-Poisoning Vulnerability In Multiple DNS Servers |
2008-07-22 11:50 | US-CERT DNS Implementations Vulnerable to Cache Poisoning US-CERT Current Activity Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately. |
2008-07-21 19:34 | Matasano Security blog Reliable DNS Forgery in 2008: Kaminsky's Discovery |
2008-07-19 11:29 | Hewlett-Packard HPSBUX02351: SSRT080058 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning |
2008-07-17 02:21 | Hewlett-Packard HPSBUX02351: SSRT080058 rev.1 - HP-UX Running BIND, Remote DNS Cache Poisoning |
2008-07-17 | IBM Internet Security Systems Multiple Vendors Vulnerable to DNS Cache Poisoning DNS Insufficient Socket Entropy Vulnerability (CVE-2008-1447) Multiple vendor DNS protocol implementations could allow a remote attacker to poison the DNS cache. Patches that resolve the vulnerability on the DNS may be rendered ineffective if the DNS is behind a NAT device that does not randomize ports. |
2008-07-16 18:26 | DNS-OARC Web-based DNS Randomness Test This page exists to help you learn if your ISP's nameservers are vulnerable to this type of attack. If you click on the button below, we will test the randomness of your ISP DNS resolver. |
2008-07-14 23:53 | IBM Internet Security Systems More on DNS Cache Poisoning and Network Address Translation This blog post is a followup to an earlier note I posted about the effect of different NAT devices on the recent DNS vulnerability patches. A reader named Huzeyfe ONAL wrote in to let me know that he had tested his OpenBSD machine running pf and found that each UDP session seemed to be assigned a different, random port. Several references online seem to confirm this. This provides another example of a secure NAT strategy, besides the one employed by Linux. |
2008-07-13 19:10 | FreeBSD FreeBSD-SA-08:06.bind: DNS cache poisoning The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization. |
2008-07-10 22:56 | IBM Internet Security Systems (UPDATED) DNS Cache Poisoning and Network Address Translation On July 8th a number of DNS software vendors published security updates which improve the randomness of UDP source port assignments to protect against DNS Cache Poisoning. The following day someone called imipack posted an interesting observation to the Full Disclosure mailing list. He noticed that the UDP source ports for DNS transactions coming from a patched server were still sequential when placed behind a firewall performing Network Address Translation. |
2008-07-09 14:00 | Full-disclosure DNS and Checkpoint I've had a report from someone with clue (and tcpdump) that a properly functioning DNS resolver that correctly uses randomised source ports magically becomes vulnerable once the traffic's passed through a Checkpoint firewall. |
2008-07-09 04:35 | JPCERT/CC JPCERT-AT-2008-0013: Cache-Poisoning Vulnerability In Multiple DNS Servers |
2008-07-08 23:09 | SANS Internet Storm Center Multiple Vendors DNS Spoofing Vulnerability (Version: 4) Overview of the July 2008 Microsoft patches and their status. |
2008-07-08 20:49 | US-CERT TA08-190B: Microsoft Updates for Multiple Vulnerabilities Via US-CERT Mailing List |
2008-07-08 20:08 | Microsoft MS08-JUL: Microsoft Security Bulletin Summary for July 2008 Included in this advisory are updates for newly discovered vulnerabilities. |
2008-07-08 19:37 | US-CERT DNS Implementations Vulnerable to Cache Poisoning US-CERT Current Activity US-CERT is aware of deficiencies in the DNS protocol. Implementations of this protocol may leave the affected system vulnerable to DNS cache poisoning attacks. If an attacker can successfully conduct a cache poisoning attack, they may be able to cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. This may allow an attacker to obtain sensitive information or mislead users into believing they are visiting a legitimate website. |
2008-07-08 18:00 | Cisco cisco-sa-20080708-dns: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches. |
2008-07-08 06:10 | Internet Systems Consortium (ISC) ISC BIND patch release |
2008-07-08 | Internet Systems Consortium (ISC) ISC acts quickly to shield BIND user base Internet Systems Consortium (ISC) released several fixes for BIND9 in response to the United States Computer Emergency Readiness Team (US-CERT) Vulnerability notice number 800113 regarding a DNS Cache Poisoning Issue. The basis for the vulnerability is inherent in the DNS protocol and not a flaw specific to BIND9, the leading software implementation of the DNS protocol written and distributed by ISC. |
2008-07-04 05:56 | Internet Systems Consortium (ISC) bind-9.5.1b1.tar.gz ISC BIND patch |
2008-07-04 05:55 | Internet Systems Consortium (ISC) bind-9.4.3b2.tar.gz ISC BIND patch |
2008-05-28 22:54 | Internet Systems Consortium (ISC) bind-9.3.5-P1.tar.gz ISC BIND patch |
2008-05-28 21:03 | Internet Systems Consortium (ISC) bind-9.5.0-P1.tar.gz ISC BIND patch |
2008-05-28 19:40 | Internet Systems Consortium (ISC) bind-9.4.2-P1.tar.gz ISC BIND patch |