www.infoblox.com/solutions/DNS-Security-Flaw.cfm
More information on the DNS vulnerability and frequently asked questions

JULY 21 UPDATE: Details Regarding How To Exploit The Vulnerability Have Been Released Into The Wild

On July 8th, 2008, the US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, announced a serious DNS security flaw that makes virtually all DNS servers vulnerable to cache poisoning. The flaw exists in the design of the DNS protocol, and therefore virtually all vendors and products, including ISC BIND and Microsoft DNS servers, are affected. If the cache of a DNS server is poisoned using this method, all of the traffic for a website can be redirected to a malicious web page.

Cache poisoning attacks are well known and understood, but before the discovery of this vulnerability it was generally believed that mounting such an attack would require bombarding a DNS server with a tremendous amount of traffic, so that it could be identified and blocked easily. This vulnerability makes it possible to poison a DNS cache without being detected and therefore poses a serious security risk. The flaw was detected several months ago by Dan Kaminsky (and kept secret) while a group of researchers worked on fixes for all of the affected DNS implementations, which include ISC's BIND and Microsoft's DNS server.

UPDATE: A complete explanation of the DNS vulnerability and an explanation of how to create an exploit has been publicly released. ALL ORGANIZATIONS ARE URGED TO PATCH THEIR DNS SERVERS IMMEDIATELY. We also encourage you to view the Webinar hosted by Cricket Liu and Dan Kaminsky.

US-CERT VU#800113 (CVE-2008-1447)

Frequently Asked Questions

What is DNS cache poisoning?

DNS cache poisoning is a security attack on DNS servers that allows attackers to populate DNS server caches with incorrect information. A client request for a legitimate website can be directed to a malicious website using this attack. Once an unsuspecting user connects to the malicious website, they may divulge personal information, e.g. bank account numbers and passwords, similar to phishing attacks.

Normally, DNS cache poisoning is not easy to exploit: the known methods to poison a DNS cache require sending large amounts of data to DNS servers and are therefore easily detected and blocked. However, this vulnerability (CERT VU#800113 (CVE-2008-1447)) allows a hacker to poison a DNS cache easily and without being detected. Details of this new vulnerability have not been released yet, to allow administrators to patch their servers before the technique becomes well known to attackers. However, an exploit has now been released into the wild. This flaw exists in the design of the DNS protocol, and therefore all vendor products, including those from Microsoft, ISC and Cisco, are affected.

Will automatic patching using Windows Update resolve this issue?

Windows Update can upgrade the DNS client on your PC, but DNS servers represent the most significant vulnerability, and few (if any) IT departments will use Windows Update to patch their production DNS servers. Companies using Microsoft DNS will have to patch all of their servers, which can be a significant and disruptive undertaking. All administrators are advised to obtain patches for their DNS servers from the respective vendors.

If you cannot patch immediately, there are some workarounds that can limit exposure:

Limit access to recursion as much as possible.
Only allow recursive queries from internal clients.

Of course, if you are performing queries to outside servers, the response can be spoofed. The only way to protect servers that must process recursive queries to outside servers is to patch those servers, which may be a significant undertaking.

The Infoblox DNS solution is based on BIND, and therefore older versions of the software contain the vulnerability.
Infoblox works closely with Internet Software Consortium (ISC) and has already released software that includes fixes for the vulnerability, including UDP source port randomization. The patched releases are available to all supported Infoblox customers via the Infoblox Support Web site. Upgrading to the new software is relatively simple using the automated upgrade features provided by Infoblox grid technology - and for customers with best practices architectures deployed, upgrades can be achieved with no service downtime.
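The UDP source port randomization mentioned above can be verified from the outside: a patched resolver sends each outbound query from a different, unpredictable port, while an unpatched one reuses a single port, leaving only the 16-bit transaction ID to protect it. The following Python script is an added example, not Infoblox or ISC code; it scores constructed records of a resolver's outbound queries (resolver IP, UDP source port, DNS transaction ID, as a monitoring tool or packet capture would export them) and flags resolvers whose port diversity is too low to be randomized.

```python
import math
from collections import defaultdict

# Constructed sample of outbound recursive queries as (resolver_ip, udp_source_port, dns_txid).
# 10.0.0.5 mimics an unpatched server that sends every query from port 53;
# 10.0.0.9 mimics a patched server whose source ports vary per query.
SAMPLE_QUERIES = (
    [("10.0.0.5", 53, (0x1A2B + 97 * i) & 0xFFFF) for i in range(20)]
    + [("10.0.0.9", 20000 + 1777 * i, (0x7C3D + 131 * i) & 0xFFFF) for i in range(20)]
)


def shannon_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = defaultdict(int)
    for v in values:
        counts[v] += 1
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_resolvers(queries, min_queries=10, min_port_bits=2.0):
    """Group queries by resolver and flag those whose UDP source ports show
    too little variation to be randomized. Returns {resolver_ip: summary}."""
    by_resolver = defaultdict(list)
    for resolver, port, txid in queries:
        by_resolver[resolver].append((port, txid))
    report = {}
    for resolver, rows in by_resolver.items():
        ports = [p for p, _ in rows]
        if len(rows) < min_queries:
            verdict = "insufficient-data"
        elif shannon_bits(ports) < min_port_bits:
            verdict = "fixed-port"  # likely unpatched: the TXID is the only unpredictable field
        else:
            verdict = "randomized"
        report[resolver] = {
            "queries": len(rows),
            "unique_ports": len(set(ports)),
            "port_entropy_bits": round(shannon_bits(ports), 2),
            "txid_entropy_bits": round(shannon_bits([t for _, t in rows]), 2),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for resolver, summary in assess_resolvers(SAMPLE_QUERIES).items():
        print(resolver, summary)
```

The thresholds are assumptions for the constructed sample; on real traffic, collect at least a few dozen queries per resolver and remember that a NAT device between the resolver and the Internet can rewrite source ports and hide the resolver's own behaviour.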