This week in Infosec - 2008-07-25

The DNS Bug

Background
The DNS system allows computers to find each other on the Internet.  Every computer on the Internet is identified uniquely by a numeric IP address.  The DNS system allows us to use a cute name rather than a number.

For example, when you type www.google.com, DNS servers resolve the name to Google’s unique server address:  66.233.169.104

There are countless thousands of DNS servers on the Internet.
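To make the name-to-address step concrete, here is an added example (not part of the original post, and not Kaminsky's or any vendor's code) that builds a DNS query for www.google.com on the wire and parses a constructed answer carrying the 66.233.169.104 address from the text above. The only thing a resolver has to match between the question it sent and the answer it accepts is the 16-bit transaction ID in the header, which is why that field matters so much in this story. The sample packets are constructed inline; no network access is needed.

```python
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels: 3www6google3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=QTYPE_A):
    """Standard recursive query: header (12 bytes) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None  # position after the first pointer we follow
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return (txid, [(name, ttl, ipv4)]) for the A records in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return txid, answers


def build_answer(txid, name, ipv4, ttl=300):
    """Constructed authoritative-style answer: question echoed, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # 0xC00C points back at the question name at offset 12 (compression)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    rr += bytes(int(x) for x in ipv4.split("."))
    return header + question + rr


def accepts(query, response):
    """A resolver caches an answer only if its txid matches the outstanding query."""
    sent_txid = struct.unpack("!H", query[:2])[0]
    got_txid, answers = parse_response(response)
    return got_txid == sent_txid and answers


if __name__ == "__main__":
    q = build_query(0x1234, "www.google.com")
    r = build_answer(0x1234, "www.google.com", "66.233.169.104")
    print(parse_response(r))   # (4660, [('www.google.com', 300, '66.233.169.104')])
    print(bool(accepts(q, r)))  # True
```

Run it to see the twelve-byte header and the compressed answer name laid out exactly as a resolver reads them; the `accepts` check is the txid comparison that the patches of July 2008 had to strengthen by also randomizing the UDP source port.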

The Itch
About 6 months ago, researcher Dan Kaminsky discovered a means of easily exploiting a flaw in the DNS protocol.

He did not find a problem in a specific DNS server, he found a way to exploit the protocol itself.

Every DNS server (except those using OpenDNS, OpenBSD, and possibly a few others [EDITED: add DJBDNS to the list]) is vulnerable.

Dan quietly pulled together a team of researchers and industry professionals who worked in secret for over 6 months to devise a means of patching the flaw.

On July 7, US-CERT announced the vulnerability.

Simultaneously, 16 vendors released patches for 60 different DNS products.

What followed was a broadcast from those involved in the research, and those close to Kaminsky: “Patch your DNS immediately.”  One of those closest to the incident is Rich Mogull of Securosis who pushed a blog post the morning of the CERT advisory.

Dan vowed he would do all he could to keep details of the vulnerability under wraps, but would fully disclose the exact nature of the vulnerability at Black Hat in August.

There wasn’t a security podcast, blog, chat room, or IRC channel that wasn’t buzzing with speculation.

The Scratch
On July 23, security researchers HD Moore and |)ruid developed a working exploit and introduced it into the Metasploit framework.  Metasploit is a free penetration testing platform.

The exploit is capable of poisoning the cache of an un-patched DNS server in just a few minutes.

With a weaponized payload in the wild, consequences could be dire.

Aftermath
What can you do?

  • System administrators should ensure that all DNS servers under their control are patched immediately.  Patches are available for all major products.
  • End users should run automatic updates as soon as possible.  Patches are available.
  • The paranoid can manually configure their computers to use the OpenDNS servers.
  • Many ISPs have patched, and you can check their sites for more details.
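For administrators who want to confirm that a patch actually took effect, the vendor fixes for this bug all came down to the same thing: randomizing the UDP source port of every outgoing query so that an answer has to match both the 16-bit transaction ID and an unpredictable port. The added example below (mine, not the original post's, and not any vendor's tool) audits a sample of a resolver's outgoing queries captured as (source port, txid) pairs and flags a resolver that still sends from a single fixed port. The two observation sets are constructed inline; the 50% distinct-port threshold is a heuristic of my own, not a published standard.

```python
import math
from collections import Counter

# Constructed sample: an unpatched resolver sending every query from port 53
# with a changing txid. (source_port, txid) per outgoing query.
FIXED_PORT_SAMPLE = [
    (53, 0x1A2B), (53, 0x9F01), (53, 0x44C3), (53, 0x0D7E),
    (53, 0xB210), (53, 0x67A9), (53, 0xE3F4), (53, 0x2C58),
    (53, 0x7D11), (53, 0xA6E0), (53, 0x3B92), (53, 0xF00D),
]

# Constructed sample: a patched resolver using a fresh high port each time.
RANDOM_PORT_SAMPLE = [
    (51234, 0x1A2B), (33017, 0x9F01), (60422, 0x44C3), (41888, 0x0D7E),
    (27391, 0xB210), (58004, 0x67A9), (36655, 0xE3F4), (49120, 0x2C58),
    (30777, 0x7D11), (62039, 0xA6E0), (45561, 0x3B92), (38942, 0xF00D),
]


def shannon_entropy_bits(values):
    """Empirical entropy of the observed values, in bits (0 for a constant)."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_resolver(observations, min_distinct_ratio=0.5):
    """Summarize port/txid diversity and give a verdict.

    Heuristic (assumption, not a standard): if fewer than half of the sampled
    queries used distinct source ports, the resolver is not randomizing.
    """
    if not observations:
        raise ValueError("no observations")
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    distinct_ports = len(set(ports))
    ratio = distinct_ports / len(observations)
    verdict = "GOOD" if ratio >= min_distinct_ratio else "POOR"
    return {
        "queries": len(observations),
        "distinct_ports": distinct_ports,
        "port_entropy_bits": shannon_entropy_bits(ports),
        "txid_entropy_bits": shannon_entropy_bits(txids),
        "verdict": verdict,
    }


def describe(result):
    """One-line human summary in the spirit of the online port tests of the time."""
    return ("{queries} queries from {distinct_ports} ports, "
            "port entropy {port_entropy_bits:.2f} bits, "
            "txid entropy {txid_entropy_bits:.2f} bits: {verdict}").format(**result)


if __name__ == "__main__":
    print(describe(audit_resolver(FIXED_PORT_SAMPLE)))
    print(describe(audit_resolver(RANDOM_PORT_SAMPLE)))
```

Feed it real observations by recording the UDP source port and DNS ID of queries your resolver sends to the outside (a packet capture on the resolver's outbound interface is enough). A POOR verdict means the patch is not in effect; a GOOD verdict on a small sample is encouraging but not proof, and a firewall or NAT device in front of the resolver can collapse randomized ports back to one, so capture as close to the Internet side as you can.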

Prelude
Today, Kaminsky released additional details about the vulnerability.  It’s worth a read.

Let’s hope next week is… well… boring.  I think we can all use a rest after these past two…

Bill
