A security researcher has responsibly disclosed a fundamental flaw within the Domain Name System (DNS), the addressing scheme behind the common names used on the Internet. Currently, it may be possible to guess these transaction ID values in advance and assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site.
Dan Kaminsky, director of penetration testing services for IO Active, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said, "the severity is shown by the number of people who've gotten onboard with this patch."
He declined to name the flaw as that would give away details.
On March 31, Kaminsky said 16 researchers gathered at Microsoft to see whether they understood what was going on, as well as what would be a fix to affect the greatest number of people worldwide, and when they would issue this fix.
Toward addressing the flaw, Kaminsky said the researchers all decided to conduct a synchronized, multivendor release. As part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco Systems, Sun Microsystems, and BIND are also expected to roll out patches later on Tuesday.
The coordinated release covers a wide variety of vendors. Art Manion of US-CERT (United States Computer Emergency Readiness Team) said vendors with DNS servers have been contacted, and there's a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.
Most systems will be patched automatically. However, those that are not will have 30 days to be patched manually before additional details are made public.
This issue also affects Internet service providers used by home users. In the coming days, ISPs are expected to apply the patch to their systems. Hardware routers used by home users should not be affected.
Kaminsky said he will release details in time for Black Hat 2008, on August 7 and 8 in Las Vegas. However, Microsoft in its security bulletin said its patch uses strongly random DNS transaction IDs, random sockets for UDP (User Datagram Protocol) queries, and updates the logic used to manage the DNS cache."
Kaminsky did confirm that the patches released today will increase DNS randomness: "Where we had 16-bit before, we now have 32 bits."
To check to see if your system is vulnerable, Kaminsky has provided a DNS checker.
Researcher offers insight into DNS flaw
You might be interested in:
At Tuesday's press conference, Kaminsky refused to provide details about the flaw, preferring to give additional vendors and administrators affected at least 30 days to create or implement the patches.
But within the conference call, during the question-and-answer session, some details and clarifications emerged.
DNS servers translate a popular name such as CNET.com into its numeric IP address. There are 13 principal servers and many subservers located throughout the world to speed the process of IP resolution. Usually a DNS look-up query is assigned a random translation ID, but Kaminsky observed that when a vulnerable DNS server is able to perform recursive DNS queries, it was possible to guess the transaction ID and redirect the result.
DNS queries currently offer a transaction ID that is one of 65,000 possible values. The ID is supposed to be there on every legitimate response. But Kaminsky and others noticed that some weren't particularly random. What has been discovered is that 65,000 is just not enough, said Kaminsky.
Every query has a transaction ID between 0 and 65,000, and the reply must contain the transaction ID. Thus, it may be possible to guess these transaction ID values in advance and insert a malicious server as the authoritative DNS server for a popular bank or e-commerce site.
After applying the patch, Kaminsky said, the transaction ID would now contain the correct transaction ID plus the correct source port, a random identifier located at a different layer in the IP packet. He said when discussing remediation of the flaw the only place they could go for additional randomness within the current infrastructure was the source port. This would increase the size of the translation ID from, say, 16 bits to 32 bits, he said.
The IP protocol has a system for sending small messages and there are various headers. He said think of the source port in this case as a return address on an envelope; it's extra data in addition to the message you are sending. He said you can sign your name on the letter itself. You can also sign your name on the envelope as well. The patch does something similar with the translation IDs.
Kaminsky said he will release more details in time for Black Hat 2008, to be held August 7 and 8 in Las Vegas.
In the meantime he's set a high standard for responsible vulnerability disclosure.
Linkedin 
RSS Feeds 
Newsletters 
Alerts
