DNS Hole Prompts Patching Effort by IT Vendors
In a rare synchronized security move, Microsoft Corp., Cisco Systems Inc. and other IT vendors today released software patches aimed at addressing a fundamental design flaw in the Domain Name System (DNS) protocol used to direct traffic on the Internet.
The so-called DNS cache-poisoning flaw was discovered earlier this year by Dan Kaminsky, a researcher at security services firm IOActive Inc., but it wasn't publicized until today. The vulnerability could allow attackers to redirect Web traffic and e-mails to systems under their control, according to Kaminsky, who said in an interview that the flaw exists at the DNS protocol level and affects numerous products from multiple vendors.
Virtually every domain name server that resolves IP addresses on the Internet is vulnerable to the flaw and needs to be patched against it as quickly as possible to avoid potentially serious problems, such as companies having all of their network traffic rerouted to malicious Web sites or having employee e-mails captured by attackers, Kaminsky said.
Because of the seriousness of the issue, Kaminsky first communicated news of the flaw to the U.S. Computer Emergency Readiness Team (US-CERT) and to multiple vendors, all of which agreed to keep the discovery under wraps until they had patches ready. Kaminsky said that security researchers from 16 companies met at Microsoft's Redmond, Wash., campus in March to discuss a fix for the problem as well as a strategy for minimizing the potential damage that could result once the vulnerability's existence was disclosed.
Microsoft released a patch for the DNS flaw as part of its monthly Patch Tuesday set of software updates. Among the other organizations that issued patches today were Cisco and the Internet Systems Consortium Inc., which maintains the widely used Berkeley Internet Name Domain technology.
BIND, an implementation of the DNS protocol that includes a DNS server and resolver library, is used on most domain name servers and distributed by vendors such as Sun Microsystems Inc. and Red Hat Inc., which both also issued advisories about the security flaw.
Despite the potential seriousness of the DNS cache-poisoning problem, there is no indication that it has been discovered by malicious hackers yet, according to Kaminsky. And he said that with patches available for the flaw, much of the immediate risk has been mitigated. Kaminsky noted that the patches have been designed in such a way as to minimize the chances of them being reverse-engineered in order to exploit the vulnerability.
An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.
Microsoft issued a patch for a separate DNS cache-poisoning flaw last November. The software vendor gave the latest DNS vulnerability an "important" severity rating, one step below its top rating of "critical."
Nonetheless, Kaminsky and others said the vulnerability is a bona fide threat to users. "It's not good when the DNS goes bad," Kaminsky said. "At the end of the day, the DNS controls where people go on the Internet. Everything depends on it."
Kaminsky said a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS packets include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn't especially random and can be guessed, he said.
Joao Damas, a senior program manager at the ISC, said that what Kaminsky has discovered is a way to efficiently identify responses to specific queries and then quickly inject forged information into them. With their patches, the ISC and other vendors are trying to add more randomness to the process in order to make it much harder for attackers to determine the identifier values, Damas added. "Increasing forgery resilience is the way we are trying to do this," he said.
The technique uncovered by Kaminsky does seem to offer an "extremely easy way" to compromise DNS servers, said Rich Mogull, who heads the security consulting firm Securosis. But for the moment, at least, the flaw doesn't appear to be exploitable because the only ones who know about it are the "good guys," Mogull said. "Your risk isn't any greater today that it was yesterday."
Even so, companies should make sure that their domain name servers are patched as soon as possible, Kaminsky said. He added that if a particular vendor has yet to make a patch available, IT managers might want to consider using open-source technologies such as Open DNS, which is not vulnerable to the cache-poisoning issue.
The US-CERT's advisory also listed other steps that companies could take to mitigate the threat, such as restricting access to their DNS servers and filtering traffic for spoofed IP addresses at their network perimeters.