The security researcher who recently discovered a heretofore unknown flaw in the Internet's core Domain Name System (DNS) protocol warned IT managers on Thursday to expect more security fixes aimed at mitigating the issue over the coming months.
At a press conference this morning, Dan Kaminsky, a researcher at security firm IOActive Inc., said that the patches recently issued by multiple vendors in response to his bug discovery are at best a stopgap measure aimed at preventing immediate attacks on the DNS infrastructure.
But Kaminsky plans to disclose details of the bug at the upcoming Black Hat security conference, and with more researchers likely to try and exploit it, there is going to be a need for a more permanent fix.
"There is going to be another round of patches coming online as we as a global community figure out how to address this," Kaminsky said. The current set of security updates that were released a few days ago were designed to make it harder for the bug to be exploited, while also ensuring that would-be attackers wouldn't be able to discover what the flaw is by reverse-engineering the patches.
The stopgap patch was appropriate in its time. "We needed to find a way to stop the bleeding while we figured out what to do here. This fix gets us out of the emergency zone," Kaminsky said, speaking with Computerworld after this morning's press conference. "I think there will be discussions after the bug is disclosed for more comprehensive mechanisms for addressing this class of flaw." He added that he was however unable to discuss what exactly the next generation patches would do, until details of the bug were publicly disclosed.
He noted that the patches that have been released appear to be working, since no one has exploited the vulnerability yet despite the unprecedented attention focused on it. However, he said, "there are people who have gotten really, really close," who have been asked not to disclose their research publicly until he reveals the full details at Black Hat.
One Flaw to Rule Them All
News of the DNS protocol flaw, which was discovered earlier this year by Kaminsky, was made public about 10 days ago in a rare synchronized security update from numerous organization including Microsoft Corp., Cisco Systems Inc., and the U.S. Computer Emergency Readiness Team (US-CERT). The flaw has received widespread attention both because of its apparent seriousness and the fact that it affects virtually every single domain name server that resolves IP addresses on the Internet.
DNS servers are responsible for routing all Internet traffic to their correct destinations. The so-called cache poisoning vulnerability that Kaminsky discovered could allow attackers to redirect Web traffic and e-mails to systems under their control, according security researches. The flaw exists at the DNS protocol level and affects numerous products from multiple vendors.
According to Kaminsky, a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS messages include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn't especially random and can be guessed, he said.
An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.
The patches issued by the various vendors employ a so-called "port randomization" technique that is designed to make it much harder by many magnitudes for anyone to guess at DNS message IDs so as to be able to spoof the messages.