Massive Patch Coming for DNS Vulnerability
Major vendors of domain name system (DNS) servers are making an unprecedented
coordinated release of patches for what is being called a fundamental flaw in
DNS, a core element of the Internet.
Patches are being released today by most vendors and will be released soon
by all, said Dan Kaminsky, director of penetration testing for IOActive Inc.,
who discovered the vulnerability about six months ago.
Automatic updates will handle patching in most servers, but it is critical
for all organizations to identify name servers in their networks and make sure
that the proper patches are applied, Kaminsky said.
According to a bulletin from the U.S. Computer Emergency Readiness Team (U.S.
CERT), the vulnerability (VU#800113) could allow cache poisoning and misdirection
of Web requests, sending users to unknown Web sites.
Web poisoning exploits already are known, but because the new vulnerability
is in the basic design of the protocol itself, it is potentially more dangerous
than previous problems. If the vulnerability were exploited, "you would have
the Internet, but it wouldn't be the Internet you expect," Kaminsky said.
There are no indications of an exploit for the vulnerability, he added.
DNS is a hierarchical system that translates written names such as those in
URLs and e-mail addresses into IP addresses. This function makes it critical
to almost all uses of the Internet. Because the vulnerability is in the basic
design of DNS, it is found in nearly all implementations of the protocol, and
the response has been coordinated.
Kaminsky said he found the bug by accident. "I wasn't looking for
this at all."
A group of 16 security researchers met on the Microsoft campus in March to
coordinate a response.
"Because of the fundamental nature of the vulnerability, it is in all
of our implementations, and we agreed that the only way we could do this was
by a coordinated release across all platforms," Kaminsky said in a news
conference Tuesday announcing the release.
Vendors agreed to release patches in July and wait for a month before releasing
details of the vulnerability.
Some vendors made early releases of the patches available to large Internet
service providers such as Comcast, which already have begun patching their infrastructures.
By withholding details and using a patch that does not directly fix the vulnerability
itself, the researchers hope to make it as difficult as possible for hackers
to reverse-engineer and find the vulnerability.
"Reverse-engineering is not impossible," Kaminsky said. "But we hope it will
not be done quickly. Things are well under control. We have bought you as much
time as possible."
It now is up to administrators to ensure that all servers are patched.
Although details of the vulnerability have not been released, Kaminsky said
it involves a weakness in the transaction ID used in DNS queries. Currently,
replies to a DNS query have to contain the proper transaction ID, which is chosen
randomly from 65,000 values.
"For undisclosed reasons, 65,000 is just not enough," Kaminsky
said. "We needed more randomization."
That is being obtained from a source port ID, another random identifier in
the packet. After patching, replies to DNS queries will require not only the
proper transaction ID but also the proper source port ID. "We are making
a system that was somewhat random more random," Kaminsky said.
"The use of randomized source ports can be used to gain approximately
16 additional bits of randomness in the data that an attacker must guess,"
U.S. CERT said.
Art Manion, lead vulnerability analyst for U.S. CERT, said a number of government
agencies cooperated in the response to the vulnerability.
Although patches are being released today, Kaminsky said that installing patches
will not necessarily happen immediately because DNS is such a fundamental part
of the Internet.
"It is very important to get DNS patched correctly," according
to Kaminsky. "If you screw up the deployment of a fix, a lot of people
get a sudden outage."
In some cases, more than patching will be required. Firewalls in front of servers
limiting the number of ports that can be used may have to be reconfigured to
allow the higher level of randomization. Many servers are running older versions
of the Berkeley Internet Name Domain (BIND) server, probably the most commonly
used DNS software. The latest version is BIND 9; BIND 8 no longer is supported,
but about 6 percent of servers scanned in a recent global survey still were
running it. Those servers will have to update to version 9.
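The article makes two practical points that an administrator can check for rather than take on faith: a patched resolver should send queries from varying source ports (roughly 16 extra bits on top of the 16-bit transaction ID), and a firewall or NAT device in front of the resolver can silently undo that by rewriting every outbound query to a fixed or narrow port range. The following script is an added example, not code from the article, U.S. CERT or any vendor. It assumes you have logged the (source port, transaction ID) pairs of a resolver's outbound queries as seen on the outside of the firewall, and it estimates how much randomness those fields actually show. The three observation sets are constructed for the example.

```python
import math
from collections import Counter

# Constructed observations of (source_port, transaction_id) for outbound DNS
# queries, as a packet monitor placed outside the firewall might log them.
# All values below are made up for this example; none come from the article.

# Unpatched behaviour: every query leaves from the same fixed port, so only
# the 16-bit transaction ID varies.
FIXED_PORT = [
    (53, 0x1a2b), (53, 0x9c4d), (53, 0x0042), (53, 0x7e7e),
    (53, 0x3f10), (53, 0xabcd), (53, 0x5555), (53, 0x0f0f),
    (53, 0x1111), (53, 0x2222), (53, 0x3333), (53, 0x4444),
    (53, 0x6789), (53, 0xdead), (53, 0xbeef), (53, 0xc0de),
]

# A NAT or firewall that rewrites outbound ports into a tiny range defeats the
# resolver's own randomization; this sample cycles through only four ports.
NAT_COLLAPSED = [(1024 + i % 4, txid) for i, (_, txid) in enumerate(FIXED_PORT)]

# Patched behaviour seen from outside the firewall: a fresh port per query.
RANDOM_PORT = [
    (49217, 0x1a2b), (1739, 0x9c4d), (60012, 0x0042), (33381, 0x7e7e),
    (5077, 0x3f10), (62930, 0xabcd), (28174, 0x5555), (41088, 0x0f0f),
    (11542, 0x1111), (57203, 0x2222), (7999, 0x3333), (36660, 0x4444),
    (20481, 0x6789), (53306, 0xdead), (15872, 0xbeef), (44517, 0xc0de),
]


def shannon_bits(values):
    """Empirical Shannon entropy, in bits, of a sample of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_port_randomization(observations, fraction_of_ceiling=0.8):
    """Judge whether source ports and transaction IDs look randomized.

    With n samples the most entropy we can possibly observe is log2(n) bits,
    so each field is compared against that ceiling, not against the 16-bit
    theoretical maximum. A field whose entropy falls well below the ceiling
    is reported as fixed or constrained.
    """
    ports = [port for port, _ in observations]
    txids = [txid for _, txid in observations]
    n = len(observations)
    ceiling = math.log2(n)
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    return {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": port_bits,
        "txid_entropy_bits": txid_bits,
        "ports_randomized": port_bits >= fraction_of_ceiling * ceiling,
        "txid_randomized": txid_bits >= fraction_of_ceiling * ceiling,
    }


def summarize(name, observations):
    """Human-readable one-line verdict for a resolver's observation set."""
    r = assess_port_randomization(observations)
    verdict = "OK" if r["ports_randomized"] else "FIXED/CONSTRAINED source port"
    return (f"{name}: {r['distinct_ports']} distinct ports over {r['samples']} "
            f"queries, port entropy {r['port_entropy_bits']:.2f} bits, "
            f"txid entropy {r['txid_entropy_bits']:.2f} bits -> {verdict}")


if __name__ == "__main__":
    for name, obs in (("unpatched", FIXED_PORT),
                      ("patched-behind-NAT", NAT_COLLAPSED),
                      ("patched", RANDOM_PORT)):
        print(summarize(name, obs))
```

The interesting case is the middle one: the resolver itself may be patched, yet the capture shows only four ports, which is exactly the firewall situation the article warns about. Running the check on traffic captured outside the firewall, rather than on the resolver host, is what makes the difference visible. With only a handful of samples the entropy ceiling is low, so collect a few hundred queries before drawing conclusions.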
Joao Damas, senior program manager for ISC whose responsibilities include BIND,
said Yahoo has agreed to migrate its infrastructure to BIND 9.
Kaminsky is scheduled to release details of the vulnerability at the Black
Hat Briefings security conference being held next month in Las Vegas.
William Jackson is the senior writer for Government Computer News (GCN.com).