BIND Domain Name Software Allows Remote Users to Spoof the DNS
SecurityTracker Alert ID: 1005691
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 24 2002
Impact: Modification of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.9.11 and prior (4.9.x), 8.2.7 and prior (8.2.x), 8.3.4 and prior (8.3.x)
Description: A DNS spoofing vulnerability was reported in the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) name server software. A remote user may be able to spoof DNS entries in certain cases.

It is reported that BIND versions 4 and 8 do not prevent the transmission of two or more resolution requests for the same domain name, allowing remote users to spoof the DNS system. A remote user can send specially crafted DNS packets to a target DNS server to inject false domain name information into its cache, mapping a host name to an arbitrary IP address.

According to the report, when the software receives multiple requests for the same resource record (RR), it generates a separate outstanding query for each of them. A remote user can rapidly send multiple queries for a particular RR to a target DNS server, causing the target server to open multiple queries (each with its own transaction ID) to other DNS servers in order to resolve the name. The remote user can then send spoofed responses to the target server; since a response matching any one of the outstanding IDs is accepted, the report indicates that the attacker can achieve a high probability of success.

Caching DNS servers that provide recursive services are reported to be readily vulnerable.

CAIS/RNP (the Brazilian Research Network CSIRT) and Vagner Sacramento from DIMAp/UFRN (Department of Computer Science and Applied Mathematics/Federal University of Rio Grande do Norte) reported these vulnerabilities.

For more information on the vulnerability, including some information on how many spoofed packets may be required, see the original advisory at:
http://www.rnp.br/cais/alertas/2002/cais-ALR-19112002a.html
Impact: A remote user may be able to inject false information into the DNS system.
Solution: Users can upgrade to BIND 9.2.1, available at:
http://www.isc.org/products/BIND/bind9.html
Vendor URL: www.isc.org/products/BIND/
Cause: Authentication error, State error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Vagner Sacramento <vagner@natalnet.br>
Message History:
None.

Source Message Contents
Date: Sat, 23 Nov 2002 22:17:00 -0300 (EST)
From: Vagner Sacramento <vagner@natalnet.br>
Subject: [VulnWatch] CAIS-ALERT: Vulnerability in the sending requests control of BIND
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------
@ Copyright CAIS - Brazilian Research Network CSIRT
Security Incidents Response Center (CAIS/RNP)
Subject : Vulnerability in the sending requests control of BIND
versions 4 and 8 allows DNS spoofing
Date : November 19th, 2002
Credits : Vagner Sacramento, DIMAp-UFRN
Systems affected: 4.9.11 and prior (4.9.x); 8.2.7 and prior (8.2.x); 8.3.4 and prior (8.3.x)
- -----------------------------------------------------------------------
1. Abstract

CAIS/RNP (the Brazilian Research Network CSIRT) and Vagner Sacramento from DIMAp/UFRN (Department of Computer Science and Applied Mathematics/Federal University of Rio Grande do Norte) made some experiments with several versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND), demonstrating the possibility of successful DNS Spoofing attacks against versions 4 and 8.

The BIND application is one implementation of the Domain Name System (DNS) protocol, maintained by ISC. This application resolves Internet host names into IP addresses and IP addresses back into host names, receiving requests from DNS clients at port fifty-three (53).

The identified vulnerability seriously affects the operation of basic Internet services because many of them depend on DNS to perform their functionalities.

Most name servers in the Internet are running BIND. Recent information obtained from Bill Manning of the USC/ISI indicates that more than 60% of the current DNS servers still use vulnerable and old versions of BIND.

The problem described in this advisory certifies that BIND versions 4 and 8 do not prevent the sending of two or more resolution requests for the same domain name, allowing DNS Spoofing attacks with a significant probability of success.
2. Details

BIND versions 4 and 8 use procedures that allow a remote DNS Spoofing attack against DNS servers.

The attack goal is to anticipate a reply with false information to the target DNS server, making the server store in its cache a false IP address for a certain domain name.

To better understand the identified vulnerability, consider the following scenario. When n different DNS clients send simultaneous requests to a target DNS server (running BIND 4 or BIND 8) to resolve the same domain name, the target server will forward the received requests to other DNS servers, starting from the root servers and trying to get replies for each one of the requests.

In this context, the identified vulnerability can be exploited if an attacker simultaneously sends n requests to the target DNS server, using a different IP source address and the same domain name in each one. The target DNS server will send all the received requests to other DNS servers in order to resolve them. Since these requests will be processed independently, they will be assigned different identifiers (IDs). As a result, this server will be waiting for n replies with different IDs for the resolution of the same domain name. The attacker then sends several replies with different IDs to the target DNS server, attempting to guess one of the expected reply IDs, thus applying a DNS Spoofing attack.

The success probability of a DNS Spoofing attack against BIND 4 and BIND 8 is calculated by the equation: n-request-sent/65535, where n-request-sent is the number of requests sent simultaneously to the target DNS server.
3. Impact

Normal operation of many Internet services depends on the proper operation of DNS servers; thus, other services could be impacted if this vulnerability is successfully exploited. An attacker can use DNS spoofing mechanisms to apply a denial of service attack (DoS) or masquerade as a "trusted" entity.

The attacker can inject false information into a DNS cache, mapping a host name to an arbitrary IP address. Some direct consequences of DNS spoofing attacks are:

. compromise of applications that depend on the DNS service to resolve host names (such as smtp, http, ldap, ftp, ssh, etc.), generating false information and consequently intercepting, analyzing, or intentionally corrupting sensitive data;
. impersonation of websites, since the attacker can define, for example, the address of the site www.mydomain.br as being the IP address 1.2.3.4, redirecting the access to a fake web server instead of the real one;
. attacks based on the exploitation of trust relationships among security systems.
4. Systems Affected

DNS servers running the following versions of ISC BIND:

. 4.9.11 and prior (4.9.x);
. 8.2.7 and prior (8.2.x);
. 8.3.4 and prior (8.3.x);

5. Solutions

Upgrade to BIND 9.2.1, available at:
http://www.isc.org/products/BIND/bind9.html
6. Actions Recommended

Some applicable recommendations regarding the security of DNS servers are:

. configure the DNS server to allow the use of recursion only for stations which belong to its domain;
. configure anti-spoofing rules on the firewall or border router;
. considering the network topology, set up the DNS server in a DMZ (demilitarized zone).

In addition, the best practices for secure configuration of a DNS server referenced in a recently published document by CERT/CC, "Securing an Internet Name Server", should be considered. This document is available at:
http://www.cert.org/archive/pdf/dns.pdf
7. References

[1] Internet Software Consortium;
http://www.isc.org
[2] Securing an Internet Name Server; Cricket Liu;
http://www.linuxsecurity.com/resource_files/
[3] DNS and BIND, 4th Edition; Paul Albitz & Cricket Liu; May 2001
http://www.oreilly.com/catalog/dns4/chapter/ch11.html
[4] Securing an Internet Name Server; CERT Coordination Center; Allen Householder, Brian King, Ken Silva
http://www.cert.org/archive/pdf/dns.pdf
8. Acknowledgements

To Vagner Sacramento, who discovered the vulnerability described in this advisory during the development of his master's thesis at DIMAp/UFRN under the orientation of Prof. Thais Vasconcelos Batista and Prof. Guido Lemos de Souza Filho.

To Thiago Alves da Silva, who provided support during the tests at CAIS.
- -------------------------------------------------------------------------
Thanks to CERT Coordination Center (CERT/CC) for testing and validating
the reported vulnerability.
http://www.kb.cert.org/vuls/id/457875
- --------------------------------------------------------------------------
This document can be found at:
http://www.rnp.br/cais/alertas/2002/cais-ALR-19112002a.html
- --------------------------------------------------------------------------
CAIS PGP key:
http://www.rnp.br/chaves/cais-pgp-key.asc
Contact:
+55 (19) 3787-3300
+55 (19) 3787-3301
cais@cais.rnp.br
- ------------ Output from pgp ------------
Good signature made 2002-11-19 20:59 GMT by key:
1024 bits, Key ID C5E14F15, Created 1997-11-27
"Centro de Atendimento a Incidentes de Seguranca <cais@cais.rnp.br>"
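The exposure described in section 2 of the advisory, as an added example that is not part of the advisory or of SecurityTracker's text: a Python model of a resolver that opens one outstanding query per duplicate request (the BIND 4/8 behaviour the advisory describes) beside a hypothetical resolver that merges duplicate in-flight lookups, with the advisory's n/65535 estimate extended to k forged replies (1 - (1 - n/65536)^k) and checked by Monte Carlo. All function names and the coalescing model are assumptions for illustration, not BIND code.

```python
import random

ID_SPACE = 65536  # 16-bit DNS transaction ID space (the advisory rounds this to 65535)


def outstanding_ids(n, rng):
    """Model of the BIND 4/8 behaviour described in the advisory: n concurrent
    client requests for one name become n forwarded queries, each with its
    own random transaction ID, so the resolver waits on up to n distinct IDs."""
    return {rng.randrange(ID_SPACE) for _ in range(n)}


def coalesced_ids(n, rng):
    """Hypothetical resolver that merges duplicate in-flight lookups: however
    many clients ask for the same name, only one query (one ID) is open."""
    return {rng.randrange(ID_SPACE)} if n > 0 else set()


def open_id_count(n, coalesce, seed=0):
    """Number of IDs a forged reply could match under each model."""
    rng = random.Random(seed)
    return len(coalesced_ids(n, rng) if coalesce else outstanding_ids(n, rng))


def hit_probability(n_outstanding, k_replies):
    """Chance that at least one of k forged replies, each carrying a uniformly
    random ID, matches one of n_outstanding distinct open IDs. With k = 1 this
    is the advisory's n / ID_SPACE; the closed form for k > 1 is an extension."""
    p_single = n_outstanding / ID_SPACE
    return 1.0 - (1.0 - p_single) ** k_replies


def simulate(n, k_replies, trials, coalesce=False, seed=1):
    """Monte Carlo estimate of the same event, run against the resolver model,
    so the closed form can be checked rather than trusted."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        open_ids = coalesced_ids(n, rng) if coalesce else outstanding_ids(n, rng)
        if any(rng.randrange(ID_SPACE) in open_ids for _ in range(k_replies)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for n in (1, 50, 300):
        print(f"n={n:4d} open IDs: per-request {open_id_count(n, False)}, "
              f"coalesced {open_id_count(n, True)}; "
              f"P(hit | 200 replies) = {hit_probability(n, 200):.3f} "
              f"(simulated {simulate(n, 200, 500):.3f})")
```

The per-request model's exposure grows linearly with n, which is why the advisory's recommendation to restrict recursion to the server's own stations matters: it caps who can raise n in the first place.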