SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Microsoft DNS Server Vendors:   Microsoft
Microsoft DNS Server Software Susceptible to DNS Cache Poisoning in Default Configuration, Allowing Remote Users to Inject False DNS Records in Certain Situations
SecurityTracker Alert ID:  1002317
SecurityTracker URL:  http://securitytracker.com/id/1002317
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 4 2001
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   CERT is warning of a configuration vulnerability in Microsoft DNS Servers that allows bogus DNS entries to be cached in the server. Active attacks against this configuration issue have been observed on the Internet.

It is reported that the default configuration allows data from malicious or incorrectly configured DNS servers to be cached in the DNS server. As a result, a DNS server containing erroneous DNS records may propagate that to a Microsoft DNS server, which may in turn provide the erroneous information to any clients that use the server to obtain DNS information.

For more information, see CERT Incident Note IN-2001-11, available at:
http://www.cert.org/incident_notes/IN-2001-11.html

Impact:   A remote user may be able to inject false DNS information into a DNS server running Microsoft DNS Server. This could cause connections to be redirected to a malicious host.
Solution:   The DNS server can be configured to only save query records for names that are in the same subtree as the server that provided them. For information on how to appropriately configure the server, see:

http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP
http://msdn.microsoft.com/library/en-us/regentry/46753.asp
http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm
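The "same subtree" rule described in the solution above is a cache-admission check: a record returned by a server is cached only if its owner name sits at or below the zone that server was asked about. The following is an added example that is not part of the SecurityTracker alert or the CERT note, and it is not Microsoft's implementation; it shows the check as a standalone filter in Python, with a constructed sample response that mixes legitimate glue for example.net with out-of-subtree records of the kind the note describes (names under gtld-servers.net). The `RR` type, the `cache_response` function and the `secure` flag are assumptions made for this illustration.

```python
"""Added example (not from SecurityTracker, CERT or Microsoft): a DNS cache
admission filter implementing the "same subtree" rule.  A record in a
response is eligible for caching only if its owner name is equal to, or a
descendant of, the zone the responding server was queried for.  All names
and records below are constructed sample data."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    """A minimal resource record: owner name, type, and rdata (assumed type)."""
    name: str    # owner name, e.g. "ns1.example.net."
    rtype: str   # "A", "NS", ...
    rdata: str


def normalize(name: str) -> str:
    """Lower-case the name and give it exactly one trailing dot so that
    comparisons are exact and case-insensitive, as DNS names are."""
    return name.lower().rstrip(".") + "."


def in_subtree(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it.

    The comparison is label-wise, not a plain substring test, so
    "badexample.net." is NOT treated as being inside "example.net."."""
    n, z = normalize(name), normalize(zone)
    if z == ".":           # the root contains every name
        return True
    return n == z or n.endswith("." + z)


def filter_cacheable(zone: str, answer: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response into records that may be cached (inside the
    subtree of `zone`) and records that must be discarded."""
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in answer:
        (accepted if in_subtree(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


def cache_response(zone: str, answer: List[RR], secure: bool) -> List[RR]:
    """Model the two configurations from the advisory (assumed naming):
    secure=False caches everything the server sent (the weak default);
    secure=True applies the same-subtree filter before caching."""
    if not secure:
        return list(answer)
    accepted, _ = filter_cacheable(zone, answer)
    return accepted


# Constructed sample: a response from a server queried for example.net.
# The first three records are legitimate; the last two name hosts outside
# example.net and would poison the cache if accepted.
SAMPLE_RESPONSE = [
    RR("www.example.net.", "A", "192.0.2.10"),
    RR("example.net.", "NS", "ns1.example.net."),
    RR("ns1.example.net.", "A", "192.0.2.53"),            # legitimate glue
    RR("a.gtld-servers.net.", "A", "198.51.100.99"),      # out of subtree
    RR("net.", "NS", "a.gtld-servers.net."),              # out of subtree
]

if __name__ == "__main__":
    for secure in (False, True):
        cached = cache_response("example.net", SAMPLE_RESPONSE, secure)
        print(f"secure={secure}: cached {len(cached)} of {len(SAMPLE_RESPONSE)} records")
        for rr in cached:
            print(f"   {rr.name:24} {rr.rtype:3} {rr.rdata}")
```

With `secure=False` all five records are cached, including the bogus A record for a.gtld-servers.net and the NS record for net., which is exactly how a single lookup against a malicious server can redirect every later query through the poisoned cache. With `secure=True` only the three example.net records survive. The root case (`zone="."`) is deliberately permissive because a root server's referrals legitimately cover every top-level domain; the filter's value comes from applying it at every delegation below the root.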

Vendor URL:  support.microsoft.com/support/kb/articles/Q241/3/52.ASP
Cause:   Configuration error
Underlying OS:   Windows (NT), Windows (2000)

Message History:   None.


Source Message Contents

Date:  Sat, 01 Sep 2001 20:53:56 -0400
Subject:  Cache Corruption on Microsoft DNS Servers


CERT® Incident Note IN-2001-11

The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community. 

Cache Corruption on Microsoft DNS Servers

Release Date: August 31, 2001

Systems Affected

Microsoft Windows NT 4.0 and Windows 2000 systems running Microsoft DNS
Server 

I. Overview

The CERT/CC has received reports from sites experiencing cache
corruption on systems running Microsoft DNS Server.  The default
configuration of this software allows data from malicious or incorrectly
configured servers to be cached in the DNS server. This corruption can
result in erroneous DNS information later being returned to any clients
which use this server.

II. Description

In the default configuration, Microsoft DNS server will accept bogus
glue records from non-delegated servers. These bogus records will be
added to the cache when a client attempts to resolve a particular
hostname served by a malicious or incorrectly configured DNS server. The
client can be coerced to request such a hostname as a result of an
otherwise non-malicious piece of HTML email (such as spam) or in banner
advertisements on websites, to give some examples. 

Based on information contained in reports of this activity, there are
sites actively engaged in this deceptive DNS resolution. These reports
indicate that malicious DNS servers are providing bogus glue records for
the generic top-level domain servers (gtld-servers.net) potentially
resulting in erroneous results (e.g., failed resolution or redirection)
for any DNS request. 

More information about the problem can be found at 

VU#109475 - Microsoft Windows NT and 2000 Domain Name Servers allow
non-authoritative RRs to be cached by default
http://www.kb.cert.org/vuls/id/109475 

Secure server cache against names pollution
http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm

How to Prevent DNS Cache Pollution (Q241352)
http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP
http://msdn.microsoft.com/library/en-us/regentry/46753.asp 

III. Impact

Clients resolving hostnames against the corrupted cache can be
unknowingly redirected to illegitimate sites. Additionally, applications
that rely on DNS information for authentication or access control can
potentially be manipulated by erroneous information stored in the cache. 

IV. Solutions

Apply the workarounds supplied by Microsoft at 

http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP 

V. References

Internet Engineering Task Force (IETF) Request for Comments (RFCs): 

IETF RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES
IETF RFC 1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
IETF RFC 1912: Common DNS Operational and Configuration Errors
IETF RFC 2181: Clarifications to the DNS Specification

VI. Reporting

The CERT/CC is interested in receiving reports of this activity. If
machines under your administrative control are compromised, please send
mail to cert@cert.org with the following text included in the subject
line: "[CERT#29164]".


Author(s): Chad Dougherty, Roman Danyliw 



CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends. 

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from

http://www.cert.org/CERT_PGP.key 

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from our
web site

http://www.cert.org/ 

To subscribe to the CERT mailing list for advisories and bulletins, send
email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory 

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied
as to any matter including, but not limited to, warranty of fitness for
a particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement. 

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History 

August 31, 2001: Initial Release

Copyright 2012, SecurityGlobal.net LLC