Multiple vendor DNS implementations vulnerable to cache poisoning
Update to Advisory AV08-056
Date: 11 July 2008
The purpose of this update is to provide additional information to the cache poisoning issue raised in the initial version of this advisory.
Microsoft has updated its Security Advisory MS08-037 with information regarding a loss of Internet connectivity when using ZoneAlarm software on Windows 2000 and XP.
Check Point has released a new version of ZoneAlarm that resolves the issue.
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
Check Point’s ZoneAlarm press release
http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Additionally, CCIRC would like to draw attention to the following advisories published after our initial release:
Cisco advisory cisco-sa-20080708-dns
Affected products:
Juniper Alert PSN-2008-06-040
Affected products:
Sun Alert 239392
Affected products:
CCIRC recommends that system administrators test and apply fixes to their caching “name servers” and operating systems at the earliest opportunity.
Number: AV08-056
Date: 8 July 2008
Purpose
The purpose of this advisory is to raise awareness of deficiencies in the DNS protocol and common DNS implementations that can facilitate DNS cache poisoning attacks.
Assessment
DNS cache poisoning attacks insert false DNS records into caching “name servers”, which then relay those records to every host that requests DNS information from the affected servers. A successful attack can enable further attacks against the users of the affected caching “name servers”; possible impacts include identity theft, distribution of malware, dissemination of false information, and man-in-the-middle attacks.
Authoritative name servers that do not act as resolving “name servers” are not affected by this issue.
Although cache poisoning attacks are not new, recent research into these and other related vulnerabilities has produced extremely effective exploitation methods to achieve cache poisoning. DNS software makers have implemented source port randomization in their DNS software to reduce the effectiveness of the exploitation method.
Multiple DNS implementations are affected including the following:
• BIND (all versions prior to those officially released today are affected)
• Microsoft (Implementations for Windows 2000, XP, 2003, 2008. See MS08-037 for details)
Some DNS implementations provided in the base operating system used by servers and workstations to query DNS servers are also vulnerable.
Suggested action
A complete solution would require the deployment of DNSSEC across all DNS implementations and servers on the Internet. The effort required for such a change is enormous, and it is not likely to happen quickly. In the meantime, multiple vendors are simultaneously releasing official fixes that limit the effectiveness of cache poisoning attacks using the new method.
CCIRC recommends that system administrators test and apply fixes to their caching “name servers” and operating systems at the earliest opportunity. The fix adds source port randomization to DNS implementations: a patched resolver sends its queries from a wide range of UDP source ports instead of a single fixed port. Organizations may therefore need to change their network perimeter access controls (e.g. firewall rules) to allow this change in network communications.
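Two defender-side checks around the source port randomization fix described above, as an added Python example (not code from this advisory, from ISC, Microsoft or any other DNS vendor): the first shows why adding a random UDP source port to the 16-bit DNS transaction ID makes a blind forged response so much less likely to be accepted, and the second reads a sample of one resolver's outbound queries as (source port, transaction ID) pairs and flags a resolver that is still sending from a single fixed or counting port after the update. The capture samples, the 1024-65535 port range and the 90% distinct-port threshold are assumptions chosen for illustration.

```python
# Added example, not part of the CCIRC advisory or any vendor's code.
# Two defender-side checks around the source port randomization fix:
#  1. how far a blind forgery attempt's odds drop once the resolver's UDP
#     source port is random as well as the 16-bit transaction ID (TXID);
#  2. a quick test of a sample of outbound queries (source port, TXID)
#     captured from one resolver, to confirm the fix is actually in effect.
# The capture samples below are constructed for illustration, not real traffic.
import math
from collections import Counter

TXID_SPACE = 1 << 16               # the DNS header ID field is 16 bits
EPHEMERAL_PORTS = 65536 - 1024     # assumed usable source-port range (1024-65535)


def forgery_success_probability(forged_responses: int, randomize_port: bool) -> float:
    """Chance that a set of distinct blind guesses, all delivered before the
    genuine answer arrives, matches the resolver's outstanding (port, TXID)
    pair. With a fixed source port only the TXID has to be guessed."""
    space = TXID_SPACE * (EPHEMERAL_PORTS if randomize_port else 1)
    return min(1.0, forged_responses / space)


def _is_sequential(values):
    """True when every value is exactly one more than the previous one."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def _entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def port_randomization_report(queries):
    """queries: list of (source_port, txid) pairs seen on one resolver's
    outbound UDP queries. Returns simple indicators an administrator can
    read off after patching; `randomized` is a heuristic, not a proof."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    n = len(ports)
    distinct_ports = len(set(ports))
    report = {
        "samples": n,
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(_entropy_bits(ports), 2),
        "fixed_port": distinct_ports == 1,
        "sequential_ports": _is_sequential(ports),
        "sequential_txids": _is_sequential(txids),
    }
    # Expect almost every query on a fresh port (assumed threshold: 90% of the
    # sample distinct). A fixed or counting port means a forger is back to
    # guessing only the TXID.
    report["randomized"] = (
        not report["fixed_port"]
        and not report["sequential_ports"]
        and distinct_ports >= 0.9 * n
    )
    return report


# Constructed samples: an unpatched resolver sending every query from UDP 53
# with a counting TXID, and a patched one using a fresh ephemeral port each time.
UNPATCHED_CAPTURE = [(53, 0x1A2B), (53, 0x1A2C), (53, 0x1A2D),
                     (53, 0x1A2E), (53, 0x1A2F), (53, 0x1A30)]
PATCHED_CAPTURE = [(50231, 0x7F31), (61902, 0x0C44), (33117, 0xE8A0),
                   (45590, 0x5B19), (58003, 0x9DD2), (39876, 0x2A6E)]

if __name__ == "__main__":
    for randomize in (False, True):
        p = forgery_success_probability(65536, randomize)
        print(f"65536 forged replies, randomize_port={randomize}: "
              f"acceptance probability {p:.2e}")
    print("unpatched:", port_randomization_report(UNPATCHED_CAPTURE))
    print("patched:  ", port_randomization_report(PATCHED_CAPTURE))
```

To check a real resolver, replace the constructed lists with (port, ID) pairs read from a capture of its outbound queries taken after the fix was applied; a report showing a fixed or counting port means the update is not in effect, and a report showing randomized ports is also the moment to confirm that those queries are not being dropped by perimeter rules that still expect a single source port.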
Additionally, the following recommendations should be considered for caching name servers:
• Only allow queries from known IP addresses;
• Apply anti-spoofing filters at the network perimeter;
• Do not provide authoritative name service on a caching name server.
REFERENCES
----------
ISC BIND advisory
http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
Microsoft advisory MS08-037 Vulnerabilities in DNS Could Allow Spoofing (953230)
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
US-CERT/CERT-CC Vulnerability note
http://www.kb.cert.org/vuls/id/800113
CERT/CC Securing DNS servers
http://www.cert.org/archive/pdf/dns.pdf
DNSSEC
http://www.isc.org/sw/bind/docs/dnssec.html
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca