Richi Jennings

Horrific DNS vulnerability now exploited

July 24, 2008 6:28 AM EDT
The sky is falling on IT Blogwatch: in which the theoretical DNS vulnerability of two weeks ago is now not-so-theoretical any more. Not to mention the pipetting system boyband (huh?)...

Robert McMillan realizes our worst fears:
Hackers have released software that exploits a recently disclosed flaw in the Domain Name System (DNS) ... Internet security experts warn that this code may give criminals a way to launch virtually undetectable phishing attacks against Internet users whose service providers have not installed the latest DNS server patches
...
The bug was first disclosed by IOActive researcher Dan Kaminsky earlier this month, but technical details of the flaw were leaked onto the Internet earlier this week .
...
The corporate users and Internet service providers who are the major users of DNS servers have had since July 8 to patch the flaw, but many have not yet installed the fix on all DNS servers. more
Glenn Fleishman adds:
Do you run domain name service (DNS) nameservers in your company? Not sure? Go check. Now. Really. I mean it. DNS is the glue that binds the Internet.
...
Kaminsky ... [and] Paul Vixie ... pulled together a secret meeting at Microsoft earlier this year that involved all major operating system and DNS server developers. Simultaneous work was performed to release patches all at the same time for every system.
...
Visit the CERT page on the vulnerability to find what steps you need to take to ensure your users aren't vulnerable. more
Dan Kaminsky (for it is he) pens this ditty:
Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have. more
And Paul Vixie (the very same) flogs a dead horse:
As the coordinator of the combined vendor response, I've heard plenty of complaints, and I've watched as Dan Kaminsky has been called an idiot ... Stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.
...
Please ... take the advisory seriously—we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it.
...
News bulletin ... if your recursive nameserver is behind most forms of NAT/PAT device, the patch won't do you any good since your port numbers will be rewritten on the way out ... [So] move your recursive DNS to be outside your NAT/PAT perimeter, or enable your NAT/PAT device to be an ALG, or use TSIG-secured DNS forwarding when passing through your perimeter. more
Dr. Neal Krawetz despairs:
Patch now. Dan Kaminsky clearly found something -- some type of big bug that has been lurking in DNS. Even without knowing the details, it is clear that the fix needs to be applied.
...
One would think that every major ISP would be rushing to apply the fix. However, this does not seem to be the case. With half of the 30-day warning period already past, a surprisingly large number of ISPs are still vulnerable. In fact, of the 60 DNS servers I tested, more than half of them were still vulnerable. Considering that many of the "safe" DNS servers were not vulnerable prior to this situation, this means that far fewer than half of the large ISPs have even reacted to the notice. Here is the wall of shame so far. more
Kim Zetter is tired of being collated at the ends of lists:
Well ... the anticipated attack code to exploit the critical Kaminsky DNS cache-poisoning flaw is now in the wild (assuming there wasn't one already out there). Let's call it a .5-day exploit.
...
System administrators who dragged their feet over updating their DNS servers have lost the race . . . so to speak. But that doesn't mean it's too late to patch your system. more
But bizitch can haz criticizm:
In case anyone is dumb enough to use a Microsoft DNS server as a authoritative internet DNS server - MS has released two lovely patches - KB951746 and KB951748.

The problem with this fix is that it turns the DNS.EXE daemon into a UDP socket grubbing whore. After the patch, the DNS.EXE daemon grabs no less than 2500 freaking UDP sockets.

This wreaks havoc on anything that - you know - needs UDP sockets on the same server. So far Zonealarm, Blackberry BES and Sphericall VOIP software all break with this "patch"

Stay tuned for more fun to come. more
And finally...
Buffer overflow:
Other Computerworld bloggers:
RSS feed icon Like this stuff? Subscribe to the RSS feed.

Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 21 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.

Previously in IT Blogwatch: