MS-ISAC ADVISORY NUMBER:
2008-026
DATE(S) ISSUED:
7/8/2008
SUBJECT:
Vulnerabilities in Multiple Vendors' DNS Implementations May Allow For Cache Poisoning
OVERVIEW:
Domain Name System (DNS) is an essential core service that translates a
name, such as the host name in a web address or the domain in an email
address, to the numeric IP address computers need to communicate. Two
vulnerabilities have been discovered in multiple vendors' DNS implementations
that may allow an attacker to poison a resolver's cache and redirect users,
without their knowledge, from trusted web sites to a malicious web site.
Affected vendors include Microsoft, Cisco, Juniper, and Internet Systems Consortium (ISC). Be advised that this may not be a complete list.
SYSTEMS AFFECTED:
- Microsoft Windows 2000 Server SP4
- Microsoft Windows XP SP2
- Microsoft Windows XP SP3
- Microsoft Windows Server 2003 SP1
- Microsoft Windows Server 2003 SP2
- Microsoft Windows Server 2003 x64 Edition
- Microsoft Windows Server 2003 x64 Edition SP2
- BIND 9.3, 9.4, & 9.5 (note - this will affect multiple Unix and Linux variants)
- Juniper network firewalls running ScreenOS software
- J-series routers running JUNOS Enhanced Services Software (junos-jsr) built prior to May 23, 2008
- Juniper switching products running JUNOS Enhanced Switching Software (junos-ex) built prior to May 23, 2008
- Multiple Cisco products that utilize DNS resolution, as either a server or a client (refer to the Cisco link in the "References" section below)
- Additional products may be affected (unconfirmed at this time)
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
DESCRIPTION:
Multiple Domain Name System (DNS) implementations fail to use enough
randomization when selecting the UDP source ports and 16-bit transaction IDs
of the queries they send. A resolver accepts the first response whose
destination port, transaction ID and question match an outstanding query, so
an attacker who can predict those values can send specially-crafted DNS
responses to an affected DNS client or server before the legitimate answer
arrives, poison the DNS cache, and redirect users to arbitrary hosts.
Microsoft is working with a number of other vendors to release simultaneous
patches for all DNS servers and clients. Please refer to the References
section below for additional information on affected vendors.
Affected vendors include Microsoft, Cisco, Juniper, and Internet Systems Consortium (ISC) BIND. Be advised that this may not be a complete list, and we will update this advisory as additional details become available.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Install appropriate vendor patches as soon as they become available, after appropriate testing.
- After patching, verify that queries leaving the resolver actually use random source ports as seen from outside the network; a firewall or NAT device between the resolver and the Internet can rewrite them back into a predictable sequence and undo the fix.
- Monitor network traffic for anomalous DNS traffic patterns, such as large numbers of responses for the same name carrying different transaction IDs, or responses arriving for queries that were never sent.
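The following script is an added example and is not part of the MS-ISAC advisory or any vendor's tooling. It shows the two checks the description and recommendations above call for: measuring how much randomization a resolver really puts into the UDP source port and transaction ID of its outbound queries (a counter-style ID can have high entropy yet be fully predictable, so sequence is checked as well), and flagging bursts of inbound responses that carry many different transaction IDs for the same name, which is what an attacker guessing the ID looks like on the wire. The query and response records are constructed stand-ins for fields you would pull from a packet capture, and the thresholds (90% of the entropy ceiling, 50% sequential steps, 8 IDs per name) are assumptions, not values from the advisory.

```python
"""Added example, not from the MS-ISAC advisory: checks a resolver operator
can run over a capture of their own DNS traffic.  Sample data is constructed;
thresholds are assumptions."""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy_bits(values):
    """Entropy in bits of the empirical distribution of `values`.
    n samples can show at most log2(n) bits, so capture enough queries."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def sequential_fraction(values):
    """Share of consecutive samples that step by exactly +1 (mod 2^16).
    Near 1.0 means the field is a counter: it can look high-entropy yet be
    predicted by anyone who observes one query."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) & 0xFFFF == 1)
    return steps / (len(values) - 1)


def assess_randomization(queries, min_fraction=0.9, max_sequential=0.5):
    """queries: list of (udp_source_port, txid) for one resolver's outbound
    queries.  A field is weak if its entropy is below min_fraction of the
    ceiling log2(n) or if it is mostly sequential (assumed thresholds)."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    ceiling = math.log2(len(queries))
    result = {
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_bits": shannon_entropy_bits(ports),
        "txid_bits": shannon_entropy_bits(txids),
        "port_sequential": sequential_fraction(ports),
        "txid_sequential": sequential_fraction(txids),
    }
    # An attacker must match both fields, so the work factor adds up.
    result["effective_bits"] = result["port_bits"] + result["txid_bits"]
    result["weak"] = (
        result["port_bits"] < min_fraction * ceiling
        or result["txid_bits"] < min_fraction * ceiling
        or result["port_sequential"] > max_sequential
        or result["txid_sequential"] > max_sequential
    )
    return result


def detect_reply_floods(replies, max_txids_per_query=8):
    """replies: list of (udp_dst_port, txid, qname) for responses arriving at
    the resolver.  One query draws one answer; many answers with different
    transaction IDs for the same (qname, port) means someone is brute-forcing
    the ID.  Returns {(qname, port): distinct_txid_count} for every pair over
    the (assumed) threshold."""
    seen = defaultdict(set)
    for port, txid, qname in replies:
        seen[(qname, port)].add(txid)
    return {k: len(v) for k, v in seen.items() if len(v) > max_txids_per_query}


# --- constructed sample data (not a real capture) ---------------------------
N = 2048
# The weakness this advisory describes: every query leaves from UDP port 53
# and the transaction ID is a plain counter.
WEAK_QUERIES = [(53, (0x1000 + i) & 0xFFFF) for i in range(N)]
# A patched resolver: random ephemeral port and random 16-bit ID per query.
_rng = random.Random(2008)
PATCHED_QUERIES = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                   for _ in range(N)]
# One genuine answer, then a burst of spoofed answers for a single name, each
# carrying a different guessed ID, all aimed at the weak resolver's port 53.
SAMPLE_REPLIES = [(53, 0x2A3F, "www.example.com")] + [
    (53, guess, "a1.example.com") for guess in range(500)]

if __name__ == "__main__":
    for label, qs in (("weak", WEAK_QUERIES), ("patched", PATCHED_QUERIES)):
        r = assess_randomization(qs)
        print(f"{label}: ports={r['distinct_ports']} txids={r['distinct_txids']} "
              f"effective_bits={r['effective_bits']:.1f} weak={r['weak']}")
    for (qname, port), n in detect_reply_floods(SAMPLE_REPLIES).items():
        print(f"possible poisoning attempt: {n} distinct IDs for {qname} -> port {port}")
```

Run it on records extracted from a capture taken outside any NAT or firewall, not on the resolver itself, so that the ports it reports are the ones an attacker would see. The weak resolver scores 0 bits on the port and a fully sequential ID; the patched one approaches the 11-bit ceiling that 2048 samples can show on each field, and in practice a 16-bit random port plus a 16-bit random ID pushes the attacker's guess space to roughly 2^32 per attempt window.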
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
ISC:
http://www.isc.org/sw/bind/bind-security.php
Cisco:
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml
US-CERT:
http://www.kb.cert.org/vuls/id/800113
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1454
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
