MS-ISAC ADVISORY NUMBER:
2008-026 Updated

DATE(S) ISSUED:
7/8/2008
7/22/2008 - Updated

SUBJECT:
Vulnerabilities in Multiple Vendors' DNS Implementations May Allow For Cache Poisoning

ORIGINAL OVERVIEW:

Domain Name System (DNS) is an essential core service that translates a name, such as a web site or email address, into the numeric address computers need to communicate. Two vulnerabilities have been discovered in multiple vendors' DNS implementations that may allow an attacker to redirect users, without their knowledge, from trusted web sites to a malicious web site.

Affected vendors include Microsoft, Cisco, Juniper, and Internet Systems Consortium (ISC). Be advised that this may not be a complete list.

UPDATED OVERVIEW:
Technical details about how to exploit these vulnerabilities have been publicly released on the Internet. As a result of the increased potential for attacks, we recommend that all organizations immediately review their DNS infrastructure and apply the necessary patches and workarounds after appropriate testing. Successful attacks may result in web browsing, email, and other network traffic initiated by your organization's users being redirected to malicious destinations. This could lead to the disclosure of sensitive information to unauthorized parties.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 Server SP4
  • Microsoft XP Service Pack 2
  • Microsoft XP Service Pack 3
  • Microsoft Windows 2003 SP 1
  • Microsoft Windows 2003 SP 2
  • Microsoft Windows 2003 x64 edition
  • Microsoft Windows 2003 x64 edition SP2
  • BIND 9.3, 9.4, and 9.5 (note: this affects multiple Unix and Linux variants)
  • Juniper network firewalls running ScreenOS software
  • J-series routers running JUNOS Enhanced Services Software (junos-jsr) built prior to May 23, 2008
  • Juniper switching products running JUNOS Enhanced Switching Software (junos-ex) built prior to May 23, 2008
  • Multiple Cisco products that utilize DNS resolution, as either a server or a client (refer to Cisco link in the "References" section below)
  • Additional products may be affected (unconfirmed at this time)

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
Multiple Domain Name System (DNS) implementations fail to use enough randomization when selecting UDP source ports and transaction IDs. This allows a malicious user to send specially crafted DNS packets to an affected DNS client or server, poison the DNS cache, and redirect users to arbitrary hosts. Microsoft is working with a number of other vendors to release simultaneous patches for all DNS servers and clients. Please refer to the References section below for additional information on affected vendors.

Affected vendors include Microsoft, Cisco, Juniper, and Internet Systems Consortium (ISC) BIND. Be advised that this may not be a complete list, and we will update this advisory as additional details become available.

UPDATED DESCRIPTION:
Technical details about how to exploit these vulnerabilities have been publicly released on the Internet. As a result of the increased potential for attacks, we recommend that all organizations immediately review their DNS infrastructure and apply the necessary patches and workarounds after appropriate testing. Successful attacks may result in network traffic being intercepted or modified.

Multiple sources have reported that certain Network Address Translation/Port Address Translation (NAT/PAT) devices (such as certain firewalls) do not sufficiently randomize their source ports, and may negate the changes made by DNS server patches. Depending on your organization's DNS architecture, this may render the patches ineffective and increase the ease of attacks.
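The following Python script is an added worked example; it is not part of this advisory or of any vendor's tooling. It shows how an administrator can verify the point above on their own infrastructure: capture the resolver's outbound queries on the outside of the NAT/PAT device (what an external observer sees) and measure whether the UDP source ports and transaction IDs actually vary from query to query, rather than being reused or handed out from a counter. The host addresses, the tcpdump-style capture lines, all port and ID values, and the thresholds are constructed for illustration.

```python
import re

# Matches tcpdump-style DNS query lines such as
#   IP 192.0.2.10.53211 > 198.51.100.1.53: 40011+ A? www.example.com. (33)
# group 1 = UDP source port, group 2 = DNS transaction ID (tcpdump prints it in decimal).
QUERY_LINE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def parse_queries(lines):
    """Return (source_port, transaction_id) pairs for every line that looks like a query."""
    pairs = []
    for line in lines:
        m = QUERY_LINE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def distinct_ratio(values):
    """1.0 means every observed value differed; a single fixed port gives 1/len(values)."""
    return len(set(values)) / len(values)


def sequential_fraction(values):
    """Fraction of consecutive observations that increase by exactly one, the signature
    of a NAT/PAT device (or resolver) assigning ports or IDs from a counter."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(pairs, min_distinct=0.9, max_sequential=0.2):
    """Return a list of findings; an empty list means ports and IDs both look randomized.
    The two thresholds are assumed values suitable for a sample of a few dozen queries."""
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    findings = []
    if distinct_ratio(ports) < min_distinct:
        findings.append("source ports repeat (fixed port or small pool)")
    if sequential_fraction(ports) > max_sequential:
        findings.append("source ports increment sequentially (NAT/PAT may be rewriting them)")
    if distinct_ratio(txids) < min_distinct:
        findings.append("transaction IDs repeat")
    if sequential_fraction(txids) > max_sequential:
        findings.append("transaction IDs increment sequentially")
    return findings


def make_lines(ports, txids):
    """Constructed capture lines: resolver 192.0.2.10 querying authoritative server 198.51.100.1."""
    return ["IP 192.0.2.10.%d > 198.51.100.1.53: %d+ A? www.example.com. (33)" % (p, t)
            for p, t in zip(ports, txids)]


# Constructed sample values (16 queries each). The transaction IDs are the same in all three
# scenarios because a NAT device rewrites the source port but never the DNS ID.
RANDOM_TXIDS = [39998, 6735, 32002, 59409, 13239, 50592, 24169, 3876,
                43475, 19340, 61702, 11381, 34538, 53579, 25232, 16344]
RANDOM_PORTS = [53211, 8077, 41930, 19457, 62002, 3371, 27714, 50149,
                11890, 36604, 58321, 24713, 45098, 7756, 30217, 61345]
PATCHED_RESOLVER = make_lines(RANDOM_PORTS, RANDOM_TXIDS)
BEHIND_COUNTER_NAT = make_lines(range(1025, 1041), RANDOM_TXIDS)  # NAT rewrote ports to 1025, 1026, ...
FIXED_PORT_RESOLVER = make_lines([53] * 16, RANDOM_TXIDS)         # unpatched: one port for every query

if __name__ == "__main__":
    for label, lines in [("patched resolver", PATCHED_RESOLVER),
                         ("behind counter-style NAT", BEHIND_COUNTER_NAT),
                         ("fixed source port", FIXED_PORT_RESOLVER)]:
        print(label + ":", assess(parse_queries(lines)) or "OK")
```

Run the capture from a host outside the NAT/PAT device, since a capture on the resolver itself shows the ports before translation and will look healthy even when the device is undoing the patch. A few dozen queries are enough to expose a fixed port or a counter; a clean result on a small sample does not prove full 16-bit randomness, only that the two failure modes described above are absent.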

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

  • Install appropriate vendor patches as soon as they become available after appropriate testing.
  • Monitor network traffic for anomalous DNS traffic patterns.
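The following Python script is an added worked example, not part of this advisory, illustrating the monitoring recommendation above. It runs a simple detector over a constructed, in-memory log of a resolver's outgoing queries and incoming responses and flags a burst of responses for one name whose transaction IDs match no outstanding query, which is the traffic pattern a cache poisoning attempt leaves behind. The names, addresses, ports, IDs, timings, and alert thresholds are all constructed or assumed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 2.0    # assumed tuning: how far back to count responses for one name ...
FLOOD_THRESHOLD = 10    # ... and how many responses in that window raise an alert


def detect(events):
    """Walk a time-ordered list of resolver events; return alerts and match counters.

    Each event is a dict with t (seconds), kind ('query' or 'response'), qname, txid,
    port (the resolver's UDP source port for that query) and, for responses, src.
    """
    outstanding = set()            # (qname, txid, port) of queries still awaiting an answer
    recent = defaultdict(deque)    # qname -> arrival times of responses inside the window
    alerts, matched, unsolicited = [], 0, 0
    for e in events:
        key = (e["qname"], e["txid"], e["port"])
        if e["kind"] == "query":
            outstanding.add(key)
            continue
        # A genuine answer matches an outstanding query on name, ID and port; anything
        # else is unsolicited, which is what guessed responses look like to the resolver.
        if key in outstanding:
            outstanding.discard(key)
            matched += 1
        else:
            unsolicited += 1
        window = recent[e["qname"]]
        window.append(e["t"])
        while window and e["t"] - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) == FLOOD_THRESHOLD:   # alert when the count reaches the threshold
            alerts.append("%s: %d responses within %.1fs, latest from %s"
                          % (e["qname"], FLOOD_THRESHOLD, WINDOW_SECONDS, e["src"]))
    return {"alerts": alerts, "matched": matched, "unsolicited": unsolicited}


def sample_events():
    """Constructed event log: three ordinary lookups, then one lookup answered by a burst
    of responses carrying wrong IDs before the real answer arrives."""
    events = []
    t = 0.0
    for i, name in enumerate(["mail.example.net.", "www.example.org.", "ns1.example.com."]):
        port, txid = 30000 + i * 997, 5000 + i * 1234
        events.append(dict(t=t, kind="query", qname=name, txid=txid, port=port))
        events.append(dict(t=t + 0.02, kind="response", qname=name, txid=txid, port=port,
                           src="203.0.113.%d" % (10 + i)))
        t += 1.0
    events.append(dict(t=t, kind="query", qname="www.example.com.", txid=40011, port=53211))
    for g in range(30):   # 30 responses in 30 ms, none with the right transaction ID
        events.append(dict(t=t + 0.001 * (g + 1), kind="response", qname="www.example.com.",
                           txid=1000 + g, port=53211, src="198.51.100.77"))
    events.append(dict(t=t + 0.05, kind="response", qname="www.example.com.", txid=40011,
                       port=53211, src="198.51.100.1"))
    return events


if __name__ == "__main__":
    result = detect(sample_events())
    for line in result["alerts"]:
        print("ALERT", line)
    print("matched responses:", result["matched"], "unsolicited responses:", result["unsolicited"])
```

In practice the events would come from a packet capture or resolver query log at the resolver's network edge, and the unsolicited count is the more robust signal: a legitimate resolver sees very few responses it did not ask for, so a sustained non-zero rate from one source is worth investigating even before the per-name burst threshold is reached.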

UPDATED RECOMMENDATIONS:
We recommend that the following actions be taken:

  • Immediately review your DNS infrastructure and apply the necessary patches and workarounds after appropriate testing.
  • Do not provide authoritative DNS name services on caching DNS servers.
  • Confirm that NAT/PAT devices do not interfere with DNS server source port randomization.
  • Apply ingress and egress anti-spoofing rules at your network borders.
  • If you believe you have been affected by attacks exploiting this vulnerability, please contact us immediately.

ORIGINAL REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx

ISC:
http://www.isc.org/sw/bind/bind-security.php

Cisco:
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml

US-CERT:
http://www.kb.cert.org/vuls/id/800113

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1454

UPDATED REFERENCES:

CircleID:
http://www.circleid.com/posts/87143_dns_not_a_guessing_game

IBM:
http://blogs.iss.net/archive/morednsnat.html
http://blogs.iss.net/archive/dnsnat.html

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.