Massive Internet Security Flaw Uncovered

Massive Internet Security Flaw Uncovered

www.latimes.com

Security researchers on Tuesday said they had discovered an enormous flaw that could let hackers steer most people using corporate computer networks to malicious websites of their own devising.

"This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more."

(visit the link for the full news article)

Apparently, big ones like Microsoft Corp. and Sun Microsystems Inc. are all working on patches to fix this vital flaw. Though they say that no criminals have yet to utilize this hole, it is rather alarming that somebody was able to find it in a few hours and that it was a flaw inherent in most major corporate networks. If this hole was found, what others are out there?

The last comment made by Dan Kaminsky, employee of the security firm IOActive Inc. that found the problem, was rather alarming.

The integrity of the Web and e-mail? And more? What exactly is this guy talking about?

www.latimes.com
(visit the link for the full news article)

More detail from CVE:

The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via certain cache poisoning techniques against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability."

There also links there to security bulletins and patches from various vendors.

Essentially, DNS is the protocol that translates from an internet name (like www.abovetopsecret.com) into a number (like 75.126.76.151). It does this by communicating special packets of data between your computer and a central 'domain name server'. In these packets, there's a 'Query ID' field, that's only 16-bits wide. That means that a number 0-65535 uniquely identifies the request. Turns out the numbers, by the standard protocol, are allocated in a way that can be guessed beforehand, allowing someone to inject a fake packet with the correct Query ID, and mapping an internet name to the incorrect number (spoofing).

The patch I just installed for Ubuntu avoids that possibility by applying more randomization to the Query ID field; other vendor's patches should be available soon.

reply to post by Ian McLean


Thank you for the explanation!

If somebody is able to guess the numbers beforehand, how come this has not been done/used before? What does it take to guess the numbers?

And also, if this information is out and the patches has yet to be distributed, couldn't somebody use this information before the fix? Pardon my ignorance of computers if this is an obvious question

[edit on 9-7-2008 by astronomine]

reply to post by astronomine


They're keeping that sorta hush-hush right now, for obvious reasons. With these things, there's usually a 30-day grace period for vendors to fix the problem before the exact specifics are released.

Obligatory ATS spin: The biggest security flaw with the Internet is the fact that it's an internet.

Looked into this a little more... wondering if this is a problem for client (end-user) machines or not. Eg, can the spoofing be individually targeted?

See, my initial summary was slightly too simplified. Rather than a 'central' name server, there's actually hierarchies of domain name servers that process name-to-number requests. For example, there might be one inside your company's network, that connects to one at the ISP, that connects to the network of centrally-managed DNS servers.

Each of these layers of servers 'cache' the results of name-to-number requests, so they don't have to keep passing the same request up the chain. The exploit is a combination of 'cache-pollution' attacks that invalidate those caches so requests are re-issued, and a packet-spoofing technique to insert invalid (redirected) name-to-number results.

So, is this packet spoofing only applicable between different layers in the DNS hierarchy (server-to-server), or can it also be applied to individual client results (client-to-server)? Anyone know? Regardless, just patching your local machine isn't enough.

Go to IOActive. Read Kaminsky's work. Read between the lines. think "vector". Won't say more.

Originally posted by Ian McLean
Looked into this a little more... wondering if this is a problem for client (end-user) machines or not. Eg, can the spoofing be individually targeted?

The chances of that are very slim. Unless they have and use their own DNS server and it gets poisoned, instead of an ISP's or public/open DNS server, I don't see how can someone can be individually targeted.

So, is this packet spoofing only applicable between different layers in the DNS hierarchy (server-to-server), or can it also be applied to individual client results (client-to-server)? Anyone know?

The target of this are obviously DNS servers. The clients will get 'contaminated' once they ask the DNS server to resolve something that happens to be poisoned on that DNS server.

Regardless, just patching your local machine isn't enough.

Yeah. If you patch your local machine but the DNS servers you use don't get patched, and get poisoned, the patch on your local machine won't do you any good.

I'm guessing that the patch for client machines (people not running DNS servers) is just so that the resolver (DNS client) uses the new techniques (stronger DNS Query IDs & random UDP port queries) when contacting DNS servers, but the crucial thing is patching DNS servers.

This vulnerability was discovered back in March as indicated by the CVE.

Phase - Assigned (20080321)

Microsoft released a patch yesterday.

Cisco also released a patch yesterday.

Most server & network admins automate the patch/update process.




[edit on 7/9/08 by makeitso]

Originally posted by astronomine
If this hole was found, what others are out there?

Oh I guarantee there are at least tens of thousands of more security holes to be discovered, especially in windows based servers and software.

Security holes are found almost daily in windows software. Luckily, the anti-virus and firewall companies usually find them first.

Funny how security companies stay in business because of the security issues with windows.


This is why I certainly don't look forward to windows native firewalls taking over where private firms used to control. I really don't think Microsoft is up to the task.

Originally posted by johnsky
Oh I guarantee there are at least tens of thousands of more security holes to be discovered, especially in windows based servers and software.

This one is more serious because the flaw is in the DNS protocol, affecting all operating systems in essence.

But this sort of attack, DNS poisoning, is not new. It has been around since 1990 basically. After that they addressed it and plenty of fixes were introduced in BIND and other DNS servers, but should have modified the protocol altogether at that time to fix it permanently.

Luckily, the anti-virus and firewall companies usually find them first.
Funny how security companies stay in business because of the security issues with windows.

You bring up an interesting point.

Many people say the companies that develop the anti-virus applications are also engaged in developing news virus and worms, to keep the business going and justify updates.