Secrecy and the DNS flaw
By Jake Edge
July 9, 2008
By now, most folks will have seen reports of the design flaw discovered in DNS as
it has seen fairly widespread coverage, even in the non-technical press.
It is rare to see such a coordinated disclosure and security update amongst
that many of the big players in the computer industry. While fixes abound,
the actual problem has yet to be disclosed, which has both positives and
negatives.
Responsible disclosure policies dictate that vulnerabilities be kept secret
until all affected vendors can create an update. Because this flaw is in
the design of DNS, most implementations were affected. This still doesn't
quite explain the roughly six months between the discovery of the problem
and the release of the fix. Evidently it took a meeting of the minds at
the Microsoft campus in March to decide upon the right course of action.
Once the fixes were done, presumably they were released on the next "patch
Tuesday"—Microsoft's monthly security update day.
Normally, once fixes are available, information about the vulnerability is
released. But, for a number of reasons, that has not happened in this
case. One of the main reasons is that DNS is an essential internet service
and it will take time for affected users to patch their systems. In
addition, there have been no reports of this flaw being exploited "in the
wild", reducing the pressure to divulge it.
Security researcher Dan Kaminsky discovered the flaw, and he has yet another, "blatantly selfish"
reason for keeping it quiet: he would like to be able to announce it at Black Hat in Las Vegas in early August:
While I'm out there, trying to get all these bugs scrubbed — old and new —
please, keep the speculation off the public forums and IRC channels. We're
a curious lot, and we want to know how things break. But the public needs
at least a chance to deploy this fix, and from a blatantly selfish
perspective, I'd kind of like my thunder not to be completely stolen in
Vegas.
None of these seem like horrible reasons to keep the vulnerability quiet
for a time (roughly 30 days), but they do leave some DNS implementations
and worried administrators without the information they need to evaluate
the situation. Administrators do not know what traffic patterns or
other symptoms to look for to determine if exploits are being attempted.
Smaller, less prominent DNS implementations were not included in the
collaboration, thus they don't have enough information to decide whether
they are vulnerable or not.
A perfect example is Dnsmasq, a lightweight DNS server for smaller networks.
Dnsmasq is often used in embedded Linux distributions targeted at home
wireless routers. Simon Kelley, the Dnsmasq developer, was asked about the
vulnerability; his response speaks volumes:
I wasn't contacted in advance about this, and no patch for dnsmasq has
been released. Since the exact nature of the new vulnerability has not
(as far as I know) been announced, I don't know if dnsmasq is vulnerable.
Kelley has since released a patched version, but it is still unknown whether
it is needed or, really, if it even fixes the problem. It is difficult to
know for sure that a security hole has been closed if information about the
hole is not available. This points to the problems that can come from
withholding vulnerability information.
Based on the patches and some information from Kaminsky and others, it is
clear that this is a cache poisoning vulnerability. Since source port
randomization is the change that was applied to alleviate, but not
eliminate, the flaw, we can surmise that Kaminsky found a way to reduce the
number of spoofed replies that need to be sent to something tractable.
According to the Internet Systems Consortium, developers of the BIND DNS
server, the only true solution is DNSSEC, which implies that the current
fixes only make cache poisoning less likely, not impossible.
Source port randomization is a technique that has been advocated by Daniel
J. Bernstein (djb) for many years; he implemented it in his djbdns name
server long ago. Essentially, the name server chooses a random UDP source
port for each query it makes, so an attacker must correctly predict the
source port in addition to the transaction ID before a forged reply will be
accepted into the cache.
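As an added illustration (not code from the article or from any DNS implementation), the following script grades a resolver's source-port behaviour from a list of UDP source ports observed on its outbound queries, and estimates how many bits an off-path spoofer would have to guess per forged reply. The port sequences are constructed samples and the grade labels are this example's own heuristic.

```python
import math

# Constructed sample sequences of UDP source ports seen on a resolver's
# outbound queries (as one might pull from a packet capture); not real data.
FIXED_PORTS = [53] * 20                       # always the same port
SEQUENTIAL_PORTS = list(range(32768, 32788))  # incrementing by one
RANDOM_PORTS = [49213, 2071, 61788, 10544, 33019, 58231, 7109, 44902,
                19670, 62455, 3812, 27336, 51498, 15987, 40071, 9523,
                57644, 23190, 36825, 64301]

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field


def is_sequential(ports):
    """True when every port is exactly the previous port plus one."""
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


def classify(ports):
    """Heuristic grade (this example's own labels) for port randomization."""
    distinct = len(set(ports))
    if distinct <= 1:
        return "FIXED"
    if is_sequential(ports):
        return "SEQUENTIAL"
    if distinct < len(ports):   # repeats within a short sample
        return "WEAK"
    return "RANDOM"


def guess_bits(ports):
    """Bits a spoofer must match per forged reply: the 16-bit transaction ID
    plus whatever unpredictability the source port adds. A fixed or
    sequential port is predictable and adds nothing."""
    if classify(ports) in ("FIXED", "SEQUENTIAL"):
        return float(TXID_BITS)
    # Rough estimate: treat the ports as drawn uniformly over the observed span.
    span = max(ports) - min(ports) + 1
    return TXID_BITS + math.log2(span)


def report(ports):
    """Summarise a sample as (grade, bits to guess, size of the guess space)."""
    bits = guess_bits(ports)
    return classify(ports), round(bits, 2), int(2 ** bits)


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)]:
        print(name, report(sample))
```

A resolver that grades FIXED or SEQUENTIAL leaves only the 16-bit transaction ID between an attacker and the cache, which is the situation the patches are meant to remove.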
While the market share of Dnsmasq may be minuscule, there are certainly
other DNS implementations that are also affected by this concern. In
addition, we are relying on those who are "in the know" to be on the lookout
for suspicious traffic that might indicate the vulnerability being
exploited. Kaminsky is certainly under no obligation to reveal anything, but
one wonders if the safest course would have been for him to provide details
now, even at the expense of his "thunder".
Security news
Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)
Dan Kaminsky has found a flaw in the design of DNS that can allow cache poisoning, as an article at Securosis.com details. This has led to a CERT advisory as well as a coordinated release of patched DNS servers from all affected vendors. Evidently source port randomization is helpful in alleviating the problem. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible." That last claim seems rather strong; time will tell, but it makes sense to be prepared to upgrade affected servers as soon as distributions make them available.
Mozilla Foundation developing a model for a security metric (heise online)
An article at heise online describes Mozilla's new security metrics project, which is an attempt to measure the relative security of Firefox. "One of the main factors cited is how long Firefox users are exposed to a threat while a hole remains unpatched. The developers say they want to use the security metric derived from the results to identify any problematic stage in the development and patch process."
New vulnerabilities
bind9: DNS cache poisoning
| Package(s): | bind9 |
| CVE #(s): | CVE-2008-1447 |
| Created: | July 8, 2008 |
| Updated: | February 16, 2009 |
| Description: | From the Debian advisory: Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. |
| Alerts: | |
glib2: buffer overflow
| Package(s): | glib2 |
| CVE #(s): | CVE-2008-2371 |
| Created: | July 3, 2008 |
| Updated: | January 22, 2009 |
| Description: | The glib2 library has a heap-based overflow that is caused by incorrect option handling in pcre. |
| Alerts: | |
jetty: multiple vulnerabilities
| Package(s): | jetty |
| CVE #(s): | CVE-2007-5615, CVE-2007-5614, CVE-2007-5613 |
| Created: | July 7, 2008 |
| Updated: | February 17, 2009 |
| Description: | From the Red Hat bugzilla: For CVE-2007-5613: "Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies." For CVE-2007-5614: "Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors." For CVE-2007-5615: "CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors." |
| Alerts: | |
linuxdcpp: denial of service
| Package(s): | linuxdcpp |
| CVE #(s): | CVE-2008-2953, CVE-2008-2954 |
| Created: | July 3, 2008 |
| Updated: | December 9, 2008 |
| Description: | From the Red Hat bug report: CVE-2008-2953: Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via "partial file list requests" that trigger a NULL pointer dereference. CVE-2008-2954: client/NmdcHub.cpp in Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via an empty private message, which triggers an out-of-bounds read. |
| Alerts: | |
mercurial: unauthorized access
| Package(s): | mercurial |
| CVE #(s): | CVE-2008-2942 |
| Created: | July 3, 2008 |
| Updated: | July 18, 2008 |
| Description: | From the National Vulnerability Database: Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file. |
| Alerts: | |
openldap: denial of service
| Package(s): | openldap |
| CVE #(s): | CVE-2008-2952 |
| Created: | July 3, 2008 |
| Updated: | October 17, 2008 |
| Description: | From the National Vulnerability Database: liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams, which triggers an assertion error. |
| Alerts: | |
php: multiple vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2007-1649, CVE-2008-2107, CVE-2008-2108, CVE-2008-2829 |
| Created: | July 4, 2008 |
| Updated: | June 1, 2009 |
| Description: | From the CVE entries: PHP 5.2.1 allows context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with S:, which does not properly track the number of input bytes being processed. (CVE-2007-1649) The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed. (CVE-2008-2107) The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions. (CVE-2008-2108) php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message. (CVE-2008-2829) |
| Alerts: | |
phpMyAdmin: cross-site scripting
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2008-2960 |
| Created: | July 7, 2008 |
| Updated: | February 2, 2009 |
| Description: | From the NVD entry: Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/. |
| Alerts: | |
pidgin: buffer overflow
| Package(s): | Pidgin |
| CVE #(s): | CVE-2008-2927 |
| Created: | July 9, 2008 |
| Updated: | June 2, 2009 |
| Description: | The MSN protocol handler in pidgin contains an integer overflow vulnerability. |
| Alerts: | |
poppler: memory management bug
| Package(s): | poppler |
| CVE #(s): | CVE-2008-2950 |
| Created: | July 9, 2008 |
| Updated: | September 12, 2008 |
| Description: | Poppler (prior to version 0.6.3-r1) contains "a memory management issue" which can be exploited (via a specially crafted PDF file) to run arbitrary code. |
| Alerts: | |
ruby: directory traversal vulnerability
| Package(s): | ruby |
| CVE #(s): | CVE-2008-1891 |
| Created: | July 3, 2008 |
| Updated: | October 10, 2008 |
| Description: | From the National Vulnerability Database: Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. |
| Alerts: | |
ruby: integer overflow
| Package(s): | ruby |
| CVE #(s): | CVE-2008-2376 |
| Created: | July 3, 2008 |
| Updated: | December 17, 2008 |
| Description: | Ruby has an integer overflow vulnerability in the rb_ary_fill() function. |
| Alerts: | |
sipp: buffer overflows
| Package(s): | sipp |
| CVE #(s): | CVE-2008-2085 |
| Created: | July 9, 2008 |
| Updated: | July 9, 2008 |
| Description: | The sipp tool suffers from multiple buffer overflows which enable denial of service attacks and possible remote code execution vulnerabilities. |
| Alerts: | |
squid: denial of service
| Package(s): | squid |
| CVE #(s): | CVE-2004-0918 |
| Created: | July 3, 2008 |
| Updated: | July 9, 2008 |
| Description: | From the National Vulnerability Database: The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that causes a memory allocation error. |
| Alerts: | |
vsftpd: denial of service
| Package(s): | vsftpd |
| CVE #(s): | CVE-2008-2375 |
| Created: | July 9, 2008 |
| Updated: | July 30, 2008 |
| Description: | Another denial of service vulnerability based on a memory leak has been found in vsftpd; this one is exploitable by way of invalid authentication attempts. |
| Alerts: | |
webkit: memory corruption
| Package(s): | WebKit |
| CVE #(s): | CVE-2008-2307 |
| Created: | July 9, 2008 |
| Updated: | November 24, 2008 |
| Description: | WebKit suffers from a memory corruption issue in its JavaScript array handling code, leading to denial of service problems and the potential for remote code execution. |
| Alerts: | |
Page editor: Jake Edge