
CERT-In Advisory CIAD-2008-35
Cache poisoning vulnerability in multiple DNS implementations

Original issue date: July 11, 2008

Severity Rating: Medium

Systems Affected

  • Multiple DNS implementations acting as caching DNS resolvers and DNS stub resolvers

Overview

A vulnerability has been reported in common DNS implementations that makes DNS cache poisoning attacks easier to carry out.

Description

The Domain Name System (DNS) is one of the industry-standard suite of protocols that make up TCP/IP. The DNS database contains records that map user-friendly alphanumeric names of network resources to the IP addresses those resources use for communication.

DNS cache poisoning is the injection of false information into the caches of the DNS system so that future requests are diverted to a rogue site.

Successful exploitation of a cache poisoning attack can cause a DNS server's clients to contact rogue and possibly malicious hosts. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control.

The issue lies in the design of DNS and is not limited to any single product. Products that do not implement DNS server functionality are not vulnerable to cache poisoning attacks.

The latest versions of the following DNS software are not vulnerable to this issue:

  • Simple DNS Plus by JH Software
  • OpenDNS
  • PowerDNS

Other vendors whose products implement DNS functionality and are vulnerable to this issue are releasing their respective patches or fixes. Information on the patches or fixes released by the different vendors is given in the Solutions section.


Workarounds

  • Disable recursion if it is not required.
  • If recursion is necessary, restrict the sources that may request recursion.
  • Filter spoofed addresses at the network perimeter using anti-spoofing techniques such as Unicast Reverse Path Forwarding (uRPF).
  • Consider deploying DNSSEC.
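The first two workarounds, shown as BIND 9 named.conf fragments. This is an added example and not part of the advisory; the 192.0.2.0/24 prefix is a documentation range standing in for the site's own client networks, and the "before" and "after" blocks are two alternative files, not one configuration.

```conf
// Added example (not from the CERT-In advisory): BIND 9 options for a
// caching resolver, weak setting first, corrected setting second.
// 192.0.2.0/24 is an assumed placeholder for the site's client networks.

// ---- named.conf, BEFORE: open recursive resolver ----
// Anyone on the Internet can ask this server to recurse, so anyone can
// trigger the lookups that a poisoning attempt needs. Pinning the
// outbound query port also removes the source-port entropy that the
// vendor patches for this issue depend on.
options {
    directory "/var/named";
    recursion yes;                       // no allow-recursion restriction
    query-source address * port 53;      // fixed source port: avoid this
};

// ---- named.conf, AFTER: recursion only for trusted clients ----
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;                        // assumed internal client range
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };        // workaround 2: refuse others
    allow-query-cache { trusted; };      // outsiders get no cached answers
    // query-source is deliberately omitted, so a patched named chooses a
    // random ephemeral port for each outbound query ("port *" behaviour).
    // dnssec-validation yes;            // workaround 4, once trust anchors
                                         // for the relevant zones are set up
};

// ---- named.conf, authoritative-only server (workaround 1) ----
// A server that only answers for its own zones should not recurse at all.
// options {
//     directory "/var/named";
//     recursion no;
// };
```

After reloading, confirm the change from an untrusted address: a recursive query for a name outside the server's own zones should be answered with REFUSED rather than an answer.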

Solutions

Apply the appropriate patches or fixes released by the respective vendors at both the server and the client level.

BIND
http://www.isc.org/index.pl?/sw/bind/bind-security.php

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

Cisco
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml

Debian
http://www.debian.org/security/2008/dsa-1603
http://www.debian.org/security/2008/dsa-1604
http://www.debian.org/security/2008/dsa-1605

Ubuntu
http://www.ubuntu.com/usn/usn-622-1

Red Hat
http://rhn.redhat.com/errata/RHSA-2008-0533.html

Sun Microsystems
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239392-1

Nominum Software
http://www.nominum.com/asset_upload_file741_2661.pdf

References

US-CERT
http://www.kb.cert.org/vuls/id/800113
http://www.us-cert.gov/cas/techalerts/TA08-190B.html
http://www.us-cert.gov/current/index.html#dns_implementations_vulnerable_to_cache

ISS
http://xforce.iss.net/xforce/xfdb/43334

CVE-Name
CVE-2008-1447

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003