[ISN] DNS flaws put Net connected systems at risk

From: InfoSec News (isnat_private)
Date: Tue Jul 02 2002 - 02:37:28 PDT


    By Joris Evers 
    July 1, 2002 9:18 am PT
    A FLAW IN software that supports the Internet's DNS (Domain Name
    System) for translating text-based Web addresses to numeric IP
    (Internet Protocol) addresses can put Internet-connected systems at
    risk, experts warned.

    The flaw lies in two versions of the DNS resolver library, which is
    not only used in DNS servers, but also in network hardware such as
    routers and switches, said Joost Pol, a security consultant at Pine
    Internet in The Hague, Netherlands, on Monday.

    "This code was written a long time ago and distributed for free, it is
    widespread," said Pol, who wrote the first alert on the issue last
    week. "This is essential software that runs on the client and on the

    Affected are the Berkeley Internet Name Domain (BIND) DNS resolver
    library, developed by the Internet Software Consortium, and the
    Berkeley Software Distribution (BSD) DNS resolver library, according
    to an advisory released on Friday by the U.S.-based Computer Emergency
    Response Team Coordination Center (CERT/CC).

    A buffer overflow vulnerability in the libraries could allow a remote
    attacker to take over systems using the affected software by sending a
    malformed DNS response, according to CERT/CC. After a successful
    attack on a router, for example, an attacker could tap or divert
    traffic, said Pol.

    Administrators should immediately check if their systems use any of
    the vulnerable DNS resolver libraries and, if so, upgrade those, Pol
    said, adding that this is not a simple job.

    "This is living hell for an administrator," he said.

    It is not just a question of checking which systems are vulnerable --
    including server operating systems, DNS servers, e-mail servers,
    switches and routers -- and then simply applying a patch. The
    vulnerable library could be embedded in an application, which means an
    administrator has to recompile the application, said Pol.

    Only if applications dynamically link to the DNS resolver library can
    the issue be solved by just updating the library, said Pol.

    A solution suggested by CERT/CC is shielding vulnerable systems by
    setting up an additional DNS server as a gatekeeper. This local
    caching DNS server will prevent malicious DNS responses from reaching
    systems using vulnerable DNS resolver libraries by reconstructing DNS
    responses, CERT/CC said.
    Pol however feels DNS caching can only be a temporary solution.

    "There will always be a point that the additional DNS server is
    switched off, for example when a new system administrator comes in,"
    he said.

    Products that use the vulnerable DNS resolver libraries include the
    various BSD operating systems and products from Cray, Network
    Appliance and the Internet Software Consortium, according to a list
    compiled by CERT/CC.

    Microsoft says it does not use the affected libraries in its software,
    according to the list, but Pol has his doubts.

    "A lot of BSD code was used in Windows 2000, but if you believe
    Microsoft, you have no problem," he said.

    No exploit script to take advantage of the DNS resolver library flaws
    is currently in public circulation, according to Pol and various
    advisories addressing the issue. But it won't be long until computer
    crackers come up with one, Pol warned. "I think work is being done on
    exploits right now."