Thu 20 Nov 2008

Edited by Paul Hales

Published by Incisive Media Investments Ltd.


DNS security hole details leak out

Speculation confirmed

TECHNICAL DETAILS about a flaw in the Internet's Domain Name System (DNS) that still exists on some networks were injudiciously confirmed in a security firm's blog on Monday.

Security researcher Dan Kaminsky had discovered the DNS vulnerability several months ago and worked with major software vendors to devise and disseminate a patch.

Kaminsky is the director of network penetration testing at the security firm IOActive. The systemic weakness he found in the DNS protocol exposes unpatched caching name servers to cache poisoning, which in turn enables malicious activities such as phishing and the propagation of viruses, trojans and bot infections.

Kaminsky had planned to keep the precise nature of the DNS vulnerability secret until next month's Black Hat conference in Las Vegas to give network administrators additional time to apply software upgrades to patch the flaw. Monday's leak foreclosed that grace period.

Halvar Flake, CEO of Zynamics and a reverse engineering expert, posted speculation about the technical nature of the DNS vulnerability on his blog.

Shortly thereafter, and in response to Flake's blog post, the security software development firm Matasano Security, which through its work was privy to the technical definition of the DNS flaw, posted confirmation on its company blog that Flake's speculation was accurate.

When it realised what it had done, Matasano removed its blog post, but not before Google had captured and saved it in its search results. As Matasano itself said, "The cat is out of the bag."

In reaction to finding out about the premature disclosure, Kaminsky posted on his own blog, "Patch. Today. Now." µ

See Also
DNS Bug alive and kicking down under
DNS hole patched - for now

Comments

not new

This is a spoofing attack based on configurations where the SOURCE port of the DNS server reply is fixed rather than randomised.

Since you have to implement the fixed source port configuration then the exploit really is a bit of a non-entity.

For bind on Linux comment out this option:

// query-source address * port 53;

For windows servers which are also vulnerable:

-no wait- who is dumb enough to run a windows server straight on the net??

On Linux you can test how good your implementation is with this command:

dig +short porttest.dns-oarc.net TXT

For windows:
- who cares...

Hope this helps!

posted by : 99flake, 22 July 2008
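The comment above turns on one question: does the resolver send every query from the same UDP source port, or from an unpredictable one? With a fixed port an off-path attacker only has to guess the 16-bit transaction ID; with a well-randomised port the guess space grows to roughly 32 bits. The script below is an added example, not code from the article or from the commenter, and it is not how porttest.dns-oarc.net works internally. It takes a batch of source ports observed on a resolver (the three sample batches are constructed inline) and rates them; the entropy ceiling, the 0.9 ratio and the 4096 span threshold are this example's own choices.

```python
"""Rate how random a resolver's UDP source ports look, from observed samples.

Added example (not from the article or its commenters).  Feed it the source
ports a resolver used for a batch of outgoing queries and it reports whether
an off-path attacker has to guess 16 bits (TXID only, fixed port) or closer
to 32 bits (TXID plus a well-randomised port).  Thresholds are illustrative.
"""
import math
import random
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is always 16 bits


def shannon_bits(samples):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in Counter(samples).values())


def is_sequential(ports):
    """True if every successive port differs by the same non-zero step."""
    if len(ports) < 3:
        return False
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return len(steps) == 1 and 0 not in steps


def analyse_source_ports(ports):
    """Return a dict describing how predictable the sampled source ports are."""
    ports = list(ports)
    if not ports:
        raise ValueError("need at least one sampled port")
    distinct = len(set(ports))
    entropy = shannon_bits(ports)
    # A sample of n values can show at most log2(n) bits of entropy, so the
    # observed entropy is judged against that ceiling, not against 16 bits.
    ceiling = math.log2(len(ports))
    sequential = is_sequential(ports)
    span = max(ports) - min(ports)
    if distinct == 1 or sequential:
        rating = "POOR"   # fixed or predictable: attacker guesses the TXID only
    elif ceiling > 0 and (entropy < 0.9 * ceiling or span < 4096):
        rating = "FAIR"   # randomised, but from a narrow or skewed range
    else:
        rating = "GOOD"
    effective_port_bits = 0.0 if rating == "POOR" else entropy
    return {
        "samples": len(ports),
        "distinct": distinct,
        "entropy_bits": round(entropy, 2),
        "sequential": sequential,
        "span": span,
        "rating": rating,
        # Rough size of the space an off-path attacker must guess per race.
        "guess_space_bits": round(TXID_BITS + effective_port_bits, 2),
    }


# Constructed samples, not real measurements:
FIXED_PORT = [53] * 100                 # what "query-source ... port 53;" produces
SEQUENTIAL = list(range(1024, 1124))    # an allocator handing out ports in order
_rng = random.Random(2008)
RANDOMISED = [_rng.randint(1024, 65535) for _ in range(100)]


def main():
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("randomised", RANDOMISED)):
        r = analyse_source_ports(sample)
        print(f"{name:11s} rating={r['rating']:4s} entropy={r['entropy_bits']:5.2f} bits "
              f"attacker guess space ~2^{r['guess_space_bits']}")


if __name__ == "__main__":
    main()
```

To collect real samples, capture the resolver's outgoing queries (for example with `tcpdump -n udp dst port 53` on the resolver host) and pass the UDP source ports to `analyse_source_ports`. Note that the sequential batch scores high on raw entropy but is still rated POOR: an attacker who can observe one port can predict the next, so distinct values alone are not evidence of randomisation.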

Achilles Heel

"In reaction to finding out about the premature disclosure, Kaminsky posted on his own blog, "Patch. Today. Now.""

QuITe, but Patch with WwwHat? And the Vulnerability may not BPatchable. That would then Require a ReBoot with New Drivers and a Virgin System.

What Patch has been Provided?
posted by : amanfromMars, 22 July 2008

open or closed?

If it was a specific closed source program, then fine... tell the vendor, publicize that something was found...wait a while, then full disclosure at a hacker con. When it's OPEN source, as soon as there is a patch, the cat's out of the bag period.

So when the problem is with open and closed software, you can either disclose the whole thing (everyone has same start and races to fix...) or inform the closed vendors first, then wait (responsible disclosure?), and piss off the open vendors (hey, we were vulnerable!)

He tried the hybrid approach, inform the closed guys and open guys, and beg the open guys to act like closed guys. Probably pissing off the small guys, who were not in his list of cool people to get the patch.
posted by : Bounty, 22 July 2008

So...

So, The Inquirer wrote exactly THIS because...? You wanted to inform MORE script idiots about it?

Good work..

@ amanfromMars

Don't smoke and browse the web. Please?
posted by : Sambucus Nigra, 22 July 2008

This is it?

If this really is the problem that Dan Kaminsky was talking about, then it only took him about 8 years longer than DJB to figure it out. I distinctly remember DJB mentioning this in one of his rants about gluelessness around 2000 or so. Of course, DJB being DJB, no one took any notice of him :) The response back then was that DNSSEC would take care of it.

While it's good that there's been some progress towards making DNS spoofing harder, I've got to wonder if Kaminsky actually came up with it on his own or whether he just came across DJB's post about it.
posted by : Cynic, 23 July 2008