
IPA/ISEC:Vulnerabilities:Security Alert for DNS Cache Poisoning Vulnerability

– Let it go and you may end up leaking sensitive information and losing user confidence. Apply a security patch to the DNS server or revise its configuration now –

September 18, 2008

Information-technology Promotion Agency, Japan (IPA; Chairman: Koji Nishigaki), in response to the recent increase in reports related to DNS cache poisoning, has issued this Security Alert for DNS Cache Poisoning Vulnerability and urges all website operators to apply a security patch to their DNS server or revise its configuration as appropriate.

Various DNS server vendors issued security advisories and provided countermeasures against the DNS (Domain Name System)(*1) cache poisoning vulnerability in July 2008(*2). Following the publication of attack code exploiting this vulnerability, IPA issued an emergency notification on July 24, 2008(*3).

However, the sharply increasing volume of reports on the vulnerability suggests that many DNS servers in operation may still be left unpatched(*4).

If exploited, this vulnerability could redirect users in the affected domain to malicious websites, making them victims of financial fraud or personal information theft even though they requested the correct URL. As a result, website operators may lose user confidence and suffer financial loss.

IPA once again urges website operators and business owners to apply a security patch to their DNS server or revise its configuration as appropriate as soon as possible.

1. Reporting Status (of DNS Cache Poisoning)

As shown in Figure 1, the first report was received in the week of August 18, and dozens of cases have been reported every week in September (a total of 204 reports as of Sep. 18, 12:00 pm).

Considering that the number of website vulnerability reports ordinarily fluctuates between 10 and 20, IPA notes that the high number of DNS cache poisoning related reports clearly stands out.

The websites reported as having the DNS cache poisoning vulnerability are operated by a wide variety of organizations, including government agencies, local public bodies and private companies.

The vulnerability has been found in a number of DNS servers supporting websites that could have a large social impact. IPA advises all website operators to check their DNS server for the vulnerability and take the necessary action.

Figure 1. Reporting Status of DNS Cache Poisoning

2. Threat (of DNS Cache Poisoning)

DNS has a mechanism for caching the IP addresses it has looked up; a DNS server that provides this function is called a DNS cache server.

A DNS cache server may have a DNS cache poisoning vulnerability; when it is exploited, the server no longer returns the correct IP addresses. As a result, Internet-related systems such as web and email systems are no longer able to reach their intended destinations.

In the case of a web system, shown in Figure 2, an attacker could redirect users in the affected domain to a bogus website and steal their passwords or financial information. In the case of an email system, the attacker could route email through a bogus mail server, reading and altering its contents at will.

What is characteristic of this kind of manipulation is that it is very difficult for users to detect the deception.

Figure 2. Threat of DNS Cache Poisoning

3. How to Check for the Vulnerability

To see whether their own DNS server has a DNS cache poisoning vulnerability, operators should check the following three issues. If any of them applies, the DNS cache server is either unpatched or has a problem in its configuration.

  A. The port number used for DNS queries is not randomized
  B. The ID number used for DNS queries is not randomized
  C. The DNS server answers recursive DNS queries originating from outside

At present there is no single technique that checks all three issues together, but the operator can check each one by the following methods.

3.1 Check the DNS Server for Issue A

If the port number used for DNS queries is insufficiently randomized, the risk of the server being poisoned is higher.

The operator can use the “porttest.dns-oarc.net” tool provided by DNS-OARC(*5) to check the DNS server for issue A.

The check is run from the OS command line. On Windows, use the nslookup command.

  • Command to check for issue A using the porttest.dns-oarc.net tool:
    > nslookup -querytype=TXT -timeout=10 porttest.dns-oarc.net.

If the result says “POOR” or “GOOD”, randomization is insufficient and the DNS server has a problem with respect to issue A. Apply a security patch or revise the DNS server configuration as appropriate.

If the result says “GREAT”, the DNS server is clear of issue A.

3.2 Check the DNS Server for Issue B

If the ID number used for DNS queries is insufficiently randomized, the risk of the server being poisoned is higher.

The operator can use the “txidtest.dns-oarc.net” tool provided by DNS-OARC to check the DNS server for issue B.

The check is run from the OS command line. On Windows, use the nslookup command.

  • Command to check for issue B using the txidtest.dns-oarc.net tool:
    > nslookup -querytype=TXT -timeout=10 txidtest.dns-oarc.net.

If the result says “POOR” or “GOOD”, randomization is insufficient and the DNS server has a problem with respect to issue B. Apply a security patch or revise the DNS server configuration as appropriate.

If the result says “GREAT”, the DNS server is clear of issue B.
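As an added illustration of what the porttest and txidtest checks in 3.1 and 3.2 measure (this is not IPA's or DNS-OARC's code), the following Python applies the same idea offline to (source port, transaction ID) pairs observed for a resolver's outbound queries, for example from a packet capture on the resolver host. The rating thresholds and the sample data are assumptions made for the example.

```python
import random
from typing import Iterable, List, Tuple

# Constructed example, not DNS-OARC's porttest/txidtest code. Given the
# (source port, transaction ID) pairs of a resolver's outbound queries, it
# estimates how unpredictable each 16-bit field is. Thresholds are assumed.

def sequential_fraction(values: List[int]) -> float:
    """Share of consecutive samples that differ by exactly +1 (mod 2^16)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)

def rate_field(values: List[int]) -> str:
    """Rate a 16-bit field's randomization as POOR, GOOD or GREAT.
    POOR: constant or mostly sequential (easily predicted);
    GOOD: varies, but within a narrow range or with many repeats;
    GREAT: wide spread and almost no repeats (assumed thresholds)."""
    distinct = len(set(values))
    spread = max(values) - min(values)
    if distinct <= 1 or sequential_fraction(values) > 0.5:
        return "POOR"
    if spread < 4096 or distinct < 0.9 * len(values):
        return "GOOD"
    return "GREAT"

def rate_resolver(samples: Iterable[Tuple[int, int]]) -> dict:
    """Rate issue A (source port) and issue B (transaction ID) together."""
    ports, txids = zip(*samples)
    return {"port": rate_field(list(ports)), "txid": rate_field(list(txids))}

# Constructed samples: an unpatched resolver reusing one source port with
# sequential IDs, and a patched one drawing both fields at random.
def unpatched_samples(n: int = 200) -> List[Tuple[int, int]]:
    return [(32768, (1000 + i) % 65536) for i in range(n)]

def patched_samples(n: int = 200, seed: int = 7) -> List[Tuple[int, int]]:
    rng = random.Random(seed)
    return [(rng.randint(1024, 65535), rng.randint(0, 65535)) for _ in range(n)]

if __name__ == "__main__":
    print("unpatched:", rate_resolver(unpatched_samples()))
    print("patched:  ", rate_resolver(patched_samples()))
```

A resolver rated POOR or GOOD on either field by this logic corresponds to the "apply a patch or revise the configuration" outcome of the DNS-OARC checks above.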

3.3 Check the DNS Server for Issue C

Essentially, a DNS server (DNS content server) should not answer recursive DNS queries originating from outside. Even if the server also acts as a DNS cache server, recursion should be limited to queries originating within its own domain.

The operator can use the “Cross-Pollination Scan” tool provided by IANA(*6) to check the DNS server for issue C. Try the tool at the following URL, specify the domain name(s) owned by the organization, and send a test query.

If the result says “Vulnerable.”, the DNS server is configured to answer recursive DNS queries originating from outside, and the server listed under “Name Server” is likely vulnerable. If it is running as a DNS cache server, apply a security patch or revise the DNS server configuration as appropriate.

If the result says “Safe.”, the DNS server is clear of issue C.

4. Affected Products and Solution

Please refer to the “References to Advisories, Solutions, and Tools” and “Vulnerable software and versions” sections of the following advisory in the NVD (National Vulnerability Database):
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1447

Footnotes

(*1)A mechanism that transforms an IP address, a set of numbers that represents the location of a computer on the network of networks, into a human-friendly domain name.

(*2) Please refer to the following advisory in JVN iPedia:
DNS Cache Poisoning Vulnerability in Multiple DNS Products
http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-001495.html (in Japanese)

(*3) DNS Cache Poisoning Vulnerability in Multiple DNS Products
http://www.ipa.go.jp/security/ciadr/vul/20080724-dns.html (in Japanese)

(*4) Under the national software vulnerability reporting scheme established by a METI Directive, IPA has been collecting and analyzing vulnerability reports, and JPCERT/CC has been coordinating the response with relevant parties such as product vendors, since July 2007.

(*5) DNS Operations, Analysis, and Research Center (DNS-OARC)
https://www.dns-oarc.net/

(*6) Internet Assigned Numbers Authority (IANA)
http://www.iana.org/

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: