  Dan Kaminsky breaks DNS, massive multi-vendor patch coming,
Fritz
« on: 2008-07-11 15:53:52 »

FYI ... we got fix'in to do .... and explaining later.
DECnet was better than IP!

Cheers
Fritz


Dan Kaminsky breaks DNS, massive multi-vendor patch coming, details at Black Hat Vegas ‘08
Source: ZDnet
Author: by Nathan McFeters
Date: July 8th, 2008

It would seem there’s a bigger story to that MS08-037 flaw that came out for Patch Tuesday today.

From Dave Lewis over at the Liquid Matrix security blog:

    Today Dan Kaminsky released a first, as far as I can recall. A coordinated patch was released today by Dan Kaminsky of IO Active that fixes a vulnerability that apparently exists in all DNS servers.

    Unlike other researchers who give up the gory details, Kaminsky took a wiser path by smiling and nodding. He’ll give up the goods at Black Hat in August. That should give folks enough time to patch their systems.

From CNET:

    Toward addressing the flaw, Kaminsky said the researchers decided to conduct a synchronized, multivendor release and as part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco, Sun, and BIND are also expected to roll out patches later on Tuesday.

    As part of the coordinated release, Art Manion of CERT said vendors with DNS servers have been contacted, and there’s a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Inc., Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.

Apparently Kaminsky has also provided a DNS checking tool on his site to see if your DNS is vulnerable.

The Liquid Matrix guys also mention that Rich Mogull has more details on the flaw over at the Securosis blog, and that Thomas Ptacek, of the Matasano crew, has some doubts about this flaw, as seen on Twitter. Mogull calls the issue a “major issue in DNS that could allow attackers to easily compromise any name server (it also affects clients).” Mogull further goes on to say:

    The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn’t directly possible.

    Dan asked for some assistance in getting the word out and was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day.

    Dan and the vendors did an amazing job with this one. We’ve also attached the official CERT release and an Executive Overview document discussing the issue.

Where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains -anon-
Hermit
« Reply #1 on: 2008-07-11 16:33:48 »

Why are you not running djbdns (available at http://cr.yp.to)?

The Dan Kaminsky interview has more information. His simple message is "if it recurses, patch it, but non-recursive clients are also affected as a lesser priority." and "Dan Bernstein completely solved a big security issue he didn't even know about!" IMO, Dan did prove that he sufficiently recognized the potential of this and related potential challenges back in the days of DNS DDoS and cache poisoning attacks, which is one reason supporting his design decision to deploy port and transaction ID randomization, both of which are implicated in this design failure. The trouble was really that nobody with BIND or even in the wider IETF paid Dan sufficient attention. This was one of the reasons I switched to djbdns in the first place.

I also enjoyed, "Even I gotta admit, maybe there is something to this whole DNSSEC thing...." but he still isn't saying DNSSEC is workable. Dan Bernstein is sure it is not - but that it isn't needed either as it is trivial to synchronize servers via file transfer via SSH - or using LDAP as we do here.

Kind Regards

Hermit

PS Many things are better than IP. I personally liked ArcNet a lot, recognized that Token ring was vastly superior to any contention protocol for most applications, and still like SONET most of all (but I always ran IP directly over SONET) for many applications. But IP makes effective use of oversubscribed bandwidth, so it has a significant place in the world. And name resolution is at the top of the stack, not wriggling in the transaction layer, so if it were as incompetently designed and implemented for other protocols as DNS is for IP it wouldn't matter what flavor of network it ran over.

With or without religion, you would have good people doing good things and evil people doing evil things. But for good people to do evil things, that takes religion. - Steven Weinberg, 1999
Fritz
« Reply #2 on: 2008-07-14 21:49:57 »


Quote:
[Hermit]Why are you not running djbdns (available at http://cr.yp.to)

[Fritz] Great lead, thanks. I will be making myself considerably less popular than a smelly fart, at the next group hug at my place of employment, which might look like:
Half switched to MS Windows 2003 with the auto magical DNS, limping on 6 year old BIND on Tru64 5.2 UNIX and dying with a 10 year old BIND running on OpenVMS 7.3 with trolls moving the table entries between all the worlds manually amongst 800 servers supporting 12,000 plus user universe, held together with a national network with the response time of an oozing pustulant kumquat.
Dear reader, you may have guessed this can only be the description of a non private sector organization with stock car drivers at the helm trying to pilot a starship.

"Just another brick in the wall"

Fritz ... 1+1=2, 2+2=3, 3+3=4 .........

Where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains -anon-
Fritz
« Reply #3 on: 2008-07-21 21:38:41 »

[Fritz]more on the DNS saga ....


Researcher's hypothesis may expose uber-secret DNS flaw
Responsible disclosure debate rages on

Source: The Register: Biting the hand that feeds IT
Author: Dan Goodin in San Francisco
Date: Monday 21st July 2008 19:28 GMT

Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit it before overlords of the domain name system had a chance to fix it.

That hasn't stopped researcher Halvar Flake from posting a hypothesis that several researchers say is highly plausible. It describes a simple method for tampering with DNS name servers that get queried when a user tries to visit a specific website. As a result, attackers would redirect someone trying to visit a site such as bankofamerica.com to an impostor site that steals their credentials.

The recipe calls for the attacker to flood a DNS server with multiple requests for domain names, for instance www.ulam00001.com, www.ulam00002.com and so on. Since the name server hasn't seen these requests before, it queries a root server for the name server that handles lookups for domains ending in .com. The attacker then uses the information to send fraudulent lookup information to the DNS server and make it appear as if it came from the authoritative .com name server. With enough requests, eventually one of the spoofed requests will match and the IP address for a requested domain will be falsified.

In an email to El Reg, Kaminsky declined to confirm whether Flake's speculation is correct. We're hoping it is, because if it isn't, it means the net's DNS is vulnerable to a second flaw that, like Kaminsky's, could result in major security breaches for an untold number of users.
"It's very plausible; I think he's nailed it," Nate Lawson, principal of Root Labs, said of Flake's hypothesis. "If that is the case, it definitely goes against Dan's request that people not speculate."
It would also demonstrate the difficulty researchers like Kaminsky face in trying to keep the specifics of a vulnerability quiet. While Flake is highly respected in security circles, he admits his knowledge of DNS is limited. He had to spend time reading a "DNS-for-dummies" text to get up to speed.
If a few weeks was enough for him to come up with an attack scenario, plenty of less scrupulous hackers almost certainly will be able to do the same thing, calling into question whether it's realistic to limit vulnerability disclosure in the way Kaminsky has proposed.

"It's the universal opinion of the research community that it's not a reasonable request," said Thomas Ptacek, a researcher at Matasano who is critical of the admonition against other researchers publicly discussing the flaw. Ptacek and several other researchers have received a briefing from Kaminsky in exchange for a promise not to discuss it publicly, a condition he says is perfectly OK.

But Ptacek bristles at calls that others who have not been briefed should be pressured to keep quiet.
"The cabal approach does not work," he said.
Kaminsky has said he won't provide a detailed discussion of the DNS flaw until he speaks early next month at the Black Hat conference in Las Vegas. Critics say the move has more to do with artificially generating buzz than following responsible disclosure guidelines.
Kaminsky and his supporters disagree, saying it takes time for those maintaining DNS servers to deploy patches and detailed discussions in the meantime could allow attackers to exploit the flaw.

"The vast majority of people are choosing not to publicly speculate, and I appreciate that," Kaminsky wrote in an email. "A few aren't, as is their right. Thus far, everyone who's found the bug has been gracious enough to me to let me present the research on August 6th. But I don't know how long that will last. People need to patch this, sooner rather than later." ®


Where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains -anon-
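
A defender-side check for the query pattern the article in the post above describes, as an added example that is not part of the original post or the quoted article: it scans a resolver query log for one client requesting many never-repeated names that differ only in a number (the www.ulam00001.com shape). The log format, addresses, window and threshold are constructed assumptions; names with random rather than numbered labels would need a different grouping key.

```python
import re
from collections import defaultdict

def make_sample():
    """Constructed query-log lines in a simplified 'epoch client qname qtype' form."""
    lines = [f"{1000 + i} 198.51.100.9 www.ulam{i:05d}.com A" for i in range(1, 41)]
    lines += [f"{1000 + i * 3} 192.0.2.20 www.example.com A" for i in range(20)]
    lines += ["1005 192.0.2.20 mail.example.org MX",
              "1010 192.0.2.21 host7.example.net A"]
    return lines

def template(qname):
    """Collapse digit runs so www.ulam00001.com and www.ulam00002.com share a key."""
    return re.sub(r"\d+", "#", qname.lower().rstrip("."))

def find_floods(lines, window=60, min_unique=25):
    """Return {(client, template): max distinct names seen inside one time window}."""
    seen = defaultdict(list)  # (client, template) -> [(timestamp, qname)]
    for line in lines:
        ts, client, qname, _qtype = line.split()
        seen[(client, template(qname))].append((int(ts), qname.lower()))
    hits = {}
    for key, events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            unique = len({q for _, q in events[start:end + 1]})
            if unique >= min_unique:
                hits[key] = max(hits.get(key, 0), unique)
    return hits

if __name__ == "__main__":
    for (client, tmpl), n in find_floods(make_sample()).items():
        print(f"{client}: {n} distinct names matching {tmpl} within 60s")
```

A repeated lookup of one popular name (the 192.0.2.20 client in the sample) is not flagged, because the count is of distinct names rather than of queries.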
Fritz
« Reply #4 on: 2008-07-29 14:33:02 »

Update on the saga

Cheers

Fritz



Source: ZDnet Blog
Date: July 29th, 2008  @ 3:24 am
Author:  Dancho Danchev

DNS cache poisoning attacks exploited in the wild

Numerous independent sources are starting to see evidence of DNS cache poisoning attempts on their local networks, in what appears to be an attempt to take advantage of the “recent” DNS cache poisoning vulnerability:

    ” client 143.215.143.11 query (cache) ‘www.ebay.com/ANY/IN’ denied: 31
    Time(s)
    client 143.215.143.11 query (cache) ‘www.facebook.com/ANY/IN’
    denied: 30 Time(s)
    client 143.215.143.11 query (cache) ‘www.gmail.com/ANY/IN’ denied:
    30 Time(s)
    client 143.215.143.11 query (cache) ‘www.google.com/ANY/IN’ denied:
    30 Time(s)
    client 143.215.143.11 query (cache) ‘www.live.com/ANY/IN’ denied: 30
    Time(s)
    client 143.215.143.11 query (cache) ‘www.microsoft.com/ANY/IN’
    denied: 30 Time(s)
    client 143.215.143.11 query (cache) ‘www.msn.com/ANY/IN’ denied: 30
    Time(s)
    client 143.215.143.11 query (cache) ‘www.myspace.com/ANY/IN’ denied:
    30 Time(s)”

Surprised? I’m not, since this was pretty logical given that the three publicly available exploits have been downloaded over 15,000 times in the last couple of days. What I’m actually surprised by is that it took so long to produce a working exploit, and that despite the media outbreak raising awareness on the potential for abuse, major international and local ISPs remain vulnerable. Ironically, they remain vulnerable just like they’ve always been even though patches for a particular vulnerability were available. Insecure and misconfigured DNS servers were, and continue to be, a realistic threat even in a Web 2.0 world.

Where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains -anon-
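
One way to triage log summaries like the one quoted in the post above, as an added example that is not part of the original post or the quoted article: it rejoins the wrapped entries, totals denied cache queries per client, and lists clients refused for several different names. The thresholds and the 192.0.2.50 entry are constructed assumptions.

```python
import re
from collections import defaultdict

# Three entries copied from the log quoted in the post (wrapped as posted),
# plus one constructed entry for a second client, 192.0.2.50, for contrast.
SAMPLE = """\
client 143.215.143.11 query (cache) ‘www.ebay.com/ANY/IN’ denied: 31
Time(s)
client 143.215.143.11 query (cache) ‘www.facebook.com/ANY/IN’
denied: 30 Time(s)
client 143.215.143.11 query (cache) ‘www.gmail.com/ANY/IN’ denied:
30 Time(s)
client 192.0.2.50 query (cache) 'intranet.example/A/IN' denied: 1 Time(s)
"""

# Accepts straight or typographic quotes around name/type/class.
ENTRY = re.compile(
    r"client\s+(?P<client>\S+)\s+query\s+\(cache\)\s+"
    r"['‘’](?P<name>[^/\s]+)/(?P<qtype>\w+)/(?P<qclass>\w+)['‘’]\s+"
    r"denied:\s+(?P<count>\d+)\s+Time\(s\)"
)

def parse_denied(text):
    """Yield (client, name, qtype, count) from wrapped summary entries."""
    flat = " ".join(text.split())  # undo the line wrapping before matching
    for m in ENTRY.finditer(flat):
        yield m["client"], m["name"].lower(), m["qtype"], int(m["count"])

def summarize(text):
    """Total denied queries and distinct names per client."""
    per_client = defaultdict(lambda: {"denied": 0, "names": set()})
    for client, name, _qtype, count in parse_denied(text):
        per_client[client]["denied"] += count
        per_client[client]["names"].add(name)
    return per_client

def suspicious_clients(text, min_names=3, min_denied=50):
    """Clients refused cache access for many different names, many times."""
    return sorted(c for c, s in summarize(text).items()
                  if len(s["names"]) >= min_names and s["denied"] >= min_denied)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))
```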
Hermit
« Reply #5 on: 2008-07-29 15:13:04 »

I first used Men & Mice's DNS evaluation suite to watch complex DNS set-ups in 1996. It was the best available software then, it remains so now.
http://www.menandmice.com/

They offer a free DNS test and report. Worth trying. Most DNS set-ups have severe misconfigurations (often due to serious misunderstanding of the fundamentals).
« Last Edit: 2008-07-29 18:51:30 by Hermit »

With or without religion, you would have good people doing good things and evil people doing evil things. But for good people to do evil things, that takes religion. - Steven Weinberg, 1999