Thursday, August 7, 2008

DNS Vulnerability Disclosure - PowerDNS - Lack of Response Considered Harmful

As an aside to my previous discussion about my own investigation into DNS, I had also been curious whether there were any "lack of response" issues affecting today's DNS servers. After all, DNS spoofing attacks generally involve a race: if you can initiate a race and leave the competitor at the starting blocks, you'll always win. In my investigation, I started submitting malicious requests with non-standard and/or binary data in the queries. Pretty quickly I discovered that some servers were not responding to my requests, even ones as simple as a query including a leading space in the name.

While this seems a benign flaw on its face, the implication, given the Kaminsky-style attack, is that it gives even a less sophisticated attacker a very long window in which to spoof domains that are hosted on vulnerable servers. Note that at first I made an incorrect assumption that this particular flaw affected multiple DNS solutions, but after further investigation it turned out to be in a particular implementation, namely PowerDNS. While PowerDNS is the only server I am aware of that has this flaw, I would be concerned about other malformed queries affecting other DNS implementations in similar ways. Feel free to let me know if you become aware of any other DNS servers with similar issues; I would be curious to know.

If you are using PowerDNS, the flaw I discovered has just recently been patched (CVE-2008-3337), so please deploy this patch to remove this extended time-window advantage from attackers.
Thanks to Bert Hubert of PowerDNS for responding to my notification quickly, immediately seeing the importance, and turning around this patch in such a short time frame given the heightened climate of attention on DNS.
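To verify on your own resolver that the patch is in place, the following added script (not from this post or from the PowerDNS project) builds two raw DNS queries, one well-formed and one whose first label carries the leading space described above, and reports whether each gets any reply within a timeout. A patched server should answer both (an error RCODE counts as an answer); staying silent on the second is the behaviour discussed here. The server address is an assumption supplied on the command line.

```python
import socket
import struct

def build_query(labels, txid=0x1234, qtype=1):
    """Build a minimal wire-format DNS query (RD set, class IN) from a list of
    raw label bytes. Labels are deliberately not validated, so a label such as
    b' example' (leading space) is sent exactly as given."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_header(packet):
    """Return (txid, flags, qdcount) from the first six bytes of a DNS message."""
    return struct.unpack(">HHH", packet[:6])

def probe(server, packet, timeout=2.0, port=53):
    """Send one query over UDP and report whether a reply with the matching
    transaction ID arrived within the timeout. Returns (answered, reply)."""
    txid = parse_header(packet)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            while True:
                data, _ = sock.recvfrom(4096)
                if len(data) >= 12 and parse_header(data)[0] == txid:
                    return True, data
        except socket.timeout:
            return False, None

def check_server(server, timeout=2.0):
    """Compare a normal query with one whose first label has a leading space.
    A server that answers the first but is silent on the second shows the
    'lack of response' behaviour; a patched server answers both."""
    normal = build_query([b"example", b"com"], txid=0x1001)
    spaced = build_query([b" example", b"com"], txid=0x1002)
    answered_normal, _ = probe(server, normal, timeout)
    answered_spaced, _ = probe(server, spaced, timeout)
    return {"responds_to_normal": answered_normal,
            "responds_to_leading_space": answered_spaced}

if __name__ == "__main__":
    import sys
    # Assumed usage: python check_pdns.py <address of the server you operate>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(check_server(target))
```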
