Vendors Issue Massive Simultaneous Patch for Common Internet Flaw
Design flaw in DNS protocols could have been used to redirect traffic across the Internet
A large number of major vendors are issuing patches today to repair a newly discovered vulnerability that could allow hackers to redirect traffic across the Internet.
Dan Kaminsky, director of penetration testing at IOActive, today revealed a "design flaw" he discovered in the core protocols used by Domain Name System (DNS), which is used for IP addressing and query routing across the Internet. Although there are no exploits in the wild, the vulnerability could potentially be used to hijack Web sessions remotely and route them to another server.
Kaminsky shared his find with 16 vendors -- including the major makers of DNS servers, such as Cisco, Microsoft, Sun, and open source operating systems -- back in March, suggesting that each vendor create a patch for the problem. In an unprecedented rollout, all of those vendors are releasing their respective patches today.
Citing concerns that attackers would learn the nature of the flaw, Kaminsky declined to give many details on the vulnerability. He did say that the patches add a source port randomization element to the DNS query process, which currently relies on transaction IDs alone. The transaction ID, which assigns a value of between one and 65,000 to each query, "is no longer enough" following the discovery of the flaw, Kaminsky said.
But Tom Ptacek, a fellow security researcher and founder of Matasano Security, said the "new" vulnerability has actually been known for more than a decade. Ptacek cited vulnerability reports from 1997 and 2002 that revealed similar findings about DNS.
So why are vendors now acting en masse to patch the vulnerability? Ptacek suggests that there must have been threat of an exploit. "What changed isn't the vulnerability," he suggested. "What changed is someone threatening to release exploit code."
Kaminsky has released a DNS checking tool that allows users to find out if their DNS servers are subject to the vulnerability. Client systems could potentially be vulnerable, but operating system vendors and Internet service providers will likely have distributed automatic patches before client systems can be widely affected, Kaminsky said.
Unlike most patches, the new multivendor DNS patch does not give away the vulnerability it fixes, according to Rich Mogull, founder and principal analyst at Securosis, a security consultancy. "Reverse engineering the vulnerability by looking at the patch will not be easy with this one," he said.
Kaminsky said he discovered the flaw "while working on something totally unrelated to security."
Jeff Moss, a security researcher and founder of the Black Hat conference, said Kaminsky could have made "hundreds of thousands of dollars" if he had chosen to sell the vulnerability on the open market. "If spammers knew about this, they would use it to great effect," he said. "It would be a great tool for phishing."
Kaminsky preferred to focus on the cross-vendor cooperation that occurred in rolling out the patches. "Nothing like this has ever happened on this scale before," he said. "Interesting vulnerabilities happen every day, but I'm really hoping that this sort of [cooperation] will happen again in the future."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Cisco Systems Inc. (Nasdaq: CSCO)
Microsoft Corp. (Nasdaq: MSFT)
Sun Microsystems Inc. (Nasdaq: JAVA)
About the Author
You May Also Like