Vendors Issue Massive Simultaneous Patch for Common Internet Flaw

Design flaw in DNS protocols could have been used to redirect traffic across the Internet

A large number of major vendors are issuing patches today to repair a newly discovered vulnerability that could allow hackers to redirect traffic across the Internet.

Dan Kaminsky, director of penetration testing at IOActive, today revealed a "design flaw" he discovered in the core protocol of the Domain Name System (DNS), the service that translates host names into IP addresses for virtually every connection made across the Internet. Although there are no exploits in the wild, the vulnerability could be used remotely to poison a resolver's cache with forged answers, so that users who look up a legitimate name are silently sent to a server of the attacker's choosing.

Kaminsky shared his find with 16 vendors -- including the major makers of DNS server software and operating systems, such as Cisco, Microsoft, Sun, and several open source projects -- back in March, and suggested that each vendor create a patch for the problem. In an unprecedented rollout, all of those vendors are releasing their respective patches today.

Citing concerns that attackers would learn the nature of the flaw, Kaminsky declined to give many details on the vulnerability. He did say that the patches add source port randomization to the DNS query process, which currently relies on the transaction ID alone to match a reply to the query that caused it. The transaction ID is a 16-bit field, so it can take only 65,536 values (0 to 65,535); an off-path attacker who can guess it, and who knows the fixed port the resolver queries from, can forge an acceptable reply. With the patch, the reply must also arrive at the randomly chosen UDP port the query was sent from, which multiplies the number of combinations the attacker has to cover. The transaction ID "is no longer enough" following the discovery of the flaw, Kaminsky said.
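To make the arithmetic concrete, here is a small model of the forgery race the patch addresses. It is an added example, not code from the article or from any of the vendors' patches: a resolver that matches replies on the 16-bit transaction ID alone is compared with one that also randomizes the UDP source port, and an off-path attacker who cannot see the query sprays forged replies enumerating every transaction ID against one guessed port. The fixed port 53, the ephemeral port range 1024-65535, and the forged answer address are assumptions chosen for illustration; timing is ignored, and in reality the forgeries must also beat the genuine reply to the resolver.

```python
"""Model of the DNS reply-forgery race: transaction ID alone vs. transaction ID
plus a randomized source port.  Constructed example, not the page's or any
vendor's code."""
import random
from dataclasses import dataclass
from typing import Optional

TXID_SPACE = 1 << 16                   # the transaction ID is a 16-bit field: 0..65535
FIXED_PORT = 53                        # assumption: unpatched resolver always queries from 53
EPHEMERAL_PORTS = range(1024, 65536)   # assumption: patched resolver picks a port from here


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int
    sport: int      # UDP source port the query left from


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dport: int      # port the sender addressed; a forger has to guess this
    rdata: str


def send_query(qname: str, rng: random.Random, randomize_port: bool) -> Query:
    """Resolver side: choose the identifiers a reply must echo back."""
    txid = rng.randrange(TXID_SPACE)
    sport = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
    return Query(qname, txid, sport)


def accepts(query: Query, reply: Reply) -> bool:
    """A reply is matched to the outstanding query only if the question,
    the transaction ID and the destination port all agree."""
    return (reply.qname == query.qname
            and reply.txid == query.txid
            and reply.dport == query.sport)


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations a blind forger must cover."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def blind_poison(query: Query, guessed_port: int, budget: int) -> Optional[int]:
    """Off-path attacker: cannot observe the query, so it sends forged replies
    for every transaction ID against one guessed port.  Returns how many
    forgeries were sent before one was accepted, or None if none was within
    the budget."""
    for n, txid in enumerate(range(min(budget, TXID_SPACE)), start=1):
        # 203.0.113.66 is a documentation (TEST-NET-3) address, constructed for the example
        forged = Reply(query.qname, txid, guessed_port, "203.0.113.66")
        if accepts(query, forged):
            return n
    return None


def demo(seed: int = 1) -> dict:
    """Run the same attacker against an unpatched and a patched resolver."""
    rng = random.Random(seed)
    unpatched = send_query("www.example.com", rng, randomize_port=False)
    patched = send_query("www.example.com", rng, randomize_port=True)
    return {
        "unpatched_guess_space": guess_space(False),
        "patched_guess_space": guess_space(True),
        "unpatched_forgeries_until_hit": blind_poison(unpatched, FIXED_PORT, TXID_SPACE),
        "patched_forgeries_until_hit": blind_poison(patched, FIXED_PORT, TXID_SPACE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the unpatched resolver the enumeration always succeeds within 65,536 forgeries because the port is known; against the patched one the same budget never succeeds, since the attacker would have to enumerate roughly 65,536 x 64,512 combinations instead. The model deliberately leaves out the race against the genuine reply and the cache TTL, both of which further constrain a real attacker.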

But Tom Ptacek, a fellow security researcher and founder of Matasano Security, said the "new" vulnerability has actually been known for more than a decade. Ptacek cited vulnerability reports from 1997 and 2002 that revealed similar findings about DNS.

So why are vendors now acting en masse to patch the vulnerability? Ptacek suggests that there must have been threat of an exploit. "What changed isn't the vulnerability," he suggested. "What changed is someone threatening to release exploit code."

Kaminsky has released a DNS checking tool that lets administrators find out whether their recursive DNS servers are subject to the vulnerability. Client systems could potentially be vulnerable as well, but operating system vendors and Internet service providers will likely have distributed automatic patches before client systems can be widely affected, Kaminsky said.
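An administrator who cannot reach an online checker can test the same property offline by watching what source ports the resolver actually uses. The script below is an added example in that spirit and is not Kaminsky's tool: it pulls the UDP source port out of constructed capture lines in the style of `tcpdump -n` output and gives a heuristic verdict. The resolver address, the sample lines, and the thresholds are all assumptions chosen for illustration.

```python
"""Offline check of whether a resolver's outbound query source ports look
randomized.  Constructed example, not the checking tool the article mentions."""
import re

# Matches the "IP src.sport > dst.dport:" prefix that tcpdump -n prints for UDP.
_TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")

RESOLVER_IP = "192.0.2.10"   # assumption: the recursive server under test (TEST-NET-1)

# Constructed capture of queries from an unpatched resolver: every query leaves from port 53.
FIXED_PORT_CAPTURE = [
    f"12:00:0{i}.000000 IP 192.0.2.10.53 > 198.51.100.5.53: {4000 + i}+ A? www.example.com. (33)"
    for i in range(8)
]
# Constructed sample port sequences for the verdict function.
INCREMENTING_PORTS = list(range(32768, 32780))
RANDOMIZED_PORTS = [49211, 1987, 60342, 7712, 33090, 52177,
                    12040, 61881, 3904, 45570, 27331, 58888]


def ports_from_capture(lines, resolver_ip):
    """Source ports of queries sent by resolver_ip to port 53, in capture order."""
    ports = []
    for line in lines:
        m = _TCPDUMP_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def sequential_fraction(ports):
    """Share of consecutive pairs where the port is unchanged or incremented by one."""
    if len(ports) < 2:
        return 0.0
    step_like = sum(1 for a, b in zip(ports, ports[1:]) if b - a in (0, 1))
    return step_like / (len(ports) - 1)


def assess_source_ports(ports, min_distinct_ratio=0.8, max_sequential=0.2, min_spread=1024):
    """Heuristic verdict on a port sequence.  Thresholds are illustrative assumptions."""
    if not ports:
        raise ValueError("no queries from the resolver in the capture")
    distinct = len(set(ports))
    seq = sequential_fraction(ports)
    spread = max(ports) - min(ports)
    if distinct == 1:
        verdict = "FIXED PORT: matching relies on the transaction ID alone"
    elif seq > max_sequential:
        verdict = "PREDICTABLE: ports increment, so the next port is guessable"
    elif distinct / len(ports) < min_distinct_ratio or spread < min_spread:
        verdict = "WEAK: too little variation in the source port"
    else:
        verdict = "RANDOMIZED: source port adds entropy to the transaction ID"
    return {"queries": len(ports), "distinct": distinct,
            "sequential_fraction": round(seq, 3), "spread": spread, "verdict": verdict}


if __name__ == "__main__":
    print(assess_source_ports(ports_from_capture(FIXED_PORT_CAPTURE, RESOLVER_IP)))
    print(assess_source_ports(INCREMENTING_PORTS))
    print(assess_source_ports(RANDOMIZED_PORTS))
```

A dozen queries is enough to spot a fixed or incrementing port; it is not enough to judge the quality of a random generator, and a resolver behind a NAT device may have its randomized ports rewritten into a predictable sequence on the way out, so the capture should be taken on the address the authoritative servers actually see.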

Unlike most patches, the new multivendor DNS patch does not give away the vulnerability it fixes, according to Rich Mogull, founder and principal analyst at Securosis, a security consultancy. "Reverse engineering the vulnerability by looking at the patch will not be easy with this one," he said.

Kaminsky said he discovered the flaw "while working on something totally unrelated to security."

Jeff Moss, a security researcher and founder of the Black Hat conference, said Kaminsky could have made "hundreds of thousands of dollars" if he had chosen to sell the vulnerability on the open market. "If spammers knew about this, they would use it to great effect," he said. "It would be a great tool for phishing."

Kaminsky preferred to focus on the cross-vendor cooperation that occurred in rolling out the patches. "Nothing like this has ever happened on this scale before," he said. "Interesting vulnerabilities happen every day, but I'm really hoping that this sort of [cooperation] will happen again in the future."



Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals.
