Vendors Issue Massive Simultaneous Patch for Common Internet Flaw

Design flaw in DNS protocols could have been used to redirect traffic across the Internet

A large number of major vendors are issuing patches today to repair a newly discovered vulnerability that could allow hackers to redirect traffic across the Internet.

Dan Kaminsky, director of penetration testing at IOActive, today revealed a "design flaw" he discovered in the core protocols of the Domain Name System (DNS), the service that maps host names to IP addresses across the Internet. Although there are no exploits in the wild, the vulnerability could potentially be used to hijack Web sessions remotely and route them to another server.

Kaminsky shared his find with 16 vendors -- including the major makers of DNS servers, such as Cisco, Microsoft, Sun, and open source operating systems -- back in March, suggesting that each vendor create a patch for the problem. In an unprecedented rollout, all of those vendors are releasing their respective patches today.

Citing concerns that attackers would learn the nature of the flaw, Kaminsky declined to give many details on the vulnerability. He did say that the patches add source port randomization to the DNS query process, which currently relies on transaction IDs alone. The transaction ID, a value between one and 65,000 assigned to each query, "is no longer enough" following the discovery of the flaw, Kaminsky said.
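To make the mitigation concrete, the following added example (not part of the article and not Kaminsky's checking tool) classifies a resolver's outbound queries by source-port behaviour and shows how many bits of chance a forged reply has to match when only the 16-bit transaction ID varies versus when the source port is randomized as well. The input is a list of (transaction ID, source port) pairs as a defender would pull from a packet capture of the resolver's own outgoing queries; the three samples are constructed, not captured.

```python
"""Assess whether a resolver randomizes the source port of its outbound DNS
queries, and how much matching space that adds to the 16-bit transaction ID.

Added example, not part of the article or of Kaminsky's checking tool.
The samples below are constructed (txid, source_port) pairs, not real traffic.
"""
import math

TXID_BITS = 16                   # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 65536 - 1024   # upper bound on the usable randomized port range

# Constructed samples of (txid, source port) for three resolver behaviours.
FIXED_PORT = [(0x1a2b, 53), (0x7c3d, 53), (0x00f1, 53), (0x5e92, 53), (0x3333, 53)]
SEQUENTIAL_PORT = [(0x1a2b, 40000), (0x7c3d, 40001), (0x00f1, 40002),
                   (0x5e92, 40003), (0x3333, 40004)]
RANDOM_PORT = [(0x1a2b, 50123), (0x7c3d, 61777), (0x00f1, 32911),
               (0x5e92, 58004), (0x3333, 44390)]


def classify_source_ports(queries):
    """Return 'fixed', 'sequential' or 'randomized' for the observed ports.

    'fixed': every query leaves from one port (the pre-patch behaviour the
    article describes, where only the transaction ID has to be matched).
    'sequential': ports differ but step by a constant, so they are predictable.
    'randomized': ports vary with no constant step across the sample.
    A sample of at least three queries is needed to tell the last two apart.
    """
    ports = [port for _, port in queries]
    if len(set(ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "sequential"
    return "randomized"


def match_space_bits(port_behaviour):
    """Bits a forged reply must match by chance for the given port behaviour.

    Fixed or sequential ports add nothing useful beyond the transaction ID;
    randomized ports add about log2 of the ephemeral port range (~16 bits).
    """
    extra = math.log2(EPHEMERAL_PORTS) if port_behaviour == "randomized" else 0
    return TXID_BITS + extra


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORT),
                         ("random", RANDOM_PORT)]:
        verdict = classify_source_ports(sample)
        print(f"{name:10s} -> {verdict:10s} ~{match_space_bits(verdict):.1f} bits to match")
```

Run against tuples extracted from a capture of the resolver's outgoing queries, a 'fixed' or 'sequential' verdict is the condition the multivendor patch is meant to remove.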

But Tom Ptacek, a fellow security researcher and founder of Matasano Security, said the "new" vulnerability has actually been known for more than a decade. Ptacek cited vulnerability reports from 1997 and 2002 that revealed similar findings about DNS.

So why are vendors now acting en masse to patch the vulnerability? Ptacek suggests that there must have been the threat of an exploit. "What changed isn't the vulnerability," he suggested. "What changed is someone threatening to release exploit code."

Kaminsky has released a DNS checking tool that allows users to find out if their DNS servers are subject to the vulnerability. Client systems could potentially be vulnerable, but operating system vendors and Internet service providers will likely have distributed automatic patches before client systems can be widely affected, Kaminsky said.

Unlike most patches, the new multivendor DNS patch does not give away the vulnerability it fixes, according to Rich Mogull, founder and principal analyst at Securosis, a security consultancy. "Reverse engineering the vulnerability by looking at the patch will not be easy with this one," he said.

Kaminsky said he discovered the flaw "while working on something totally unrelated to security."

Jeff Moss, a security researcher and founder of the Black Hat conference, said Kaminsky could have made "hundreds of thousands of dollars" if he had chosen to sell the vulnerability on the open market. "If spammers knew about this, they would use it to great effect," he said. "It would be a great tool for phishing."

Kaminsky preferred to focus on the cross-vendor cooperation that occurred in rolling out the patches. "Nothing like this has ever happened on this scale before," he said. "Interesting vulnerabilities happen every day, but I'm really hoping that this sort of [cooperation] will happen again in the future."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.