Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

Vendors Issue Massive Simultaneous Patch for Common Internet Flaw

Design flaw in DNS protocols could have been used to redirect traffic across the Internet

A large number of major vendors are issuing patches today to repair a newly discovered vulnerability that could allow hackers to redirect traffic across the Internet.

Dan Kaminsky, director of penetration testing at IOActive, today revealed a "design flaw" he discovered in the core protocols used by Domain Name System (DNS), which is used for IP addressing and query routing across the Internet. Although there are no exploits in the wild, the vulnerability could potentially be used to hijack Web sessions remotely and route them to another server.

Kaminsky shared his find with 16 vendors -- including the major makers of DNS servers, such as Cisco, Microsoft, Sun, and open source operating systems -- back in March, suggesting that each vendor create a patch for the problem. In an unprecedented rollout, all of those vendors are releasing their respective patches today.

Citing concerns that attackers would learn the nature of the flaw, Kaminsky declined to give many details on the vulnerability. He did say that the patches add a source port randomization element to the DNS query process, which currently relies on transaction IDs alone. The transaction ID, which assigns a value of between one and 65,000 to each query, "is no longer enough" following the discovery of the flaw, Kaminsky said.

But Tom Ptacek, a fellow security researcher and founder of Matasano Security, said the "new" vulnerability has actually been known for more than a decade. Ptacek cited vulnerability reports from 1997 and 2002 that revealed similar findings about DNS.

So why are vendors now acting en masse to patch the vulnerability? Ptacek suggests that there must have been threat of an exploit. "What changed isn't the vulnerability," he suggested. "What changed is someone threatening to release exploit code."

Kaminsky has released a DNS checking tool that allows users to find out if their DNS servers are subject to the vulnerability. Client systems could potentially be vulnerable, but operating system vendors and Internet service providers will likely have distributed automatic patches before client systems can be widely affected, Kaminsky said.

Unlike most patches, the new multivendor DNS patch does not give away the vulnerability it fixes, according to Rich Mogull, founder and principal analyst at Securosis, a security consultancy. "Reverse engineering the vulnerability by looking at the patch will not be easy with this one," he said.

Kaminsky said he discovered the flaw "while working on something totally unrelated to security."

Jeff Moss, a security researcher and founder of the Black Hat conference, said Kaminsky could have made "hundreds of thousands of dollars" if he had chosen to sell the vulnerability on the open market. "If spammers knew about this, they would use it to great effect," he said. "It would be a great tool for phishing."

Kaminsky preferred to focus on the cross-vendor cooperation that occurred in rolling out the patches. "Nothing like this has ever happened on this scale before," he said. "Interesting vulnerabilities happen every day, but I'm really hoping that this sort of [cooperation] will happen again in the future."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • IOActive
  • Matasano Security LLC
  • Microsoft Corp. (Nasdaq: MSFT)
  • Sun Microsystems Inc. (Nasdaq: JAVA)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    Commentary
    What the FedEx Logo Taught Me About Cybersecurity
    Matt Shea, Head of Federal @ MixMode,  6/4/2021
    Edge-DRsplash-10-edge-articles
    A View From Inside a Deception
    Sara Peters, Senior Editor at Dark Reading,  6/2/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    The State of Cybersecurity Incident Response
    In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-34682
    PUBLISHED: 2021-06-12
    Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
    CVE-2021-31811
    PUBLISHED: 2021-06-12
    In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
    CVE-2021-31812
    PUBLISHED: 2021-06-12
    In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
    CVE-2021-32552
    PUBLISHED: 2021-06-12
    It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.
    CVE-2021-32553
    PUBLISHED: 2021-06-12
    It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.