Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Vendors Issue Massive Simultaneous Patch for Common Internet Flaw

Design flaw in DNS protocols could have been used to redirect traffic across the Internet

A large number of major vendors are issuing patches today to repair a newly discovered vulnerability that could allow hackers to redirect traffic across the Internet.

Dan Kaminsky, director of penetration testing at IOActive, today revealed a "design flaw" he discovered in the core protocols used by Domain Name System (DNS), which is used for IP addressing and query routing across the Internet. Although there are no exploits in the wild, the vulnerability could potentially be used to hijack Web sessions remotely and route them to another server.

Kaminsky shared his find with 16 vendors -- including the major makers of DNS servers, such as Cisco, Microsoft, Sun, and open source operating systems -- back in March, suggesting that each vendor create a patch for the problem. In an unprecedented rollout, all of those vendors are releasing their respective patches today.

Citing concerns that attackers would learn the nature of the flaw, Kaminsky declined to give many details on the vulnerability. He did say that the patches add a source port randomization element to the DNS query process, which currently relies on transaction IDs alone. The transaction ID, which assigns a value of between one and 65,000 to each query, "is no longer enough" following the discovery of the flaw, Kaminsky said.

But Tom Ptacek, a fellow security researcher and founder of Matasano Security, said the "new" vulnerability has actually been known for more than a decade. Ptacek cited vulnerability reports from 1997 and 2002 that revealed similar findings about DNS.

So why are vendors now acting en masse to patch the vulnerability? Ptacek suggests that there must have been threat of an exploit. "What changed isn't the vulnerability," he suggested. "What changed is someone threatening to release exploit code."

Kaminsky has released a DNS checking tool that allows users to find out if their DNS servers are subject to the vulnerability. Client systems could potentially be vulnerable, but operating system vendors and Internet service providers will likely have distributed automatic patches before client systems can be widely affected, Kaminsky said.

Unlike most patches, the new multivendor DNS patch does not give away the vulnerability it fixes, according to Rich Mogull, founder and principal analyst at Securosis, a security consultancy. "Reverse engineering the vulnerability by looking at the patch will not be easy with this one," he said.

Kaminsky said he discovered the flaw "while working on something totally unrelated to security."

Jeff Moss, a security researcher and founder of the Black Hat conference, said Kaminsky could have made "hundreds of thousands of dollars" if he had chosen to sell the vulnerability on the open market. "If spammers knew about this, they would use it to great effect," he said. "It would be a great tool for phishing."

Kaminsky preferred to focus on the cross-vendor cooperation that occurred in rolling out the patches. "Nothing like this has ever happened on this scale before," he said. "Interesting vulnerabilities happen every day, but I'm really hoping that this sort of [cooperation] will happen again in the future."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • IOActive
  • Matasano Security LLC
  • Microsoft Corp. (Nasdaq: MSFT)
  • Sun Microsystems Inc. (Nasdaq: JAVA)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Threaded  |  Newest First  |  Oldest First
    Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
    Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
    7 Powerful Cybersecurity Skills the Energy Sector Needs Most
    Pam Baker, Contributing Writer,  6/22/2021
    Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
    Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    The State of Cybersecurity Incident Response
    In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-06-24
    In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with &lt...
    PUBLISHED: 2021-06-24
    The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing with unformatted packet and lead to a crash. A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume the memory sustainabl...
    PUBLISHED: 2021-06-23
    Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
    PUBLISHED: 2021-06-23
    A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
    PUBLISHED: 2021-06-23
    A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.