Massive Coordinated Vendor Patch For DNS
Dan “Doxpara” Kaminsky today released information about a fundamental design flaw in the architecture of DNS which, if properly exploited, would allow a malicious party to impersonate any website they wanted to. This issue affects every single version of DNS. The flaw primarily affects DNS servers, but it can also affect clients in certain scenarios. Patches are available, or will be available soon, from Microsoft, Sun, ISC and Cisco, to name just a few. Due to the potential risks of this vulnerability, its details are not currently being released. In order to allow users time to patch, Dan will not release full details until Blackhat 2008. What I do know at this point is that the flaw allows a malicious party to poison DNS caches, and that the fix improves the situation by increasing the randomness of source port selection. Dan has posted a widget on this website that allows users to check whether their DNS servers are vulnerable. Feel free to throw out your theories as to the actual nature of the vulnerability, or your feelings on whether or not this was responsible disclosure.
[Edit: More details from ISC and Microsoft.]
[Edit2: The transaction ID (16 bits of randomness) is not random enough. The patch also adds randomness to the source port and requires that both the source port and the transaction ID match for a query to be considered valid.]
[Edit3: DJBdns is in fact not affected, as DJB had already implemented source port randomization even though he didn’t know it was an issue.]
[Edit4: Executive Overview from securosis.]
[Edit5: More reading here via the crypto mailing list.]
[Edit6: And more reading: from djb and Paul Vixie.]
[Edit7: Matasano’s Ptacek has peeked inside the kimono and says it’s the real deal. — cw]
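To make Edit2 concrete, here is an added illustration (my own model, not code from Dan, ISC or any vendor) of the resolver-side acceptance check before and after the patch, and of how much a blind forger must guess per query. The ephemeral port range (1024..65535) and the fixed source port of 53 for an unpatched resolver are assumptions for the sake of the numbers.

```python
"""Model of the DNS reply-validation check before and after the patch.

Unpatched: a UDP reply is accepted if its 16-bit transaction ID (TXID)
matches an outstanding query. Patched: the reply's destination port must
also equal the randomized source port the query was sent from.
All constants below are illustrative assumptions, not measured values."""
import math
import secrets
from dataclasses import dataclass

TXID_SPACE = 1 << 16          # 16-bit transaction ID
PORT_SPACE = 65536 - 1024     # assumed ephemeral range 1024..65535
FIXED_PORT = 53               # assumed fixed source port of an unpatched resolver


@dataclass(frozen=True)
class OutstandingQuery:
    name: str
    txid: int
    src_port: int


def send_query(name: str, randomize_port: bool) -> OutstandingQuery:
    """Record what the resolver will require of a valid reply to this query."""
    txid = secrets.randbelow(TXID_SPACE)
    port = 1024 + secrets.randbelow(PORT_SPACE) if randomize_port else FIXED_PORT
    return OutstandingQuery(name, txid, port)


def reply_accepted(q: OutstandingQuery, reply_txid: int,
                   reply_dst_port: int, check_port: bool) -> bool:
    """Unpatched (check_port=False): TXID only. Patched: TXID and port must match."""
    if reply_txid != q.txid:
        return False
    return (not check_port) or reply_dst_port == q.src_port


def blind_guess_bits(check_port: bool) -> float:
    """Entropy, in bits, a blind forger must guess for one outstanding query."""
    bits = math.log2(TXID_SPACE)
    return bits + math.log2(PORT_SPACE) if check_port else bits


def expected_blind_guesses(check_port: bool) -> int:
    """Mean number of uniformly random forged replies before one is accepted."""
    return TXID_SPACE * (PORT_SPACE if check_port else 1)


if __name__ == "__main__":
    for patched in (False, True):
        print(f"patched={patched}: ~{blind_guess_bits(patched):.1f} bits, "
              f"~{expected_blind_guesses(patched):,} guesses per query")
```

The point is the ratio: port randomization multiplies the guess space by roughly 64,000, which is why a TXID-only resolver is the one at risk even though the TXID itself is unchanged by the patch.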
Dan always seems to do very interesting work with DNS. I remember summarizing the talk he gave at LISA ’06 for ;login: magazine. It was fascinating stuff. I think his talk is what really got me fired up about security research.
The thing that I found interesting was that djb wrote about XID not cutting it back in 2001, in one of those eerily prescient writings one occasionally comes across. Of course, I do not know the details of this vuln, but by all reports source port randomization (or lack thereof) is involved.