Dan Kaminsky breaks DNS, massive multi-vendor patch coming, details at Black Hat Vegas '08



It would seem there's a bigger story to that MS08-037 flaw that came out for Patch Tuesday today.

From Dave Lewis over at the Liquid Matrix security blog:

Today Dan Kaminsky released a first, as far as I can recall. A coordinated patch was released today by Dan Kaminsky of IOActive that fixes a vulnerability that apparently exists in all DNS servers.

Unlike other researchers who give up the gory details, Kaminsky took a wiser path by smiling and nodding. He’ll give up the goods at Black Hat in August. That should give folks enough time to patch their systems.

From CNET:

Toward addressing the flaw, Kaminsky said the researchers decided to conduct a synchronized, multivendor release and as part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco, Sun, and BIND are also expected to roll out patches later on Tuesday.

As part of the coordinated release, Art Manion of CERT said vendors with DNS servers have been contacted, and there’s a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Inc., Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.

Apparently Kaminsky has also provided a DNS checking tool on his site to see if your DNS is vulnerable.

The Liquid Matrix guys also mention that Rich Mogull has more details on the flaw over at the Securosis blog, and that Thomas Ptacek, of the Matasano crew, has some doubts about this flaw, as seen on Twitter. Mogull calls the issue a "major issue in DNS that could allow attackers to easily compromise any name server (it also affects clients)." Mogull goes on to say:

The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn’t directly possible.

Dan asked for some assistance in getting the word out and was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day.

Dan and the vendors did an amazing job with this one. We’ve also attached the official CERT release and an Executive Overview document discussing the issue.

Executive Overview (pdf)

CERT Advisory (doc)

Further, Mogull has released a podcast of his interview with Kaminsky here.

I'll be trying to reach out to Thomas Ptacek and Dan Kaminsky to see if we can get any more details, but we may have to accept that this won't be resolved until Black Hat next month. We'll have full coverage of that event, so stay tuned.

-Nate

Topics: Browser, Networking, Security


Talkback

29 comments
  • What should users of the DNS checking tool expect to see?

    Can you document that a bit more?
    D T Schmitz
    • It makes multiple DNS queries, and checks the source port for each

      It shows you the results of those connections. If the responses always come from the same port, then it tells you you are vulnerable.
      bmerc
  • RE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming, details at

    Your name server, at 10.1.1.1, appears vulnerable to DNS Cache Poisoning.

    All requests came from the following source port: 1278

    Requests seen for 73fe92fc7e07.toorrr.com:
    10.1.1.1:1278 TXID=52428
    10.1.1.1:1278 TXID=45916
    10.1.1.1:1278 TXID=27890
    10.1.1.1:1278 TXID=23416
    10.1.1.1:1278 TXID=38577

    Basically to me it looks like it is showing you that the source port for your requests is predictable, potentially allowing someone to spoof their own DNS response to that port.

    -Nate
    nmcfeters
  • Dan Kaminsky breaks DNS???

    What brainless twit writes these headlines?
    Media Whore
    • Actually, for testers the title fits what he did

      Think of it as jargon. He broke (or not using jargon, he found a problem with the program, a bug if you like) the program or in this case more specifically the protocol. He didn't fix the protocol unless he wrote a code fix for the programmers which I doubt that he did.
      alaniane@...
    • Village idiot

      Brainless twit is depriving a nice village of an idiot.
      allor
    • Wow

      Why throw a negative comment like that without stating your problem with it? Literally, Dan's attack breaks the intended way DNS works, so what's the problem with stating the title as such?

      -Nate
      nmcfeters
  • RE: Dan Kaminsky breaks DNS

    Uhhh Sounds like "Dan Kaminsky FIXES DNS" should be the
    title, but then would we have read it?
    Timpraetor
    • Something has to be broken for it to get fixed

      Dan broke DNS, Dan fixed DNS. Go Dan.

      -Nate
      nmcfeters
  • RE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming, details at Black Hat Vegas '08

    Pretty ironic then that his 'Check My DNS' tool on doxpara.com is broken and just produces the stupid IIS 'The page cannot be found' error.
    vukko
    • No, it's not. It works fine. (nt)

      nt
      bmerc
    • Same here (is working)

      Says my name server appears to be safe
      boony
    • Pretty ridiculous you didn't check it again

      Think of how many hits that page was getting.

      -Nate
      nmcfeters
  • RE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming, details at Black Hat Vegas '08

    If things are good you will see this on the doxpara.com tester:

    Your name server, at 10.0.0.1, appears to be safe.
    Requests seen for deadbeefdeadbeef.toorrr.com:
    10.0.0.1:26156 TXID=4994
    10.0.0.1:26156 TXID=42279
    10.0.0.1:26156 TXID=12037
    10.0.0.1:26156 TXID=58911
    10.0.0.1:34370 TXID=43667

    IPs franked to protect the innocent.
    jrp@...
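The two tester transcripts pasted above (the "appears vulnerable" one with every query leaving port 1278, and the "appears to be safe" one where the port changes) show what bmerc describes: the check is whether the resolver's outbound source port varies between queries. The following script is an added example, not Kaminsky's tool or any code from this page. It parses the `ip:port TXID=n` lines in the format the commenters posted (both transcripts are embedded as sample input, addresses as posted), reports distinct source ports and TXIDs, and estimates how many blind forged replies an attacker would need on average to match both fields. The 2^16 TXID space is the DNS header field size; treating the observed port count as the port space is an assumption made only to show scale.

```python
"""Interpret source-port / TXID tester output (added example, not the doxpara.com tool)."""
import re

# Sample output copied from the two comments above (addresses as the posters gave them).
VULNERABLE_SAMPLE = """\
Requests seen for 73fe92fc7e07.toorrr.com:
10.1.1.1:1278 TXID=52428
10.1.1.1:1278 TXID=45916
10.1.1.1:1278 TXID=27890
10.1.1.1:1278 TXID=23416
10.1.1.1:1278 TXID=38577
"""

SAFE_SAMPLE = """\
Requests seen for deadbeefdeadbeef.toorrr.com:
10.0.0.1:26156 TXID=4994
10.0.0.1:26156 TXID=42279
10.0.0.1:26156 TXID=12037
10.0.0.1:26156 TXID=58911
10.0.0.1:34370 TXID=43667
"""

# One "ip:port TXID=n" line as printed by the tester.
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+TXID=(\d{1,5})$")

TXID_SPACE = 1 << 16  # the DNS transaction ID is a 16-bit header field


def parse_requests(text):
    """Return (resolver_ip, source_port, txid) tuples for every query line found."""
    seen = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return seen


def assess(requests):
    """Classify the observed queries.

    verdict is one of:
      'no-data'       nothing parsed
      'fixed-port'    every query left from one source port (what the tester flags)
      'repeated-txid' ports vary but a TXID was reused within the sample
      'random-port'   more than one source port and no TXID reuse
    """
    if not requests:
        return {"verdict": "no-data", "ports": set(), "txids": set(), "samples": 0}
    ports = {port for _, port, _ in requests}
    txids = {txid for _, _, txid in requests}
    if len(ports) == 1:
        verdict = "fixed-port"
    elif len(txids) < len(requests):
        verdict = "repeated-txid"
    else:
        verdict = "random-port"
    return {"verdict": verdict, "ports": ports, "txids": txids, "samples": len(requests)}


def expected_forgeries(distinct_ports):
    """Expected number of blind forged replies before one matches both the TXID
    and the destination port, assuming (for scale only) the resolver draws uniformly
    from `distinct_ports` ports and all 2^16 TXIDs. With one fixed port this is 65536."""
    return TXID_SPACE * max(1, distinct_ports)


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("safe", SAFE_SAMPLE)):
        result = assess(parse_requests(sample))
        print(label, result["verdict"],
              "ports=%s" % sorted(result["ports"]),
              "distinct txids=%d/%d" % (len(result["txids"]), result["samples"]),
              "expected forgeries=%d" % expected_forgeries(len(result["ports"])))
```

Two caveats a practitioner would want before trusting either transcript. Five queries is a very small sample: four of five from port 26156 in the "safe" run is thin evidence of randomization, so run the check several times. And the tester sees the port as it arrives at the authoritative side, so a NAT or firewall between the resolver and the Internet that rewrites source ports can make a patched resolver look fixed-port, or make an unpatched one behind a randomizing NAT look safe; the result describes the path, not just the name server.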
  • RE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming, details at Black Hat Vegas '08

    Isn't it actually the case that Mr. Kaminsky only discovered that DNS was ALREADY broken, and therefore helped to provide a fix?
    Billsey
    • We have to wait and see

      There's tons of problems with DNS that have been known about. My understanding is that Dan's was something new, and it was devastating enough to get this fixed.

      -Nate
      nmcfeters
  • RE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming, details at

    Of course I'm vulnerable... I use T/W cable/road runner... (ISP)
    catseverywhere@...
  • Is this the cause of the massive failure of Firewalls today

We've been pummeled with complaints that clients cannot access the Internet. This seems to be a direct result of the patches Microsoft downloaded last night. The magic cure is to uninstall your own choice of firewall and use Windows' built-in firewall. Gee Whiz.
    pdavis@...
    • Some software firewalls are failing

      Not sure if this was what you are getting at, but ZoneAlarm for one is not working if you have the MS patch installed (http://www.heise-online.co.uk/news/ZoneAlarm-blocks-internet-access-following-Microsoft-s-DNS-patch--/111076) or directly to Checkpoint's website where they say to remove the patch: http://forums.zonealarm.com/zonelabs/board/message?board.id=Official&message.id=6
      riveroad