[GTER] Simultaneous Queries DNS Spoofing Vulnerability

Jordi jordi at terra.com.br
Mon May 19 11:41:44 -03 2003

Hello everyone,

I don't know whether this subject has already been covered on this list.
Here is the alert.


(1) HIGH: Simultaneous Queries DNS Spoofing Vulnerability

Affected Products:
ISC BIND 4.9.11 and prior
ISC BIND 8.2.7 and prior, and 8.3.4 and prior
Other DNS server implementations may also be vulnerable

A remote attacker can use an adaptation of the probabilistic "birthday
attack" to trick a DNS server into accepting a spoofed name query
response with far fewer packets than a brute force attack requires. If
the attacker generates multiple spoofed DNS queries for the same
resource record sourced from different IP addresses, a vulnerable
server will forward all of the queries, thus entering a state where
there are multiple open server requests for the same record. At this
point the attacker can send many spoofed DNS replies to the server,
and has a surprisingly good chance of successfully causing the server
to accept a fake response.

Risk: Remote attackers can cause DNS servers to accept, and possibly
cache, false DNS record information. By controlling the mapping between
hostnames and IP addresses in this manner, attackers can masquerade
as any desired Internet server.

Deployment: Huge. Some experts estimate that 60% of currently deployed
DNS servers are vulnerable.

Ease of Exploitation: Straightforward. This attack has been reasonably
well known in the DNS developer community for some time, thus it is
likely that attackers were also aware of the vulnerability prior to
the public announcement. Some reports indicate that the vulnerability
is being actively exploited.

Status: Vendor confirmed. The recommended action is to upgrade to BIND
9.2.1. Administrators can also reduce risk by limiting a server's
use of recursion, as non-recursive name servers are more resistant
to exploitation.


CERT Vulnerability Note:

CAIS/RNP (Brazilian Research Network PSIRT) Security Advisory:

Bugtraq Discussions:

Council Site Actions:
Some council members are treating the issue as already well-known and
are taking no immediate action to upgrade servers, but are watching for
signs of exploitation and taking other actions to mitigate risk. Other
sites are either already running BIND 9 or have recommended that
administrators upgrade to BIND 9.
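As an added illustration (not part of the forwarded advisory), the following Python model quantifies the risk the advisory describes: how many packets a spoofer needs once a server holds several outstanding queries for one record, compared with the single-outstanding-query case. It assumes the 16-bit transaction ID is the only unpredictable field to match; the function names and the Monte Carlo check are constructed for this example.

```python
"""Birthday model of DNS reply spoofing against a resolver with several
outstanding queries for the same record. Constructed example, not advisory
text. Assumption: the 16-bit transaction ID is the only field the spoofer
has to guess (true for a server that reuses one fixed source port)."""
import random

ID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def brute_force_success(replies):
    """One outstanding query: each spoofed reply is a single guess at one ID."""
    return min(1.0, replies / ID_SPACE)


def birthday_success(outstanding, replies):
    """`outstanding` open queries for the same record (random IDs) versus
    `replies` spoofed answers (random IDs); any reply matching any open
    query is accepted. Each reply misses independently with probability
    1 - outstanding/ID_SPACE."""
    return 1.0 - (1.0 - outstanding / ID_SPACE) ** replies


def packets_for_probability(target):
    """Smallest n such that n spoofed queries plus n spoofed replies reach
    the target success probability under the birthday model."""
    n = 1
    while birthday_success(n, n) < target:
        n += 1
    return n


def simulate(outstanding, replies, trials=2000, seed=1):
    """Monte Carlo check of birthday_success: draw random IDs for the open
    queries and for the spoofed replies and count trials with a collision."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        open_ids = {rng.randrange(ID_SPACE) for _ in range(outstanding)}
        if any(rng.randrange(ID_SPACE) in open_ids for _ in range(replies)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    n = packets_for_probability(0.5)
    print(f"birthday model: {n} queries + {n} replies -> {birthday_success(n, n):.3f}")
    print(f"brute force   : {n} replies, one open query -> {brute_force_success(n):.5f}")
    print(f"simulated     : {simulate(n, n):.3f}")
```

The comparison shows why holding a single outstanding query per record (or not recursing at all) matters: at a few hundred packets the birthday case is near a coin flip while the single-query case is still well under one percent.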
