

Secrecy and the DNS flaw

By Jake Edge
July 9, 2008

By now, most folks will have seen reports of the design flaw discovered in DNS as it has seen fairly widespread coverage, even in the non-technical press. It is rare to see such a coordinated disclosure and security update amongst that many of the big players in the computer industry. While fixes abound, the actual problem has yet to be disclosed, which has both positives and negatives.

Responsible disclosure policies dictate that vulnerabilities be kept secret until all affected vendors can create an update. Because this flaw is in the design of DNS, most implementations were affected. This still doesn't quite explain the roughly six months between the discovery of the problem and the release of the fix. Evidently it took a meeting of the minds at the Microsoft campus in March to decide upon the right course of action. Once the fixes were done, presumably they were released on the next "patch Tuesday"—Microsoft's monthly security update day.

Normally, once fixes are available, information about the vulnerability is released. But, for a number of reasons, that has not happened in this case. One of the main reasons is that DNS is an essential internet service and it will take time for affected users to patch their systems. In addition, there have been no reports of this flaw being exploited "in the wild", reducing the pressure to divulge it.

Security researcher Dan Kaminsky discovered the flaw and he has yet another, "blatantly selfish" reason for keeping it quiet as he would like to be able to announce it at Black Hat in Las Vegas in early August:

While I'm out there, trying to get all these bugs scrubbed — old and new — please, keep the speculation off the public forums and IRC channels. We're a curious lot, and we want to know how things break. But the public needs at least a chance to deploy this fix, and from a blatantly selfish perspective, I'd kind of like my thunder not to be completely stolen in Vegas.

None of these seems like a horrible reason to keep the vulnerability quiet for a time (roughly 30 days), but they do leave some DNS implementations and worried administrators without the information they need to evaluate the situation. Administrators do not know what traffic patterns or other symptoms to look for to determine whether exploits are being attempted. Smaller, less prominent DNS implementations were not included in the collaboration, so they don't have enough information to decide whether they are vulnerable.

A perfect example is Dnsmasq, a lightweight DNS server for smaller networks. Dnsmasq is often used in embedded Linux distributions targeted for home wireless routers. Simon Kelley, Dnsmasq developer, was asked about the vulnerability; his response speaks volumes:

I wasn't contacted in advance about this, and no patch for dnsmasq has been released. Since the exact nature of the new vulnerability has not (as far as I know) been announced, I don't know if dnsmasq is vulnerable.

Kelley has since released a patched version, but it is still unknown whether it is needed or, really, if it even fixes the problem. It is difficult to know for sure that a security hole has been closed if information about the hole is not available. This points to the problems that can come from withholding vulnerability information.

Based on the patches and some information from Kaminsky and others, it is clear that this is a cache poisoning vulnerability. Since source port randomization is the change that was applied to alleviate, but not eliminate, the flaw, we can surmise that Kaminsky found a way to reduce the number of spoofed replies that need to be sent to something tractable. According to the Internet Systems Consortium, developers of the BIND DNS server, the only true solution is DNSSEC, which implies that the current fixes only make cache poisoning less likely, not impossible.

Source port randomization is a technique that Daniel J. Bernstein (djb) has advocated for many years; he implemented it in his djbdns name server long ago. Essentially, the name server chooses a random UDP source port for each query it sends, which increases the amount of randomness an attacker must correctly guess before a forged reply will be accepted into the cache.
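The two points above, how much guessing work port randomization adds on top of the transaction ID, and the fact that administrators have no ready way to tell whether their resolver is randomizing, can be illustrated with a small model. The following is an added example, not code from the article or from BIND, djbdns or Dnsmasq; it assumes a 16-bit transaction ID and a source-port pool of 1024..65535, and the port samples it analyses are constructed rather than captured.

```python
"""Model of what source port randomization adds to a resolver's defence, plus
a check an administrator can run over the source ports of a resolver's own
outgoing queries.  Added example; not code from the article or from BIND,
djbdns or Dnsmasq.  Port samples below are constructed, not captured."""
import math
import random
from collections import Counter

TXID_BITS = 16                        # DNS transaction IDs are 16 bits wide
EPHEMERAL_PORTS = range(1024, 65536)  # assumed source-port pool (assumption)


def sequential_fraction(ports):
    """Fraction of consecutive samples that repeat or increase by one.
    A fixed or incrementing port allocator scores near 1.0; random picks
    from a large pool score near 0."""
    if len(ports) < 2:
        return 0.0
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if s in (0, 1)) / len(steps)


def port_entropy_bits(ports):
    """Empirical Shannon entropy of the sampled ports, in bits.  With far
    fewer samples than ports this is capped at log2(len(ports)), so it is a
    lower bound on the allocator's real entropy, not an exact figure."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def looks_randomized(ports, min_bits=8.0, max_sequential=0.1):
    """Defender-side check over observed query source ports: both a spread of
    distinct ports AND no incrementing pattern are required.  An incrementing
    allocator has high entropy but is trivially predictable."""
    return (port_entropy_bits(ports) >= min_bits
            and sequential_fraction(ports) <= max_sequential)


def guess_space_bits(port_randomized, n_ports=len(EPHEMERAL_PORTS)):
    """Bits an off-path sender must match: the transaction ID alone, or the
    transaction ID plus the source port once ports are randomized."""
    return TXID_BITS + (math.log2(n_ports) if port_randomized else 0.0)


def forgery_success_probability(forged_replies, space_bits):
    """Probability that at least one of `forged_replies` independent guesses
    matches the (txid, port) pair the resolver is waiting on."""
    p_one = 2.0 ** -space_bits
    return 1.0 - (1.0 - p_one) ** forged_replies


# Constructed samples standing in for ports seen on a resolver's queries.
FIXED_PORTS = [32768] * 1000
INCREMENTING_PORTS = list(range(32768, 33768))
RANDOM_PORTS = random.Random(2008).choices(EPHEMERAL_PORTS, k=1000)

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORTS),
                         ("incrementing", INCREMENTING_PORTS),
                         ("random", RANDOM_PORTS)]:
        print(f"{name:13s} entropy={port_entropy_bits(sample):5.2f} bits "
              f"seq={sequential_fraction(sample):.2f} "
              f"randomized={looks_randomized(sample)}")
    for randomized in (False, True):
        bits = guess_space_bits(randomized)
        print(f"port randomized={randomized!s:5s} space={bits:5.1f} bits "
              f"P(success | 65536 forged replies)="
              f"{forgery_success_probability(65536, bits):.2e}")
```

The entropy figure is only a lower bound from a sample, so a resolver can pass this check while still using a weak generator; the page's point that DNSSEC is the only complete fix stands.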

While the market share of Dnsmasq may be minuscule, there are certainly other DNS implementations in the same position. In addition, we are relying on those who are "in the know" to be on the lookout for suspicious traffic that might indicate the vulnerability being exploited. Kaminsky is certainly under no obligation to reveal anything, but one wonders if the safest course would have been for him to provide details now, even at the expense of his "thunder".

Comments (15 posted)

Brief items

Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released

Dan Kaminsky has found a flaw in the design of DNS that can allow cache poisoning, as an article details. This has led to a CERT advisory as well as a coordinated release of patched DNS servers from all affected vendors. Evidently source port randomization is helpful in alleviating the problem. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible." That last claim seems rather strong; time will tell, but it makes sense to be prepared to upgrade affected servers as soon as distributions make them available.

Comments (28 posted)

Mozilla Foundation developing a model for a security metric (heise online)

An article at heise online describes Mozilla's new security metrics project, which is an attempt to measure the relative security of Firefox. "One of the main factors cited is how long Firefox users are exposed to a threat while a hole remains unpatched. The developers say they want to use the security metric derived from the results to identify any problematic stage in the development and patch process."

Comments (none posted)

New vulnerabilities

bind9: DNS cache poisoning

Package(s): bind9    CVE #(s): CVE-2008-1447
Created: July 8, 2008    Updated: March 16, 2010
Description: From the Debian advisory: Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.
Gentoo 201209-25 vmware-player 2012-09-29
rPath rPSA-2010-0018-1 bind 2010-03-15
Fedora FEDORA-2009-1069 dnsmasq 2009-01-29
Gentoo 200901-03 pdnsd 2009-01-11
Fedora FEDORA-2009-0350 bind 2009-01-14
Gentoo 200812-17 ruby 2008-12-16
Slackware SSA:2008-334-01 ruby 2008-12-01
Ubuntu USN-651-1 ruby1.8 2008-10-10
Debian DSA-1619-2 python-dns 2008-09-22
Gentoo 200809-02 dnsmasq 2008-09-04
SuSE SUSE-SR:2008:017 powerdns, dnsmasq, python, mailman, ruby, Opera, neon, rxvt-unicode, perl, wireshark, namazu, gnome-screensaver, mysql 2008-08-29
SuSE SUSE-SA:2008:041 openwsman 2008-08-14
Debian DSA-1617-1 refpolicy 2008-07-25
Red Hat RHSA-2008:0789-01 dnsmasq 2008-08-11
Debian DSA-1623-1 dnsmasq 2008-07-31
Slackware SSA:2008-205-01 dnsmasq 2008-07-24
rPath rPSA-2008-0231-1 bind 2008-07-19
rPath rPSA-2008-0230-1 bind 2008-07-18
Slackware SSA:2008-191-02 bind 2008-07-10
Mandriva MDVSA-2008:139 bind 2007-07-09
Fedora FEDORA-2008-6281 bind 2008-07-09
Ubuntu USN-622-1 bind9 2008-07-08
CentOS CESA-2008:0533 bind 2008-07-08
CentOS CESA-2008:0533 bind 2008-07-09
Debian DSA-1604-1 bind 2008-07-08
Debian DSA-1603-1 bind9 2008-07-08
Debian DSA-1619-1 python-dns 2008-07-27
Ubuntu USN-627-1 dnsmasq 2008-07-22
Gentoo 200807-08 bind 2008-07-11
SuSE SUSE-SA:2008:033 bind 2008-07-11
Fedora FEDORA-2008-6256 bind 2008-07-09
Debian DSA-1605-1 glibc 2008-07-08
CentOS CESA-2008:0533 bind 2008-07-09
Red Hat RHSA-2008:0533-01 bind 2008-07-09

Comments (none posted)

glib2: buffer overflow

Package(s): glib2    CVE #(s): CVE-2008-2371
Created: July 3, 2008    Updated: April 9, 2010
Description: The glib2 library has a heap-based overflow that is caused by incorrect option handling in pcre.
Ubuntu USN-624-2 erlang 2010-04-09
Mandriva MDVSA-2009:023 php 2009-01-21
Gentoo 200811-05 php 2008-11-16
rPath rPSA-2008-0305-1 pcre 2008-10-27
Ubuntu USN-628-1 php5 2008-07-23
Mandriva MDVSA-2008:147 pcre 2007-07-15
Ubuntu USN-624-1 pcre3 2008-07-15
Slackware SSA:2008-210-09 pcre 2008-07-29
Gentoo 200807-03 libpcre 2008-07-07
Fedora FEDORA-2008-6110 pcre 2008-07-06
Fedora FEDORA-2008-6111 pcre 2008-07-06
Debian DSA-1602-1 pcre3 2008-07-05
Fedora FEDORA-2008-6048 glib2 2008-07-03
SuSE SUSE-SR:2008:014 sudo, courier-authlib, gnome-screensaver, clamav, php5, ImageMagick, GraphicsMagick, mtr, bind, pcre, tomcat, squid, freetype2 2008-07-04
Fedora FEDORA-2008-6025 glib2 2008-07-03

Comments (none posted)

jetty: multiple vulnerabilities

Package(s): jetty    CVE #(s): CVE-2007-5615 CVE-2007-5614 CVE-2007-5613
Created: July 7, 2008    Updated: February 17, 2009
Description: From the Red Hat bugzilla:

For CVE-2007-5613: "Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies."

For CVE-2007-5614: "Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors."

For CVE-2007-5615: "CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors."

SuSE SUSE-SR:2009:004 apache, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools,opensc, perl, phpPgAdmin, sbl, sblim-sfcb, squirrelmail, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, xine-devel 2009-02-17
Fedora FEDORA-2008-6141 jetty 2008-07-06
Fedora FEDORA-2008-6164 jetty 2008-07-06

Comments (none posted)

linuxdcpp: denial of service

Package(s): linuxdcpp    CVE #(s): CVE-2008-2953 CVE-2008-2954
Created: July 3, 2008    Updated: December 9, 2008
Description: From the Red Hat bug report:

CVE-2008-2953: Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via "partial file list requests" that trigger a NULL pointer dereference.

CVE-2008-2954: client/NmdcHub.cpp in Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via an empty private message, which triggers an out-of-bounds read.

Mandriva MDVSA-2008:236-1 vim 2008-12-08
Mandriva MDVSA-2008:236 vim 2008-12-03
Fedora FEDORA-2008-6018 linuxdcpp 2008-07-03
Fedora FEDORA-2008-6038 linuxdcpp 2008-07-03

Comments (none posted)

mercurial: unauthorized access

Package(s): mercurial    CVE #(s): CVE-2008-2942
Created: July 3, 2008    Updated: July 18, 2008
Description: From the National Vulnerability Database: Directory traversal vulnerability in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.
SuSE SUSE-SR:2008:015 moddle, clamav, zypper, mercurial, poppler 2008-07-18
Gentoo 200807-09 mercurial 2008-07-15
rPath rPSA-2008-0211-1 mercurial 2008-07-03

Comments (none posted)

openldap: denial of service

Package(s): openldap    CVE #(s): CVE-2008-2952
Created: July 3, 2008    Updated: October 17, 2008
Description: From the National Vulnerability Database: liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams, which triggers an assertion error.
SuSE SUSE-SR:2008:021 cups, hplip, apache2-mod_php5, openldap2 2008-10-17
Debian DSA-1650-1 openldap2.3 2008-10-12
Gentoo 200808-09 openldap 2008-08-08
rPath rPSA-2008-0249-1 openldap 2008-08-11
Ubuntu USN-634-1 openldap2.2, openldap2.3 2008-08-01
Mandriva MDVSA-2008:144 openldap 2007-07-11
CentOS CESA-2008:0583 openldap 2008-07-09
Red Hat RHSA-2008:0583-01 openldap 2008-07-09
Fedora FEDORA-2008-6029 openldap 2008-07-03
Fedora FEDORA-2008-6062 openldap 2008-07-03

Comments (none posted)

php: multiple vulnerabilities

Package(s): php    CVE #(s): CVE-2007-1649 CVE-2008-2107 CVE-2008-2108 CVE-2008-2829
Created: July 4, 2008    Updated: June 1, 2009
Description: From the CVE entries:

PHP 5.2.1 allows context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with S:, which does not properly track the number of input bytes being processed. (CVE-2007-1649)

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed. (CVE-2008-2107)

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions. (CVE-2008-2108)

php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message. (CVE-2008-2829)

Fedora FEDORA-2009-3768 php 2009-04-21
Fedora FEDORA-2009-3848 php 2009-04-21
Debian DSA-1789-1 php5 2009-05-04
rPath rPSA-2009-0035-1 php 2009-03-02
SuSE SUSE-SR:2008:027 squirrelmail, gnutls, rubygem-activerecord, rubygem-actionpack, samba, dbus-1, pdns, php5, pam_krb5 2008-12-09
Slackware SSA:2008-339-01 php 2008-12-05
Gentoo 200811-05 php 2008-11-16
Ubuntu USN-628-1 php5 2008-07-23
CentOS CESA-2008:0545 php 2008-07-16
CentOS CESA-2008:0544 PHP 2008-07-16
Red Hat RHSA-2008:0545-01 php 2008-07-16
Red Hat RHSA-2008:0546-01 PHP 2008-07-16
Red Hat RHSA-2008:0544-01 PHP 2008-07-16
Red Hat RHSA-2008:0582-01 PHP 2008-07-22
Mandriva MDVSA-2008:130 php4 2008-07-03
Mandriva MDVSA-2008:129 php4 2008-07-03
Mandriva MDVSA-2008:128 php 2008-07-03
Mandriva MDVSA-2008:127 php 2008-07-03
Mandriva MDVSA-2008:125 php 2008-07-03
Mandriva MDVSA-2008:126 php 2007-07-03

Comments (none posted)

phpMyAdmin: cross-site scripting

Package(s): phpMyAdmin    CVE #(s): CVE-2008-2960
Created: July 7, 2008    Updated: February 2, 2009
Description: From the NVD entry:

Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/.

SuSE SUSE-SR:2009:003 boinc-client, xrdp, phpMyAdmin, libnasl, moodle, net-snmp, audiofile, xterm, amarok, libpng, sudo, avahi 2009-02-02
Mandriva MDVSA-2008:131 phpMyAdmin 2008-07-04

Comments (none posted)

pidgin: buffer overflow

Package(s): Pidgin    CVE #(s): CVE-2008-2927
Created: July 9, 2008    Updated: December 7, 2009
Description: The MSN protocol handler in pidgin contains an integer overflow vulnerability.
Mandriva MDVSA-2009:321 pidgin 2009-12-06
Debian DSA-1870-1 pidgin 2009-08-19
Mandriva MDVSA-2009:173 pidgin 2009-07-29
Mandriva MDVSA-2009:147 pidgin 2009-06-30
Mandriva MDVSA-2009:140 gaim 2009-06-25
Mandriva MDVSA-2009:127 gaim 2009-06-03
Fedora FEDORA-2009-5597 pidgin 2009-05-28
Fedora FEDORA-2009-5552 pidgin 2009-05-28
Fedora FEDORA-2009-5583 pidgin 2009-05-28
Gentoo 200905-07 pidgin 2009-05-25
Debian DSA-1805-1 pidgin 2009-05-22
CentOS CESA-2009:1060 pidgin 2009-05-22
Red Hat RHSA-2009:1060-02 pidgin 2009-05-22
Red Hat RHSA-2009:1059-02 pidgin 2009-05-22
Gentoo 200901-13 pidgin 2009-01-20
Ubuntu USN-675-2 gaim 2008-11-24
Ubuntu USN-675-1 pidgin 2008-11-24
rPath rPSA-2008-0246-1 gaim 2008-08-05
Debian DSA-1610-1 gaim 2008-07-15
Mandriva MDVSA-2008:143 pidgin 2008-07-10
CentOS CESA-2008:0584 Pidgin 2008-07-09
CentOS CESA-2008:0584 Pidgin 2008-07-09
Red Hat RHSA-2008:0584-01 Pidgin 2008-07-09

Comments (none posted)

poppler: memory management bug

Package(s): poppler    CVE #(s): CVE-2008-2950
Created: July 9, 2008    Updated: September 12, 2008
Description: Poppler (prior to version 0.6.3-r1) contains "a memory management issue" which can be exploited (via a specially crafted PDF file) to run arbitrary code.
Fedora FEDORA-2008-7012 poppler 2008-09-11
Fedora FEDORA-2008-7104 poppler 2008-08-07
Mandriva MDVSA-2008:146 poppler 2008-07-15
Gentoo 200807-04 poppler 2008-07-08
Ubuntu USN-631-1 poppler 2008-07-28
SuSE SUSE-SR:2008:015 moddle, clamav, zypper, mercurial, poppler 2008-07-18
rPath rPSA-2008-0223-1 poppler 2008-07-09
Debian DSA-1606-1 poppler 2008-07-09

Comments (none posted)

ruby: directory traversal vulnerability

Package(s): ruby    CVE #(s): CVE-2008-1891
Created: July 3, 2008    Updated: October 10, 2008
Description: From the National Vulnerability Database: Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and functionality and the :DocumentRoot option.
SuSE SUSE-SR:2008:017 powerdns, dnsmasq, python, mailman, ruby, Opera, neon, rxvt-unicode, perl, wireshark, namazu, gnome-screensaver, mysql 2008-08-29
Mandriva MDVSA-2008:140 ruby 2008-07-09
Mandriva MDVSA-2008:141 ruby 2007-07-09
Fedora FEDORA-2008-6094 ruby 2008-07-04
Fedora FEDORA-2008-6033 ruby 2008-07-03

Comments (none posted)

ruby: integer overflow

Package(s): ruby    CVE #(s): CVE-2008-2376
Created: July 3, 2008    Updated: December 17, 2008
Description: Ruby has an integer overflow vulnerability in the rb_ary_fill() function.
Gentoo 200812-17 ruby 2008-12-16
Ubuntu USN-651-1 ruby1.8 2008-10-10
Debian DSA-1612-1 ruby1.8 2008-07-21
Debian DSA-1618-1 ruby1.9 2008-07-26
CentOS CESA-2008:0561 ruby 2008-07-14
Red Hat RHSA-2008:0561-01 ruby 2008-07-14
CentOS CESA-2008:0562 ruby 2008-07-15
Mandriva MDVSA-2008:142 ruby 2008-07-09
Mandriva MDVSA-2008:141 ruby 2007-07-09
Mandriva MDVSA-2008:140 ruby 2008-07-09
rPath rPSA-2008-0218-1 ruby 2008-07-08
Fedora FEDORA-2008-6094 ruby 2008-07-04
Fedora FEDORA-2008-6033 ruby 2008-07-03

Comments (none posted)

sipp: buffer overflows

Package(s): sipp    CVE #(s): CVE-2008-2085
Created: July 9, 2008    Updated: July 9, 2008
Description: The sipp tool suffers from multiple buffer overflows, which enable denial of service attacks and possibly remote code execution.
Fedora FEDORA-2008-6219 sipp 2008-07-09
Fedora FEDORA-2008-6210 sipp 2008-07-09

Comments (none posted)

squid: denial of service

Package(s): squid    CVE #(s): CVE-2004-0918
Created: July 3, 2008    Updated: July 9, 2008
Description: From the National Vulnerability Database: The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that causes a memory allocation error.
SuSE SUSE-SR:2008:014 sudo, courier-authlib, gnome-screensaver, clamav, php5, ImageMagick, GraphicsMagick, mtr, bind, pcre, tomcat, squid, freetype2 2008-07-04
Fedora FEDORA-2008-6045 squid 2008-07-03

Comments (none posted)

vsftpd: denial of service

Package(s): vsftpd    CVE #(s): CVE-2008-2375
Created: July 9, 2008    Updated: July 30, 2008
Description: Another denial of service vulnerability based on a memory leak has been found in vsftpd; this one is exploitable by way of invalid authentication attempts.
Red Hat RHSA-2008:0680-01 vsftpd 2008-07-24
Red Hat RHSA-2008:0579-01 vsftpd 2008-07-24
CentOS CESA-2008:0579 vsftpd 2008-07-25
rPath rPSA-2008-0217-1 vsftpd 2008-07-08

Comments (none posted)

webkit: memory corruption

Package(s): WebKit    CVE #(s): CVE-2008-2307
Created: July 9, 2008    Updated: November 24, 2008
Description: WebKit suffers from a memory corruption issue in its JavaScript array handling code, leading to denial of service problems and the potential for remote code execution.
Fedora FEDORA-2008-6186 WebKit 2008-07-08
Fedora FEDORA-2008-6220 WebKit 2008-07-09

Comments (none posted)

Page editor: Jake Edge

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds