SECURITYVULNS:DOC:12418
Apr 26, 2006

NISCC - Vulnerability Issues in Implementations of the DNS Protocol


UNIRAS (UK Gov CERT)
Advisory Type: Briefing
Id: 20060425-00311 Ref: 307/06 Date: 25 April 2006 Time: 12:57

Title: NISCC - Vulnerability Issues in Implementations of the DNS Protocol

Abstract: The vulnerabilities described in this advisory affect implementations of the Domain Name System (DNS) protocol. Many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all.

Vendors affected: multiple

Operating Systems affected: multiple

Applications/Services affected: Domain Name System (DNS)

Title

NISCC - Vulnerability Issues in Implementations of the DNS Protocol

Detail

NISCC Vulnerability Advisory 144154/NISCC/DNS

Vulnerability Issues in Implementations of the DNS Protocol

Version Information


Advisory Reference 144154/NISCC/DNS
Release Date 25 April 2006
Last Revision 25 April 2006
Version Number 1.0

Acknowledgement


The DNS Test Tool was created by the Oulu University Secure Programming Group
(OUSPG) from the University of Oulu in Finland.

What is affected?


The vulnerabilities described in this advisory affect implementations of the
Domain Name System (DNS) protocol. Many vendors include support for this protocol
in their products and may be impacted to varying degrees, if at all.

Please note that the information contained within this advisory is subject to
changes. All subscribers are therefore advised to regularly check the NISCC
website (http://www.niscc.gov.uk) for
updates to this notice.

Impact


If exploited, these vulnerabilities could cause a variety of outcomes including,
for example, a Denial-of-Service (DoS) condition. In most cases, they can expose
memory corruption, stack corruption or other types of fatal error conditions. Some
of these conditions may expose the protocol to typical buffer overflow exploits,
allowing arbitrary code to execute or the system to be modified.

Severity


The severity of this vulnerability varies by vendor. Please see the 'Vendor
Information' section below for further information. Alternatively, contact your
vendor for product specific information.

Summary


During 2002 the Oulu University Secure Programming Group (OUSPG) discovered a number
of implementation specific vulnerabilities in the Simple Network Management Protocol
(SNMP). Further work has been done to identify implementation specific
vulnerabilities in related protocols that are used in critical infrastructure. The
DNS protocol, which is the primary naming system used on the Internet, was studied
as part of this program of work.

DNS is an Internet service that translates domain names into Internet Protocol (IP)
addresses and vice versa. Because domain names are alphabetic, they are easier to
remember; however, the Internet is really based on IP addresses, so every time
a domain name is requested, a DNS service must translate the name into the
corresponding IP address.

OUSPG has developed a PROTOS DNS Test Suite for DNS implementations and employed it
to validate their findings against a number of products from different vendors.
NISCC has contacted multiple vendors whose products support the DNS protocol and
provided them with the test tool to allow them to test their implementations. NISCC
believes that most of the relevant vendors who provide support for the DNS protocol
have been covered by this advisory.

[Please note that revisions to this advisory will not be notified by email. All
subscribers are advised to regularly check the NISCC website
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]

Details


DNS is a system that stores information associated with domain names in a distributed
database on networks, such as the Internet. The domain name system associates many
types of information with domain names, but most importantly, it provides the IP
address associated with the domain name. It also lists mail exchange servers accepting
e-mail for each domain.

The OUSPG DNS Test Suite covers a limited set of information security and robustness
related implementation errors for the DNS protocol.

The factors behind choosing DNS included:

  • DNS is a fundamental infrastructure of the Internet, and most Internet applications
    are dependent on it.

  • DNS implementations are ubiquitous, present in servers, end-user equipment such as
    personal computers and mobile phones, and in routers and firewalls. Therefore DNS may
    be a potential attack vector in a variety of scenarios against a variety of
    systems and infrastructure components.

  • There are no free, publicly available robustness test suites to evaluate DNS
    implementations.

The material contained in the test suite covers basic queries, dynamic updates, basic
responses and zone transfers. However, please be aware that the test material does not
cover cache poisoning or address spoofing vulnerabilities.

There are three sets of test materials available with the tool; these are specifically
designed for the following scenarios:

  1. The Query Material -> [queries, dynamic DNS updates] -> DNS server
  2. The Response Material -> [query replies] -> DNS server
  3. The Response Material -> [query replies] -> DNS stub resolver (client)
  4. The Zone Transfer Material -> [zone transfers] -> secondary DNS server

The test material simulates hostile input to the DNS implementation by sending invalid
and/or abnormal packets. Therefore by applying the OUSPG DNS Test Suite to a variety of
products, several vulnerabilities can be revealed that can have varying effects.
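
As an added illustration (not part of the NISCC advisory or the OUSPG test suite), the C routine below shows the bounds checking a DNS implementation needs when decoding a domain name from an untrusted message. The advisory does not list the specific malformations in the test material; the checks are assumptions drawn from the RFC 1035 wire format, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255                 /* RFC 1035 limit on an encoded name */
#define HDR "\0\0\0\0\0\0\0\0\0\0\0\0"   /* 12-byte header, zeroed (constructed) */
/* Constructed sample messages: header followed by name data only. */
static const uint8_t GOOD[] = HDR "\3www\7example\3com\0" "\4mail\300\020";
static const uint8_t LOOP[] = HDR "\1a\300\014";   /* pointer back to offset 12 */
static const uint8_t OVERRUN[] = HDR "\77abc";     /* claims 63 bytes, has 3 */

/* Decode the name at msg[off] as dotted text; -1 on any malformed input. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t outsz)
{
    size_t n = 0, wire = 0, jumps = 0;
    for (;;) {
        if (off >= len) return -1;               /* ran off the packet */
        uint8_t c = msg[off];
        if (c == 0) break;                       /* root label ends the name */
        if ((c & 0xC0) == 0xC0) {                /* compression pointer */
            if (off + 1 >= len) return -1;       /* truncated pointer */
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (target >= off || ++jumps > 127) return -1; /* backward, bounded */
            off = target;
            continue;
        }
        if (c & 0xC0) return -1;                 /* reserved label type */
        if (c > len - off - 1) return -1;        /* label overruns the packet */
        wire += (size_t)c + 1;
        if (wire + 1 > DNS_MAX_NAME) return -1;  /* name too long (stops loops) */
        if (n + c + 2 > outsz) return -1;        /* label, '.', NUL must fit */
        memcpy(out + n, msg + off + 1, c);
        n += c;
        out[n++] = '.';
        off += (size_t)c + 1;
    }
    if (n == 0) { if (outsz < 2) return -1; out[n++] = '.'; }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[256];
    int r = dns_read_name(GOOD, sizeof GOOD - 1, 29, buf, sizeof buf);
    printf("%d %s\n", r, r < 0 ? "(malformed)" : buf);
    return 0;
}
```

Every length and offset taken from the message is checked against the packet size and the output buffer before it is used, so the looping and overrunning samples are rejected rather than processed.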

Mitigation


Patch all affected implementations.

Solution


Please refer to the 'Vendor Information' section of this advisory for platform specific
remediation.

Vendor Information


A complete list of vendor responses to this vulnerability is available on our website.
Please visit the website at http://www.niscc.gov.uk/niscc/vulnAdv-en.html in order to view
the latest vendor statements.

Credits


The NISCC Vulnerability Management Team would like to thank OUSPG for producing the DNS
Test Tool.

The NISCC Vulnerability Management Team would also like to thank the vendors for their
co-operation in handling this vulnerability and to JPCERT/CC for co-ordinating this issue
in Japan.

Contact Information


The NISCC Vulnerability Management Team can be contacted as follows:

Email [email protected]
Please quote the advisory reference in the subject line

Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00

Fax +44 (0)870 487 0749

Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be sent to the email
address above.

If you wish to be added to our email distribution list please email your request to
[email protected].

What is NISCC?


For further information regarding the UK National Infrastructure Security Co-ordination
Centre, please visit http://www.niscc.gov.uk.

Reference to any specific commercial product, process, or service by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by NISCC. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within
this advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.

© 2006 Crown Copyright
<End of NISCC Vulnerability Advisory>

Acknowledgements

UNIRAS wishes to acknowledge the contributions of the NISCC Vulnerability Management Team for the information contained in this Briefing.

Updates

This advisory contains the information released by the original author. Some of the information may have changed since it was released. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem.

Legal Disclaimer

Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.

FIRST

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.