Vulnerability to cache poisoning -- the rest of the solution
Chris Buxton
cbuxton at menandmice.com
Fri Jul 11 23:01:22 UTC 2008
On Jul 11, 2008, at 11:37 AM, Chris Buxton wrote:
> However, that said, this attack is not new. The weakness addressed by
> this latest patch is not some new revelation - it's something we in
> the community have known about for years. It's just that Dan Kaminsky
> is presenting a paper next month at Black Hat telling the world how to
> exploit it.
After some private cage-rattling by Alan Clegg and others, I am
prepared to retract the statement above.

This is not a minor publication of a previously-known vulnerability,
the ability to brute-force the query id and thus forge a response.
This is a new, non-obvious but apparently intuitive method of
poisoning a cache.

I don't know enough about the exploit to be able to say definitively
whether it's truly a case of response forgery or not. I find it
interesting that Microsoft was compelled to release patches for both
the DNS service and the DNS client service (the stub resolver). I've
been told that glibc is also vulnerable, presumably insomuch as it
provides nscd.

Apparently upon being given the gist of the attack vector, without the
full details, other researchers were able to reproduce it in fairly
short order, so it's likely that the bad operators will be able to
exploit this in advance of the full disclosure next month.

Read this:
http://www.securityfocus.com/brief/772

Then go and patch your boxes, and start thinking about how you will
deploy DNSSEC.
Chris Buxton
Professional Services
Men & Mice
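The post refers to the long-known weakness of "brute-forcing the query id and thus forging a response". The following is an added example, not part of Chris Buxton's message or of BIND: a toy Python model of that race. It assumes an off-path attacker who knows a query is in flight and sends a batch of spoofed replies, each with a distinct guessed transaction ID, before the real answer arrives; each query is an independent trial. It compares a resolver whose only unpredictable field is the 16-bit ID with one that also randomises its UDP source port (modelled here as 16 extra bits, a simplification: real implementations use a narrower port range). The sample packet is constructed for the example.

```python
"""Toy model of the DNS transaction-ID guessing race (constructed example)."""
import math
import random
import struct

ID_BITS = 16          # DNS header ID field is 16 bits (RFC 1035)
PORT_BITS = 16        # assumption: source-port randomisation adds ~16 bits


def txid(packet: bytes) -> int:
    """Return the transaction ID from the first two bytes of a DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes")
    return struct.unpack("!H", packet[:2])[0]


# Constructed query: ID 0x1234, RD flag, one question for example.com A.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    + b"\x07example\x03com\x00"
    + struct.pack("!HH", 1, 1)
)


def hit_probability(entropy_bits: int, guesses: int) -> float:
    """Chance that `guesses` distinct spoofed replies contain the right
    (ID[, port]) combination for one in-flight query."""
    space = 1 << entropy_bits
    return min(1.0, guesses / space)


def queries_needed(entropy_bits: int, guesses: int, target: float = 0.5) -> int:
    """Number of queries the attacker must race to reach `target`
    cumulative probability of at least one accepted forgery."""
    p = hit_probability(entropy_bits, guesses)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1 - target) / math.log(1 - p))


def simulate(entropy_bits: int, guesses: int, queries: int, seed: int = 0) -> int:
    """Monte Carlo: count races the attacker wins out of `queries`.

    The resolver picks a uniformly random secret (ID, or ID+port); the
    attacker, who cannot observe it, spoofs `guesses` consecutive values
    starting at a random offset.  For a uniform secret any fixed set of
    distinct guesses has the same hit chance, so this is equivalent to
    guessing arbitrary distinct values and keeps the loop cheap.
    """
    rng = random.Random(seed)
    space = 1 << entropy_bits
    k = min(guesses, space)
    wins = 0
    for _ in range(queries):
        secret = rng.randrange(space)
        start = rng.randrange(space)
        if (secret - start) % space < k:
            wins += 1
    return wins


if __name__ == "__main__":
    print("sample query txid: 0x%04x" % txid(SAMPLE_QUERY))
    for bits, label in ((ID_BITS, "ID only"), (ID_BITS + PORT_BITS, "ID + port")):
        for g in (1000, 65536):
            print(
                "%-10s guesses=%6d  p(hit)=%.2e  queries to 50%%=%d  sim wins/20000=%d"
                % (label, g, hit_probability(bits, g), queries_needed(bits, g),
                   simulate(bits, g, 20000, seed=1))
            )
```

With the ID alone, a thousand spoofed replies per query win roughly one race in 65 and fifty-fifty odds arrive within a few dozen queries; with a 16-bit ID plus a well-randomised port the same effort needs millions of queries. That is the arithmetic behind "patch your boxes", and also why it is a stopgap rather than a fix: it raises the cost of forgery but does not make a forged answer detectable, which is what DNSSEC is for.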