National Infrastructure Security Co-Ordination Centre

NISCC Vulnerability Advisory 758884/NISCC/DNS

Vulnerability Issues in Implementations of the DNS Protocol



Version Information

Advisory Reference: 758884/NISCC/DNS
Release Date: 9 November 2004
Last Revision: 11 November 2004
Version Number: 1.2


What is Affected?

The vulnerabilities described in this advisory affect the Domain Name System (DNS) protocol. Many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all.

Please note that the information contained within this advisory is subject to change. All subscribers are therefore advised to regularly check the UNIRAS website (http://www.uniras.gov.uk/vuls/2004/758884/index.htm) for updates to this notice.


Severity

The severity of these vulnerabilities varies by vendor. Please see the vendor section below for further information. Alternatively contact your vendor for product specific information.

If exploited, these vulnerabilities could allow an attacker to create a Denial of Service condition.


Summary

Several vulnerabilities have been discovered within the Domain Name System (DNS) protocol by two DNS experts, Roy Arends and Jakob Schlyter.

The Domain Name System (DNS) protocol is an Internet service that translates domain names into Internet Protocol (IP) addresses. Because domain names are alphabetic, they are easier to remember; however, the Internet is really based on IP addresses, so every time a domain name is requested, a DNS service must translate the name into the corresponding IP address.

NISCC wishes to advise users of the availability of a test tool that is designed to confirm the existence of vulnerabilities in the DNS protocol.

All users of applications that support DNS are recommended to take note of this advisory and carry out any remedial actions suggested by their vendor(s).


Details

The Domain Name System (DNS) is basically a database of host information. The DNS protocol is utilised to identify servers by their IP addresses and aliases given their registered domain name. The request is usually simple, including just the name of the server. The response however can be quite complex, because it will contain all the addresses and aliases that the server might have. A DNS query is sent to a name server to provoke a response; a DNS response then either answers the query, refers the requester to another set of name servers or signals some error condition. Please refer to RFC 1034:Section 3.7, RFC 1034:Section 4.1, RFC 1034:Section 4.3.1 and RFC 1035:Section 4.1.1 for further information on the query-response relationship within the DNS protocol.

The relevant vulnerabilities are a result of liberal interpretation of the DNS protocol by implementors. DNS uses a message format to provide a mechanism to resolve domain names into IP addresses; a message can either be a 'query' or a 'response'. If the protocol is implemented in such a way that a 'response' is allowed to be answered with a 'response', messages bounce back and forth between the servers, causing a query-response storm that can result in a denial of service.

In addition, if such an implementation is sent a query that appears to originate from the localhost on UDP port 53, the server will respond to itself and keep responding to its own responses, entering a loop which can exhaust system resources and result in a denial of service.
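The check that prevents both conditions described above, as an added example that is not part of the NISCC advisory or any vendor's code: a receive-side filter that reads the QR bit from the DNS header (RFC 1035 Section 4.1.1), and an in-memory model of two servers showing the exchange with and without it. The function names, the own-address policy and the 192.0.2.x addresses are assumptions made for the illustration.

```python
import ipaddress
import struct

QR_BIT = 0x8000   # flags bit 15: 0 = query, 1 = response (RFC 1035 section 4.1.1)
DNS_PORT = 53
# Constructed sample: a standard query for example.com, type A, class IN.
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"


def should_answer(datagram, src_ip, src_port, own_ips):
    """Return (send_a_reply, reason) for a datagram received on UDP port 53."""
    if len(datagram) < 12:
        return False, "drop: shorter than the 12-byte header"
    _ident, flags = struct.unpack("!HH", datagram[:4])
    if flags & QR_BIT:
        # Never answer a response, not even with an error reply.
        return False, "drop: QR=1, message is a response"
    src = ipaddress.ip_address(src_ip)
    # Assumed policy: nothing legitimate queries us from our own address, port 53.
    if src_port == DNS_PORT and (src.is_loopback or src_ip in own_ips):
        return False, "drop: query claims to come from our own port 53"
    return True, "answer"


def error_reply(datagram):
    """Header-only reply: same ID, QR set, RCODE 1 (format error)."""
    ident, flags = struct.unpack("!HH", datagram[:4])
    return struct.pack("!6H", ident, ((flags | QR_BIT) & 0xFFF0) | 1, 0, 0, 0, 0)


def exchange(first, hardened, max_hops=20):
    """Count datagrams delivered between two in-memory servers (no sockets)."""
    servers = ["192.0.2.1", "192.0.2.2"]   # documentation addresses, hypothetical hosts
    msg, hops, rx = first, 0, 0
    while hops < max_hops:
        hops += 1                          # msg arrives at servers[rx] from the peer's port 53
        ok, _reason = should_answer(msg, servers[1 - rx], DNS_PORT, {servers[rx]})
        if hardened and not ok:
            break                          # hardened server stays silent, loop ends
        msg = error_reply(msg)             # reply (header-only in this model)
        rx = 1 - rx
    return hops


if __name__ == "__main__":
    print("lax servers:     ", exchange(QUERY, hardened=False), "datagrams (capped)")
    print("hardened servers:", exchange(QUERY, hardened=True), "datagrams")
```

Without the filter the exchange only stops at the hop cap; with it, the first response is dropped silently and the exchange ends after two datagrams.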

Vendor specific information will be released as it becomes available and if vendor permission has been received. Subscribers are advised to check the following URL regularly for updates:

http://www.uniras.gov.uk/vuls/2004/758884/index.htm

[Please note that updates to this advisory will not be notified by email.]

This vulnerability has been assigned the CVE name CAN-2004-0789.


Mitigation

Patch all affected implementations.


Solution

Please refer to the Vendor Information section of this advisory for platform specific remediation.


Vendor Information

The following vendors have provided information about how their products are affected by these vulnerabilities.

Please note that JPCERT/CC have released a Japanese language advisory for this vulnerability which contains additional information regarding Japanese vendors. This advisory is available at http://jvn.jp/niscc/NISCC-758884.html.

Axis, Cisco, DNRD, Hewlett-Packard, ISC, JDNSS, JH Software, Juniper, Men & Mice, MyDNS, Posadis, Sprint, Wind River

Axis

The DNS issues that Roy Arends had identified in Axis products have now been eliminated.

The affected products and firmware release versions are:

Axis 2400+ Network Video Server - Release 3.13
Axis 2401+ Network Video Server - Release 3.13
Axis 2460 Network DVR - Release 3.13
Axis 2100 Network Camera - Release 2.42 (Currently release candidate and will be official soon)
Axis 2110 Network Camera - Release 2.42 (Currently release candidate and will be official soon)
Axis 2120 Network Camera - Release 2.42 (Currently release candidate and will be official soon)
Axis 2420 Network Camera - Release 2.42

The firmware releases can be downloaded from Axis Support page http://www.axis.com/techsup/firmware.php.

Cisco

Cisco Systems is evaluating the vulnerabilities identified by NISCC #758884. At this time the Cisco PSIRT is not aware of any Cisco products which are vulnerable to this issue. Should an issue be found, Cisco will release a Security Advisory. The most up-to-date information on all Cisco product security issues may be found at http://www.cisco.com/go/psirt/.

DNRD

Not vulnerable from version 2.11 and above.

Hewlett-Packard

HP has determined that we are not impacted by this vulnerability.

ISC

BIND (all versions) is not affected by this vulnerability.

JDNSS

The JDNSS team would like to thank NISCC for notifying us of the possible vulnerabilities; our testing shows JDNSS is not vulnerable to these exploits.

JH Software

JH Software products are not vulnerable to this vulnerability.

Juniper

Juniper Networks products are not susceptible to this vulnerability.

Men & Mice

The Men & Mice Suite, which is a DNS and IP management suite, is not affected by this vulnerability.

QuickDNS Server, a DNS server for Mac OS 8 and 9 which is no longer sold by Men & Mice, was updated to address this vulnerability in the following versions and on the following dates:

3.5.2 released October 10, 2001
2.2.3 released October 22, 2001

MyDNS

MyDNS 0.10.1 and all later versions are not vulnerable.

Posadis

Posadis have updated their product to guard against this vulnerability. For more detail, please visit the Posadis Security Advisory at http://www.posadis.org/security/pos_adv_006.txt.

Sprint

Sprint products are not susceptible to this vulnerability.

Wind River

Wind River's response to Vulnerability Advisory 758884/NISCC/DNS:

Wind River does not ship a DNS server with its products and therefore we believe that we are not vulnerable to the attacks specified in this vulnerability report.


Acknowledgements

NISCC wishes to thank the following:

Roy Arends for his contributions to this advisory.

Jakob Schlyter, who helped establish the initial list of vulnerable implementations.

JPCERT/CC for their assistance in co-ordinating this disclosure in Japan.


References

Related RFC

RFC 1034: http://www.faqs.org/rfcs/rfc1034.html
RFC 1035: http://www.faqs.org/rfcs/rfc1035.html

Related Advisories

CERT/CC: http://www.kb.cert.org/vuls/id/887766
JPCERT/CC: http://jvn.jp/niscc/NISCC-758884.html


Contact Information

The NISCC Vulnerability Management Team can be contacted as follows:

Email: vulteam@niscc.gov.uk (Please quote the advisory reference in the subject line.)

Telephone: +44 (0)870 487 0748 Extension 4511 (Monday to Friday, 08:30 - 17:00)

Fax: +44 (0)870 487 0749

Post: Vulnerability Management Team, NISCC, PO Box 832, London, SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key. This is available from http://www.uniras.gov.uk/UNIRAS.asc.

Please note that UK government protectively marked material should not be sent to the email address above.

If you wish to be added to our email distribution list, please email your request to uniras@niscc.gov.uk.


What is NISCC?

For further information regarding the UK National Infrastructure Security Co-Ordination Centre, please visit the NISCC web site at: http://www.niscc.gov.uk/aboutniscc/index.htm

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.

© 2004 Crown Copyright


Revision History

9 November 2004: Initial release (1.0)
10 November 2004: Added vendor statement for ISC (1.1)
11 November 2004: Updated vendor statement for Cisco (1.2)

<End of NISCC Vulnerability Advisory>