
UNIRAS Brief - 307/06 - NISCC - Vulnerability Issues in Implementations of the DNS Protocol





----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 307/06 dated 25.04.06  Time: 13:00
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====
NISCC - Vulnerability Issues in Implementations of the DNS Protocol


Detail
====== 

NISCC Vulnerability Advisory 144154/NISCC/DNS

Vulnerability Issues in Implementations of the DNS Protocol

Version Information
-------------------
Advisory Reference  144154/NISCC/DNS
Release Date        25 April 2006
Last Revision       25 April 2006
Version Number      1.0

Acknowledgement
---------------
The DNS Test Tool was created by the Oulu University Secure Programming Group 
(OUSPG) from the University of Oulu in Finland.

What is affected?
-----------------
The vulnerabilities described in this advisory affect implementations of the 
Domain Name System (DNS) protocol. Many vendors include support for this protocol 
in their products and may be impacted to varying degrees, if at all.

Please note that the information contained within this advisory is subject to 
changes. All subscribers are therefore advised to regularly check the NISCC 
website (http://www.niscc.gov.uk) for 
updates to this notice.

Impact
------
If exploited, these vulnerabilities could cause a variety of outcomes including, 
for example, a Denial-of-Service (DoS) condition. In most cases, they can expose 
memory corruption, stack corruption or other types of fatal error conditions. Some 
of these conditions may expose the protocol to typical buffer overflow exploits, 
allowing arbitrary code to execute or the system to be modified.

Severity
--------
The severity of this vulnerability varies by vendor. Please see the 'Vendor 
Information' section below for further information. Alternatively, contact your 
vendor for product-specific information.

Summary
-------
During 2002 the Oulu University Secure Programming Group (OUSPG) discovered a number 
of implementation-specific vulnerabilities in the Simple Network Management Protocol 
(SNMP). Further work has been done to identify implementation-specific 
vulnerabilities in related protocols that are used in critical infrastructure. The 
DNS protocol, which is the primary naming system used on the Internet, was studied 
as part of this program of work.

DNS is an Internet service that translates domain names into Internet Protocol (IP) 
addresses and vice versa. Because domain names are alphabetic, they are easier to 
remember; however, the Internet is really based on IP addresses, so every time 
a domain name is requested, a DNS service must translate the name into the 
corresponding IP address.

OUSPG has developed a PROTOS DNS Test Suite for DNS implementations and employed it 
to validate their findings against a number of products from different vendors. 
NISCC has contacted multiple vendors whose products support the DNS protocol and 
provided them with the test tool to allow them to test their implementations. NISCC 
believes that most of the relevant vendors who provide support for the DNS protocol 
have been covered by this advisory.

[Please note that revisions to this advisory will not be notified by email. All 
subscribers are advised to regularly check the NISCC website 
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]

Details
-------
DNS is a system that stores information associated with domain names in a distributed 
database on networks, such as the Internet. The domain name system associates many 
types of information with domain names, but most importantly, it provides the IP 
address associated with the domain name. It also lists mail exchange servers accepting 
e-mail for each domain.

The OUSPG DNS Test Suite covers a limited set of information security and robustness 
related implementation errors for the DNS protocol. 

The factors behind choosing DNS included:

* DNS is a fundamental infrastructure of the Internet, and most Internet applications 
  are dependent on it.
    
* DNS implementations are ubiquitous, present in servers, end-user equipment 
  such as personal computers and mobile phones, and in routers and firewalls. Therefore 
  DNS may be a potential attack vector in a variety of scenarios against a variety of 
  systems and infrastructure components.

* There are no free, publicly available robustness test suites to evaluate DNS 
  implementations. 

The material contained in the test suite covers basic queries, dynamic updates, basic 
responses and zone transfers. However, please be aware that the test material does not 
cover cache poisoning or address spoofing vulnerabilities.

There are three sets of test materials available with the tool; these are specifically 
designed for the following scenarios:

   1. The Query Material -> [queries, dynamic DNS updates] -> DNS server
   2. The Response Material -> [query replies] -> DNS server
   3. The Response Material -> [query replies] -> DNS stub resolver (client)
   4. The Zone Transfer Material -> [zone transfers] -> secondary DNS server 

The test material simulates hostile input to the DNS implementation by sending invalid 
and/or abnormal packets. Therefore by applying the OUSPG DNS Test Suite to a variety of 
products, several vulnerabilities can be revealed that can have varying effects.
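The following is an added example, not part of the NISCC advisory or the OUSPG test suite: a bounds-checked decoder for DNS wire-format names that rejects abnormal input instead of reading past the packet. The malformations it handles (pointer loops, truncated labels, reserved label types) are assumed, well-known classes; the advisory does not list the suite's individual test cases, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define DNS_MAX_NAME 255  /* RFC 1035 limit on an encoded name */

/* Decode the name at msg[off] into out as dotted text.
 * Returns the text length, or -1 if the encoding is malformed. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_cap)
{
    size_t n = 0;        /* bytes written to out */
    size_t wire = 1;     /* encoded length so far, counting the root byte */
    size_t limit = off;  /* every pointer must target below this offset */
    for (;;) {
        if (off >= msg_len) return -1;             /* ran off the packet */
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                /* compression pointer */
            if (msg_len - off < 2) return -1;      /* second byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= limit) return -1;        /* forward jump or loop */
            limit = off = target;
            continue;
        }
        if (len & 0xC0) return -1;                 /* reserved label type */
        if (len == 0) break;                       /* root label: done */
        if (len > msg_len - off - 1) return -1;    /* label overruns packet */
        wire += (size_t)len + 1;
        if (wire > DNS_MAX_NAME) return -1;        /* encoded name too long */
        if (n + len + 2 > out_cap) return -1;      /* '.' + label + NUL */
        if (n) out[n++] = '.';
        for (size_t i = 0; i < len; i++) out[n++] = (char)msg[off + 1 + i];
        off += (size_t)len + 1;
    }
    if (n >= out_cap) return -1;                   /* no room for NUL */
    out[n] = '\0';
    return (int)n;
}

/* Constructed samples: a 12-byte zeroed header, then name data at offset 12. */
#define HDR 0,0,0,0,0,0,0,0,0,0,0,0
const uint8_t GOOD[]  = {HDR, 3,'c','o','m',0, 3,'w','w','w',0xC0,12};
const uint8_t LOOP[]  = {HDR, 1,'a',0xC0,12};         /* points at itself */
const uint8_t TRUNC[] = {HDR, 9,'s','h','o','r','t'}; /* 9 claimed, 5 sent */
const uint8_t RSVD[]  = {HDR, 0x40,'x',0};            /* reserved 01 bits */

int main(void) {
    char name[256];
    int r = dns_read_name(GOOD, sizeof GOOD, 17, name, sizeof name);
    printf("%d %s\n", r, r < 0 ? "(rejected)" : name);
}
```

Requiring each pointer target to be strictly lower than the previous one guarantees termination, and every length is checked against the remaining packet before any byte is copied.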

Mitigation
----------
Patch all affected implementations.

Solution
--------
Please refer to the 'Vendor Information' section of this advisory for platform-specific 
remediation.

Vendor Information
------------------
A complete list of vendor responses to this vulnerability is available on our website. 
Please visit the website at http://www.niscc.gov.uk/niscc/vulnAdv-en.html in order to view 
the latest vendor statements.

Credits
-------
The NISCC Vulnerability Management Team would like to thank OUSPG for producing the DNS 
Test Tool.

The NISCC Vulnerability Management Team would also like to thank the vendors for their 
co-operation in handling this vulnerability and to JPCERT/CC for co-ordinating this issue 
in Japan.

Contact Information
-------------------
The NISCC Vulnerability Management Team can be contacted as follows:

Email      vulteam@xxxxxxxxxxxx
           Please quote the advisory reference in the subject line

Telephone  +44 (0)870 487 0748 Ext 4511
           Monday - Friday 08:30 - 17:00

Fax        +44 (0)870 487 0749

Post       Vulnerability Management Team
           NISCC
           PO Box 832
           London
           SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key. This is 
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be sent to the email 
address above. 

If you wish to be added to our email distribution list please email your request to 
uniras@xxxxxxxxxxxxx
 
What is NISCC?
--------------
For further information regarding the UK National Infrastructure Security Co-ordination 
Centre, please visit http://www.niscc.gov.uk.
 
Reference to any specific commercial product, process, or service by trade name, trademark, 
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or 
favouring by NISCC. The views and opinions of authors expressed within this notice shall not 
be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within 
this advisory. In particular, they shall not be liable for any loss or damage whatsoever, 
arising from or in connection with the usage of information contained within this notice.

© 2006 Crown Copyright
<End of NISCC Vulnerability Advisory>


----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of the NISCC Vulnerability 
Management Team for the information contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the site of the
original source to ensure that you receive the most current information concerning 
that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>




______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________