Security: Thoughts on Latest DNS Vulnerability

While on a quick trail run before work this morning, I was thinking about yesterday's announcement of a serious vulnerability in the DNS protocol. For those that don't know, yesterday Dan Kaminsky announced that there's a fundamental flaw in the DNS protocol. Shortly thereafter the United States Computer Emergency Readiness Team (US-CERT) issued a security advisory titled, "Multiple DNS implementations vulnerable to cache poisoning".

Since we're talking about a fundamental flaw within the DNS protocol itself, many implementations of DNS are considered to be vulnerable. DNS, in a nutshell, is what translates human readable and memorizable names, such as www.blackhat.com, to IP addresses that can get routed through the Net, such as 66.240.206.90.

BlackHat has made available a recording of the press conference at which Karminsky made the public announcement. Karminsky has also made available an online tool to check whether or not the primary DNS server you're using is vulnerable. A recent post on NANOG has a link to a perl script that allows one to run Karminsky's DNS checker against any nameserver.

I've heard a few individuals state that this latest vulnerability isn't critical in nature. We do know that Karminsky will be releasing full details of the vulnerability at next month's BlackHat in Las Vegas. It is also possible that exploit code could emerge prior since Karminsky did narrow down the area in which the DNS design flaw exists. Though Karminsky has stated, "This is not enough information to reverse engineer the flaw," I believe it's an extremely risky assumption for businesses to base delaying the patching of their vulnerable name servers upon.

Looking at a risk matrix, I see the this DNS vulnerability as a high risk:

Likelihood of exploitation: LOW/MEDIUM [ within 30 days]
Impact of exploitation: HIGH
-----------------
Risk Rating: HIGH

One individual I know had stated, "In terms of DNS, the world isn't any more dangerous today than it was yesterday." However, we're not just dealing with randomization of source ports which had been known publicly for several years (back in 2005). We're also dealing with the weak entropy in the DNS transfer id (DNS XID). I believe that the risk, or danger, has increased.

In some uncomfortable way, this latest issue with DNS reminds me of the levees in New Orleans that were known to have severe vulnerabilities. Eventually the threat (heavy rain) exploited (broke) the vulnerability (failing levees) resulting in negative impact (flooding, financial loss and loss of life). Ignoring the vulnerability with the levees didn't remove the risk or make things any "safer".

I'm interested to see what Karminsky produces at the upcoming BlackHat.

Steve Zenone
###

[UPDATE - 7/10/2008]: Yet another option to test your nameserver is to use the dig hack from Duane Wessels; from a unix shell type 'dig +short @nameserver-to-be-tested porttest.dns-oarc.net TXT'.

A vulnerable nameserver will display the following output:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"nameserver-you-tested is POOR: 22 queries in 0.6 seconds from 1 ports with std dev 0.00"

In turn, a better maintained nameserver will return the following:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"nameserver-you-tested is GOOD: 22 queries in 0.6 seconds from 1 ports with std dev 0.00"