lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
Note that this security update changes BIND network behavior in a
the Windows SMTP service with no or just a few captured DNS queries an
attacker did not even need to guess valid query ids to be able to spoof
legitimate replies successfully.
Prior to MS10-024 the complexity of spoofing responses to Windows SMTP
Service or Microsoft Exchange Server was reduced to just guessing the
source port that originated the query. This lack of validation of
inbound responses was confirmed in practice with a proof of concept
exploit for the SMTP Server MX Record vulnerability disclosed in MS10-024.
MS10-024 also included "defense-in-depth changes" to Microsoft Exchange
2007 and Microsoft Exchange 2010 that added *source port* entropy to DNS
transactions initiated by the SMTP service as stated in the FAQ in the
of "blind" attacks that can be performed against the Transmission
Control Protocol (TCP) and similar protocols. The consequences of
these attacks range from throughput reduction to broken connections
or data corruption. These attacks rely on the attacker's ability to
guess or know the five-tuple (Protocol, Source Address, Destination
Address, Source Port, Destination Port) that identifies the transport
protocol instance to be attacked. This document describes a number
of simple and efficient methods for the selection of the client port
number, such that the possibility of an attacker guessing the exact
value is reduced. While this is not a replacement for cryptographic
methods for protecting the transport-protocol instance, the
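The selection methods the abstract refers to, as an added example that is neither RFC 6056 text nor code from any operating system or resolver: a hash-based ephemeral port selector in the style of the RFC's Algorithm 3 (one global counter plus a keyed per-destination offset), together with a small classifier of the kind a port-randomization test applies to a sample of observed source ports. The port range, the choice of HMAC-SHA256 for F, the 16-byte secret and the sample addresses are assumptions.

```python
"""Added example (not from RFC 6056 or any OS/resolver code): a hash-based
ephemeral port selector in the style of the RFC's Algorithm 3, and a
classifier of the kind a port-randomization test applies to observed ports."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed ephemeral range; RFC 6056 recommends 1024-65535.
MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


class HashedPortSelector:
    """port = min + (next_ephemeral + F(local_ip, remote_ip, remote_port)) % num,
    with next_ephemeral a global counter and F keyed by a per-boot secret."""

    def __init__(self, secret: Optional[bytes] = None, start: Optional[int] = None):
        # The secret must be unpredictable and live for the whole uptime;
        # the counter may start anywhere (RFC 6056 allows a random start).
        self.secret = secrets.token_bytes(16) if secret is None else secret
        self.next_ephemeral = secrets.randbelow(NUM_EPHEMERAL) if start is None else start
        self.in_use = set()   # bound 4-tuples: (local_ip, local_port, remote_ip, remote_port)

    def _offset(self, local_ip: str, remote_ip: str, remote_port: int) -> int:
        # F: HMAC-SHA256 over the 3-tuple (assumed here). Knowing the ports used
        # toward one peer gives no information about the offset for another.
        msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def select(self, local_ip: str, remote_ip: str, remote_port: int) -> int:
        offset = self._offset(local_ip, remote_ip, remote_port)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (self.next_ephemeral + offset) % NUM_EPHEMERAL
            self.next_ephemeral = (self.next_ephemeral + 1) % NUM_EPHEMERAL
            key = (local_ip, port, remote_ip, remote_port)
            if key not in self.in_use:          # the RFC's check_suitable_port()
                self.in_use.add(key)
                return port
        raise OSError("no free ephemeral port toward this peer")

    def release(self, local_ip: str, port: int, remote_ip: str, remote_port: int) -> None:
        self.in_use.discard((local_ip, port, remote_ip, remote_port))


def classify_source_ports(ports: list) -> str:
    """Verdict a randomization test gives on a sample of observed source ports:
    'static' (one port reused), 'sequential' (step of +1 each time, wrapping in
    the range), 'randomized' (no repeat, no fixed step) or 'weak' (repeats)."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    if len(set(ports)) == 1:
        return "static"
    steps = {(b - a) % NUM_EPHEMERAL for a, b in zip(ports, ports[1:])}
    if steps == {1}:
        return "sequential"
    if len(set(ports)) == len(ports):
        return "randomized"
    return "weak"   # repeats without being constant: a small or biased port pool


if __name__ == "__main__":
    sel = HashedPortSelector()
    print(classify_source_ports([48178] * 5))                                   # static
    print(classify_source_ports([sel.select("192.0.2.10", "198.51.100.53", 53) for _ in range(5)]))
    print(classify_source_ports([sel.select("192.0.2.10", f"203.0.113.{i}", 53) for i in range(1, 9)]))
```

Ports toward one fixed peer step by one per connection (the "sequential" verdict above); an observer on that path can predict the next port to that same peer, which is why the RFC also describes a double-hash variant that keeps a separate counter per hashed destination. Ports toward different peers are separated by unrelated HMAC offsets, so an attacker who can make the host talk to an address they control learns nothing about the port used toward the victim's server.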
Debian-specific: no
CVE Id(s) : CVE-2008-1637
Debian Bug : 490069
Thomas Biege discovered that the upstream fix for the weak random number
generator released in DSA-1544-1 was incomplete: source port
randomization still did not use difficult-to-predict random numbers.
This is corrected in this security update.
Here is the text of the original advisory:
Update
======
The previous version of the PowerDNS Recursor (3.1.5) did not
properly address the issue, as UDP source port selection was
insufficiently randomized. We advise all users to upgrade to 3.1.6.
The updated sections appear below.
Affected packages
A vulnerability was found which may allow a remote attacker to cause a
denial of service to Simple DNS Plus
Sending multiple DNS response packets to the source port of the server
This vulnerability is fixed in the new version of Simple DNS Plus 5.1.101.
usage: sdns-dos.pl <dns server> <dns source port> <num of packets>
Exploit written by Exodus.
http://www.blackhat.org.il
Multiple weaknesses have been identified in PyDNS, a DNS client
implementation for the Python language. Dan Kaminsky identified a
practical vector of DNS response spoofing and cache poisoning,
exploiting the limited entropy in a DNS transaction ID and lack of
UDP source port randomization in many DNS implementations. Scott
Kitterman noted that python-dns is vulnerable to this predictability,
as it randomizes neither its transaction ID nor its source port.
Taken together, this lack of entropy leaves applications using
python-dns to perform DNS queries highly susceptible to response
forgery.
transaction ID spoofed by the attacker will arrive before the reply from
the real server, the victim cache will believe the spoofed reply and
cache it.
The attack is made easier because Microsoft DNS server uses fixed source
port for the queries (so the attacker doesn't need to guess the source
port) and usually queries the first nameserver for the domain (so the
attacker only has to spoof the replies from one IP address).
In our testing we were able to reliably inject spoofed replies into the
cache.
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
The BIND 8 legacy code base could not be updated to include the
recommended countermeasure (source port randomization, see DSA-1603-1
for details). There are two ways to deal with this situation:
1. Upgrade to BIND 9 (or another implementation with source port
randomization). The documentation included with BIND 9 contains a
migration guide.
Summary
=======
Multiple Cisco products are vulnerable to DNS cache poisoning attacks
due to their use of insufficiently randomized DNS transaction IDs and
UDP source ports in the DNS queries that they produce, which may allow
an attacker to more easily forge DNS answers that can poison DNS caches.
To exploit this vulnerability an attacker must be able to cause a
vulnerable DNS server to perform recursive DNS queries. Therefore, DNS
servers that are only authoritative, or servers where recursion is not
Debian-specific: no
CVE Id(s) : CVE-2008-1447
Debian Bug : 490271
In DSA-1603-1, Debian released an update to the BIND 9 domain name
server, which introduced UDP source port randomization to mitigate
the threat of DNS cache poisoning attacks (identified by the Common
Vulnerabilities and Exposures project as CVE-2008-1447). The fix,
while correct, was incompatible with the version of SELinux Reference
Policy shipped with Debian Etch, which did not permit a process
running in the named_t domain to bind sockets to UDP ports other than
Description
===========
Amit Klein of Trusteer reported that insufficient randomness is used to
calculate the TRXID values and the UDP source port numbers.
Impact
======
A remote attacker could send malicious answers to insert arbitrary DNS
At this time, it is not possible to implement the recommended
countermeasures in the GNU libc stub resolver. The following
workarounds are available:
1. Install a local BIND 9 resolver on the host, possibly in
forward-only mode. BIND 9 will then use source port randomization
when sending queries over the network. (Other caching resolvers can
be used instead.)
2. Rely on IP address spoofing protection if available. Successful
attacks must spoof the address of one of the resolvers, which may not
Description
===========
Hugo Dias reported a failed assertion in the
originates_from_local_legacy_unicast_socket() function in
avahi-core/server.c when processing mDNS packets with a source port of
0.
Impact
======
Debian-specific: no
CVE Id(s) : CVE-2008-1637
Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a
weak random number generator to create DNS transaction IDs and UDP
source port numbers. As a result, cache poisoning attacks were
simplified. (CVE-2008-1637)
For the stable distribution (etch), these problems have been fixed in
version 3.1.4-1+etch1.
USER DATA LENGTH : 96 octets
UDH LENGTH : 6 octets
UDH : 05 04 0B 84 23 F0
UDH ELEMENTS : 05 - Appl. port addressing 16bit
4 (0x04) Bytes Information Element
09200 : SOURCE port is: allocated by IANA
02948 : DESTINATION port is: allocated by IANA
--- DATA ----------------------
05 04 0B 84 23 F0
USER DATA (TEXT) : %®?ꯂ´„jE
Once again, a DNS cache poisoning against a popular DNS cache
server. This time, it's PowerDNS (the third most popular DNS
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
Unix-like systems) and MSVCRT (used with Microsoft's MSVC for
Windows) are shown to be easily predictable, thus enabling an
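The predictability the abstract asserts, as an added example that is not PowerDNS code and not the paper's own tooling: Python models of glibc's random() (the additive feedback generator behind its rand()) and of MSVCRT's rand() (a 32-bit LCG exposing 15 bits per call), each paired with the prediction an attacker would run after observing a few outputs. The seeds and sample sizes are arbitrary, and the models treat the seed as non-negative.

```python
"""Added example (not PowerDNS code, not Amit Klein's tooling): pure-Python
models of the two rand() implementations the paper names and the prediction
an attacker runs against each once a few outputs (TXIDs, ports) are seen."""

MASK32 = 0xFFFFFFFF
MASK31 = 0x7FFFFFFF


def glibc_random_stream(seed: int, count: int) -> list:
    """Model of glibc srandom(seed)/random() (TYPE_3 additive feedback):
    r[i] = r[i-31] + r[i-3] mod 2^32, output r[i] >> 1, first 344 values
    discarded. Non-negative seeds only in this model."""
    if seed == 0:
        seed = 1
    r = [0] * (344 + count)
    r[0] = seed & MASK32
    for i in range(1, 31):                      # Park-Miller seeding of the table
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344 + count):
        r[i] = (r[i - 31] + r[i - 3]) & MASK32
    return [r[i] >> 1 for i in range(344, 344 + count)]


def predict_next_glibc(outputs: list) -> set:
    """From the 31 most recent outputs the next one is o[-31] + o[-3] mod 2^31
    plus a carry of 0 or 1 from the low bits that the >> 1 discarded."""
    if len(outputs) < 31:
        raise ValueError("need 31 consecutive outputs")
    base = (outputs[-31] + outputs[-3]) & MASK31
    return {base, (base + 1) & MASK31}


def msvcrt_rand_stream(seed: int, count: int) -> list:
    """Model of MSVCRT srand(seed)/rand(): 32-bit LCG, output bits 16..30."""
    state = seed & MASK32
    out = []
    for _ in range(count):
        state = (state * 214013 + 2531011) & MASK32
        out.append((state >> 16) & 0x7FFF)
    return out


def recover_msvcrt_states(observed: list) -> list:
    """States consistent with three or more consecutive observed outputs.
    The first output fixes bits 16..30, the low 16 bits are brute-forced,
    and bit 31 is left clear because it never influences any output."""
    if len(observed) < 3:
        raise ValueError("need at least three consecutive outputs")
    hits = []
    for low in range(1 << 16):
        state = (observed[0] << 16) | low
        for want in observed[1:]:
            state = (state * 214013 + 2531011) & MASK32
            if (state >> 16) & 0x7FFF != want:
                break
        else:
            hits.append((observed[0] << 16) | low)
    return hits


def predict_msvcrt(observed: list, count: int) -> set:
    """Every continuation of `observed` (one, in practice) for `count` outputs."""
    futures = set()
    for state in recover_msvcrt_states(observed):
        for _ in range(len(observed) - 1):       # replay the observed prefix
            state = (state * 214013 + 2531011) & MASK32
        seq = []
        for _ in range(count):
            state = (state * 214013 + 2531011) & MASK32
            seq.append((state >> 16) & 0x7FFF)
        futures.add(tuple(seq))
    return futures


if __name__ == "__main__":
    g = glibc_random_stream(0xC0FFEE, 40)       # arbitrary seed
    print("glibc next in", predict_next_glibc(g[:31]), "actual", g[31])
    m = msvcrt_rand_stream(12345, 8)            # arbitrary seed
    print("msvcrt predicted", predict_msvcrt(m[:3], 5), "actual", tuple(m[3:]))
```

For glibc, 31 consecutive outputs pin the next one down to two candidates (the lower candidate is right about three times in four, since the carry is 1 only when both discarded low bits are set), so each subsequent value costs the attacker at most two guesses instead of a search over 2^16 or 2^31. For MSVCRT, three consecutive outputs recover the generator state outright after a 2^16 search, and every later value follows from it.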
E. The tool sends multiple fake replies with different TXIDs to increase the
probability of hitting the correct TXID. This is useful in reducing the time
needed to generate a "hit". For a server that does not randomize the source
port number, the maximum number of iterations needed is 65536 (an average would
be 32768). However, by sending 10 to 15 TXIDs, for example, the probability of
making a "hit" is higher in a shorter time; an average of ~3000 iterations are
===============
1) Introduction
===============
Doomsday (aka deng) is an open source port of the original Doom code
with tons of enhancements and addons which make it the most advanced
port at the moment.
#######################################################################
> [*] >> ADDRESS: A.B.C.D PORT: 48178
> [*] >> ADDRESS: A.B.C.D PORT: 48178
> [*] >> ADDRESS: A.B.C.D PORT: 48178
> [*] >> ADDRESS: A.B.C.D PORT: 48178
> [*] >> ADDRESS: A.B.C.D PORT: 48178
> [*] FAIL: This server uses static source ports and is vulnerable to poisoning
>
> msf auxiliary(bailiwicked_host) > set SRCPORT 0
> SRCPORT => 0
>
> msf auxiliary(bailiwicked_host) > run
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian's dnsmasq packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
This update also switches the random number generator to Dan
(REXML) could cause a Ruby application using the REXML module to use
an excessive amount of CPU and memory via XML documents with large
XML entity definition recursion (CVE-2008-3790).
The Ruby DNS resolver library used predictable transaction IDs and
a fixed source port when sending DNS requests. This could be used
by a remote attacker to spoof a malicious reply to a DNS query
(CVE-2008-3905).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
* The p_exec_query() function in src/dns_query.c does not properly
handle many entries in the answer section of a DNS reply, related to
a "dangling pointer bug" (CVE-2008-4194).
* The default value for query_port_start was set to 0, disabling UDP
source port randomization for outgoing queries (CVE-2008-1447).
Impact
======
An attacker could exploit the second weakness to poison the cache of
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
II. Problem Description
The BIND DNS implementation does not randomize the UDP source port when
doing remote queries, and the query id alone does not provide adequate
randomization.
III. Impact
exhaustion in rexml.
CVE-2008-3905
Tanaka Akira discovered that the resolv module uses sequential
transaction IDs and a fixed source port for DNS queries, which
makes it more vulnerable to DNS spoofing attacks.
For the stable distribution (etch), these problems have been fixed in
version 1.9.0+20060609-1etch3. Packages for arm will be provided later.
Problem Description:
A vulnerability has been discovered in Avahi before 0.6.24, which
allows remote attackers to cause a denial of service (crash) via a
crafted mDNS packet with a source port of 0 (CVE-2008-5081).
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
Hi Fernando+list
I'm glad to see that someone takes aim at this issue.
However, it seems that your proposal only attempts to address one
consequence of predictable TCP source ports, namely blind TCP attacks
(in all fairness, it appears that the object of your proposal is to
solve the blind TCP attacks, rather than the issue of predictable TCP
source ports; I look at it the other way around...). Naturally this is a
major outcome, but there are still other consequences, perhaps less
severe, such as traffic analysis. For example, the naive (and as
> Because it's just a 16-bit field. DNS is broken. Cache poisoning will
> happen. Those are the facts on the ground. The only argument left
> is the degree of brokenness.
Perhaps. Even so, adding, as you (and many others) suggested previously,
UDP source port (strong) randomization, in combination with strong
transaction ID randomization would make poisoning way way harder than
where it is today. Instead of 16 bits, you'd have ~30 bits of (strong)
randomness. That's much better, and there's no reason I see why it can't
be implemented today.