Rixstep

DNS Cache Poisoning - Are You Safe?

The patch is out after a half year's research but you can still be vulnerable.


There's a deep-rooted flaw in the Internet DNS system. The flaw can be exploited to create the most sophisticated phishing ever: you see the right URL and you're truly requesting the right URL but the DNS system still sends you off to a rogue IP.

The flaw also involves client code. It's been known for half a year. After a half year of extremely secretive work a patch has been released. But you may still be vulnerable.

To check now if you are still vulnerable click here.

Preliminary tests show that both OS X 10.4 and 10.5 are vulnerable, up to and including the latest security updates and Leopard version 10.5.4, and that earlier versions of OS X (Jaguar, Panther) are 'sometimes' vulnerable. No results are available yet for 10.6 Snow Leopard.

Details Secret Until 6 August

Dan Kaminsky of DoxPara Research found the flaw half a year ago. Since then he's been working with people from all over the globe to analyse the flaw, come up with a way to patch it, and get the patches ready for everyone at once.

Dan Kaminsky will make the details of the vulnerability available 6 August 2008. This gives everyone time to patch the flaw. Fortunately the flaw is hard to trace even after the patch is applied so malware attacks should be held to an absolute minimum.

For the time being Kaminsky summarises the situation as follows.

  1. It's a bug found on many platforms.
  2. It's a design bug and so manifests itself identically on many platforms.
  3. Fixes for all major platforms were made available on the same day.
  4. 'This has not happened before. Everything is genuinely under control.'

After that you wait for Black Hat.

Affected Systems

According to CERT the following systems are affected.

3com, Akamai, Alcatel, Apple, AT&T, Avaya, Avici, BlueCat, Check Point, Cisco, Conectiva, Cray, D-Link, Data Connection, Debian, DragonFly BSD, EMC, Engarde Secure Linux, Ericsson, Extreme Networks, F5 Networks, Fedora, Force10, Foundry Networks, FreeBSD, Fujitsu, Gentoo, Gnu ADNS, GNU glibc, Hewlett-Packard, Hitachi, Honeywell, IBM, IBM Z Series, IBM eServer, Infoblox, Ingrian, Intel, ISC, Juniper, Linux Kernel Archives, Lucent, Luminous, Mandriva, Men & Mice, Metasolv, Microsoft, MontaVista, Motorola, Multinet, Multitech, NEC, NetApp, NetBSD, Netgear, Network Appliance, Nixu, NLnet Labs, Nokia, Nominum, Nortel, Novell, OpenBSD, Openwall, PowerDNS, QNX, Red Hat, Redback, Shadowsupport, Siemens, SGI, Slackware, Sony, Sun, SUSE, SCO, Trustix, Turbolinux, Ubuntu, Wind River Systems, ZyXEL.

Applying port randomisation should be enough to thwart hack attempts for now and Kaminsky's online test checks precisely this capability.
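
As an added example (not from the original article and not the code behind Kaminsky's checker), the following Python function shows the kind of judgement a port-randomisation test makes, given the UDP source ports a resolver used for successive queries as recorded by a server receiving them. The function name, the two thresholds and the sample port lists are assumptions constructed for illustration.

```python
import statistics

MAX_STEP = 16        # assumed: consecutive ports this close together count as a counter
MIN_STDEV = 3000.0   # assumed: a uniform spread over 1024-65535 gives about 18600

def assess_source_ports(ports):
    """Rate the UDP source ports seen on successive queries from one resolver."""
    if len(ports) < 5:
        raise ValueError("need at least 5 observed queries to judge")
    if any(not 0 < p < 65536 for p in ports):
        raise ValueError("port out of range")
    unique = len(set(ports))
    # Step between consecutive queries, modulo 2**16, so that a decrease
    # becomes a large step and is not mistaken for a small increment.
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    stdev = statistics.pstdev(ports)
    if unique == 1:
        verdict = "FIXED"        # one port for every query: no randomisation
    elif all(s <= MAX_STEP for s in steps):
        verdict = "SEQUENTIAL"   # incrementing counter: the next port is predictable
    elif stdev < MIN_STDEV:
        verdict = "NARROW"       # ports vary, but only inside a small pool
    else:
        verdict = "RANDOMISED"
    return {"verdict": verdict, "unique": unique, "stdev": round(stdev, 1)}

# Constructed sample observations, not captured traffic.
SAMPLES = {
    "single fixed port": [32771] * 8,
    "incrementing ports": [49152, 49153, 49154, 49155, 49157, 49158, 49160, 49161],
    "small port pool": [5012, 5040, 5003, 5061, 5019, 5033, 5007, 5055],
    "randomised ports": [51234, 10456, 33871, 61002, 2890, 44719, 18033, 57310],
}

if __name__ == "__main__":
    for label, ports in SAMPLES.items():
        print(f"{label:20} {assess_source_ports(ports)}")
```

Any verdict other than RANDOMISED means the resolver, or a NAT device rewriting its source ports on the way out, still needs attention.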

See Also
DoxPara: DNS Cache Poisoning Check
Dan Kaminsky/YouTube: Sarah on DNS
US-CERT: Vulnerability Note VU#800113
DoxPara Research: An Astonishing Collaboration

Copyright © Rixstep. All rights reserved.