Massive, Coordinated Patch To the DNS Released

tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."

Oh cool!

[RockMFR]

http://www.doxpara.com/ [doxpara.com]

Your name server, at 65.24.7.3, appears vulnerable to DNS Cache Poisoning.

Sweet!

Sinisterness

[COMON$]

FTA The good news is this is a really strange situation where the fix does not immediate reveal the vulnerability and reverse engineering isn't directly possible.

FTA Update: Dan just released a "DNS Checker" on his site Doxpara.com to see if you are vulnerable to the issue.

in other news

Sooooooo, Im supposed to run a random file on my network to check an unknown DNS issue...this just reminds me all too much of those "download our program to fix all your antispyware issues" alerts.

And finally the obligatory profit usage:

1. Find a vulerability

2. Dont tell anyone what said vulnerability is.

3. Release malware in the form of a "Patch" to "Fix" the issue exploiting thousands of servers.

4. ???

5. PROFIT!

Re:Oh cool!

[brunascle]

http://www.doxpara.com/

Your name server, at 65.24.7.3, appears vulnerable to DNS Cache Poisoning.

In fact, we arent even www.doxpara.com, we just hacked your name server. That's how we know.

Re:Sinisterness

[StreetStealth]

Still, it's not exactly like you clicked a banner with a lame attempt at a bouncing, fake window telling you your DNS software was in immediate need of a fix and that this combination patch and shopping buddy would fix it.

Re:More independent verification needed

[Anpheus]

If you're using a Linux DNS server that's open source, why don't you just read through the source code and find out what changed, I mean, psht, it's so easy?

Yes, I'm being sarcastic.

Finally...!

[JackassJedi]

I'm (sort of) a native German speaker, in which "DNA" is abbreviated "DNS" ("DesoxyribonukleinsÃure" with "sÃure" being "acid").
Needless to say, my first impression of the headline was way more futuristic than what is there.

Re:More independent verification needed

[dvice_null]

> Microsoft's own DNS implementation is also affected

Did anyone else notice that today is Tuesday?

Re:Finally...!

[Anonymous Coward]

With humour like that, I can see where the two world wars came from...

Re:More independent verification needed

[InlawBiker]

It's easy, you just look for a comment like: /* BEGIN bug causing possible MASSIVE future EXPLOIT. */

Re:More independent verification needed

[74nova]

It could also be near something like //fsck it, I'm going to lunch

Re:Let the DJBing begin!

[Cyberax]

Uhm...

DJB-ware is now in _public_ _domain_. That's even more liberal than the BSD license.

So, update your /etc/hate file with newer facts...

Re:So give a layman explanation

[smittyoneeach]

Recommendation is more CERTS, as they will help with the sand breath.

Re:More independent verification needed

[Dan667]

If I was a hacker I would look for that comment to find an exploit in the first place. And other like

// this is ugly, but it seems to work
// remember to fix this later
// whoever wrote this sucks

Re:not that big of a problem

[negRo_slim]

In other words, if you're stupid enough not to change your password, you're going to get your router hacked. No fucking shit, Sherlock.

Ahhh the joys of default passwords. I remember my high school's implementation of network security which had a few default passwords just waiting be found via lycos... or was it hotbot back then?

Either way when it was discovered I was assuming control of my work station to increase screen resolution to effectively use the IDE they had provided, well they slapped me on the wrist and brought me back down to 640x480 for security reasons of course. When I said fuck it and wrote a program that changed the resolution for me with the skills I had been taught in that class... Oddly enough instead of a passing grade my school year dramatically shortened. ie Explusion.

Stupidity and default passwords ftw!

Re:More independent verification needed

[lgw]

Oh, the only one your *really* need to look for is // should never happen

although // drunk now, fix later

is also good.

Re:More independent verification needed

[es330td]

it is good to have a sysadmin who can write programs in binary

I'd like to meet one of these sysadmins. I've written system stuff in C and other stuff in Pascal, C++ and Perl over the years but the guy that can write direct to binary must really know his stuff. Just think, his keyboard only needs two keys!

Re:DJBDNS not affected.

[Just Some Guy]

Note that DJBDNS (and derivatives) are not affected, since it uses randmoized source ports for DNS resolving.

Also not affected: DJBDNS's IPv6 and IXFR functionality, since Dan didn't want to bother implementing them.

Re:Finally...!

[Koiu Lpoi]

"sÃure"

Welcome to the fail that is "no unicode on slashdot". Enjoy your stay.

Re:My first response is to call Bullshit

[Shados]

Its a problem in the protocol. So the only systems that would not be vulnerable are those that did -not- follow the specs. Guess Windows is safe, since Microsoft never follows the specs :)

Re:Let the DJBing begin!

[Anders]

Attention all DJB software fans, here's another chance to champion the superiority of DJB's software.

Yup, and we even have the time, as we are not busy patching our servers!

Re:Reverse Engineering?

[HTH NE1]

When an absolute statement is modified with an adverb, the statement is not generally true. Examples:

• "does not immediate[ly] reveal"
  
• "isn't directly possible"
  
• "the statement is not generally true"

Re:not that big of a problem

[morgan_greywolf]

Nope. It's a cashing nameserver. That's why I'm rich and you're not. :-P

Re:More independent verification needed

[QuantumRiff]

No, its binary, real men solder a telegraph device to the motherboard, and just push down for 1, up for 0, Really, really fast!

Re:More independent verification needed

[QuantumRiff]

Have you ever seen the oppositte? A bunch of coders trying to be sys-admins.. scary! Was the first admin at a software dot-com, they wanted to know why the network, consisting of a dozen $50 100MB "Switches" they got a staples daisy chained together were so slow.. I can understand their idea, as in theory, it should work, but in reality it doesn't. (kinda like when I program. It always compiles, doesn't always work...)

Re:Let the DJBing begin!

[myowntrueself]

Don't forget to include positive commentary on the licensing and patch status.

Anyone who champions DJB software already has to bear the burden of running qmail. It doesn't get much worse than that already.

Re:More independent verification needed

[Tekzel]

We are all duly impressed with your superhuman abilities. We recognize that you are a superior form of human being, and should really be placed in your rightful place as Emporer of Earth. We are but children compared to the greatness that is you.

ok, who let the Debian guys loose again?

[spir0]

from http://www.kb.cert.org/vuls/id/800113 [cert.org]: "The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID."

Just put the real seed back into the code.

obrant: and who the frak releases advisories in DOC format in the 21st century?

Re:More independent verification needed

[somersault]

/* John was hit by a bus last week :( I have no idea what he was doing here, I'll just return 1 and hope for the best.. */

Re:More independent verification needed

[somersault]

No. This last week, as often happens, I blindly wandered through the hours in a haze of narcotics and alcohol, vomiting onto my co-workers and randomly saying "whuth day is ih..??". This culminated in me forgetting that it is the second Tuesday in July and therefore due to a long and boring story, the one time in the year where I am meant to come home and cook dinner for the start of a romantic evening with my beloved wife. I think it was rather the straw that broke the camel's back, and she's just this minute left me for a tall Puerto Rican calendar designer. He always knows what day it is.

Oooooh wait, you mean like patch tuesday? Gotcha..

Re:Any name server?

[rs79]

" Everybody else is being patched to the level of security that we djbdns users have always had. Not to be *too* smug, of course."

Bingo.

If we were being smug we'd say something like "what do you expect when cert advisories are published as doc files?".

Re:Any name server?

[Russ Nelson]

Reportedly, djb wears all black, not all-aluminum. If I were you, I'd start wearing all black also.