More on the DNS Vulnerability

Since my post on this issue yesterday and also Andy Whelan’s post to the ISSA Ireland’s newslist, a number of people have come back to me offline with regards to the current status within the Irish Internet space.  It seems that a number of ISPs, 16 apparently, have not yet patched their DNS servers.  But the biggest challenge appears to be organisations ensuring that their DNS servers are patched.

Here is an excerpt from an email I received that highlights the challenges:

“we’re patched and we have been notifying our clients who have dns servers non-patched.  There is also a worldwide effort by “non-for-profit security organisations” to alert ISP abuse desks, although whether they act or the sysadmins act on the email is anyone’s guess.

There are 35 ISPs in INEX (https://www.inex.ie/about/memberlist), a quick look through a “special list – as of 21/07/2008” shows there were 16 ISPs with DNS servers in their range vulnerable.
The Irish ISPs have patched their main DNS servers, but the problem seems to be their clients who run their own DNS servers, have servers in hosting centres or rogue departmental servers hidden away the IT security teams don’t know about.”

More details are emerging of the nature of this problem (hat tip to Security4all) and active exploit tools are now being used.  So in short:

  • The criminals have a major opportunity to steal more money
  • They have automated tools to achieve that goal
  • They will find vulnerable DNS servers
  • They will exploit those servers
  • If you have a vulnerable DNS server they will exploit it!

So to those 16 ISPs, patch your systems ASAP.  If your normal maintenance window is still a number of weeks away then consider using an emergency window instead.  Talk to your upstream ISPs and ensure they also patch their servers.

To those of you who manage or look after your own DNS servers you need to get the finger out and patch them.
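Whether your own resolver has actually been patched shows up in its outbound traffic: an unpatched server sends every query from one fixed source port, a patched one spreads queries across random ports. The script below is an added example, not part of the original post. It assumes you have recorded the (source port, transaction ID) of successive outbound queries from the resolver you are responsible for (the samples here are constructed inline rather than captured) and flags a fixed source port or sequential transaction IDs.

```python
import math
import random
from collections import Counter

# Constructed samples: (source_port, transaction_id) for 64 successive
# outbound queries as observed on the wire. Neither is a real capture.
UNPATCHED_SAMPLE = [(53, (1000 + i) % 65536) for i in range(64)]
_rng = random.Random(7)  # fixed seed so the "patched" sample is reproducible
PATCHED_SAMPLE = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                  for _ in range(64)]

def entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution; at most log2(n)."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_sequential(values, modulus=65536):
    """True when every step between consecutive values is identical (e.g. +1)."""
    deltas = {(b - a) % modulus for a, b in zip(values, values[1:])}
    return len(deltas) == 1

def assess_resolver(samples):
    """Classify a resolver's query randomisation from captured (port, txid) pairs."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    report = {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "sequential_txids": is_sequential(txids),
    }
    if report["distinct_ports"] == 1:
        report["verdict"] = "FIXED SOURCE PORT: patch required"
    elif report["sequential_txids"]:
        report["verdict"] = "PREDICTABLE TXIDS: patch/upgrade required"
    elif report["port_entropy_bits"] < math.log2(len(samples)) - 1:
        # Well under the log2(n) ceiling: ports are drawn from a small set.
        report["verdict"] = "WEAK PORT RANDOMISATION: investigate"
    else:
        report["verdict"] = "randomised source ports and TXIDs"
    return report

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, assess_resolver(sample))
```

In practice the pairs come from a packet capture of the resolver's outbound UDP port 53 traffic while it resolves a handful of names it has not cached; a few dozen queries are enough to tell a fixed port from a randomised one.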

3 Comments

  1. Mark says:

    Brian,

    This DNS vulnerability is an issue as were the many DNS vulnerabilities over the past 8 years. It is concerning that certain ISPs in Ireland haven’t patched but are you really surprised? The patch that most vendors have rolled out doesn’t resolve the issue, it merely makes a successful attack less likely as the randomness has been increased.

    I think DK is an excellent security researcher, very impressive but I don’t agree with how the vulnerability was published – a little bit of showboating with a ‘carrot’ approach for others to examine DNS, find more vulnerabilities and join him at Black Hat. Surely allowing Cert or another independent body to manage the release would have been better?

    The other interesting fact is – the Infocon threat level has remained at Green? This implies the DNS threat is less of an issue than the Debian Keygen issue in mid-May?

    BTW, how’s the Irish Cert fight coming on?

  2. Brian Honan says:

    @Mark

    >>Surely allowing Cert or another independent body to manage the release would have been better?

    Actually in the US the CERT coordinated the release of the patch and the notifications. The biggest problem was the ego posturing by various people afterwards trying to get one up on each other on the back of the vulnerability. By calling into question Dan Kaminsky’s analysis of the vulnerability it blew the whole thing out of the water. In my book if this thing is serious enough for all major vendors to work together with CERT to release a patch then the matter needs no discussion, simply action to resolve it. Once that happens then let’s have the cat fight.

    >>the Infocon threat level has remained at Green? This implies the DNS threat is less of an issue than the Debian Keygen issue in mid-May?

    Infocon changes when the threat status changes significantly. The ISC is monitoring the situation and if the number of active attacks increase you may see the Infocon status change.

    >>BTW, how’s the Irish Cert fight coming on?

    It has been quite busy and positive in the past few weeks (hence my lack of posting and replying to comments due to time constraints). So keep an eye out for news on that project over the coming while.
