-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2004.0721 -- UNIRAS ALERT - 40/04
        Vulnerability Issues in Implementations of the DNS Protocol
                             11 November 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Publisher:         UNIRAS
Impact:            Denial of Service
Access:            Remote/Unauthenticated
CVE Names:         CAN-2004-0789

Original Bulletin: http://www.uniras.gov.uk/vuls/2004/758884/index.htm

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------------------
      UNIRAS (UK Govt CERT) ALERT - 40/04 dated 09.11.04  Time: 12:00  
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- - ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------

Title
=====

Vulnerability Issues in Implementations of the DNS Protocol

Detail
====== 


NISCC Vulnerability Advisory 758884/NISCC/DNS
- - ---------------------------------------------

Vulnerability Issues in Implementations of the DNS Protocol

Version Information
- - -------------------
Advisory Reference	758884/NISCC/DNS
Release Date		9 November 2004
Last Revision		4 November 2004
Version Number		1.0

What is affected?
- - -----------------
The vulnerabilities described in this advisory affect the Domain Name System (DNS) 
protocol. Many vendors include support for this protocol in their products and may be 
impacted to varying degrees, if at all.  

Please note that the information contained within this advisory is subject to 
changes. All subscribers are therefore advised to regularly check the UNIRAS website 
for updates to this notice.

Severity 
- - --------
The severity of these vulnerabilities varies by vendor. Please see the vendor section 
below for further information. Alternatively contact your vendor for product specific 
information. 

If exploited, these vulnerabilities could allow an attacker to create a Denial of 
Service condition.

Summary
- - -------
Several vulnerabilities have been discovered within the Domain Name System (DNS) 
protocol by two DNS experts, Roy Arends and Jakob Schlyter.

The Domain Name System (DNS) protocol is an Internet service that translates domain 
names into Internet Protocol (IP) addresses. Domain names are alphabetic and therefore 
easier to remember, but the Internet is really based on IP addresses, so every time a 
domain name is requested a DNS service must translate the name into the corresponding 
IP address.

NISCC wishes to advise users of the availability of a test tool that is designed to 
confirm the existence of vulnerabilities in the DNS protocol.

All users of applications that support DNS are recommended to take note of this 
advisory and carry out any remedial actions suggested by their vendor(s).

[Please note that revisions to this advisory will not be notified by email.  All 
subscribers are advised to regularly check the UNIRAS website for updates to this 
notice.]

Details
- - -------
The Domain Name System (DNS) is basically a database of host information. The DNS 
protocol is utilised to identify servers by their IP addresses and aliases given their 
registered domain name. The request is usually simple, including just the name of the 
server. The response however can be quite complex, because it will contain all the 
addresses and aliases that the server might have. A DNS query is sent to a name server 
to provoke a response; a DNS response then either answers the query, refers 
the requester to another set of name servers or signals some error condition. Please 
refer to RFC 1034:Section 3.7, RFC 1034:Section 4.1, RFC 1034:Section 4.3.1 and 
RFC 1035:Section 4.1.1 for further information on the query-response relationship 
within the DNS protocol.

The relevant vulnerabilities are a result of liberal interpretation of the DNS protocol 
by implementors. DNS uses a message format to provide a mechanism to resolve 
domain names into IP addresses; a message can either be a 'query' or a 'response'. If 
the protocol is implemented in such a way that a 'response' is allowed to be 
answered with a 'response', messages will bounce back and forth between the 
servers, causing a query-response storm that can result in a denial of service.

In addition, if such an implementation is sent a query that appears to originate from 
the localhost on UDP port 53, the server will respond to itself and will keep 
responding to these responses, entering a loop which can exhaust system 
resources and result in a denial of service.
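
The two conditions described above, as an added example (not part of the advisory and 
not any vendor's fix): a header-level check that refuses to answer a message whose QR 
bit is set or that claims to come from the server's own port 53, with an in-memory 
model of the reply loop. OWN_IPS, the function names and the sample addresses are 
assumptions made for illustration.

```python
import ipaddress
import struct

HEADER_LEN = 12     # fixed DNS header size (RFC 1035, section 4.1.1)
QR_MASK = 0x8000    # top bit of the flags word: 0 = query, 1 = response
OWN_IPS = {"192.0.2.53"}   # assumed address of this server (documentation range)

def drop_reason(packet, src_ip, src_port):
    """Return None if the datagram may be answered, else why it is dropped."""
    if len(packet) < HEADER_LEN:
        return "truncated header"
    _msg_id, flags = struct.unpack("!HH", packet[:4])
    if flags & QR_MASK:
        return "QR=1: message is a response"
    if src_port == 53 and (ipaddress.ip_address(src_ip).is_loopback
                           or src_ip in OWN_IPS):
        return "source is our own DNS socket"
    return None

def make_reply(packet):
    """Echo the message back with the QR bit set (header-level reply only)."""
    msg_id, flags = struct.unpack("!HH", packet[:4])
    return struct.pack("!HH", msg_id, flags | QR_MASK) + packet[4:]

def handle(packet, src_ip, src_port, hardened=True):
    """One server's reaction to a datagram: a reply, or None if dropped."""
    if hardened and drop_reason(packet, src_ip, src_port):
        return None
    return make_reply(packet)

def replies_sent(first_packet, src_ip, hardened, cap=20):
    """In-memory model: count replies when every reply is delivered back to a
    server on port 53, as happens between two servers or on loopback."""
    packet, sent = first_packet, 0
    while packet is not None and sent < cap:
        packet = handle(packet, src_ip, 53, hardened)
        sent += packet is not None
    return sent

# Constructed sample: query for example.com, type A, class IN, ID 0x1234.
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    print(replies_sent(QUERY, "198.51.100.7", hardened=False))  # runs to the cap
    print(replies_sent(QUERY, "198.51.100.7", hardened=True))   # one reply, then stop
    print(replies_sent(QUERY, "127.0.0.1", hardened=True))      # dropped at once
```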

Further detail will be released as it becomes available.

This vulnerability has been assigned the CVE name CAN-2004-0789.

Solution
- - --------
Please refer to the Vendor Information section of this advisory for platform specific 
remediation.

Vendor Information
- - ------------------
A list of vendors affected by this vulnerability is not currently available. Please 
visit the web site at http://www.uniras.gov.uk/vuls/2004/758884/index.htm in order to 
check for updates.

Credits
- - -------
The NISCC Vulnerability Team would like to thank Roy Arends, who discovered this issue and 
reported it to NISCC, and Jakob Schlyter, who helped establish the initial list of 
vulnerable implementations. 

The NISCC Vulnerability Team would also like to thank the vendors for their co-operation 
in handling this vulnerability.

Contact Information
- - -------------------
The NISCC Vulnerability Management Team can be contacted as follows:

Email	   vulteam@niscc.gov.uk 
           Please quote the advisory reference in the subject line

Telephone  +44 (0)870 487 0748 Ext 4511
           Monday - Friday 08:30 - 17:00

Fax	   +44 (0)870 487 0749

Post	   Vulnerability Management Team
           NISCC
           PO Box 832
           London
           SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key.  This 
is available from http://www.uniras.gov.uk/UNIRAS.asc 

Please note that UK government protectively marked material should not be sent to the 
email address above. 

If you wish to be added to our email distribution list please email your request to 
uniras@niscc.gov.uk.
 
What is NISCC?
- - --------------
For further information regarding the UK National Infrastructure Security Co-ordination 
Centre, please visit http://www.niscc.gov.uk/aboutniscc/index.htm.
 
Reference to any specific commercial product, process, or service by trade name, 
trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, 
recommendation, or favouring by NISCC. The views and opinions of authors expressed 
within this notice shall not be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within 
this advisory. In particular, they shall not be liable for any loss or damage 
whatsoever, arising from or in connection with the usage of information contained 
within this notice.

© 2004 Crown Copyright 

<End of NISCC Vulnerability Advisory>
- - ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
email to: uniras@niscc.gov.uk

Office Hours:

Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Roy Arends and Jakob Schlyter for the information 
contained in this Briefing. 
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----