Published:
27 May 2005
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0397 -- UNIRAS ALERT - 16/05
NISCC Vulnerability Advisory DNS - 589088
27 May 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Publisher: UNIRAS
Impact: Denial of Service
Access: Remote/Unauthenticated
CVE Names: CAN-2005-0038 CAN-2005-0037 CAN-2005-0036
Comment: Further information regarding vulnerable implementations of DNS is
available from the following site:
http://www.niscc.gov.uk/niscc/vulnAdv-en.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) ALERT - 16/05 dated 24.05.05 Time: 13:00
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- - ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------
Title
=====
NISCC Vulnerability Advisory DNS - 589088
Detail
======
NISCC Vulnerability Advisory 589088/NISCC/DNS
Vulnerability Issue in Implementations of the DNS Protocol
Version Information
- - -------------------
Advisory Reference 589088/NISCC/DNS
Release Date 24 May 2005
Last Revision 24 May 2005
Version Number 1.0
Acknowledgement
- - ---------------
This issue was identified by Dr. Steve Beaty from the Department of Mathematical and
Computer Sciences at the Metropolitan State College of Denver.
What is affected?
- - -----------------
The vulnerability described in this advisory affect the Domain Name System (DNS)
protocol. Many vendors include support for this protocol in their products and may be
impacted to varying degrees, if at all.
Please note that the information contained within this advisory is subject to
changes. All subscribers are therefore advised to regularly check the NISCC website
for updates to this notice.
Impact
- - ------
If exploited, this vulnerability could allow an attacker to create a Denial-of-Service
condition.
Severity
- - --------
The severity of this vulnerability varies by vendor; please see the 'Vendor Information'
section below for further information. Alternatively contact your vendor for product
specific information.
Summary
- - -------
A vulnerability affecting the Domain Name System (DNS) protocol was identified by Dr. Steve
Beaty from the Department of Mathematical and Computer Science of Metropolitan State
College of Denver.
The Domain Name System (DNS) protocol is an Internet service that translates domain
names into Internet Protocol (IP) addresses. Because domain names are alphabetic,
they're easier to remember, however the Internet is really based on IP addresses;
hence every time a domain name is requested, a DNS service must translate the name
into the corresponding IP address.
The vulnerability concerns the recursion process used by some DNS implementations to
decompress compressed DNS messages. Under certain circumstances, it is possible to cause the
DNS server to terminate abnormally.
All users of applications that support DNS are recommended to take note of this
advisory and carry out any remedial actions suggested by their vendor(s).
[Please note that revisions to this advisory will not be notified by email. All
subscribers are advised to regularly check the NISCC website
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]
Details
- - -------
Under certain circumstances, it is possible to cause both DNS servers and DNS clients to
terminate abnormally by sending it malformed messages.
The text portions of DNS messages are specified by first giving the character count,
followed by the characters themselves. For example to specify 'test.test.com', the message
would look like '0x04test0x04test0x03com0x00' using 16-bit numbers. From RFC1035, Section
4.1.4 "Message Compression" specifies a way to create smaller messages so that they can
easily fit into a DNS UDP packet. Hence if the top two bits of the label length byte are 1,
the remaining 14 bits specify an offset from the beginning of the text on where the
remaining characters can be found. This way, redundant information can be removed and hence
create a smaller message.
Given this type of DNS message, the most obvious method to decode it is by using recursion.
However consider a message that contains a code that instructs the DNS process to go to an
illegal address once the end of the string is reached; if recursion is used to decode such a
message, some DNS implementation may enter into a loop and eventually exhaust the stack. If
this happens, then it would be possible for the DNS service to terminate and hence cause a
denial-of-service condition.
The following CVE IDs have been allocated for this vulnerability:
. CAN-2005-0036
. CAN-2005-0037
. CAN-2005-0038
Please refer to the 'Vendor Information' section for further details on how the CVE IDs are assigned.
Mitigation
- - ----------
Patch all affected implementations.
Solution
- - --------
Please refer to the 'Vendor Information' section of this advisory for platform specific
remediation.
Vendor Information
- - ------------------
A list of vendors affected by this vulnerability is not currently available. Please
visit the web site at http://www.niscc.gov.uk/niscc/vulnAdv-en.html in order to
check for updates.
Credits
- - -------
The NISCC Vulnerability Team would like to thank Dr. Steve Beaty, who identified this
vulnerability and reported it to NISCC, and who assisted NISCC in producing the test tools
for this issue.
The NISCC Vulnerability Team would also like to thank the vendors for their co-operation
in handling this vulnerability and to JPCERT/CC for co-ordinating this issue in Japan.
Contact Information
- - -------------------
The NISCC Vulnerability Management Team can be contacted as follows:
Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line
Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00
Fax +44 (0)870 487 0749
Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG
We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.
Please note that UK government protectively marked material should not be sent to the email
address above.
If you wish to be added to our email distribution list please email your request to
uniras@niscc.gov.uk.
What is NISCC?
- - --------------
For further information regarding the UK National Infrastructure Security Co-ordination
Centre, please visit http://www.niscc.gov.uk.
Reference to any specific commercial product, process, or service by trade name, trademark
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by NISCC. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions contained within
this advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.
C 2005 Crown Copyright
<End of NISCC Vulnerability Advisory>
- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of the NISCC Vulnerability Team for
the information contained in this Briefing.
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQCVAwUBQpMXCIpao72zK539AQHpawP/cvIgSk4CZwbZij4rjvr3VDnpVSnRcEya
mUdEMKE6zR5UgFyqIzbQ7RR+GihJW/QcuOxFrV2TlwQB+W7SJDUMPhmZoWs61vil
EWp9lDlBwXn2ZfSL4ktU0Xh7teag1i3cTds+Nv8wOSwrVJPrjOG337HUbqL8sBIa
OK0R77VvmMI=
=6ras
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQpaL+yh9+71yA2DNAQJZagP/ehvl1CaDJTRoO3jSnnmeKHtIzd7NNWWw
uCaYTKcYh5GF84mriJf6T3Zt6PcQVDBBNVZhuhQK8cjpQnKUMXrwv3tMb4DhNmX/
8No2fDpZpPGnoiO9XUKUF+80S6jAcE+tW3z3I7uZLLzVyorLjp/9nzJQQydFkhaa
2BoYeEigIao=
=a1Ma
-----END PGP SIGNATURE-----