Multiple Vendors DNS Spoofing Vulnerability: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
Apparently BIND has also released a patch, timed to coincide with Microsoft's DNS patch.
The scope of impact is enormous: 81 products... well, of course it is, if you change how the resolver behaves...
Today, Microsoft was just one vendor releasing a patch for its DNS server. The Internet Systems Consortium (www.isc.org) published a very similar patch for its own DNS server, BIND.
InfoSec Handlers Diary Blog - Multiple Vendors DNS Spoofing Vulnerability
The root cause is a fundamental, well known, weakness in the DNS protocol. DNS uses UDP, a stateless protocol. A DNS server will send a request in a single UDP packet, then wait for a response to come back. In order to match request and response, a number of parameters are checked:
- who sent the response? Was it the DNS server we sent the request to?
- for this particular response, do we have an outstanding request?
- each request uses a unique and random query ID. The response has to use the same query ID.
- The response has to be sent to the same port from which the request was sent.
It seems to have a significant impact, and the scope is huge too...
How bad is it?
If you run a caching DNS server, patch it soon. I wouldn't say "today, while ignoring sane patch management". But check with your vendor and follow their guidance. The world is not going to end today. It will in fact end in 2 1/2 years from today (different story ;-) ). But this is something you have to fix soon. Right now, the US-CERT advisory lists about 80 vulnerable products.
Eventually we all may have to break down and fix DNS. DNSSEC is an extension to DNS asking for cryptographic authentication. However, it requires a PKI infrastructure which at this point doesn't exist. There is not much to be gained from implementing DNSSEC on your own (but by all means: try it out and see how it works).
Applying MS08-037 changes the client and server resolvers so that they connect to DNS from a random source port; that way a false reply cannot be returned unless both the transaction ID and the source port are known.
Increasing the entropy makes it more difficult for attackers to spoof DNS replies. Today, we released MS08-037 to further increase the difficulty of spoofing DNS transactions. We modified the DNS client and server resolvers to send requests from a random source port. Previously, an attacker would need to only guess the correct transaction ID. After applying MS08-037, an attacker will need to guess both the transaction ID and source port in order to successfully spoof a DNS reply. In short, randomized source ports for DNS transactions add another unique piece of information to DNS transactions, which makes spoofing more difficult.
http://blogs.technet.com/swi/archive/2008/07/08/ms08-037-more-entropy-in-the-dns-resolver.aspx
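The two quoted passages above (the ISC diary's list of parameters a resolver checks before accepting a response, and the MS08-037 note on random source ports) can be made concrete with a small model. The following is an added example written for this page; it is not code from ISC, Microsoft or BIND. It keeps a table of outstanding queries keyed by upstream server address, local source port and query ID, drops any UDP response that does not match all of them, and reports how many bits an off-path forger would have to guess with a fixed port versus a randomised one. The fixed port of 53 and the ephemeral range 1024-65535 are assumptions chosen for illustration, not the values any particular resolver uses.

```python
"""
Added example (not from the ISC diary or the Microsoft blog quoted above):
a toy model of how a caching resolver matches a UDP response to an
outstanding query, and why randomising the source port enlarges the space
a forger has to guess. All names, addresses and port choices are constructed.
"""
from __future__ import annotations

import math
import secrets
from dataclasses import dataclass

FIXED_PORT = 53                 # assumed pre-patch behaviour: one fixed source port
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535   # assumed random-port range


@dataclass(frozen=True)
class Query:
    server_ip: str      # upstream server the query was sent to
    src_port: int       # local UDP port the query left from
    txid: int           # 16-bit transaction (query) ID
    qname: str          # question name


@dataclass(frozen=True)
class Response:
    from_ip: str        # address the UDP datagram claims to come from
    dst_port: int       # local UDP port the datagram arrived on
    txid: int
    qname: str


class PendingTable:
    """Outstanding queries, keyed by the checks the ISC diary lists."""

    def __init__(self, random_port: bool):
        self.random_port = random_port
        self.pending: dict[tuple[str, int, int], Query] = {}

    def send(self, server_ip: str, qname: str) -> Query:
        # The query ID is always a random 16-bit value.  The source port is
        # either fixed (pre-patch) or drawn from the ephemeral range (post-patch).
        txid = secrets.randbelow(1 << 16)
        if self.random_port:
            port = EPHEMERAL_LOW + secrets.randbelow(EPHEMERAL_HIGH - EPHEMERAL_LOW + 1)
        else:
            port = FIXED_PORT
        q = Query(server_ip, port, txid, qname)
        self.pending[(server_ip, port, txid)] = q
        return q

    def accept(self, r: Response) -> bool:
        """Return True only if sender, port, query ID and question all match
        an outstanding query; the matched entry is consumed on success."""
        key = (r.from_ip, r.dst_port, r.txid)
        q = self.pending.get(key)
        if q is None or q.qname != r.qname:
            return False        # wrong sender, port, ID or question: drop it
        del self.pending[key]   # a second copy of the same answer is not accepted
        return True


def guess_space_bits(random_port: bool) -> float:
    """Bits an off-path forger must guess to hit one response: the 16-bit
    query ID alone, or the query ID plus the randomised source port."""
    bits = 16.0
    if random_port:
        bits += math.log2(EPHEMERAL_HIGH - EPHEMERAL_LOW + 1)
    return bits


if __name__ == "__main__":
    for mode in (False, True):
        table = PendingTable(random_port=mode)
        q = table.send("192.0.2.53", "www.example.")          # constructed values
        genuine = Response(q.server_ip, q.src_port, q.txid, q.qname)
        forged = Response(q.server_ip, q.src_port, (q.txid + 1) % 65536, q.qname)
        print(f"random_port={mode}: forged accepted={table.accept(forged)}, "
              f"genuine accepted={table.accept(genuine)}, "
              f"guess space={guess_space_bits(mode):.1f} bits")
```

Running the script shows the same matching logic in both modes; what changes is only the size of the space a blind forger must cover per outstanding query, which is the point both quoted passages make.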
Related URLs
- US-CERT Technical Cyber Security Alert TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
- Security Vulnerability Research & Defense : MS08-037 : More entropy for the DNS resolver
- SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
- Widescale DNS flaw discovered
- Adopt DNSSEC early: BIND9 patch released, addressing DNS cache poisoning attacks - ITmedia Enterprise
- セキュリティホール memo
- Serious vulnerability in DNS affects multiple servers - japan.internet.com Web Technology
- Cache poisoning vulnerability in multiple DNS server products; apply patches: ITpro
- JVNTA08-190B: Cache poisoning vulnerability in multiple DNS implementations
- Vulnerability allowing cache poisoning attacks on multiple DNS servers; JPCERT/CC issues warning: Enterprise: RBB TODAY (broadband news site) 2008/07/09
- Patches for DNS vulnerability released simultaneously by multiple vendors: News - ZDNet Japan
- Vulnerability in multiple DNS server products allows DNS cache contamination; JPCERT/CC warns: News - CNET Japan