A security researcher has responsibly disclosed a fundamental flaw within the Domain Name System (DNS), the addressing scheme behind the common names used on the Internet. Currently, it may be possible to guess these transaction ID values in advance and assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site. The news was announced Tuesday.
Dan Kaminsky, director of penetration testing services for IO Active, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said, "the severity is shown by the number of people who've gotten onboard with this patch."
He declined to name the flaw as that would give away details.
On March 31, Kaminsky said 16 researchers gathered at Microsoft to see whether they understood what was going on, as well as what would be a fix to affect the greatest number of people worldwide, and when they would issue this fix.
Toward addressing the flaw, Kaminsky said the researchers all decided to conduct a synchronized, multivendor release. As part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco Systems, Sun Microsystems, and BIND are also expected to roll out patches later on Tuesday.
The coordinated release covers a wide variety of vendors. Art Manion of US-CERT (United States Computer Emergency Readiness Team) said vendors with DNS servers have been contacted, and there's a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.
Most systems will be patched automatically. However, those that are not will have 30 days to be patched manually before additional details are made public.
This issue also affects Internet service providers used by home users. In the coming days, ISPs are expected to apply the patch to their systems. Hardware routers used by home users should not be affected.
Kaminsky said he will release details in time for Black Hat 2008, on August 7 and 8 in Las Vegas. However, Microsoft in its security bulletin said its patch uses strongly random DNS transaction IDs, random sockets for UDP (User Datagram Protocol) queries, and updates the logic used to manage the DNS cache."
Kaminsky did confirm that the patches released today will increase DNS randomness: "Where we had 16-bit before, we now have 32 bits."
To check to see if your system is vulnerable, Kaminsky has provided a DNS checker.