[nsp-sec] DNS vulnerability CVE-2008-1447/VU#800113

Zot O'Connor zoto at microsoft.com
Tue Jul 8 14:34:16 EDT 2008


Our bulletin is live here:


http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

We have a SWI blog here:
http://blogs.technet.com/swi/archive/2008/07/08/ms08-037-more-entropy-in-the-dns-resolver.aspx
Zot O'Connor
MSRC Ecosystem Strategy Team
Partner Outreach
(425) 722-7575


-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Florian Weimer
Sent: Tuesday, July 08, 2008 10:44 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] DNS vulnerability CVE-2008-1447/VU#800113

----------- nsp-security Confidential --------

Hi teams,

today, countermeasures for a DNS protocol vulnerability have been
announced by several vendors.  Unlike previous vulnerabilities
involving weak transaction IDs, this is the real thing: a protocol
issue which is very difficult to fix completely.  The countermeasure
recommended at this stage is UDP query source port randomization.  It
does not completely eliminate the vulnerability, but it makes
exploitation attempts more noisy and noticeable because an attacker
needs to send literally billions of packets.

If anybody tries to attack a resolver without source port
randomization, the only thing you will notice is that wrong data is in
the cache. 8-( If you use source port randomization and you get
attacked, you'll see a flood of correctly-formatted DNS packets over a
period of several hours.  Due to the nature of the underlying protocol
vulnerability, it is very difficult to create generic IDS signatures,
even though it's possible to spot specific attack tools (should one
ever be released, which is not clear at this point).

Dan Kaminsky will describe how to exploit the protocol issue in his
talk at Blackhat in August.

I don't know how much detail will be available before that from the
vendors, so please use published material as a reference, and not this
mailing list posting.

If you've got any questions regarding this vulnerability, feel free to
ask.  I'm under a socially enforced NDA not to disclose the root cause
at this stage (you may look at my posting in February to nsp-sec-d for
a clue; it was written before I knew about Dan's discovery), but apart
from that, I'm glad to help.  This is a critical vulnerability, and
you should really make sure that you fix your resolvers.

Florian
--
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
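Added example, not part of either message in this thread: two defender-side checks that follow from Florian's description of the countermeasure. The first estimates whether a resolver's outbound UDP source ports are actually randomized, from a sample of observed ports (for instance exported from a packet capture of the resolver's upstream queries). The second scans a log of inbound DNS responses for the pattern he describes as the visible symptom on a patched resolver: a sustained flood of well-formed answers for one name, each carrying a different destination port and transaction ID. The log record layout, field names, thresholds and all sample values are constructed for this illustration and are not from the thread.

```python
"""Resolver-side checks for CVE-2008-1447 style spoofing (added illustration;
record format, thresholds and sample data are assumptions, not from the list)."""
import math
import random
from collections import Counter, defaultdict


def port_entropy(ports):
    """Shannon entropy, in bits, of the observed query source-port distribution.
    A fixed port gives 0; well-randomized ports approach log2(sample size)."""
    n = len(ports)
    if n == 0:
        raise ValueError("no ports observed")
    counts = Counter(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def port_randomization_score(ports):
    """Entropy normalized to the most a sample of this size could show:
    0.0 for one fixed source port, close to 1.0 for properly randomized ports."""
    n = len(ports)
    max_bits = math.log2(min(n, 65536))
    if max_bits == 0:
        return 0.0
    return port_entropy(ports) / max_bits


def find_response_floods(responses, window=60.0, threshold=100):
    """responses: dicts with ts (seconds), src (address the answer claims to be
    from), dport (resolver UDP port the answer is addressed to), txid, qname.
    Flags (src, qname) pairs that deliver at least `threshold` answers inside
    any `window`-second span where nearly every answer carries a distinct
    (dport, txid) pair, i.e. something guessing at both values.
    Returns {(src, qname): peak count seen in one window}."""
    by_key = defaultdict(list)
    for r in responses:
        by_key[(r["src"], r["qname"])].append(r)
    flagged = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        seen = Counter()  # (dport, txid) combinations currently in the window
        peak = 0
        for end, r in enumerate(recs):
            seen[(r["dport"], r["txid"])] += 1
            # slide the window start forward past records older than `window`
            while r["ts"] - recs[start]["ts"] > window:
                old = (recs[start]["dport"], recs[start]["txid"])
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            count = end - start + 1
            if count >= threshold and len(seen) >= 0.9 * count:
                peak = max(peak, count)
        if peak:
            flagged[key] = peak
    return flagged


def sample_responses():
    """Constructed log: three ordinary answers, then 500 forged-looking answers
    for one name within fifty seconds (addresses are RFC 5737 documentation space)."""
    rng = random.Random(2008)
    recs = []
    for i, name in enumerate(["mail.example.net", "www.example.org", "ns1.example.com"]):
        recs.append({"ts": 10.0 + i, "src": "198.51.100.5",
                     "dport": rng.randrange(1024, 65536),
                     "txid": rng.randrange(65536), "qname": name})
    for i in range(500):
        recs.append({"ts": 100.0 + i * 0.1, "src": "192.0.2.10",
                     "dport": rng.randrange(1024, 65536),
                     "txid": rng.randrange(65536), "qname": "www.example.com"})
    return recs


if __name__ == "__main__":
    fixed = [53] * 200                                   # unpatched-style resolver
    rng = random.Random(1)
    randomized = [rng.randrange(1024, 65536) for _ in range(2000)]
    print("fixed port score:     %.2f" % port_randomization_score(fixed))
    print("randomized score:     %.2f" % port_randomization_score(randomized))
    print("flagged floods:      ", find_response_floods(sample_responses()))
```

The entropy score is only meaningful on a reasonable sample (a few hundred queries or more); a resolver behind a NAT that rewrites source ports can score low even after patching, which is worth checking separately since the NAT then undoes the countermeasure. The flood detector is a heuristic, not a signature: as the message notes, each forged packet is a perfectly valid DNS response, so volume and spread of (port, TXID) values over time are what distinguish it.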