Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > May 2005 > NISCC Vulnerability Advisory DNS - 589088

May 2005

NISCC Vulnerability Advisory DNS - 589088

ID: 00433
Ref: 16/2005
Date: 24 May 2005:13:31:45
Version: 1
Title: NISCC Vulnerability Advisory DNS - 589088
Abstract: The vulnerability concerns the recursion process used by some DNS implementations to decompress compressed DNS messages. Under certain circumstances, it is possible to cause the DNS server to terminate abnormally.

NISCC Vulnerability Advisory 589088/NISCC/DNS

Vulnerability Issue in Implementations of the DNS Protocol

Version Information
- -------------------
Advisory Reference 589088/NISCC/DNS
Release Date 24 May 2005
Last Revision 24 May 2005
Version Number 1.0

Acknowledgement
- ---------------
This issue was identified by Dr. Steve Beaty from the Department of Mathematical and
Computer Sciences at the Metropolitan State College of Denver.

What is affected?
- -----------------
The vulnerability described in this advisory affect the Domain Name System (DNS)
protocol. Many vendors include support for this protocol in their products and may be
impacted to varying degrees, if at all.

Please note that the information contained within this advisory is subject to
changes. All subscribers are therefore advised to regularly check the NISCC website
for updates to this notice.

Impact
- ------
If exploited, this vulnerability could allow an attacker to create a Denial-of-Service
condition.

Severity
- --------
The severity of this vulnerability varies by vendor; please see the 'Vendor Information'
section below for further information. Alternatively contact your vendor for product
specific information.

Summary
- -------
A vulnerability affecting the Domain Name System (DNS) protocol was identified by Dr. Steve
Beaty from the Department of Mathematical and Computer Science of Metropolitan State
College of Denver.

The Domain Name System (DNS) protocol is an Internet service that translates domain
names into Internet Protocol (IP) addresses. Because domain names are alphabetic,
they're easier to remember, however the Internet is really based on IP addresses;
hence every time a domain name is requested, a DNS service must translate the name
into the corresponding IP address.

The vulnerability concerns the recursion process used by some DNS implementations to
decompress compressed DNS messages. Under certain circumstances, it is possible to cause the
DNS server to terminate abnormally.

All users of applications that support DNS are recommended to take note of this
advisory and carry out any remedial actions suggested by their vendor(s).

[Please note that revisions to this advisory will not be notified by email. All
subscribers are advised to regularly check the NISCC website
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]

Details
- -------
Under certain circumstances, it is possible to cause both DNS servers and DNS clients to
terminate abnormally by sending it malformed messages.

The text portions of DNS messages are specified by first giving the character count,
followed by the characters themselves. For example to specify 'test.test.com', the message
would look like '0x04test0x04test0x03com0x00' using 16-bit numbers. From RFC1035, Section
4.1.4 "Message Compression" specifies a way to create smaller messages so that they can
easily fit into a DNS UDP packet. Hence if the top two bits of the label length byte are 1,
the remaining 14 bits specify an offset from the beginning of the text on where the
remaining characters can be found. This way, redundant information can be removed and hence
create a smaller message.

Given this type of DNS message, the most obvious method to decode it is by using recursion.
However consider a message that contains a code that instructs the DNS process to go to an
illegal address once the end of the string is reached; if recursion is used to decode such a
message, some DNS implementation may enter into a loop and eventually exhaust the stack. If
this happens, then it would be possible for the DNS service to terminate and hence cause a
denial-of-service condition.

The following CVE IDs have been allocated for this vulnerability:

# CAN-2005-0036
# CAN-2005-0037
# CAN-2005-0038

Please refer to the #Vendor Information# section for further details on how the CVE IDs are assigned.

Mitigation
- ----------
Patch all affected implementations.

Solution
- --------
Please refer to the 'Vendor Information' section of this advisory for platform specific
remediation.

Vendor Information
- ------------------
A list of vendors affected by this vulnerability is not currently available. Please
visit the web site at http://www.niscc.gov.uk/niscc/vulnAdv-en.html in order to
check for updates.

Credits
- -------
The NISCC Vulnerability Team would like to thank Dr. Steve Beaty, who identified this
vulnerability and reported it to NISCC, and who assisted NISCC in producing the test tools
for this issue.

The NISCC Vulnerability Team would also like to thank the vendors for their co-operation
in handling this vulnerability and to JPCERT/CC for co-ordinating this issue in Japan.

Contact Information
- -------------------
The NISCC Vulnerability Management Team can be contacted as follows:

Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line

Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00

Fax +44 (0)870 487 0749

Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be sent to the email
address above.

If you wish to be added to our email distribution list please email your request to
uniras@niscc.gov.uk.

What is NISCC?
- --------------
For further information regarding the UK National Infrastructure Security Co-ordination
Centre, please visit http://www.niscc.gov.uk.

Reference to any specific commercial product, process, or service by trade name, trademark
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by NISCC. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within
this advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.

© 2005 Crown Copyright



  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |