Search:

April 2006

NISCC - Vulnerability Issues in Implementations of the DNS Protocol

ID: 00311
Ref: 307/06
Date: 25 April 2006:12:57:17
Version: 1

Title: NISCC - Vulnerability Issues in Implementations of the DNS Protocol
Abstract: The vulnerabilities described in this advisory affect implementations of the Domain Name System (DNS) protocol. Many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all.
Vendors affected: multiple
Operating systems affected: multiple
Applications affected: multiple

Title
=====
NISCC - Vulnerability Issues in Implementations of the DNS Protocol

Detail
======

NISCC Vulnerability Advisory 144154/NISCC/DNS

Vulnerability Issues in Implementations of the DNS Protocol

Version Information
- -------------------
Advisory Reference 144154/NISCC/DNS
Release Date 25 April 2006
Last Revision 25 April 2006
Version Number 1.0

Acknowledgement
- ---------------
The DNS Test Tool was created by the Oulu University Secure Programming Group
(OUSPG) from the University of Oulu in Finland.

What is affected?
- -----------------
The vulnerabilities described in this advisory affect implementations of the
Domain Name System (DNS) protocol. Many vendors include support for this protocol
in their products and may be impacted to varying degrees, if at all.

Please note that the information contained within this advisory is subject to
changes. All subscribers are therefore advised to regularly check the NISCC
website (http://www.niscc.gov.uk) for
updates to this notice.

Impact
- ------
If exploited, these vulnerabilities could cause a variety of outcomes including,
for example, a Denial-of-Service (DoS) condition. In most cases, they can expose
memory corruption, stack corruption or other types of fatal error conditions. Some
of these conditions may expose the protocol to typical buffer overflow exploits,
allowing arbitrary code to execute or the system to be modified.

Severity
- --------
The severity of this vulnerability varies by vendor. Please see the 'Vendor
Information' section below for further information. Alternatively, contact your
vendor for product specific information.

Summary
- -------
During 2002 the Oulu University Secure Programming Group (OUSPG) discovered a number
of implementation specific vulnerabilities in the Simple Network Management Protocol
(SNMP). Further work has been done to identify implementation specific
vulnerabilities in related protocols that are used in critical infrastructure. The
DNS protocol, which is the primary naming system used on the Internet, was studied
as part of this program of work.

DNS is an Internet service that translates domain names into Internet Protocol (IP)
addresses and vice versa. Because domain names are alphabetic, they're easier to
remember, however the Internet is really based on IP addresses; therefore every time
a domain name is requested, a DNS service must translate the name into the
corresponding IP address.

OUSPG has developed a PROTOS DNS Test Suite for DNS implementations and employed it
to validate their findings against a number of products from different vendors.
NISCC has contacted multiple vendors whose products support the DNS protocol and
provided them with the test tool to allow them to test their implementations. NISCC
believes that most of the relevant vendors who provide support for the DNS protocol
have been covered by this advisory.

[Please note that revisions to this advisory will not be notified by email. All
subscribers are advised to regularly check the NISCC website
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]

Details
- -------
DNS is a system that stores information associated with domain names in a distributed
database on networks, such as the Internet. The domain name system associates many
types of information with domain names, but most importantly, it provides the IP
address associated with the domain name. It also lists mail exchange servers accepting
e-mail for each domain.

The OUSPG DNS Test Suite covers a limited set of information security and robustness
related implementation errors for the DNS protocol.

The factors behind choosing DNS included:

* DNS is a fundamental infrastructure of the Internet, and most Internet applications
are dependent on it.

* DNS implementations are ubiquitous, present in servers, end-user equipment such as
personal computers and mobile phones, and in routers and firewalls. Therefore DNS may
be a potential attack vector in a variety of scenarios against a variety of
systems and infrastructure components.

* There are no free, publicly available robustness test suites to evaluate DNS
implementations.

The material contained in the test suite covers basic queries, dynamic updates, basic
responses and zone transfers. However please be aware that the test material does not
cover cache poisoning or address spoofing vulnerabilities.

There are three sets of test materials available with the tool; these are specifically
designed for the following scenarios:

1. The Query Material -> [queries, dynamic DNS updates] -> DNS server
2. The Response Material -> [query replies] -> DNS server
3. The Response Material -> [query replies] -> DNS stub resolver (client)
4. The Zone Transfer Material -> [zone transfers] -> secondary DNS server

The test material simulates hostile input to the DNS implementation by sending invalid
and/or abnormal packets. Therefore by applying the OUSPG DNS Test Suite to a variety of
products, several vulnerabilities can be revealed that can have varying effects.

Mitigation
- ----------
Patch all affected implementations.

Solution
- --------
Please refer to the 'Vendor Information' section of this advisory for platform specific
remediation.

Vendor Information
- ------------------
A complete list of vendor responses to this vulnerability is available on our website.
Please visit the website at http://www.niscc.gov.uk/niscc/vulnAdv-en.html in order to view
the latest vendor statements.

Credits
- -------
The NISCC Vulnerability Management Team would like to thank OUSPG for producing the DNS
Test Tool.

The NISCC Vulnerability Management Team would also like to thank the vendors for their
co-operation in handling this vulnerability and to JPCERT/CC for co-ordinating this issue
in Japan.

Contact Information
- -------------------
The NISCC Vulnerability Management Team can be contacted as follows:

Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line

Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00

Fax +44 (0)870 487 0749

Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be sent to the email
address above.

If you wish to be added to our email distribution list please email your request to
uniras@niscc.gov.uk.

What is NISCC?
- --------------
For further information regarding the UK National Infrastructure Security Co-ordination
Centre, please visit http://www.niscc.gov.uk.

Reference to any specific commercial product, process, or service by trade name, trademark
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by NISCC. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within
this advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.

C 2006 Crown Copyright