March 2005
Symantec - security gateway DNS redirection
ID: 00221
Ref: 200/2005
Date: 17 March 2005:15:10:08
Version: 1
Title: Symantec - security gateway DNS redirection
Abstract:
Vendors affected: Symantec
Operating systems affected: Symantec
Applications affected: Symantec
Title
=====
Symantec - security gateway DNS redirection
Detail
======
PLEASE NOTE - The following is a plain text copy of a Symantec Security Response
web page, which is located at:
http://securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html
SYM05-005
March 15, 2005
Symantec security gateway DNS redirection
Revision History
None
Risk Impact
High
Overview
Symantec released a hotfix addressing a DNS cache poisoning and redirection issue
reported on March 4, 2005 that impacts some Symantec security gateways products
identified below. Affected Symantec security gateway products configured as a DNS
caching server or as a primary DNS server were experiencing problems with name
resolution whereby hostname lookups to common sites were resolving to bogus
addresses. In-depth analysis of this incident and the stance of Symantec's
security gateway products provided details that allowed Symantec to harden DNSd
even further against unknown attack vectors for this class of attack.
Affected Components
Symantec Gateway Security 5400 Series, v2.x
Symantec Gateway Security 5300 Series, v1.0
Symantec Enterprise Firewall, v7.0.x (Windows and Solaris)
Symantec Enterprise Firewall v8.0 (Windows and Solaris)
Symantec VelociRaptor, Model 1100/1200/1300 v1.5
Details
Affected Symantec security gateways include a DNS proxy, called DNSd, which can
be configured to function as a DNS caching server (default) or as a primary DNS
server. Under specific conditions, DNSd may be susceptible to DNS cache poisoning.
DNS cache poisoning occurs when incorrect or false DNS records are inserted into
a DNS server's cache tables, overwriting a valid name server record with its own
DNS server address. Subsequent queries for a targeted site would then be redirected
to the rogue DNS server, which would respond with its own addresses for those
lookups, preventing users from accessing the legitimate site. In this case,
reporting on this activity from the Internet Storm Center, SANS,
http://www.isc.sans.org, indicated that some users were being redirected to web
sites that attempted to download spyware/adware modules to the users' browsers.
Shortly after the abnormal activity was initially reported, the offending IP
addresses were blocked by their ISP until the offending DNS servers' configuration
was corrected.
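As an added defensive illustration (not code from the advisory and not Symantec's DNSd, whose internals are not described here): the bailiwick check a caching resolver applies before inserting records into its cache, so that an NS record for a zone the responding server is not authoritative for cannot overwrite the cached name server entry. The record names and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str      # owner name, e.g. "www.example.com."
    rtype: str     # "A", "NS", ...
    rdata: str     # address or NS target name
    section: str   # "answer", "authority" or "additional"

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (the area the server is responsible for)."""
    n, z = _norm(name), _norm(zone)
    return z == "" or n == z or n.endswith("." + z)

def accept_for_cache(records, server_zone):
    """Split a response into records safe to cache and records to discard.

    server_zone is the zone the queried server is authoritative for. Any
    answer/authority record outside it (for example an NS record for "com."
    handed back by example.com's server) is rejected, so it cannot overwrite
    the cached name server entry. Additional-section A records are kept only
    as glue for NS targets that were themselves accepted.
    """
    accepted, rejected = [], []
    for rr in records:
        if rr.section != "additional":
            (accepted if in_bailiwick(rr.name, server_zone) else rejected).append(rr)
    ns_targets = {_norm(rr.rdata) for rr in accepted if rr.rtype == "NS"}
    for rr in records:
        if rr.section == "additional":
            ok = in_bailiwick(rr.name, server_zone) and _norm(rr.name) in ns_targets
            (accepted if ok else rejected).append(rr)
    return accepted, rejected

# Constructed response to "www.example.com A" from a server for example.com.
# The last two records try to point the whole "com." zone at a rogue server.
RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    RR("com.", "NS", "ns.rogue.invalid.", "authority"),
    RR("ns.rogue.invalid.", "A", "198.51.100.5", "additional"),
]

if __name__ == "__main__":
    ok, bad = accept_for_cache(RESPONSE, "example.com.")
    print("cached:", [(r.name, r.rtype) for r in ok], "rejected:", [(r.name, r.rtype) for r in bad])
```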
According to information posted on the Internet Storm Center, non-Symantec product
users reported similar activity so this malicious action appears not to have been
limited to Symantec security gateway products.
Note: DNSd is not required for the operations of the affected Symantec security
gateway products. This issue does not affect users whose security policy does not
include use of DNSd. However, Symantec recommends even users who do not use DNSd
download and apply the appropriate hotfix in the event that DNSd may be enabled at
some future date.
Symantec Response
Symantec posted hotfix updates on March 4, 2005 that address the initial issue
being reported by ISC and a small number of Symantec customers.
An updated hotfix was released on March 14, 2005 that further hardens the DNSd for
protection against an additional potential vector identified by Symantec engineers
during our post-analysis of this incident. Symantec recommends customers immediately
apply the latest hotfix for their affected product versions to protect against this
type of threat. Product specific hotfixes are available via the Symantec Enterprise
Support site http://www.symantec.com/techsupp.
On March 7, 2005 Symantec Security Response also released detection for
Adware.ABXToolbar, the browser helper object that the redirection attempted to
download (http://securityresponse.symantec.com/avcenter/venc/data/adware.abxtoolbar.html).
Symantec products that support expanded threats can now detect this version of adware.
CVE
A CVE Candidate name has been requested from the Common Vulnerabilities and Exposures
(CVE) initiative for this issue. This advisory will be revised accordingly upon receipt
of the CVE Candidate name.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.
--------------------------------------------------------------------------------
Symantec takes the security and proper functionality of its products very seriously.
As founding members of the Organization for Internet Safety (OISafety), Symantec
follows the principles of responsible disclosure. Symantec also subscribes to the
vulnerability guidelines outlined by the National Infrastructure Advisory Council
(NIAC). Please contact secure@symantec.com if you feel you have discovered a potential
or actual security issue with a Symantec product. A Symantec Product Security team
member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document outlining
the process we follow in addressing suspected vulnerabilities in our products. We
support responsible disclosure of all vulnerability information in a timely manner
to protect Symantec customers and the security of the Internet as a result of
vulnerability. This document is available from the location provided below.
Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com. The Symantec Product Security PGP key can be obtained
from the location provided below.
--------------------------------------------------------------------------------
Copyright (c) 2005 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not
edited in any way unless authorized by Symantec Security Response. Reprinting the whole
or part of this alert in any medium other than electronically requires permission from
secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing
based on currently available information. Use of the information constitutes acceptance
for use in an AS IS condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered
trademarks of Symantec Corp. and/or affiliated companies in the United States and other
countries. All other registered and unregistered trademarks represented in this document
are the sole property of their respective companies/owners.
Last modified on: Tuesday, 15-Mar-05 16:02:12