BIND, the dominant DNS server software on the Internet,
is vulnerable to a serious cache-poisoning attack that could enable
an attacker to fool users rather easily into visiting a
malicious Web site.
The attack, which is similar to other, previously disclosed
cache-poisoning techniques used against BIND and other DNS servers,
takes advantage of the fact that the DNS transaction ID numbers are
predictable in BIND 9. This weakness allows an attacker to then
trick a DNS server into caching his malicious DNS record as the
authentic record for a legitimate Web site. Then, as users visit
the site's legitimate URL, they would be served the attacker's page
instead of the one they were requesting. The possibilities for the
attacker at this point are myriad.
The new attack method was laid out in a paper on BIND 9 flaws by
Amit Klein, chief technology officer of security vendor Trusteer,
who has done quite a bit of work on Web-related threats in the
past. Klein says that his technique
makes it much easier for attackers to poison the DNS server cache
than did previously known attacks. "The net effect is that
pharming attacks are feasible against BIND 9 caching DNS
servers, without the need to directly attack neither DNS servers
nor clients (PCs)," he writes in the paper.
Berkeley Internet Name Domain (BIND) is the de facto standard
for DNS server software, and has been in wide use on the Internet
for more than 20 years. BIND 9 is the latest version of the server,
and was rebuilt from the ground up in an effort to do away with
some of the earlier problems in the original code base. According
to Klein's paper, all versions of BIND from 9.0 through 9.4 are
vulnerable to the attack.
In the SANS Internet Storm Center's daily diary, Storm Center
handler Johannes Ullrich said
the attack does not appear to be difficult to implement. "Once the
attacker knows the 'state' of the target's BIND install, it is
possible to forge a response. DNS uses UDP by default. Each query
sent by the DNS server includes a random transaction ID. The server
responding to the query will include this transaction ID so the
querying DNS server knows what query is answered by this particular
response. BIND always uses the same source port for its queries.
The attack appears to be quite feasible. Probably the main
difficulty will be to get the spoofed packet routed. But unless the
attacker's network implements strict egress filtering, this is very
much a feasible attack. Best to patch your BIND server soon,"
Ullrich writes.
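The two properties Ullrich describes, the transaction ID in each outbound query and the UDP source port it leaves from, are exactly what a resolver operator can measure on their own server before and after patching. The following is an added example, not code from the article, from Klein's paper or from ISC: it extracts transaction IDs from captured outbound queries and flags a fixed source port or IDs that advance in small steps. The `build_query` helper, the sample captures and the thresholds are constructed assumptions for the demonstration.

```python
import struct
from collections import Counter

def build_query(txid: int, qname: str = "example.com") -> bytes:
    """Build a minimal DNS A query in RFC 1035 wire format with the given ID.
    Used here only to construct sample captures (assumption, not a real capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_txid(packet: bytes) -> int:
    """Return the 16-bit transaction ID: the first two bytes of the DNS header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]

def assess_resolver(observations, small_step=16, step_threshold=0.5):
    """observations: (udp_source_port, raw_query_bytes) pairs taken from the
    resolver's *outbound* queries, in capture order. Returns exposure indicators.
    A fixed source port or mostly small ID increments means a spoofed answer
    has far fewer values to match, which is the condition the article describes."""
    ports = [port for port, _ in observations]
    ids = [parse_txid(pkt) for _, pkt in observations]
    deltas = [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]
    small_fraction = sum(1 for d in deltas if d <= small_step) / max(len(deltas), 1)
    fixed_port = len(set(ports)) == 1
    repeated = sum(1 for c in Counter(ids).values() if c > 1)
    return {
        "source_port_fixed": fixed_port,
        "txid_small_step_fraction": round(small_fraction, 2),
        "txid_repeated_values": repeated,
        "exposed": fixed_port or small_fraction > step_threshold,
    }

# Constructed sample: one source port and IDs that simply count upward.
WEAK_CAPTURE = [(53, build_query(0x1000 + i)) for i in range(16)]
# Constructed sample: varying source ports and widely scattered IDs.
STRONG_IDS = [0x3F2A, 0x91C4, 0x0B77, 0xD21E, 0x6A05, 0x2E93, 0xF40C, 0x58B1]
STRONG_PORTS = [41237, 58102, 33910, 61488, 49901, 37765, 52214, 45019]
STRONG_CAPTURE = list(zip(STRONG_PORTS, map(build_query, STRONG_IDS)))

if __name__ == "__main__":
    print("weak:  ", assess_resolver(WEAK_CAPTURE))
    print("strong:", assess_resolver(STRONG_CAPTURE))
```

Predictability can be subtler than small increments, so a clean result from this check is not proof that the ID generator is strong; a flagged result, however, is a clear sign the server needs the patch the article mentions.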
The Internet Systems Consortium, which maintains BIND, has issued a
new version of the software, BIND 9.4.1, which corrects the
transaction ID predictability problem.