Vigil@nce: DNS, cache poisoning
July 2008 by Vigil@nce
An attacker can predict DNS queries in order to poison the DNS
client or cache (caching resolver).
– Gravity: 3/4
– Consequences: data creation/edition
– Provenance: internet server
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 09/07/2008
– Identifier: VIGILANCE-VUL-7937
IMPACTED PRODUCTS
– Cisco IOS [confidential versions]
– Debian Linux [confidential versions]
– DNS
– Dnsmasq [confidential versions]
– ISC BIND [confidential versions]
– Juniper JUNOS [confidential versions]
– Juniper JUNOSe [confidential versions]
– Microsoft Windows 2000 [confidential versions]
– Microsoft Windows 2003 [confidential versions]
– Microsoft Windows 2008
– Microsoft Windows XP [confidential versions]
– Netscreen ScreenOS [confidential versions]
– OpenSolaris [confidential versions]
– Red Hat Enterprise Linux [confidential versions]
– Sun Solaris [confidential versions]
– Sun Trusted Solaris [confidential versions]
DESCRIPTION
The DNS protocol defines a 16 bit identifier to associate an
answer to its query. When attacker predicts this identifier and
the UDP port number, he can send fake answers and thus poison the
DNS cache.
Most implementation use a fixed port number. If attacker captures
a sequence of queries, he thus only have to guess the 16 bits
identifier to send a malicious answer, which will be stored in the
DNS cache. A recent study showed that these identifiers were
easily predictable.
An attacker who captured DNS packets can therefore poison the DNS
cache/client and redirect all users to a malicious site.
CHARACTERISTICS
– Identifiers: 107064, 239392, 6702096, 953230,
cisco-sa-20080708-dns, CSCso81854, CVE-2008-1447,
draft-ietf-dnsext-forgery-resilience-05, DSA-1603-1, DSA-1604-1,
DSA 1605-1, MS08-037, PSN-2008-06-040, RHSA-2008:0533-01,
TA08-190B, VIGILANCE-VUL-7937, VU#800113
– Url: https://vigilance.aql.fr/tree/1/7937