Latest BIND (Open-source Resolver Code) Security Flaw discovered…

Dan Kaminsky is a premier “white-hat hacker” and researcher at IOActive. He delved deep into the code and uncovered a security flaw in the BIND software that is also common to Microsoft’s DNS code. Beta patches have been released for both.

This has caused some frenzied activity worldwide for IT professionals charged with locating and updating all their servers running either code. Although it is a recursive-level exploit, most will likely opt to update authoritative servers as well, and they will likely have to go through all of this again in a couple of weeks when the final versions of the patches are released.

Some experts are calling this perhaps the most significant DNS exploit in the past 10 years, and it is most likely to capture the attention of hackers who wish to compromise or control computers. It may be glib to suggest this, yet it is true that avoiding the use of open-source resolver code for your mission-critical DNS applications, in general, is one way to side-step issues like these.

The Internet gets a patch, as DNS bug is fixed
NetworkWorld.com – Southborough, MA, USA
The Internet Software Consortium’s open-source BIND (Berkeley Internet Name Domain) software runs on about 80 percent of the Internet’s DNS servers.

Major fix to DNS vulnerability impacts Windows, Debian
BetaNews – USA
The real vulnerability is not in Windows or Linux but in BIND, the most widely deployed DNS software everywhere. A security feature in BIND creates a

DNS at Risk From Multivendor Cache Poisoning
InternetNews.com – USA
Unix and Linux distributions widely use the open source BIND DNS server, which ISC manages. Kaminsky, who takes credit for discovering the flaw,

Major DNS flaw could disrupt the Internet
NetworkWorld.com – Southborough, MA, USA
He says Yahoo was vulnerable because it uses an older version of BIND but had committed to upgrading to BIND 9.0. Kaminsky says there’s a way to check for

ISC Acts Quickly to Shield BIND User Base
Market Wire (press release) – USA
In addition to patches for the current versions of BIND9, ISC has also released beta versions of upcoming maintenance releases, BIND 9.5.1b1 and BIND

Debian Security Advisory – bind9 (DSA-1604-1)
Help Net Security – Croatia
The BIND 8 legacy code base could not be updated to include the recommended countermeasure (source port randomization, see DSA-1603-1 for details).

Debian Security Advisory – bind9 (DSA-1603-1)
Help Net Security – Croatia
This update changes Debian’s BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the

[USN-622-1] Bind vulnerability
Bugtraq: [USN-622-1] Bind vulnerability.
www.derkeiler.com: Bugtraq – http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq

USN-622-1: Bind vulnerability
By KeesCook
Details follow: Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Bind. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and
Ubuntu – news, usn – http://www.ubuntu.com/taxonomy/term/1+2/0

2 Responses to “Latest BIND (Open-source Resolver Code) Security Flaw discovered…”

  1. Daniel Says:

    Thanks for writing about this topic – the more awareness there is the better off everyone will be. Open source code has its place – but it’s not DNS resolution. BIND and other BIND-based codes were fine as the internet grew – at this point they’ve outlived their functionality, save for informational sites, and perhaps blogs. Any transactional website that still operates on a BIND-based resolver code at this point is a hair’s breadth from criminal negligence in my opinion.
    With as much private information that is flowing across the internet today companies have a responsibility to protect the users of their sites. By not transitioning to a more secure code they are putting consumers at risk – period. Where does the liability fall if my identity is stolen as the result of this flaw? Certainly my bank will not accept responsibility if I never even touch their infrastructure. Do I want to do business with a company that is not securing every aspect of their network? Probably not. Users need to be aware of the risks they face – is there a way to find out if a company that I do business with has updated with this patch?

    This flaw has the potential to put a serious kink in consumer confidence with regard to e-commerce and much of the other business that happens online today. We can’t let this issue get swept under the rug.

    Sorry for the rant – but I believe in limiting government regulation of the web, in companies just doing the right thing because it’s the right thing to do. If we show the government that we can take care of ourselves, they’ll have no cause to step in and start making demands. If companies fail to protect the people – the government will have a cause to get involved.

    I feel strongly about this issue because it’s an important one – I don’t rant about everything – just the big stuff… :-)

    Thanks again – and I look forward to more great insight.

  2. AlexM Says:

    Your blog is interesting!

    Keep up the good work!
