DNS flaw: a historical case
Date: July 31, 2008
This article explains why this flaw is out of the ordinary, more specifically with regard to responsible disclosure.
1/ Why is this flaw important?
Several elements make this flaw important.
1.1 Big consequences
First of all, the impact and consequences of this flaw are severe, since it allows an attacker to redirect all the traffic of the users of a vulnerable DNS server to malicious web sites (DNS cache poisoning).
Then, it affects the majority of DNS servers and clients connected to the Internet, which makes the application of patches difficult (because of the number of devices that must be updated).
Last, this flaw is of interest to cybercriminals because it enables them to redirect victims to fake web sites. Multiple attack scenarios are possible, phishing in particular.
2/ An unusual handling
The technical details of this vulnerability, discovered in February 2008, had been kept secret for many months. A group composed of the discoverer, US-CERT team members and major vendors worked together and decided on the best way to fix and then publish this flaw.
July 8th 2008 was chosen as the release date for the patches, with the intention of keeping the technical details secret. It is precisely this point that aroused the curiosity of researchers, who raced to analyse and investigate the problem. Meanwhile, Dan Kaminsky (the discoverer of the flaw) was challenged on his discovery by DNS gurus. He wanted to insist on the gravity of this vulnerability, and during these exchanges he probably released valuable technical information by mistake. On July 22nd, the technical details of this flaw finally became known.
From this point, everything went very fast. Exploits were released on July 24th and the first attacks were reported on July 29th.
3/ Patch deployment status
Now the difficulty lies in the worldwide application of patches; the threat will remain as long as even one DNS server is still vulnerable. On July 8th, around 85% of servers were vulnerable (source: "DoxPara Research"). On July 25th, 13 days later, this figure was 52% according to DoxPara and 66% according to the Austrian CERT (http://www.cert.at/static/cert.at-0802-DNS-patchanalysis.pdf). This progress is significant, but it also shows that there are still many vulnerable DNS servers (at least more than half).
Conclusions
We do not yet have sufficient feedback, and technical details are still to be disclosed, to fully understand this flaw. One thing is sure: not everything happened as "scheduled" (http://www.doxpara.com/?p=1162). The mistakes that were made must now be analysed, and the many issues raised by the discovery and responsible disclosure of this kind of vulnerability must be tackled. One major issue is the difficulty of applying patches at such a large scale (an issue already known, but emphasised by the DNS case).
We now await August 7th, when Dan Kaminsky will disclose the details of the vulnerability at the BlackHat conference (http://www.blackhat.com).
We also remind you that the available security patches for this flaw must be applied as soon as possible on all vulnerable devices.
For more information
- Dan Kaminsky official website: http://www.doxpara.com/
- Crisis response hub "DNS flaw": https://wws.cert-ist.com/fra/hub/failledns