SecureWorks Advisory - Multiple DNS Implementations Vulnerable to Cache Poisoning
The SecureWorks Threat Intelligence Service is aware of a recently announced vulnerability that affects a large part of the Domain Name System (DNS) infrastructure underpinning the Internet. DNS implementations from many major vendors have been confirmed vulnerable to a DNS cache poisoning attack, including Microsoft, Cisco Systems and ISC BIND.
DNS implementations from many other vendors are also likely vulnerable to this issue; however, US-CERT has not yet received confirmation from those vendors. This is a new variant of previously disclosed DNS cache poisoning vulnerabilities. Complete details are not available at the time of this writing. US-CERT is tracking this issue as VU#800113, which corresponds to CVE-2008-1447.
US-CERT Vulnerability Note #800113 contains a more complete technical description of the vulnerability. A DNS cache poisoning attack involves an attacker introducing forged DNS information into the cache of a caching nameserver. DNS cache poisoning attacks have been known for some time, and related issues with the DNS protocol specification and its implementations are publicly known. New research has reportedly led to the development of extremely effective techniques to exploit cache poisoning vulnerabilities. Because of this, DNS software makers have reached consensus on implementing DNS source port randomization as a mitigation: a forged response must then match not only the 16-bit transaction ID of the outstanding query but also its randomly chosen UDP source port, which greatly enlarges the space an off-path attacker has to guess.
An attacker with the ability to successfully poison a DNS cache can cause the clients of a nameserver to contact potentially malicious hosts when resolving domain names. Using this mechanism, web, email and other potentially sensitive network traffic can be redirected to hosts controlled by the attacker.
The SecureWorks Counter Threat Unit™ is recommending that organizations immediately identify their systems that are vulnerable to this attack, and deploy vendor-supplied patches to vulnerable systems as soon as possible.
Dan Kaminsky, the researcher who discovered this vulnerability, has released a web-based tool to determine if your DNS infrastructure can be exploited in this fashion. This tool is available at http://doxpara.com/.
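The race described above, and the kind of observation a web-based test such as Kaminsky's makes when it serves queries for a domain it controls, modelled offline in Python. This is an added example, not code from the advisory, SecureWorks, US-CERT or any resolver vendor; the pinned port 53, the 1024-65535 ephemeral range, the attacker budgets and the sample (source port, transaction ID) observations are all constructed assumptions. It goes a little beyond the text by also flagging sequential ports and transaction IDs, which are as predictable to an attacker as fixed ones.

```python
"""Why the 16-bit transaction ID alone is not enough, and what a source-port
check observes.  Added example, not code from the advisory or any vendor."""

import random
from typing import Dict, Sequence, Tuple

TXID_SPACE = 1 << 16                         # DNS transaction ID is 16 bits
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65536  # assumption: patched resolvers pick from here
PINNED_PORT = 53                             # constructed: pre-patch resolver using one fixed source port


def expected_forged_packets(ports_in_use: int) -> int:
    """Average number of forged replies an off-path attacker must send before
    one matches both the transaction ID and the destination port of the
    resolver's outstanding query.  With a single fixed port only the TXID
    has to be guessed; with port randomization both do."""
    return TXID_SPACE * ports_in_use


def simulate_race(randomize_port: bool, rounds: int, budget: int, seed: int = 1) -> Tuple[bool, int]:
    """Model of the poisoning race.  Each round the resolver emits one query
    with a fresh TXID (and a fresh source port when randomize_port is set);
    the attacker, who cannot see the query, fires `budget` forged replies.
    A fixed port is observable, so the attacker only guesses the TXID there.
    The resolver accepts the first reply whose (txid, port) pair matches.
    Returns (poisoned, forged packets sent).  A real attacker can provoke
    as many rounds as it likes, so only the search space limits it."""
    rng = random.Random(seed)
    sent = 0
    for _ in range(rounds):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(EPHEMERAL_LOW, EPHEMERAL_HIGH) if randomize_port else PINNED_PORT
        for _ in range(budget):
            sent += 1
            guess_txid = rng.randrange(TXID_SPACE)
            guess_port = rng.randrange(EPHEMERAL_LOW, EPHEMERAL_HIGH) if randomize_port else PINNED_PORT
            if (guess_txid, guess_port) == (txid, port):
                return True, sent
    return False, sent


def _pattern(values: Sequence[int]) -> str:
    """'fixed' if every value is the same, 'sequential' if each value is the
    previous one plus one, otherwise 'varied'."""
    if len(set(values)) == 1:
        return "fixed"
    if {b - a for a, b in zip(values, values[1:])} == {1}:
        return "sequential"
    return "varied"


def assess_resolver(observations: Sequence[Tuple[int, int]]) -> Dict[str, str]:
    """Classify a resolver from (source_port, txid) pairs seen on the
    authoritative side, which is what a web-based test observes when it
    answers queries for a domain it controls."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    return {"source_port": _pattern(ports), "txid": _pattern(txids)}


# Constructed observations, not real captures.
PRE_PATCH = [(53, 0x1A2B), (53, 0x9C4D), (53, 0x0351), (53, 0x77E0), (53, 0xBEEF)]
SEQUENTIAL = [(32768, 4001), (32769, 4002), (32770, 4003), (32771, 4004)]
PATCHED = [(41237, 0x1A2B), (60012, 0x9C4D), (2210, 0x0351), (53211, 0x77E0), (18876, 0xBEEF)]


if __name__ == "__main__":
    print("search space, fixed port:     ", expected_forged_packets(1))
    print("search space, randomized port:", expected_forged_packets(EPHEMERAL_HIGH - EPHEMERAL_LOW))
    print("fixed port race:     ", simulate_race(False, rounds=4000, budget=512))
    print("randomized port race:", simulate_race(True, rounds=200, budget=256))
    for name, obs in (("pre-patch", PRE_PATCH), ("sequential", SEQUENTIAL), ("patched", PATCHED)):
        print(name, assess_resolver(obs))
```

With a pinned port the simulated attacker typically wins after a few tens of thousands of forged replies, whereas the same attacker against a port-randomizing resolver exhausts its budget without a hit; the ratio of the two search spaces (about 64,000 to 1) is the whole point of the mitigation. Five observations are enough to show the idea but not to judge a production resolver: a real check should collect hundreds of queries before concluding that ports and transaction IDs are randomized rather than merely varied.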
US-CERT Vulnerability Note #800113 includes a list of vendors whose products are confirmed to be or are potentially affected by this vulnerability. This list includes links to vendor supplied mitigation instructions and patches, and can be used to plan corrective action for organizations operating their own DNS infrastructure.
Mitigation strategies include:
- Restrict which sources can request DNS recursion, so that only your own clients can make the resolver issue the queries the attack races against
- Filter network traffic at your network perimeters, in particular packets with spoofed source addresses, since the forged responses depend on spoofing
- Run a local DNS cache
- Disable DNS recursion on servers that do not need to provide it, such as authoritative-only nameservers
These suggested mitigations may not be feasible or appropriate in all operating environments, and may have varying levels of effectiveness at mitigating the risk. None of them is a substitute for the vendor patches that randomize the query source port.
For your convenience, below are direct links to advisories from some of the major vendors affected:
- ISC BIND - http://www.isc.org/sw/bind/bind-security.php
- Cisco Systems - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080708-dns
- Debian GNU/Linux - http://www.debian.org/security/2008/dsa-1603
- Juniper Networks - https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-06-040&viewMode=view (registered customers only)
- Microsoft - http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
- Red Hat - https://rhn.redhat.com/errata/RHSA-2008-0533.html