New version of BIND fixes cache poisoning vulnerability
Internet Systems Consortium, Inc. (ISC) has fixed a security vulnerability in its widely deployed BIND name server that makes it relatively easy for an attacker to manipulate a name server's cache (cache poisoning). The bug makes it possible to insert entries and to resolve names to arbitrary IP addresses, the techniques used in 'pharming' attacks to direct a user's browser to a fake website.
As a rule, configuration errors are responsible for successful cache poisoning attacks. In this case, however, the problem lies in an incorrect implementation of the DNS transaction ID generator. In the early days of DNS, an attacker who wanted to manipulate a DNS transaction between two systems needed to know only the source port of the vulnerable system; the introduction of transaction IDs meant that the attacker also had to guess this ID. These IDs are usually generated randomly. Under BIND 8 there were problems with the pseudo-random IDs, making it possible to guess a valid transaction ID with a probability of 1 in 600. Version 9 used an improved pseudo-random number generator (PRNG).
Unfortunately, as Amit Klein explains in a security advisory, the numbers generated by the proprietary PRNG in BIND 9 are not particularly random, which enormously increases the chance of guessing the next ID correctly. Depending on the type of attack, the probability of correctly predicting an ID is around 10 per cent, so an attacker can send 10 queries with 10 predicted IDs and one of them is likely to match. To make this prediction the attacker must first collect previous transaction IDs, which requires running an "authoritative" name server for a domain of their own. This generally presents little problem for fraudsters.
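The weakness described above is one an operator can check for on their own resolver: capture the queries it sends upstream, extract the 16-bit transaction ID from each DNS header, and look for an obvious pattern such as repeated values or a constant step between consecutive IDs. The following is an added example, not code from ISC or from Amit Klein's advisory; the two packet sets are constructed inline (one with sequential IDs, one drawn from a seeded PRNG), and the 25 per cent threshold in `looks_predictable` is an arbitrary choice for illustration, not a published criterion.

```python
"""Flag obviously predictable DNS transaction IDs in a sample of queries."""
import random
import struct
from collections import Counter


def txid_of(dns_message: bytes) -> int:
    """Return the transaction ID: the first big-endian 16-bit field of the DNS header."""
    if len(dns_message) < 12:
        raise ValueError("DNS header is 12 bytes long")
    return struct.unpack("!H", dns_message[:2])[0]


def txid_report(ids: list[int]) -> dict:
    """Summarise how varied a sequence of transaction IDs is."""
    n = len(ids)
    if n < 2:
        raise ValueError("need at least two IDs")
    # Step between consecutive IDs, modulo 2**16; a fixed step means a counter, not a PRNG.
    deltas = Counter((b - a) % 65536 for a, b in zip(ids, ids[1:]))
    top_delta, top_count = deltas.most_common(1)[0]
    return {
        "samples": n,
        "distinct": len(set(ids)),
        "most_common_delta": top_delta,
        "delta_share": top_count / (n - 1),  # fraction of steps equal to the commonest step
    }


def looks_predictable(report: dict, delta_share_limit: float = 0.25) -> bool:
    """Constructed heuristic: too many equal steps or too many repeated IDs."""
    return (report["delta_share"] >= delta_share_limit
            or report["distinct"] < report["samples"] // 2)


def build_query(txid: int, name: bytes = b"\x07example\x03com\x00") -> bytes:
    """Constructed minimal A query for the given transaction ID (RFC 1035 header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + name + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN


# Constructed samples: a counter-style generator and a seeded random one.
SEQUENTIAL_QUERIES = [build_query((1000 + i) & 0xFFFF) for i in range(32)]
RANDOM_QUERIES = [build_query(t) for t in random.Random(7).sample(range(65536), 32)]


def check_queries(queries: list[bytes]) -> bool:
    """True if the transaction IDs in these queries look predictable."""
    return looks_predictable(txid_report([txid_of(q) for q in queries]))


if __name__ == "__main__":
    print("sequential IDs predictable:", check_queries(SEQUENTIAL_QUERIES))
    print("random IDs predictable:", check_queries(RANDOM_QUERIES))
```

A small sample only catches gross defects such as counters or repeated values; a generator that is statistically weak but not simply sequential, as described in the advisory, needs a larger capture and a proper randomness test.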
Amit Klein's analysis of the bug includes a description of the steps of an attack. Klein also asks why the leading provider of name servers has still not managed to implement a more secure algorithm, given that the dangers of predictable IDs were discovered 10 years ago.
All versions of BIND 9 are affected. ISC recommends updating to BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6. In addition, ISC has indicated that the access control list in the default installation mistakenly allows recursive queries. The report includes details of a workaround.
- BIND Vulnerabilities, security advisory from ISC
- BIND 9 DNS Cache Poisoning, security advisory from Amit Klein
- DNS forgery pharming using BIND 9 cache poisoning (executive summary), security advisory from Amit Klein