Fixed: A Fundamental Security Issue on the internet
Today is a special day in the history of the Internet.
CERT has issued an advisory for a major issue in the Internet Domain Name System, the software that translates memorable names into Internet Numbers. The most notable aspect of this event, aside from the seriousness of the problem, is the massive scale of the cooperation involved. Never before have so many different companies brought so many of their engineers together in an effort to solve the same problem at the same time. After several months of coordinated effort, all the affected vendors have patched their software. As of July 8th, 2008, they have all begun to release the patched software to their clients.
The problem was discovered accidentally by Dan Kaminsky of IOActive, a computer security firm. Mr. Kaminsky reports that he was not looking for vulnerabilities when he found the problem early this year. What he found was not a specific software flaw but rather a design issue present in all implementations of the domain name software.
The design issue allows crackers to pollute (poison) the internal cache of names and numbers that a DNS server maintains. The effect is that a user could type a name like AzerTech.net and, instead of getting the correct number for that name, receive a number that points to a different server. This could be used, for example, to redirect your attempts to reach your bank to a look-alike server belonging to somebody who does not work for your bank.
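To make the idea of a polluted cache concrete, here is a small model of a caching resolver, added here as an illustration and not code from the article or from any real DNS server. It assumes a simplified resolver that keeps one pending query per name and a cache keyed by name with a TTL; the point it shows is that a response is only safe to cache if it answers a query the resolver actually sent and every identifier on it matches, and that once a wrong answer does get cached, every later lookup for that name returns the wrong number until the entry expires. The `guess_space_bits` helper is my own shorthand for the identifier bits a forged reply must match, with and without a randomized UDP source port (the CERT advisory linked below recommends source port randomization for exactly this reason).

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed model of a caching DNS resolver (not the article's code and not a
# real DNS implementation). Names, ports and addresses below are made up.


@dataclass
class PendingQuery:
    name: str
    txid: int       # 16-bit DNS transaction ID chosen when the query was sent
    src_port: int   # UDP source port the query left from


@dataclass
class CacheEntry:
    address: str
    expires_at: float


@dataclass
class Response:
    name: str
    txid: int
    dst_port: int   # port the reply was addressed to
    address: str
    ttl: int


class Resolver:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.cache: Dict[str, CacheEntry] = {}
        self.pending: Dict[str, PendingQuery] = {}

    def lookup(self, name: str) -> Optional[str]:
        """Return the cached address while it is valid; None means we would have to ask upstream."""
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > self.now():
            return entry.address
        self.cache.pop(name, None)   # expired: forget it, including a poisoned entry
        return None

    def send_query(self, name: str, txid: int, src_port: int) -> None:
        """Record the identifiers of a query we sent so the reply can be matched later."""
        self.pending[name] = PendingQuery(name, txid, src_port)

    def accept_response(self, resp: Response) -> bool:
        """Cache a reply only if it answers an outstanding query and all identifiers match."""
        q = self.pending.get(resp.name)
        if q is None:
            return False   # unsolicited: nobody asked about this name
        if resp.txid != q.txid or resp.dst_port != q.src_port:
            return False   # transaction ID or port does not match the query we sent
        del self.pending[resp.name]
        self.cache[resp.name] = CacheEntry(resp.address, self.now() + resp.ttl)
        return True


def guess_space_bits(randomized_port: bool) -> int:
    """Identifier bits a reply must match: the 16-bit txid, plus about 16 more
    when the resolver also randomizes its UDP source port (the 2008 patch)."""
    return 16 + (16 if randomized_port else 0)


if __name__ == "__main__":
    clock = [1000.0]
    r = Resolver(now=lambda: clock[0])
    r.send_query("azertech.net", txid=0x1234, src_port=40000)
    print(r.accept_response(Response("azertech.net", 0x1234, 53, "203.0.113.9", 3600)))     # False: wrong port
    print(r.accept_response(Response("azertech.net", 0x1234, 40000, "192.0.2.10", 60)))      # True
    print(r.lookup("azertech.net"))                                                          # 192.0.2.10
    clock[0] += 61
    print(r.lookup("azertech.net"))                                                          # None (expired)
```

The model deliberately leaves out everything a real resolver does (retries, bailiwick rules, multiple records per name); what it keeps is the one decision that matters here, whether an incoming reply is allowed into the cache, and the fact that a wrong entry lives for its full TTL once it is in.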
To resolve the problem, Kaminsky began by reporting it to the major Internet security authorities, as usual. He reports in his blog, though, that the task of pulling together so many vendors would not have been possible without the help of Paul Vixie, author of many of the Internet's RFCs (Request For Comments documents, the specifications for the major protocols that combine to make the Internet possible). Paul Vixie is also the original author of BIND (the Berkeley Internet Name Domain system), the most commonly used DNS server on the Internet and the de facto standard for UNIX-like systems such as Red Hat Linux. Kaminsky recounts that Vixie "knows everybody" and was able to get engineers from around the world to converge "on the Microsoft campus in March to coordinate their response." All of the vendors agreed on a synchronized release of patched software, on a single day, to minimize the chance that crackers would be able to take advantage of the vulnerability.
Yesterday, July 8th, 2008, was that day!
An interview with Dan Kaminsky is available at securosis.com. This interview also contains many links to useful information.
The CERT advisory is available here:
http://www.kb.cert.org/vuls/id/800113.
It's a rather technical document that most people will not want to read - but the list of companies that were involved in solving the related problems is stunning in its length. It includes just about every company that releases hardware or software that talks on the internet.
Kaminsky has implemented a DNS Checker which is available on his blog. Look for "DNS Checker," the first item in the top-right corner of the page. Sadly, it reminded me that one of my servers is running an expired operating system that no longer receives security patches... it's time for me to upgrade!
This article originally published on Azertech.net
Comments (5)
at 23:14 on July 9th, 2008
azer, I like this story. It's good stuff. I do not like the cracker part! No more upgrades please! I can hardly keep track of it as is! I wish the providers would take care of all this and I would just have to worry about writing and not spelling any Tea or Coffee on my Lab Top!
at 19:09 on July 10th, 2008
Thanks, Paschen, for the comment and the flag! I think we all feel the same way =8^) Thanks again, Take care, --Sam.
at 14:23 on July 13th, 2008
azer, I like this story. It's good stuff.
at 14:25 on July 13th, 2008
OMG, is that how spammers get your email to send out spam allegedly from your site? Will this fix that immense problem? Or am I dreamin'?
at 08:30 on July 14th, 2008
Hi René,
Spammers use a few different techniques to get your email address; the main one is that they troll through the mailing lists and web pages to collect them all up. Another technique that they have is to simply generate random email addresses.
I'm sorry to say that Java and Flash software can also get your name and email address out of your computer. There are many hidden Flash objects on web pages these days and I suspect that they're sometimes collecting information that we don't want them to collect. Use a Flash blocker and turn off Java in your browser to put an end to this.
Regarding the way they make the emails look like they came from you: That's really easy. Emails use a kind of honor system. The From, To, Subject and CC fields are displayed in your email software more or less as they are written in the email itself. Anybody can write pretty much anything in there and that's what you will see in your email software.
With a bit of effort, you can learn to understand the meaning of the internal headers within the emails. Most email programs will not display the header information by default, but they usually have a feature that allows you to see it if you want. In the header there is some routing information that can't be spoofed. Of course, spammers and crackers can throw in some invalid headers to try to confuse you; but the final entry in the header comes from your mail server, and you can follow back down the chain and (again, it takes practice) verify each line to see if it's valid or not.
Perhaps this subject deserves an article?
The problem described in this article is far more serious than that - it's a design error in the DNS system that opens the door to a serious threat. If this threat were to be exploited by enough crackers it would probably make the internet unusable.
Make sure you update your computers this month to avoid problems with your resolver (a small DNS program that computers use to make everything go faster). Hopefully the network admin who maintains your DNS servers will do the same, so as to completely eliminate the threat.
I hope this helps,
Thanks for the flag and the comments,
All the best,
Take care,
Sam.
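The header-reading technique Sam describes in his reply above (the top Received line is written by your own mail server; earlier hops get less trustworthy as you go down, and the From field is whatever the sender typed) can be automated with Python's standard `email` module. The following is an added example, not Sam's code or anything from the page: it parses two constructed messages (one where a spammer simply wrote an azertech.net address into From, one sent by a real azertech.net server), lists the Received hops in trust order, and applies one simple, assumed heuristic: does the name the receiving server observed for the originating hop actually belong to the From domain?

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Two constructed messages (not real mail). Each server prepends its own
# Received line, so the first Received header was written by the last server
# in the chain (ours) and the last one describes the original sender.
SPOOFED = """\
Received: from mx.example.net (mx.example.net [192.0.2.25])
\tby mail.example.com with ESMTP id abc123; Mon, 14 Jul 2008 08:00:00 -0400
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with SMTP; Mon, 14 Jul 2008 07:59:58 -0400
Received: from azertech.net (unknown [203.0.113.200])
\tby relay.example.org with SMTP; Mon, 14 Jul 2008 07:59:00 -0400
From: "Sam" <sam@azertech.net>
To: rene@example.com
Subject: hello

forged body
"""

LEGIT = """\
Received: from mail.azertech.net (mail.azertech.net [192.0.2.10])
\tby mail.example.com with ESMTP id def456; Mon, 14 Jul 2008 08:30:00 -0400
From: "Sam" <sam@azertech.net>
To: rene@example.com
Subject: hello

real body
"""

# "from <claimed name> (<what the receiving server observed>)"
RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)


def received_chain(raw: str) -> List[Dict[str, Optional[str]]]:
    """Received hops in trust order: index 0 was written by our own server,
    the last entry by whichever server first accepted the message."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_FROM.search(value)
        hops.append({
            "claimed": m.group(1) if m else None,             # what the sending host said it was
            "observed": m.group(2) if m and m.group(2) else None,  # what the receiver saw
            "raw": value,
        })
    return hops


def from_domain(raw: str) -> str:
    """Domain of the From address, which is just text the sender chose."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def origin_consistent_with_from(raw: str) -> bool:
    """Heuristic (an assumption for this example): the observed name of the
    originating hop should belong to the From domain. 'unknown' means the
    receiving server could not even find a reverse DNS name for that host."""
    hops = received_chain(raw)
    if not hops:
        return False
    observed = (hops[-1]["observed"] or "").lower()
    return from_domain(raw) in observed


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "consistent:", origin_consistent_with_from(raw))
        for hop in received_chain(raw):
            print("   claimed", hop["claimed"], "| observed", hop["observed"])
```

The heuristic is only a hint, which is the same caveat Sam gives: plenty of legitimate mail passes through relays whose names have nothing to do with the From domain, and a spammer can insert fake Received lines below the real ones. What cannot be faked is the line your own server wrote, so the reading always starts at the top and works downward, trusting each hop a little less than the one above it.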