Re: SNI-12: BIND Vulnerabilities and Solutions (+ more problems)

Johannes Erdfelt (johan@BORG.SVENTECH.COM)
Thu, 24 Apr 1997 01:41:11 -0400

On Wed, 23 Apr 1997, Michael K. Sanders wrote:

> In message <Pine.LNX.3.95.970422142917.16221A-100000@borg.sventech.com>, Johannes Erdfelt writes:
> >Since SNI has released that paper and stole all of the thunder out of my
> >advisory, I'll post a couple of things in addition to their advisory.
> >There are a couple of things in this post and it's semi-long.
>
> I don't know that I'd be too concerned about having all your thunder
> stolen... I'm reminded of the 5th USENIX UNIX Security Symposium.
>
> >There's a MUCH easier way of caching RRs, as long as the nameserver is
> >older than 4.9.5+P1, which is > 90% of the net. I explained it in a paper I
> >wrote last year and sent it off to Paul Vixie to get a reply (and possibly a
> >patch) to the problem. The problem is basically this: BIND will cache
> >ANYTHING that it gets in the return packet. This advisory was
> >partially leaked to nanog and is known to have been leaked to a number
> >of other people. Here it is from my original advisory (complete with
> >spelling and grammar mistakes):
>
> ... so how is all of this different from Bellovin's original 1990
> paper?
>
> <URL:http://penguin.cso.uiuc.edu/~lemson/securitysymp/session7.html>
> <URL:http://www.usenix.org/publications/library/proceedings/security95/bellovin.html>

Not much other than the fact that it's still present on the internet. I
was reminded by Gene Spafford that a student has written a thesis on the
subject. All of the vulnerabilities that have been presented in the past 2
days have been known about. The main problem is that a large majority of
name servers out there are vulnerable to the problem. SNI's advisory
explains different problems, which, while known about, are STILL a problem
even in the latest revision of BIND.

What I really neglected to mention (and forgot to quote) was that all of
the problems have been known about. When I first wrote my advisory, I
didn't know of the other research that has gone into BIND/DNS. I did find
some information, but not nearly as much as has been pointed out to me
since I made the original post.

When I sent the original email to Paul Vixie, I received a somewhat
lukewarm reception, from which it would seem he had known of these problems
beforehand. On Feb 14, I received this back from Paul Vixie after
submitting the initial advisory:

thanks for your note. i will have this looked into.

After a week, I sent some more email asking for some more information on
the problem: whether a patch had been developed, and when it would be released.
This is the reply I received back from Bob Halley (another lead worker on
BIND):

"Recent releases of BIND (e.g. 4.9.5, the 8.1 test releases) have been
doing more consistency and validity checking of the answer and
authority sections. In response to your report, I've also added
checking for the additional data section. This will eventually go out
as a patch to 4.9.5, and will be in the next test release of 8.1.

Until the DNS security extensions (e.g. digitally signed zone data
using strong cryptography) are available and widely deployed, it is
not possible to prevent a sufficiently determined attacker from adding
RRs to the cache (at least for zones the server isn't authoritative
for). The improvements we've been adding do make it harder. The
improvements will also help protect against broken nameservers."

I assumed after this a patch would be out soon. After two months, there
is still yet to be a patch. That was the main reason for the original
post. For all intents and purposes, DNS on the Internet is run by BIND.
Every version of BIND had at least one serious security problem with it. As
time went on, I eventually came up with the same conclusions as SNI had and
made an even more recent version of my advisory, warning that most of the
Internet was still vulnerable. I waited for the patch that Bob Halley had
alluded to to be released before I mentioned anything about it.

As you can see by SNI's original post, this has caused a bit of an uproar.
Basically, those other papers didn't exist. Although I have already
conceded to the fact that my original search for any information was a
little less than optimal, the majority of the Internet did not know of
this particular vulnerability.

As an overview of my rambling: these problems are old and are known of.
Not very many people knew of the problem. I was unaware at first of the
problem, and SNI was apparently unaware of the second problem I described.
Apparently the workers of BIND were either a) unaware as well or b)
didn't think it was necessary to release a patch to fix these problems.
I'm not sure which it was, but it was still a problem up until yesterday.

JE
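The defect the thread turns on is a resolver caching every RR in a reply, additional section included, regardless of whether the responding server has any authority over the owner name. The "consistency and validity checking" Bob Halley describes amounts to a bailiwick rule: only cache RRs whose owner name lies at or below the zone the answering server was asked about, and only accept answer-section RRs that actually relate to the question. The following is an added illustration of that rule as a cache-acceptance filter, written for this archive page; it is not BIND's code, and the zone, names, addresses and the `RR`/`filter_response` helpers are constructed for the example.

```python
"""Bailiwick-based cache acceptance for DNS responses (added illustration, not BIND code).

A reply is only trusted to say things about names inside the zone the queried
server is responsible for.  Everything else, including unsolicited additional
records for unrelated names, is dropped before it can reach the cache.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    owner: str   # owner name, e.g. "www.example.com."
    rtype: str   # record type, e.g. "A", "NS", "CNAME"
    ttl: int
    rdata: str   # address or target name, kept as text for the example


def _norm(name: str) -> str:
    """DNS names are case-insensitive; ignore a trailing dot as well."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex itself or a name beneath it.

    The check is label-based: "notexample.com" is NOT under "example.com".
    """
    owner, zone = _norm(owner), _norm(zone)
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, qname: str,
                    answer: List[RR], authority: List[RR], additional: List[RR]
                    ) -> Dict[str, list]:
    """Split a response into RRs safe to cache and RRs to reject, with reasons.

    zone  -- the zone the queried server was asked about (its bailiwick)
    qname -- the name that was queried
    """
    accepted: List[RR] = []
    rejected: List[Tuple[str, RR, str]] = []

    # Answer-section owners must be the queried name or a target reached
    # through a CNAME chain that itself started at the queried name.
    allowed_answer_owners = {_norm(qname)}
    for rr in answer:
        if rr.rtype == "CNAME" and _norm(rr.owner) in allowed_answer_owners:
            allowed_answer_owners.add(_norm(rr.rdata))

    for section, rrs in (("answer", answer),
                         ("authority", authority),
                         ("additional", additional)):
        for rr in rrs:
            if not in_bailiwick(rr.owner, zone):
                rejected.append((section, rr,
                                 "owner outside bailiwick of %s" % zone))
                continue
            if section == "answer" and _norm(rr.owner) not in allowed_answer_owners:
                rejected.append((section, rr,
                                 "answer owner unrelated to question %s" % qname))
                continue
            accepted.append(rr)

    return {"accepted": accepted, "rejected": rejected}


# Constructed sample reply: a query for www.example.com sent to a server for
# example.com.  The last additional record is the classic poisoning shape,
# an unsolicited A record for a name the server has no authority over.
ZONE = "example.com"
QNAME = "www.example.com"
ANSWER = [RR("www.example.com.", "A", 3600, "192.0.2.10")]
AUTHORITY = [RR("example.com.", "NS", 86400, "ns1.example.com.")]
ADDITIONAL = [
    RR("ns1.example.com.", "A", 86400, "192.0.2.1"),    # legitimate glue
    RR("www.bank.example.", "A", 86400, "192.0.2.99"),  # out of bailiwick
]


def demo() -> Dict[str, list]:
    """Run the filter over the constructed reply."""
    return filter_response(ZONE, QNAME, ANSWER, AUTHORITY, ADDITIONAL)


if __name__ == "__main__":
    result = demo()
    for rr in result["accepted"]:
        print("cache  ", rr)
    for section, rr, why in result["rejected"]:
        print("reject ", section, rr, "--", why)
```

Running it caches the answer, the NS record and its glue, and rejects the `www.bank.example.` record with the reason "owner outside bailiwick of example.com". The filter does not replace the DNSSEC signatures Halley mentions: a server that is genuinely authoritative for a zone can still hand out bad data for that zone, but an answer from one zone can no longer plant records for another.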