Gauntlet Advisory - DNS security holes

Aleph One (aleph1@DFW.NET)
Wed, 07 May 1997 00:35:56 -0500

---------- Forwarded message ----------
Date: Fri, 25 Apr 1997 17:13:10 -0400 (EDT)
From: John McMahon <mcmahon@tis.com>
Subject: Gauntlet Advisory - DNS security holes

Recently, Secure Networks Incorporated released a "Security Advisory"
detailing two potential security problems in the Domain Name Service (DNS)
that is used on most systems on the Internet. We have analyzed the
problems that they describe; this message is the result of that analysis.

First, they describe a problem which is caused by use of easily
predictable query identifiers by the DNS server. Because of this,
it is possible to provide incorrect data to a DNS server - giving
it an incorrect name-to-IP-address mapping, for example.

Second, they describe a potential buffer overflow problem in
applications that do not verify the length of the name returned by
a DNS lookup - if the application provides for 512 bytes of name
storage but the DNS returns 1024 bytes, a buffer overflow occurs.
This could be used to execute arbitrary commands on a host being
attacked. This more serious problem was addressed by a patch that
TIS issued in late 1996.

The DNS cache corruption problem is serious in that it may allow
node spoofing or denial of service attacks. The attacker cannot
change information about your internal networks, and the Gauntlet
Firewall depends on IP addresses rather than hostnames for
determining security policy. However, an attacker does have the
ability to masquerade as a specific remote node to fool users
inside the firewall into interacting with the wrong remote system.
You should seriously consider implementing the fix. The buffer
overflow problems are extremely serious. If you have not already
done so, you should install the correction as soon as possible.

The first problem can be corrected by providing more randomness
in the selection of query identifiers. TIS is making available a
corrected DNS server for each platform that the Gauntlet Firewall
runs on. This corrected DNS server is available from
ftp://ftp.tis.com/gauntlet/patches/3.2/named.patch (For Gauntlet
Firewall 3.1 and 3.2).

The second problem is corrected by ensuring that any application
that uses the nameserver first verifies the length of the data
returned. TIS has had a patch available for this problem since
November 1996 - this patch is available from
ftp://ftp.tis.com/gauntlet/patches/3.1/resolver.patch (For Gauntlet 3.1)
and ftp://ftp.tis.com/gauntlet/patches/3.2/resolver.patch (For Gauntlet 3.2).
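As an added illustration of the length check the second problem requires (example code, not part of the advisory or of TIS's resolver patch): the unchecked copy pattern the advisory describes, beside a version that verifies the returned name fits the application's storage before copying it. The function names, the 512-byte storage size taken from the advisory's example, and the constructed over-long hostname are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

#define NAME_STORAGE 512   /* storage the application set aside for a hostname */

/* The defect the advisory describes: the resolver's answer is copied into
 * fixed storage without a length check, so a 1024-byte name overruns a
 * 512-byte buffer. Shown for contrast only; nothing below calls it. */
void copy_name_unchecked(char *dst, const char *returned_name)
{
    strcpy(dst, returned_name);
}

/* Hardened form: the caller states how much storage it has, and an answer
 * that will not fit (including its terminating NUL) is refused, leaving
 * dst as an empty string. Returns 0 on success, -1 on rejection. */
int copy_name_checked(char *dst, size_t dstlen, const char *returned_name)
{
    size_t n;
    if (dst == NULL || dstlen == 0 || returned_name == NULL)
        return -1;
    for (n = 0; n < dstlen; n++)        /* bounded scan: reads at most dstlen bytes */
        if (returned_name[n] == '\0')
            break;
    if (n == dstlen) {                   /* no NUL within dstlen bytes: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, returned_name, n + 1);   /* n < dstlen, so the NUL fits too */
    return 0;
}

/* Constructed stand-in for an over-long resolver answer: `len` characters
 * of 'a' labels separated by dots (63-character labels, as DNS allows). */
char *make_long_name(size_t len)
{
    char *name = malloc(len + 1);
    size_t i;
    if (name == NULL)
        return NULL;
    for (i = 0; i < len; i++)
        name[i] = (i % 64 == 63) ? '.' : 'a';
    name[len] = '\0';
    return name;
}
```

With a 512-byte buffer, `copy_name_checked` accepts names of up to 511 characters and rejects the 1024-byte answer from the advisory's example instead of overrunning the storage.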