NISCC Vulnerability Advisory 758884/NISCC/DNS
Vulnerability Issues in Implementations of the DNS Protocol
Version Information
Advisory Reference: 758884/NISCC/DNS
Release Date: 9 November 2004
Last Revision: 9 November 2004
Version Number: 1.0
What is Affected?
The vulnerabilities described in this advisory affect the Domain Name System (DNS) protocol. Many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all.
Please note that the information contained within this advisory is subject to change. All subscribers are therefore advised to regularly check the UNIRAS website (http://www.uniras.gov.uk/vuls/2004/758884/index.htm) for updates to this notice.
Severity
The severity of these vulnerabilities varies by vendor. Please see the vendor section below for further information. Alternatively, contact your vendor for product-specific information.
If exploited, these vulnerabilities could allow an attacker to create a Denial of Service condition.
Summary
Several vulnerabilities have been discovered within the Domain Name System (DNS) protocol by two DNS experts, Roy Arends and Jakob Schlyter.
The Domain Name System (DNS) protocol is an Internet service that translates domain names into Internet Protocol (IP) addresses. Because domain names are alphabetic, they are easier to remember. The Internet, however, is really based on IP addresses; hence every time a domain name is requested, a DNS service must translate the name into the corresponding IP address.
NISCC wishes to advise users of the availability of a test tool that is designed to confirm the existence of vulnerabilities in the DNS protocol.
All users of applications that support DNS are recommended to take note of this advisory and carry out any remedial actions suggested by their vendor(s).
Details
The Domain Name System (DNS) is basically a database of host information. The DNS protocol is utilised to identify servers by their IP addresses and aliases given their registered domain name. The request is usually simple, including just the name of the server. The response, however, can be quite complex, because it will contain all the addresses and aliases that the server might have. A DNS query is sent to a name server to provoke a response; a DNS response then either answers the query, refers the requester to another set of name servers or signals some error condition. Please refer to RFC 1034 Section 3.7, RFC 1034 Section 4.1, RFC 1034 Section 4.3.1 and RFC 1035 Section 4.1.1 for further information on the query-response relationship within the DNS protocol.
The relevant vulnerabilities are a result of liberal interpretation of the DNS protocol by implementors. DNS uses a message format to provide a mechanism to resolve domain names into IP addresses; a message can either be a 'query' or a 'response'. When the protocol is implemented in such a way that a 'response' is allowed to be answered with a 'response', messages bounce back and forth between the servers, causing a query-response storm that can result in a denial of service.
In addition, when such an implementation is sent a query that appears to originate from the localhost on UDP port 53, the server will respond to itself and will keep responding to these responses, entering a loop which can exhaust system resources and result in a denial of service.
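The receive-path check that prevents both loops described above, as an added example (not code from NISCC or from any vendor listed in this advisory): it reads the QR bit from the fixed 12-byte header (RFC 1035 Section 4.1.1) and never answers a message marked as a response. The function names, the own_ips and listen_port parameters and the sample datagrams are assumptions constructed for illustration.

```python
import ipaddress
import struct

DNS_HEADER_LEN = 12      # RFC 1035 section 4.1.1: fixed 12-byte header
QR_MASK = 0x8000         # top bit of the flags word: 0 = query, 1 = response


def should_answer(datagram, src_ip, src_port, own_ips=(), listen_port=53):
    """Return (answer, reason) for a datagram received on the server socket.

    own_ips and listen_port are hypothetical configuration values naming the
    addresses and port this server itself sends from.
    """
    if len(datagram) < DNS_HEADER_LEN:
        return False, "truncated header"
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", datagram[:DNS_HEADER_LEN])
    if flags & QR_MASK:
        # A response must never be answered, not even with an error response;
        # doing so is what lets two servers bounce messages indefinitely.
        return False, "QR=1 (response)"
    addr = ipaddress.ip_address(src_ip)
    if src_port == listen_port and (addr.is_loopback or src_ip in own_ips):
        # Claims to come from this server's own DNS socket: any reply would
        # be delivered straight back to the server itself.
        return False, "source is own DNS socket"
    return True, "query"


def build_message(msg_id, flags, qdcount=1):
    """Constructed sample data: header plus one question, 'example.' A IN."""
    question = b"\x07example\x00" + struct.pack("!2H", 1, 1)
    return struct.pack("!6H", msg_id, flags, qdcount, 0, 0, 0) + question


SAMPLES = [  # (label, datagram, source ip, source port), all constructed
    ("normal query", build_message(0x1A2B, 0x0100), "192.0.2.10", 40000),
    ("stray response", build_message(0x1A2B, 0x8180), "192.0.2.53", 53),
    ("error response", build_message(0x1A2B, 0x8181), "192.0.2.53", 53),
    ("self-sourced query", build_message(0x1A2B, 0x0100), "127.0.0.1", 53),
    ("runt datagram", b"\x00\x01\x80", "192.0.2.10", 40000),
]

if __name__ == "__main__":
    for label, data, ip, port in SAMPLES:
        print(f"{label:20s} -> {should_answer(data, ip, port)}")
```

The QR test comes first because it is the one that breaks the loop regardless of where the message claims to come from; the source check is an additional guard for the self-addressed case.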
Vendor specific information will be released as it becomes available and if vendor permission has been received. Subscribers are advised to check the following URL regularly for updates:
http://www.uniras.gov.uk/vuls/2004/758884/index.htm
[Please note that updates to this advisory will not be notified by email.]
This vulnerability has been assigned the CVE name CAN-2004-0789.
Mitigation
Patch all affected implementations.
Solution
Please refer to the Vendor Information section of this advisory for platform-specific remediation.
Vendor Information
The following vendors have provided information about how their products are
affected by these vulnerabilities.
Please note that JPCERT/CC have released a Japanese language advisory for this vulnerability which contains additional information regarding Japanese vendors. This advisory is available at http://jvn.jp/niscc/NISCC-758884.html.
Axis
The DNS issues that Roy Arends had identified in Axis products have now been eliminated.
The affected products and firmware release version are:
Axis 2400+ Network Video Server - Release 3.13
Axis 2401+ Network Video Server - Release 3.13
Axis 2460 Network DVR - Release 3.13
Axis 2100 Network Camera - 2.42 (Currently release candidate and will be official soon)
Axis 2110 Network Camera - 2.42 (Currently release candidate and will be official soon)
Axis 2120 Network Camera - Release 2.42 (Currently release candidate and will be official soon)
Axis 2420 Network Camera - Release 2.42
The firmware releases can be downloaded from Axis Support page http://www.axis.com/techsup/firmware.php.
Cisco
Cisco Systems is evaluating the vulnerabilities identified by NISCC #758884. Should an issue be found, Cisco will release a Security Advisory. The most up-to-date information on all Cisco product security issues may be found at http://www.cisco.com/go/psirt/.
DNRD
Not vulnerable from version 2.11 and above.
Hewlett-Packard
HP has determined that we are not impacted by this vulnerability.
JDNSS
The JDNSS team would like to thank NISCC for notifying us of the possible vulnerabilities; our testing shows JDNSS is not vulnerable to these exploits.
JH Software
JS Software products are not vulnerable to this vulnerability.
Juniper
Juniper Networks products are not susceptible to this vulnerability.
Men & Mice
The Men & Mice Suite, which is a DNS and IP management suite, is not affected by this vulnerability.
QuickDNS Server, a DNS server for Mac OS 8 and 9 which is no longer sold by Men & Mice, was updated to address this vulnerability in the following versions and on the following dates:
3.5.2 released October 10, 2001
2.2.3 released October 22, 2001
MyDNS
MyDNS 0.10.1 and all later versions are not vulnerable.
Posadis
Posadis have updated their product to guard against this vulnerability. For more detail, please visit Posadis Security Advisory at http://www.posadis.org/security/pos_adv_006.txt.
Sprint
Sprint products are not susceptible to this vulnerability.
VeriSign
VeriSign is pleased to notify NISCC that the vulnerability in ATLAS identified by Roy Arends has been corrected. New code addressing the issue was deployed in late January, 2004.
Wind River
Wind River's response to Vulnerability Advisory 758884/NISCC/DNS:
Wind River does not ship a DNS server with its products and therefore we believe that we are not vulnerable to the attacks specified in this vulnerability report.
Acknowledgements
NISCC wishes to thank the following:
• Roy Arends for his contributions to this advisory.
• Jakob Schlyter, who helped establish the initial list of vulnerable implementations.
• JPCERT/CC for their assistance in co-ordinating this disclosure in Japan.
References
Contact Information
The NISCC Vulnerability Management Team can be contacted as follows:
Email: vulteam@niscc.gov.uk (Please quote the advisory reference in the subject line.)
Telephone: +44 (0)870 487 0748 Extension 4511 (Monday to Friday 08:30 - 17:00)
Fax: +44 (0)870 487 0749
Post: Vulnerability Management Team, NISCC, PO Box 832, London SW1P 1BG
We encourage those who wish to communicate via email to make use of our PGP key. This is available from http://www.uniras.gov.uk/UNIRAS.asc.
Please note that UK government protectively marked material should not be sent to the email address above.
If you wish to be added to our email distribution list, please email your request to uniras@niscc.gov.uk.
What is NISCC?
For further information
regarding the UK National Infrastructure Security Co-Ordination Centre, please
visit the NISCC web site at: http://www.niscc.gov.uk/aboutniscc/index.htm
Reference to any specific commercial product, process or service by trade name, trademark, manufacturer or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions contained
within this advisory. In particular, they shall not be liable for any loss or
damage whatsoever, arising from or in connection with the usage of information
contained within this notice.
© 2004 Crown Copyright
Revision History
9 November 2004: Initial release (1.0)
<End of NISCC Vulnerability Advisory>