LAS VEGAS -- Speaking to more than 1,000 security professionals at the Black Hat briefings, Dan Kaminsky outlined more than a dozen ways the DNS cache poisoning flaw could be used to cause widespread damage on internal and external servers.
Kaminsky's presentation Wednesday marked the first time the full details of the vulnerability were revealed since it was publicly disclosed July 8 in a massive coordinated patch release by multiple DNS vendors.
Kaminsky, director of penetration testing at IOActive Inc., said the vulnerability enables attackers to move beyond standard server or browser attacks and into attacks on applications that pull data from the Web -- making a DNS request -- without using a browser. Email, Voice over Internet Protocol (VoIP) and analytical applications are vulnerable to the poisoning attack. Authentication servers, back-end databases and even service-oriented architectures (SOA) are at risk since they are directed by DNS, even though they may be behind a firewall.
"There's a reason why so many people had so many things to speculate about, because there's a ton of different paths that lead to doom," Kaminsky said.
IT administrators had a good reason to deploy patches quickly, Kaminsky said. An attack can be carried out in seconds by flooding the DNS server with requests until a legitimate answer is received. The technique also involves redirecting the name server to an IP address set up by the attacker, and the use of bailiwick checking to dupe the server into believing the queried domain is legit.
The good news is that 70% of Fortune 500 email servers have been patched, as well as 61% of other servers. Still, more work needs to be done, he said. The vulnerability exposed the degree to which security best practices have been ignored, Kaminsky said. Even if a patch is fully deployed, there are other ways unencrypted IP traffic can be sniffed by an attacker, he said.
"DNS should not have been capable of this much damage," Kaminsky said. "Why was such a stupid simple bug capable of breaking this many things?"
Other attack scenarios make website verification and application updates vulnerable. Kaminsky highlighted the threat to SSL certificates, which are dependent on DNS. He called the certificate system poorly managed and mostly ignored by end users. With an exception to Microsoft updates, many vendor updates are dependent on DNS for verification, he said.
Microsoft, Cisco Systems Inc., Internet Systems Consortium Berkeley Internet Name Domain (ISC BIND) and other vendors met at a secret summit in March to figure out how to repair the issue. Ultimately, the vendors agreed to issue a critical design patch that implements port randomization to correct the problem. Instead of randomizing on a transaction ID field of 16 bits, it now randomizes using 27-30 bits, greatly reducing the odds of someone successfully carrying out an attack, Kaminsky said. The session proved that vendors can cooperate despite competition and have a productive result, he said.
"We had a choice back at our summit in March," Kaminsky said. "We could either do point fixes or we could drop the sledge hammer and finally raise the odds from one out of 65,000 to one out of hundreds of millions."
Behind the scenes, DNS vendors and security experts are still racing to come up with a more permanent fix.
Rodney Joffe, senior vice president and senior technologist at NeuStar, a DNS vendor. Joffe sits on the Security and Stability Committee of the Internet Corporation for Assigned Names and Numbers (ICANN), and has worked on DNS security issues for years at ICANN meetings. He said it has been clear behind the scenes of how challenging it is to solve the DNS cache poisoning flaw. Although the current patch solves the problem temporarily, vendors need to push for a more permanent fix, he said.
Joffe is advocating for DNSSEC, a 12-year-old protocol that allows for the trusted signing of DNS answers.
"Over coming months and days it's going to drop down to hours and seconds again for attackers to pull off a successful exploit as they get more bandwidth available," Joffe said. "It's going to be race between getting DNSSEC deployed and getting machines and more bandwidth."