There’s been a lot of talk about the DNS vulnerability (CVE-2008-1447) discovered by Dan Kaminsky. As described in the Common Vulnerabilities and Exposures database, the flaw allows remote attackers to spoof DNS traffic and poison the caches of recursive DNS servers, so that any system relying on a poisoned server is sent to a malicious site instead of the real one. This greatly increases the risk of phishing and drive-by malware installation, and it essentially means there is no way for a user to tell whether they have reached the authentic site or a malicious copy. The root cause is insufficient randomness in DNS transaction IDs and source ports: a resolver that identifies a reply by a 16-bit transaction ID alone, sent from a predictable source port, leaves an attacker flooding it with forged replies far too small a space to guess, which is why the patches randomize the source port as well. Both BIND-based implementations and Windows DNS were affected.
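To make the "insufficient randomness" point concrete, here is an added toy model of the race the attack exploits (example code written for this post, not Kaminsky's or Metasploit's code and not a real DNS implementation). The resolver remembers the (transaction ID, port) it is waiting on; the attacker makes it look up a fresh subdomain each round so there is never a cache hit to wait out, then floods it with forged replies. The fixed port value, the 1024–65535 ephemeral range and the 300 forged replies per query are assumptions chosen to keep the simulation fast; only the ratio between the two runs matters.

```python
"""Toy model of the race CVE-2008-1447 exploits: a recursive resolver accepts
the first upstream reply whose transaction ID and destination port match an
outstanding query. Constructed example, not code from the post, from Kaminsky
or from any DNS implementation; port ranges and flood size are assumptions.
"""
import random
from typing import Optional, Tuple

TXID_SPACE = 1 << 16                  # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 65536)  # assumption: a patched resolver picks from this range
FIXED_PORT = 53                       # pre-patch behaviour: one port that never changes
                                      # (the value is irrelevant; what matters is that it is predictable)


class ToyResolver:
    """Stand-in for a recursive resolver's outstanding-query bookkeeping."""

    def __init__(self, randomize_ports: bool, rng: random.Random) -> None:
        self.randomize_ports = randomize_ports
        self.rng = rng

    def outstanding_query(self) -> Tuple[int, int]:
        """Issue one upstream query and return the (txid, port) a reply must match."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_ports else FIXED_PORT
        return txid, port

    @staticmethod
    def accepts(expected: Tuple[int, int], reply: Tuple[int, int]) -> bool:
        """A reply is cached if, and only if, txid and port match; nothing else is checked."""
        return reply == expected


def expected_queries(randomize_ports: bool, replies_per_query: int) -> float:
    """Average number of induced queries before one forged reply is accepted.

    With a predictable port the attacker only has to hit a 16-bit txid; with
    randomized ports the search space is multiplied by the number of ports."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_ports else 1)
    return space / replies_per_query


def run_race(randomize_ports: bool, replies_per_query: int,
             max_queries: int, seed: int = 1) -> Optional[int]:
    """Simulate the attacker's loop: induce a lookup of a fresh, never-cached
    subdomain of the target domain, flood the resolver with forged replies, repeat.

    Returns how many induced queries it took before a forgery was accepted, or
    None if the attacker exhausts max_queries without winning."""
    rng = random.Random(seed)
    resolver = ToyResolver(randomize_ports, rng)
    attacker = random.Random(seed + 1)
    for n in range(1, max_queries + 1):
        expected = resolver.outstanding_query()  # e.g. the query for "<random>.example.com"
        if randomize_ports:
            # The attacker has to guess txid and port together.
            guesses = {(attacker.randrange(TXID_SPACE), attacker.choice(EPHEMERAL_PORTS))
                       for _ in range(replies_per_query)}
        else:
            # The attacker already knows the fixed port (it is visible in any query the
            # resolver sends to a server the attacker controls), so each forged reply
            # can try a different txid.
            guesses = {(txid, FIXED_PORT)
                       for txid in attacker.sample(range(TXID_SPACE), replies_per_query)}
        if any(resolver.accepts(expected, g) for g in guesses):
            return n
    return None


if __name__ == "__main__":
    for randomized in (False, True):
        label = "randomized port" if randomized else "fixed port"
        print(f"{label}: expected ~{expected_queries(randomized, 300):.0f} queries on average; "
              f"simulated with a budget of 3000 queries: {run_race(randomized, 300, 3000)}")
```

With a fixed port the forgery typically lands within a few hundred induced queries, which is seconds of traffic; with randomized ports the same flood needs on the order of ten million queries on average, which is why port randomization (rather than a bigger transaction ID, which the protocol does not allow) was the shipped fix.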
Dan Kaminsky worked with major vendors such as Cisco, Sun and Microsoft to release co-ordinated patches, timed to coincide with Microsoft’s regular Patch Tuesday on 8th July. Kaminsky and the vendors kept the specifics under wraps to give administrators time to patch before the vulnerability could be exploited, and he promised to release the full details at the Black Hat ‘08 conference in Las Vegas on 2nd August.
However, the details have since been reverse engineered from the patches, the attack has been weaponized, and exploit code is now in the wild. Even with active exploitation under way, major ISPs are still being slow to patch their DNS servers, and Apple has not even released a patch for its implementation of BIND.
If you’re interested in testing your ISP’s server to check whether it is patched, Kaminsky has a tool on his DoxPara Research site that checks for the flaw. However, as detailed on the Metasploit blog, even if your main DNS servers are patched, you are still at risk if they forward queries to an unpatched server: it is the forwarder’s cache that gets poisoned, and your patched servers will faithfully hand you the poisoned answers. So, what should you do? If your ISP is still unpatched, Kaminsky recommends using OpenDNS. This is a DNS service that I switched to some time ago as their name resolution was faster than my ISP’s. They are also patched and provide phishing filtering, and even allow content rules and website blocking if required.
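The online checkers work by coaxing your resolver into querying a server the tester controls and looking at the source ports and transaction IDs that arrive. Below is an added heuristic that does the same analysis on a list of such observations (example code written for this post, not Kaminsky's tool or the Metasploit module; the sample observations are constructed, not captured traffic, and the spread and distinct-port thresholds are assumptions, not values from any published tester).

```python
"""Heuristic check of whether a resolver randomizes its query source ports,
in the spirit of the "is my DNS patched?" testers. Constructed example: the
observations below are made up, not captured traffic, and the thresholds are
assumptions rather than values from any published tool.
"""
from typing import Dict, List, Tuple

# Each observation is (source_port, txid) as seen by an authoritative server
# that the resolver under test was coaxed into querying repeatedly.
Observation = Tuple[int, int]

MIN_DISTINCT_FRACTION = 0.8  # assumption: a randomizing resolver rarely repeats a port in a small sample
MIN_PORT_SPREAD = 10_000     # assumption: randomly chosen ephemeral ports should span a wide range


def is_sequential(values: List[int]) -> bool:
    """True if every value differs from the previous one by the same non-zero step."""
    if len(values) < 3:
        return False
    step = values[1] - values[0]
    return step != 0 and all(b - a == step for a, b in zip(values, values[1:]))


def assess(observations: List[Observation]) -> Dict[str, object]:
    """Flag the patterns a pre-patch resolver shows: a fixed or counting source
    port, a tightly clustered port range, or counting transaction IDs."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    distinct_ports = len(set(ports))
    findings = []
    if distinct_ports == 1:
        findings.append("fixed source port")
    elif is_sequential(ports):
        findings.append("sequential source ports")
    elif (distinct_ports < MIN_DISTINCT_FRACTION * len(ports)
          or max(ports) - min(ports) < MIN_PORT_SPREAD):
        findings.append("low source port entropy")
    if is_sequential(txids):
        findings.append("sequential transaction IDs")
    return {"vulnerable": bool(findings), "findings": findings, "distinct_ports": distinct_ports}


# Constructed samples of ten queries each.
RANDOM_TXIDS = [0x4F2A, 0x913C, 0x0B77, 0xE6D1, 0x2A09, 0x7CF3, 0xB5E8, 0x1D40, 0xD82B, 0x6F95]
RANDOM_PORTS = [51234, 3345, 61002, 27781, 9990, 44120, 58731, 15673, 33209, 40415]

PRE_PATCH = [(53, 0x1000 + i) for i in range(10)]                 # one port, counting txids
SEQUENTIAL_PORTS = list(zip(range(32768, 32778), RANDOM_TXIDS))   # port counts up by one per query
PATCHED = list(zip(RANDOM_PORTS, RANDOM_TXIDS))                   # random port and random txid

if __name__ == "__main__":
    for name, sample in (("pre-patch", PRE_PATCH), ("sequential ports", SEQUENTIAL_PORTS),
                         ("patched", PATCHED)):
        print(name, assess(sample))
```

Two caveats apply to this and to the online testers alike. A small sample can only catch obviously non-random behaviour, so a verdict of "not vulnerable" means nothing more than "no pattern found". And the observations belong to whichever server actually sent the query to the authoritative side, so if your resolver forwards to another server, it is that last hop you are measuring, which is exactly the forwarding risk described above.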
UPDATE: After more than three weeks, Apple has finally released a patch for Mac OS X. However, this only fixes the problem on servers and does not patch client systems.


