Nearly two weeks ago security researcher Dan Kaminsky, in coordination with US-CERT, disclosed a
critical vulnerability in DNS
that could cripple parts of the Internet. At the time of disclosure, Kaminsky refused to
provide full details of the vulnerability in hopes that users of DNS would have 30 days
to patch their servers. As it turns out, they only got 13 days.
Kaminsky admitted today on a Black Hat webcast that there is now a valid attack in the
wild that exploits the DNS vulnerability. The attack is now available as a module for the
point-and-click Metasploit framework, making exploitation simple for script kiddies to try.
With the attack in the wild, millions of recursive DNS servers that have not yet been
patched for the flaw could be at risk from the cache poisoning attack.
“It doesn’t matter who leaked the exploit, we have an actual extant threat to the
network and it’s a big deal,” Kaminsky said. “I don’t care who said what when. Now it
doesn’t matter, what matters is people need to patch. We’re in a lot of trouble. This
attack is being weaponized out in the field.”
Kaminsky admitted that he made an unreasonable request of security researchers to not
try and produce exploit code for the vulnerability. He applauded the fact that most of
the security community had respected his request.
In terms of how many people have been able to patch for the vulnerability, Kaminsky
shared some insights. Based on data from a tool that Kaminsky posted on July 8th, when
the first patches for the DNS server were made available, 86 percent of people that came
to his site were vulnerable. As of July 24th that number had dropped down to 52 percent.
“52 percent is not perfect and maybe it’s not good enough but we had to try,” Kaminsky said.
No active exploit?
Kaminsky noted that some organizations might have refused to patch their DNS servers
since there was no active exploit and because Kaminsky did not release full details. That
excuse no longer exists as the code is in Metasploit today. Metasploit is a freely
available tool that allows a researcher to plug in modules that can be used to execute
attacks through a simple interface.
Additionally, not all types of DNS servers are at risk. Kaminsky’s flaw only affects
what are known as recursive DNS servers, which provide domain lookup information.
Authoritative DNS servers that provide the core DNS infrastructure at VeriSign and large
domain vendors like GoDaddy were never at risk.
The patches for the DNS flaw that have been pushed out by multiple vendors including
Microsoft, ISC BIND, Cisco and others are not the ultimate solution for the problem that
Kaminsky discovered. Kaminsky admitted that DNSSEC
is the ultimate solution for the problem. DNSSEC provides additional security extensions
to DNS to ensure authenticity.
Joao Damas, senior programming manager at ISC, said on the same webcast that the only
thing that provides full security for the problem is DNSSEC.
“You should go for the patches first,” Damas said. “But after that is done there is a
real need to put pressure on for DNSSEC.”
Article courtesy of InternetNews.com