Bugtraq mailing list archives
Gauntlet Advisory - DNS security holes
From: aleph1 () DFW NET (Aleph One)
Date: Wed, 7 May 1997 00:35:56 -0500
---------- Forwarded message ----------
Date: Fri, 25 Apr 1997 17:13:10 -0400 (EDT)
From: John McMahon <mcmahon () tis com>
Subject: Gauntlet Advisory - DNS security holes

Recently, Secure Networks Incorporated released a "Security Advisory" detailing two potential security problems in the Domain Name Service (DNS) that is used on most systems on the Internet. We have analyzed the problems that they describe; this message is the result of that analysis.

First, they describe a problem which is caused by use of easily predictable query identifiers by the DNS server. Because of this, it is possible to provide incorrect data to a DNS server - giving it an incorrect name to IP address mapping for example.

Second, they describe a potential buffer overflow problem in applications that do not verify the length of the name returned by a DNS lookup - if the application provides for 512 bytes of name storage but the DNS returns 1024 bytes, a buffer overflow occurs. This could be used to execute arbitrary commands on a host being attacked. This more serious problem was addressed by a patch that TIS issued in late 1996.

The DNS cache corruption problem is serious in that it may allow node spoofing or denial of service attacks. The attacker cannot change information about your internal networks, and the Gauntlet Firewall depends on IP addresses rather than hostnames for determining security policy. However, an attacker does have the ability to masquerade as a specific remote node to fool users inside the firewall into interacting with the wrong remote system. You should seriously consider implementing the fix.

The buffer overflow problems are extremely serious. If you have not already done so, you should install the correction as soon as possible.

The first problem can be corrected by providing more randomness in the selection of query identifiers. TIS is making available a corrected DNS server for each platform that the Gauntlet Firewall runs on. This corrected DNS server is available from ftp://ftp.tis.com/gauntlet/patches/3.2/named.patch (For Gauntlet Firewall 3.1 and 3.2).

The second problem is corrected by ensuring that any application that uses the nameserver first verifies the length of the data returned. TIS has had a patch available for this problem since November 1996 - this patch is available from ftp://ftp.tis.com/gauntlet/patches/3.1/resolver.patch (For Gauntlet 3.1) and ftp://ftp.tis.com/gauntlet/patches/3.2/resolver.patch (For Gauntlet 3.2).
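As an added example, not part of the advisory and not TIS's patch code, the following C program shows the two checks the message calls for, from the defender's side: a DNS name decoder that verifies the length of every label against both the message and the destination buffer before copying, so an oversized or malformed answer is rejected instead of overflowing the caller's storage; and a small audit routine that flags a sample of observed query IDs as predictable when they advance by a constant stride, which is the symptom the query-ID fix removes. All message bytes and ID values are constructed for the example, and the function names are the example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 limit on a name in wire form */
#define MAX_PTR_HOPS 16    /* guard against compression-pointer loops */

/* Expand the label-encoded name at msg[off] into dst as dotted text.
 * Every read is checked against msg_len, pointer chasing is bounded, and the
 * result must fit both the 255-byte DNS limit and the caller's dst_size.
 * Returns the text length written, or -1 for malformed or oversized input. */
int dns_expand_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *dst, size_t dst_size)
{
    size_t out = 0;   /* bytes written to dst, excluding the NUL */
    size_t wire = 0;  /* bytes the name occupies in uncompressed wire form */
    int hops = 0;

    if (dst_size == 0) return -1;
    for (;;) {
        if (off >= msg_len) return -1;
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off + 1 >= msg_len) return -1;
            if (++hops > MAX_PTR_HOPS) return -1;   /* pointer loop */
            off = (size_t)(((len & 0x3F) << 8) | msg[off + 1]);
            continue;
        }
        if (len & 0xC0) return -1;                  /* reserved label types */
        off++;
        wire += 1 + len;
        if (wire > DNS_MAX_NAME) return -1;         /* name itself too long */
        if (len == 0) break;                        /* root label ends the name */
        if (off + len > msg_len) return -1;         /* label runs past message */
        /* label, optional separator dot and the NUL must all fit in dst */
        if (out + (out > 0) + len + 1 > dst_size) return -1;
        if (out > 0) dst[out++] = '.';
        memcpy(dst + out, msg + off, len);
        out += len;
        off += len;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Count consecutive query-ID pairs whose difference (mod 2^16) equals the
 * stride of the first pair. A server handing out sequential IDs scores n-1;
 * a randomised server scores close to zero. */
size_t count_stride_pairs(const uint16_t *ids, size_t n)
{
    if (n < 2) return 0;
    uint16_t stride = (uint16_t)(ids[1] - ids[0]);
    size_t hits = 0;
    for (size_t i = 1; i < n; i++)
        if ((uint16_t)(ids[i] - ids[i - 1]) == stride) hits++;
    return hits;
}

/* Flag a sample as predictable when more than half of the pairs share one
 * stride: such a server still needs the query-ID randomisation fix. */
int ids_look_predictable(const uint16_t *ids, size_t n)
{
    if (n < 3) return 0;
    return count_stride_pairs(ids, n) * 2 > n - 1;
}

/* Constructed sample message, not captured traffic:
 * offset 0: www.example.com; offset 17: "ftp" plus a pointer to offset 4;
 * offset 23: a compression pointer that refers to itself. */
static const uint8_t sample_msg[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    3,'f','t','p', 0xC0, 0x04,
    0xC0, 0x17
};
/* Constructed ID samples: one sequential, one from a randomising server. */
static const uint16_t seq_ids[] = {0x1000, 0x1001, 0x1002, 0x1003,
                                   0x1004, 0x1005, 0x1006, 0x1007};
static const uint16_t rnd_ids[] = {0x9a3f, 0x12c4, 0xe701, 0x5b8e,
                                   0x0fd2, 0xc3a7, 0x77b0, 0x2e19};

int main(void)
{
    char name[64];
    int n = dns_expand_name(sample_msg, sizeof sample_msg, 17, name, sizeof name);
    printf("offset 17 -> %s (%d)\n", n < 0 ? "rejected" : name, n);
    n = dns_expand_name(sample_msg, sizeof sample_msg, 23, name, sizeof name);
    printf("offset 23 -> %s\n", n < 0 ? "rejected (pointer loop)" : name);
    printf("sequential IDs predictable: %d\n", ids_look_predictable(seq_ids, 8));
    printf("random IDs predictable: %d\n", ids_look_predictable(rnd_ids, 8));
    return 0;
}
```

The decoder returns -1 rather than truncating, so an application that allocated 512 bytes and receives a longer name sees an error instead of a silent overflow or a silently shortened hostname; the stride check is the kind of quick audit an administrator can run on a handful of IDs captured from their own resolver to confirm the randomisation fix is in place.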