Educause Security Discussion mailing list archives

CVE-2008-1447 (CRITICAL DNS vuln) - have you patched for this security issue?


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 23 Jul 2008 11:36:28 -0400

If you patched or otherwise mitigated for CVE-2008-1447[1], aka the
Kaminsky DNS finding, and have considered that even a patched DNS
infrastructure behind a force-to-single-port NAT may still be
vulnerable[2], and have evaluated ALL DNS infrastructure at your
institution (don't forget any scattered departmental servers!), then you
can probably ignore this note - have a good day!

If you're not in that set of folks, then you need to patch and mitigate
as soon as possible.

Unpatched/unmitigated organizations will place their business and users
at great risk. As disclosed by folks in the know, exploitation will be
trivial.

It's expected that security researcher Dan Kaminsky will publish
vulnerability details at the Black Hat Convention on August 6th. By that
time, it's also expected that the details will be independently
discovered. In fact, a recent post to the Matasano blog, and
subsequently removed[3], may have publicly disclosed technical
underpinnings of the vulnerability.

ISC published a document[4] describing a mitigation technique using DNS
forwarding. The mitigation works for unpatched infrastructure and for
the NAT derandomization issue.

A couple of tools[5] have been made available to help system
administrators quickly analyze the status of their DNS servers.


Regards,

Doug Pearson
Technical Director, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630


[1] Vulnerability references
http://www.kb.cert.org/vuls/id/800113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.us-cert.gov/cas/techalerts/TA08-190B.html

[2] NAT issue
http://blogs.iss.net/archive/dnsnat.html

[3] Matasano blog posting
http://isc.sans.org/diary.html?storyid=4765

[4] Mitigation based on DNS forwarding
http://www.isc.org/sw/bind/docs/forwarding.php

[5] Tools to check your infrastructure
http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html
https://www.dns-oarc.net/oarc/services/porttest


-o0o-
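An added example, not from the original post, REN-ISAC, or the tools linked at [5]: a small offline check in the spirit of those port-randomness testers. It takes (source port, transaction ID) pairs observed in a resolver's outbound queries (for instance pulled from a packet capture of UDP traffic to port 53) and reports whether the ports look random, fixed, or sequential, which is what a force-to-single-port or sequential NAT produces even in front of a patched server. The three captures and the classification thresholds are constructed assumptions for the example.

```python
"""Offline source-port / transaction-ID randomness check for a DNS resolver.

Added example, not part of the original post or of the tools it references.
Feed it (src_port, txid) pairs taken from the resolver's outbound queries.
The three captures built in constructed_captures() are made up for
illustration and are not real data.
"""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def mostly_sequential(values, fraction=0.8):
    """True if at least `fraction` of consecutive steps are exactly +1."""
    if len(values) < 2:
        return False
    ups = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return ups / (len(values) - 1) >= fraction


def classify(values):
    """Classify a 16-bit field (source port or transaction ID) as
    'FIXED', 'SEQUENTIAL', 'POOR' or 'GOOD'.

    Thresholds (90% distinct values, entropy within 90% of the maximum
    possible for the sample size) are assumptions made for this example.
    """
    n = len(values)
    distinct = len(set(values))
    if distinct == 1:
        return "FIXED"
    if mostly_sequential(values):
        return "SEQUENTIAL"
    if distinct < 0.9 * n or entropy_bits(values) < 0.9 * math.log2(n):
        return "POOR"
    return "GOOD"


def analyze_capture(samples):
    """samples: iterable of (src_port, txid).  Returns a summary dict.

    A resolver only counts as patched-looking when the source port is GOOD:
    random transaction IDs alone give about 16 bits, which is the budget
    the CVE-2008-1447 attack is built to beat.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_class = classify(ports)
    txid_class = classify(txids)
    return {
        "queries": len(ports),
        "port_class": port_class,
        "txid_class": txid_class,
        "distinct_ports": len(set(ports)),
        "patched_looking": port_class == "GOOD" and txid_class == "GOOD",
    }


def constructed_captures(n=64):
    """Three constructed captures (not real data) for the cases in the post."""
    rng = random.Random(2008)
    # Patched resolver: random ephemeral port and random transaction ID.
    patched = [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]
    # Unpatched resolver: one fixed ephemeral port, transaction IDs counting up.
    unpatched = [(32790, 1000 + i) for i in range(n)]
    # Patched resolver behind a NAT that rewrites ports sequentially: the
    # transaction IDs are random but the ports seen on the wire are not.
    natted = [(40000 + i, rng.randrange(65536)) for i in range(n)]
    return {"patched": patched, "unpatched": unpatched, "natted": natted}


if __name__ == "__main__":
    for name, capture in constructed_captures().items():
        print(name, analyze_capture(capture))
```

The NAT case is the one worth keeping in mind: the resolver itself passes, but the ports an outside tester (or an attacker) sees are predictable, so the test has to be run from outside the NAT, as the hosted checkers in [5] do, not against the server's own interface.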
