Fix for DNS software hole released

[InfoSec News <isn () C4I ORG>]

http://www.infoworld.com/articles/hn/xml/01/01/29/010129hnhole.xml?p=br&s=6

By Stephen Lawson
Monday, Jan. 29, 2001 5:19 am PT

A VULNERABILITY RECENTLY discovered in the software used in most DNS
(Domain Name System) servers may be the most serious security threat
yet found on the Internet, allowing hackers effectively to shut down
ISPs and corporate Web servers as well as steal confidential data.

The flaw in two widely used versions of BIND (Berkeley Internet Name
Domain), distributed free by the Internet Software Consortium (ISC),
could be exploited immediately by unscrupulous programmers if they can
write a program to take advantage of it, said Jim Magdych, security
research manager at the Computer Vulnerability Emergency Response Team
(Covert) at PGP Security, a Network Associates business. Developing
this might take only a few days, he said.

Covert and ISC, along with Carnegie-Mellon University's Computer
Emergency Response Team (CERT) Coordination Center, will announce on
Monday a fix for the vulnerability, and plan by that time to have the
fix available on ISC's Web page, www.isc.org. The flaw was discovered
a few weeks ago, Magdych said in a telephone interview Sunday.

"If this just showed up in the wild, it could have a pretty serious
impact on the Internet at large," Magdych said.

The vulnerability exists in versions 4 and 8 of BIND, the software
used in "the vast majority" of DNS servers, though not in the recently
released Version 9, Magdych said.

DNS servers translate the commands used to access Internet resources,
such as Web URLs and e-mail addresses, into numbered IP addresses. The
TSig (Transaction Signatures) vulnerability lets hackers take control
of DNS servers and command them to redirect or block Internet requests
sent to them.

A TSig attack could have effects similar to those of the
denial-of-service attacks that kept users from reaching Microsoft Web
sites last week, or even more serious effects, Magdych said. For
example, hackers could take over a financial Web site, recreate the
site's log-in screen, and direct user names and passwords to a server
where they could be stolen.

Skilled hackers who break in to corporate DNS servers could block or
redirect e-mail and even sabotage access to corporate databases over
Internet-based company intranets.

"This is probably the most significant vulnerability to date in BIND,"
Magdych said. "It's really important that everyone who's affected by
this either applies the patch or upgrades to BIND 9."

All hackers will need to do is write a program that sends certain
messages as requests to DNS servers. The messages would be interpreted
as commands that would open up the server to exploitation.

Although the vulnerability is a subtle one, there are hackers who
could act on it quickly if made aware of it, Magdych said.

"When a new vulnerability is discovered, it's just a matter of time
before someone develops a program to exploit that vulnerability. Those
exploits are then distributed by the community of crackers," or
unscrupulous hackers, Magdych said.

"It's certainly not going to be something that takes months. Among our
adversaries there are some very talented individuals," he said.

Installing the patch to BIND versions 4 and 8 probably would require a
few hours or more, depending on the number of DNS servers in the
network, Magdych said. He advised that ISPs and corporations not jump
the gun and shut their DNS servers down cold, unless an exploitation
program is found in the wild, he added.

Although Web intrusions such as denial-of-service attacks so far have
been more common in the United States, hacking activity in Asia is
increasing, a computer security consultant in Hong Kong said.

The lower incidence of such attacks in the region doesn't guarantee
the safety of any one company, said K.L. To, general manager of Skynet
Consultants, in Hong Kong.

Smart IS managers "don't trust statistics," To said. Still, he added,
IS managers who are serious about security still are in a minority in
Hong Kong.

Once a hacker finds this type of vulnerability, it can become common
knowledge "overnight," he said.

"Children with HK$38 [$4.87] in their pockets can go out to the
bookstore and buy a hacker's guide with a print manual and a CD-ROM
attached. ... It's that level of seriousness," To said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".