nanog mailing list archives

Re: new DNS forwarder vulnerability

From: Paul Ferguson <fergdawgster () mykolab com>
Date: Sat, 15 Mar 2014 09:36:20 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

That's a good question, but I know that during the ongoing survey
within the Open Resolver Project [http://openresolverproject.org/],
Jared found thousands of CPE devices which responded as resolvers.

Further work needs to go into fingerprinting these devices to
determine the vendor, version, etc., but it is disturbing to see such
brokenness. :-/

- - ferg


On 3/15/2014 9:26 AM, Gary Baribault wrote:

Why would a CPE have an open DNS resolver from the WAN side?

Gary Baribault

On 03/14/2014 12:45 PM, Livingood, Jason wrote:

Well, at least all this CPE checks in for security updates every
night so this should be fixable. Oh wait, no, nevermind, they
don't. :-(


This is getting to be the vulnerability of the week club for home
gateway devices - quite concerning.

JL

On 3/14/14, 12:05 PM, "Merike Kaeo"
<merike () doubleshotsecurity com> wrote:

On Mar 14, 2014, at 7:06 AM, Stephane Bortzmeyer
<bortzmeyer () nic fr> wrote:

On Fri, Mar 14, 2014 at 01:59:27PM +0000, Nick Hilliard
<nick () foobar org> wrote a message of 10 lines which said:

did you characterise what dns servers / embedded kit were 
vulnerable?

He said "We have not been able to nail this vulnerability
down to a single box or manufacturer" so it seems the answer
is No.



It is my understanding  that many CPEs work off of same
reference implementation(s).  I haven't had any cycles for this
but with all the CPE issues out there it would be interesting
to have a matrix of which CPEs utilize which reference
implementation.  That may start giving some clues.

Has someone / is someone doing this?

- merike



- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlMkgYQACgkQKJasdVTchbLR1AD9Ey+ISQtaVoJKReLZ6ZzHI7/4
91h+HIQgvazMAne+NMsA/3CCQVw9KG1U6oZdouKexi8ycVw1Y4d4poH+7Yfh4zEh
=bFpE
-----END PGP SIGNATURE-----

Current thread:

new DNS forwarder vulnerability Mark Allman (Mar 14)
- Re: new DNS forwarder vulnerability Nick Hilliard (Mar 14)
  - Re: new DNS forwarder vulnerability Stephane Bortzmeyer (Mar 14)
    - Re: new DNS forwarder vulnerability Merike Kaeo (Mar 14)
    - Re: new DNS forwarder vulnerability Nick Hilliard (Mar 14)
    - Re: new DNS forwarder vulnerability Livingood, Jason (Mar 14)
    - Re: new DNS forwarder vulnerability Gary Baribault (Mar 15)
    - Re: new DNS forwarder vulnerability Joe Greco (Mar 15)
    - Re: new DNS forwarder vulnerability Laszlo Hanyecz (Mar 15)
    - Re: new DNS forwarder vulnerability Paul Ferguson (Mar 15)
    - Re: new DNS forwarder vulnerability Wayne E Bouchard (Mar 14)
    - Re: new DNS forwarder vulnerability Jimmy Hess (Mar 15)