| The Vigil@nce team watches vulnerabilities impacting your computers, and then offers solutions, a database and tools to correct them. |
|
 |
|
|
|
vulnerability note CVE-2012-1033 CVE-2012-1191 CVE-2012-1192
DNS, ISC BIND: no expiry of revoked names
Synthesis of the vulnerability
| When a domain name was revoked, an attacker can periodically query a recursive DNS server, in order to continuously renew data in the cache, which never expire. |
Severity: 2/4.
Creation date: 08/02/2012.
Revision date: 09/02/2012.
|
Impacted products
Description of the vulnerability
A DNS recursive server keeps previous replies in its cache. For example, if a user requests "www.phishing.com":
- his DNS server queries a server which is authoritative for ".com" : who is the DNS server of "phishing.com" ?
- it receives the reply "ns.phishing.com" with the IP address 10.0.0.1, and a TTL (expiration time) of one day
- it keeps it in its cache
- it queries 10.0.0.1 : what is the address of "www.phishing.com" ?
- it receives the reply, and keeps it in its cache, and then sends it back to the user
When another user queries "www.phishing.com", the values cached during one day are returned
If an authority decides to disable "phishing.com", the cached value is still used one day. After this date, the DNS server will query an authoritative server for ".com", which will reply that the domain does not exist.
However, an attacker can ensure that the "phishing.com" domain never expires from the cache of the DNS server. In order to do so, before the expiration of the TTL, the attacker has to:
- add in his DNS server (ns.phishing.com) a reverse resolution for 10.0.0.1, indicating for example "ns1.phishing.com", which is also an authoritative DNS server for "phishing.com"
- query the victim's recursive DNS server, for an inverse resolution of 10.0.0.1 (the reply will be ns1.phishing.com), which will be cached as the new DNS server of "phishing.com", with a TTL of one day
The "phishing.com" domain is thus valid during one more day.
When a domain name was revoked, an attacker can therefore periodically query a recursive DNS server, in order to continuously renew data in the cache, which never expire.
This vulnerability is due to a conception error in the DNS protocol. |
Share this bulletin
Complete Vigil@nce bulletin
Characteristics
Title: DNS, ISC BIND: no expiry of revoked names.
Keywords: BIND DNS TTL expiry names ns1 revoked.
Identifiers: BID-51898, BID-52558, CVE-2012-1033, CVE-2012-1191, CVE-2012-1192, CVE-2012-1193, CVE-2012-1194, CVE-2012-1570, VIGILANCE-VUL-11344, VU#542123.
|
Information sources
Solutions for this vulnerability
Supplements
Computer vulnerabilities tracking service
Vigil@nce provides computers vulnerabilities bulletins. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce vulnerability database contains several thousand vulnerabilities.
|
