The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Protocol DNS

vulnerability CVE-2015-2809

mDNS: information disclosure and DDoS

Synthesis of the vulnerability

An attacker can query the mDNS service, in order to obtain sensitive information about the network, or to amplify a denial of service attack.
Impacted products: Avahi, DNS protocol, Synology DSM.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Creation date: 01/04/2015.
Identifiers: CVE-2015-2809, VIGILANCE-VUL-16510, VU#550620.

Description of the vulnerability

The mDNS (Multicast DNS) protocol allows local computers to discover services available on their networks.

However, some mDNS implementations reply to unicast queries coming from outside their local network.

An attacker can therefore query the mDNS service, in order to obtain sensitive information about the network, or to amplify a denial of service attack.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin 14318

DNS, Windows 2008 DNS: distributed denial of service via Root Hints

Synthesis of the vulnerability

An attacker can use the DNS Service of Windows 2008 (or any other service returning Root Hints), in order to trigger a distributed denial of service.
Impacted products: Windows 2008 R0, Windows 2008 R2, DNS protocol.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 26/02/2014.
Identifiers: VIGILANCE-VUL-14318.

Description of the vulnerability

A DNS service can be configured to be authoritative for a domain.

When a client queries a non-recursive DNS service for a domain it is not authoritative for, RFC 1034 suggests that the server return the list of root DNS servers ("root hints"). However, this behavior can be used for an amplification attack, because the Root Hints reply is larger than the DNS query.

The ISC BIND DNS server therefore chose not to return Root Hints. However, the Windows DNS service does return Root Hints.

An attacker can therefore use the DNS Service of Windows 2008 (or any other service returning Root Hints), in order to trigger a distributed denial of service.

vulnerability note CVE-2012-1033 CVE-2012-1191 CVE-2012-1192

DNS, ISC BIND: no expiry of revoked names

Synthesis of the vulnerability

Once a domain name has been revoked, an attacker can periodically query a recursive DNS server in order to continuously renew the cached data, which then never expires.
Impacted products: BIG-IP Hardware, TMOS, Fedora, HP-UX, BIND, McAfee Email and Web Security, Windows 2008 R0, openSUSE, DNS protocol, RHEL, Slackware, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 6.
Creation date: 08/02/2012.
Revision date: 09/02/2012.
Identifiers: BID-51898, BID-52558, c03577598, CERTA-2012-AVI-663, CVE-2012-1033, CVE-2012-1191, CVE-2012-1192, CVE-2012-1193, CVE-2012-1194, CVE-2012-1570, ESX410-201211001, ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, ESX410-201211407-SG, FEDORA-2013-1176, FEDORA-2013-1204, FEDORA-2013-1301, FEDORA-2013-6279, FEDORA-2013-6316, openSUSE-SU-2012:0863-1, openSUSE-SU-2012:0864-1, RHSA-2012:0716-01, RHSA-2012:0717-01, SOL15481, SSA:2012-166-01, VIGILANCE-VUL-11344, VMSA-2012-0016, VU#542123.

Description of the vulnerability

A recursive DNS server keeps previous replies in its cache. For example, if a user requests "www.phishing.com":
 - his DNS server queries a server which is authoritative for ".com": which DNS server serves "phishing.com"?
 - it receives the reply "ns.phishing.com" with the IP address 10.0.0.1 and a TTL (expiration time) of one day
 - it keeps it in its cache
 - it queries 10.0.0.1: what is the address of "www.phishing.com"?
 - it receives the reply, keeps it in its cache, and then sends it back to the user
When another user queries "www.phishing.com", the values cached for one day are returned.

If an authority decides to disable "phishing.com", the cached value is still used for one day. After this date, the DNS server will query an authoritative server for ".com", which will reply that the domain does not exist.

However, an attacker can ensure that the "phishing.com" domain never expires from the cache of the DNS server. In order to do so, before the expiration of the TTL, the attacker has to:
 - add in his DNS server (ns.phishing.com) a reverse resolution for 10.0.0.1, indicating for example "ns1.phishing.com", which is also an authoritative DNS server for "phishing.com"
 - query the victim's recursive DNS server for a reverse resolution of 10.0.0.1 (the reply will be ns1.phishing.com), which will be cached as the new DNS server of "phishing.com", with a TTL of one day
The "phishing.com" domain is thus valid for one more day.

Once a domain name has been revoked, an attacker can therefore periodically query a recursive DNS server in order to continuously renew the cached data, which then never expires.

This vulnerability is due to a design error in the DNS protocol.

computer vulnerability announce CVE-2010-4448 CVE-2011-3552

Windows, Java: poisoning the DNS cache

Synthesis of the vulnerability

An attacker can open numerous UDP ports, in order to facilitate a DNS cache poisoning attack.
Impacted products: HP-UX, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP, Java OpenJDK, Java Oracle, DNS protocol, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data creation/edition, data flow.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 20/10/2011.
Identifiers: BID-50281, c03266681, CVE-2010-4448, CVE-2011-3552, HPSBUX02760, javacpuoct2011, RHSA-2012:0006-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100805, VIGILANCE-VUL-11087.

Description of the vulnerability

The DNS protocol is used to obtain the IP address associated with a computer name:
 - the client sends a query from a 16-bit UDP source port, containing a 16-bit TXID identifier
 - the server replies to that UDP source port, with the TXID received in the query
An attacker who spoofs a DNS reply packet thus has to guess 32 bits in order to poison the client's DNS cache.

However, if an attacker runs a malicious program on the client which opens most UDP ports, the DNS resolver has to use the remaining free ports. The attacker thus only has to guess the 16 bits of the TXID.

This malicious program can be run by an unprivileged local attacker (on a Windows computer shared between several users). This malicious program can also be a Java applet located on a web site visited by the victim.

On Windows, the local attacker is allowed to flush the DNS cache between each trial. He can thus retry as many times as necessary until he guesses the TXID.

An attacker can therefore open numerous UDP ports, in order to facilitate a DNS cache poisoning attack.

computer vulnerability announce CVE-2008-1447

DNS: cache poisoning

Synthesis of the vulnerability

An attacker can predict DNS queries in order to poison the DNS client or cache (caching resolver).
Impacted products: ProxyRA, ProxySG by Blue Coat, IOS by Cisco, Cisco Router, Debian, Dnsmasq, BIG-IP Hardware, TMOS, Fedora, FreeBSD, MPE/iX, Tru64 UNIX, HP-UX, AIX, BIND, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, Mandriva Linux, Mandriva NF, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows XP, NetBSD, NetScreen Firewall, ScreenOS, NLD, Netware, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, DNS protocol, RHEL, Slackware, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 3/4.
Consequences: data creation/edition.
Provenance: internet server.
Creation date: 09/07/2008.
Revision dates: 22/07/2008, 24/07/2008, 25/07/2008.
Identifiers: 107064, 239392, 240048, 6702096, 7000912, 953230, BID-30131, c01506861, c01660723, CAU-EX-2008-0002, CAU-EX-2008-0003, CERTA-2002-AVI-189, CERTA-2002-AVI-200, cisco-sa-20080708-dns, CR102424, CR99135, CSCso81854, CVE-2008-1447, draft-ietf-dnsext-forgery-resilience-05, DSA-1544-2, DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1619-2, DSA-1623-1, FEDORA-2008-6256, FEDORA-2008-6281, FEDORA-2009-1069, FreeBSD-SA-08:06.bind, HPSBMP02404, HPSBTU02358, HPSBUX02351, MDVSA-2008:139, MS08-037, NetBSD-SA2008-009, powerdns-advisory-2008-01, PSN-2008-06-040, RHSA-2008:0533-01, RHSA-2008:0789-01, SOL8938, SSA:2008-191-02, SSA:2008-205-01, SSRT080058, SSRT090014, SUSE-SA:2008:033, TA08-190B, TLSA-2008-26, VIGILANCE-VUL-7937, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VU#800113.

Description of the vulnerability

The DNS protocol defines a 16-bit identifier to associate an answer with its query. When an attacker predicts this identifier and the UDP port number, he can send fake answers and thus poison the DNS cache.

Most implementations use a fixed port number, which increases the probability of successful poisoning. As there is only one chance of success during the TTL period, and as the poisoning does not succeed on every attempt, this direct and old attack is not practical.

However, instead of poisoning the answer record, the attacker can poison additional records. Indeed, when the DNS client asks the address of www.example.com, the DNS server returns:
  www.example.com A 1.2.3.4 (answer)
  example.com NS dns.example.com (authoritative)
  dns.example.com A 1.2.3.5 (additional)

An attacker can therefore force the client to request the resolution of several names (via a web page containing images, for example): aaa.example.com, aab.example.com, ..., aaz.example.com. In his answers, the attacker then always provides the same malicious additional record (www.example.com A 5.6.7.8). Even if, for example, only aab.example.com is poisoned, its additional record (www.example.com = 5.6.7.8) will be stored in the cache.

An attacker can therefore poison the DNS cache/client and redirect all users to a malicious site.

computer vulnerability announce 5947

DNS: denial of service via UDP echo services

Synthesis of the vulnerability

An attacker can generate a message loop between a DNS server and UDP services such as echo.
Impacted products: BIND, DNS protocol.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 23/06/2006.
Identifiers: VIGILANCE-VUL-5947.

Description of the vulnerability

When a DNS server receives a malformed request, it returns a DNS packet indicating a format error.

Some UDP services automatically reply to any UDP packet they receive:
 - echo : 7/udp
 - daytime : 13/udp
 - chargen : 19/udp
 - time : 37/udp
 - kpasswd (Kerberos) : 464/udp

An attacker can spoof a UDP packet to one of these services, with the DNS server's own IP address as the source address. An infinite loop then occurs between the two services.

The latest version of BIND ignores queries originating from these ports in order to avoid this kind of attack.

computer vulnerability alert CVE-2006-2072 CVE-2006-2073 CVE-2006-2074

DNS: vulnerabilities of some implementations

Synthesis of the vulnerability

Several implementations of the DNS protocol are affected by the same vulnerabilities.
Impacted products: Arkoon FAST360, Juniper E-Series, JUNOSe, DNS protocol, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 25/04/2006.
Identifiers: 144154, 144154/NISCC/DNS, 31AK-2006-02-FR-1.0_FAST_DNS_DOS, BID-17691, BID-17692, BID-17693, BID-17694, CQ 72492, CVE-2006-2072, CVE-2006-2073, CVE-2006-2074, CVE-2006-2075, CVE-2006-7054, PSN-2006-04-017, VIGILANCE-VUL-5796, VU#955777.

Description of the vulnerability

The DNS protocol is used to associate an IP address with a name, or to obtain the MTA mail servers of a domain.

The OUSPG group of Oulu University (Finland) published a test suite named PROTOS DNS. This test suite contains several thousand malformed DNS packets.

When some products receive these packets, errors occur (buffer overflow or denial of service).

Depending on the product, these vulnerabilities lead to code execution or to a denial of service.

computer vulnerability alert CVE-2006-0987 CVE-2006-0988

DNS: denial of service using recursive servers

Synthesis of the vulnerability

An attacker can poison the cache of a recursive DNS server, then use it to overload a network.
Impacted products: AIX, DNS protocol.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/03/2006.
Revision date: 21/03/2006.
Identifiers: CVE-2006-0987, CVE-2006-0988, VIGILANCE-VUL-5656.

Description of the vulnerability

A recursive DNS server answers queries related to domains for which it is not authoritative.

An attacker can set up a DNS server for a domain for which it is authoritative, and create zones containing large records. The EDNS0 extension (RFC 2671) allows messages larger than 512 bytes.

The attacker can then send a query related to his domain to a recursive DNS server. This recursive DNS server then stores in its cache the data coming from the attacker's DNS server.

The attacker then spoofs several queries related to his domain and sends them to the recursive DNS server. This DNS server answers the spoofed address with the data it has in its cache.

Thus, the attacker can send a thousand queries of 60 bytes, and the recursive server sends a thousand responses of several kilobytes to the spoofed address. The recursive DNS server is thus used as an amplifier.

computer vulnerability bulletin CVE-2005-0036 CVE-2005-0037 CVE-2005-0038

DNS: denial of service during message decompression

Synthesis of the vulnerability

Some implementations of the DNS protocol do not correctly handle compressed messages.
Impacted products: IOS by Cisco, Cisco Router, DNS protocol.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 24/05/2005.
Identifiers: BID-13729, CERTA-2005-AVI-175, CERTA-2005-AVI-181, CISCO20050524a, Cisco CSCeh59380, Cisco CSCeh63819, Cisco CSCsa67666, Cisco CSCsa67687, CSCsa67687, CVE-2005-0036, CVE-2005-0037, CVE-2005-0038, V6-DNSDECOMPLOOPDOS, VIGILANCE-VUL-4978.

Description of the vulnerability

The DNS protocol defines a compression method that removes redundant segments. For example, a message may contain:
  www.domaine.dom
  dns.domaine.dom
In that case, the second reference to "domaine.dom" can simply point to the offset of the first.

However, some implementations do not correctly check these offsets. An offset can point to the current offset in order to create an infinite loop. It can also point past the end of the data in order to cause a denial of service.

A remote attacker can therefore send an illegally compressed DNS packet in order to cause a denial of service on some implementations of the protocol.
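As an added example (not code from the bulletin), a Python decoder for compressed DNS names that applies the checks the affected implementations lacked: a pointer that loops back on an offset already followed is reported as an error, and a pointer or label that runs past the end of the message is rejected. The sample messages are constructed here, reusing the bulletin's www.domaine.dom / dns.domaine.dom names.

```python
from typing import Optional


class DnsFormatError(ValueError):
    """Raised when a compressed name is malformed (FORMERR in DNS terms)."""


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name (RFC 1035 wire format) at offset.

    Returns (dotted_name, offset_after_name). Every read is bounds-checked
    before it happens, and the set of pointer offsets already followed turns
    a pointer loop into an error instead of an endless loop.
    """
    labels = []
    visited = set()
    resume = None                 # where the caller continues after the first pointer
    pos = offset
    while True:
        if pos >= len(msg):
            raise DnsFormatError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise DnsFormatError("truncated pointer")
            if pos in visited:
                raise DnsFormatError("pointer loop")
            visited.add(pos)
            if resume is None:
                resume = pos + 2
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            if pos >= len(msg):
                raise DnsFormatError("pointer past end of message")
            continue
        if length & 0xC0:
            raise DnsFormatError("reserved label type")
        if length == 0:                       # root label terminates the name
            return ".".join(labels) or ".", resume if resume is not None else pos + 1
        if pos + 1 + length > len(msg):
            raise DnsFormatError("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def name_error(msg: bytes, offset: int = 0) -> Optional[str]:
    """Return the error message for a malformed name, or None if it decodes."""
    try:
        read_name(msg, offset)
    except DnsFormatError as exc:
        return str(exc)
    return None


# Constructed sample messages (name data only, no DNS header):
GOOD = b"\x03www\x07domaine\x03dom\x00" + b"\x03dns\xc0\x04"  # "dns" + pointer to offset 4
LOOP = b"\xc0\x00"                                           # pointer to its own offset
PAST = b"\x03dns\xc0\x50"                                    # pointer beyond the 6-byte message
```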

computer vulnerability 4285

DNS spoofing by sending DNS replies

Synthesis of the vulnerability

A remote attacker can send illicit DNS replies that will be accepted by some implementations, notably by Windows XP and 2000.
Impacted products: Windows 2000, Windows XP, DNS protocol.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 16/07/2004.
Revision date: 17/08/2004.
Identifiers: V6-WINXPDNSIDPORT, VIGILANCE-VUL-4285.

Description of the vulnerability

RFC 1035 defines the DNS protocol.

Before accepting a reply, a DNS resolver/client should check:
 1- the source IP address
 2- the destination IP address
 3- the source UDP port
 4- the destination UDP port
 5- the UDP checksum
 6- the DNS identifier (transaction ID)
 7- the question field (must be the same as the one in the query)
 8- the answer field (must answer the question)

RFC 1035 only mandates criteria 4 and 6, for various reasons which are legitimate and documented in the RFCs, but very rarely necessary.

Some implementations take security into account and check all 8 criteria (Linux). Windows XP/2000 follows the RFC and only enforces criteria 4 and 6.

In absolute terms, this implementation choice does not pose a real security problem (4 billion combinations), but Windows uses for its queries:
 - either a constant identifier (1) and an incrementing port number (new connection from the TCP/IP stack)
 - or an incrementing identifier and a constant port number (client service always active)
This vulnerability was presented in bulletin VIGILANCE-VUL-4060.

When a computer fleet contains many Windows machines, an attacker can increase his chances of success. Indeed, he can pre-generate a reply that he sends to all the machines. Thus, with few resources, the probability of corrupting one or more DNS caches becomes non-negligible.

This variant of the exploitation of vulnerability VIGILANCE-VUL-4060 therefore allows an attacker to corrupt the DNS cache of several machines.
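As an added example (not code from the bulletin), the eight checks listed above expressed as a reply validator in Python, run against a constructed query and a forged reply sent from the wrong source address; the UDP checksum (criterion 5) is assumed to have been verified by the IP stack and is carried as a flag. Enforcing only criteria 4 and 6, as the bulletin says Windows XP/2000 does, accepts the forged reply; enforcing all eight rejects it.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Datagram:
    """The fields of one DNS-over-UDP message that the eight checks look at."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    txid: int
    question: tuple                 # (qname, qtype)
    answers: list = field(default_factory=list)   # (owner, rtype, rdata) tuples
    udp_checksum_ok: bool = True    # assumption: verified by the IP stack on receipt


def _same_name(a: str, b: str) -> bool:
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def failed_criteria(query: "Datagram", reply: "Datagram") -> set:
    """Return the numbers (1-8, as in the bulletin) of the checks the reply fails."""
    failed = set()
    if ipaddress.ip_address(reply.src_ip) != ipaddress.ip_address(query.dst_ip):
        failed.add(1)
    if ipaddress.ip_address(reply.dst_ip) != ipaddress.ip_address(query.src_ip):
        failed.add(2)
    if reply.src_port != query.dst_port:
        failed.add(3)
    if reply.dst_port != query.src_port:
        failed.add(4)
    if not reply.udp_checksum_ok:
        failed.add(5)
    if reply.txid != query.txid:
        failed.add(6)
    qname, qtype = query.question
    if not (_same_name(reply.question[0], qname) and reply.question[1] == qtype):
        failed.add(7)
    if not any(_same_name(o, qname) and t == qtype for o, t, _ in reply.answers):
        failed.add(8)
    return failed


ALL_CRITERIA = frozenset(range(1, 9))   # all eight checks (the Linux behaviour in the bulletin)
RFC_MINIMUM = frozenset({4, 6})         # what RFC 1035 mandates and Windows XP/2000 enforces


def accept_reply(query: "Datagram", reply: "Datagram", enforced=ALL_CRITERIA) -> bool:
    """Accept the reply only if none of the enforced criteria fails."""
    return not (failed_criteria(query, reply) & enforced)


# Constructed samples: the client's query, a genuine reply from the resolver it
# asked, and a forged reply from another host that guessed port and TXID.
QUERY = Datagram("192.0.2.10", "192.0.2.53", 1025, 53, 1, ("www.example.com", "A"))
GENUINE = Datagram("192.0.2.53", "192.0.2.10", 53, 1025, 1, ("www.example.com", "A"),
                   [("www.example.com", "A", "203.0.113.5")])
FORGED = Datagram("198.51.100.7", "192.0.2.10", 53, 1025, 1, ("www.example.com", "A"),
                  [("www.example.com", "A", "198.51.100.99")])
```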