Subject: Re: DNS Cache Poisoning vulnerability (CVE-2008-1447, VU#800113)

From: Josh Carroll <josh.carroll_at_gmail.com>
Date: Mon, 14 Jul 2008 15:28:35 -0400

> No, this vulnerability as far as I can tell was the _combination_ of
> a static query-source port and a non-random transaction id.

I thought this particular CERT was for only the source port. There was
a different vulnerability notification about the TXID a while ago.
Certainly, the combination of the two being predictable is the real
problem. Even with the fixes to randomize the source port for queries
every time and for the TXID, there is still a potential (albeit less
likely now) for cache poisoning. DNSSEC is apparently the "right"
answer to this problem.

> Historically BIND's default behavior was to use UDP port 53 for all
> outgoing queries. I believe BIND9 changes this to a dynamic address
> by _default_, but could be overwritten using 'query-source port 53'
> in the configuration. The problem with the dynamic address BIND used,
> as far as I can tell, is that it was only determined at startup and
> never changed.

Exactly: the port was random, but it was reused.

> to determine that... The source-port randomization, as Daniel said
> is being handled by the OS for c-ares (not sure how 'random' it is,
> it could potentially be an area for improvement if it is possible
> to change).

I can test it here; I just know that the source port randomization in
FreeBSD did not affect the port being used by bind, at least on
7.0-RELEASE. This is probably a "varies by OS" type of scenario. My
opinion (and that's all it is, my humble opinion) is that bind (or any
resolver) needs to do the right thing and randomize its source address
and not rely on the underlying OS to do the randomization.

Anyway, thanks for looking more closely into the issue. Much appreciated!

Josh
Received on 2008-07-14
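The thread's point is that a resolver which picks a random port once and then reuses it for every query is no better than one pinned to port 53. As an added example (not part of the original thread or of BIND, c-ares, or FreeBSD), the script below takes tcpdump-style lines for outbound DNS queries, groups them by resolver address, and reports whether the source port is reused and how many bits of variation the sampled ports and TXIDs actually show. The capture lines are constructed, not from a real network; the source IP 192.0.2.10 plays the "random once, then reused" resolver and 192.0.2.20 a per-query randomizing one.

```python
import math
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture). 192.0.2.10 reuses one
# source port for every query, the behaviour discussed in the thread; 192.0.2.20
# picks a fresh port per query.
SAMPLE_LINES = """\
15:28:35.100 IP 192.0.2.10.53 > 198.51.100.1.53: 4123+ A? example.com. (29)
15:28:35.200 IP 192.0.2.10.53 > 198.51.100.1.53: 4124+ A? example.net. (29)
15:28:35.300 IP 192.0.2.10.53 > 198.51.100.1.53: 4125+ A? example.org. (29)
15:28:35.400 IP 192.0.2.20.40112 > 198.51.100.1.53: 51233+ A? example.com. (29)
15:28:35.500 IP 192.0.2.20.61009 > 198.51.100.1.53: 9911+ A? example.net. (29)
15:28:35.600 IP 192.0.2.20.23450 > 198.51.100.1.53: 30217+ A? example.org. (29)
"""

# Matches "IP src.sport > dst.53: txid+" as tcpdump prints a UDP DNS query.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+"
)

def parse_queries(text):
    """Return (src_ip, source_port, txid) for each outbound query line."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("src"), int(m.group("sport")), int(m.group("txid"))))
    return out

def entropy_bits(values):
    """Shannon entropy in bits of the observed values (at most log2(len(values)))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess(queries):
    """Per resolver IP: query count, distinct ports, port reuse flag, sampled entropy."""
    by_src = {}
    for src, sport, txid in queries:
        by_src.setdefault(src, []).append((sport, txid))
    report = {}
    for src, pairs in by_src.items():
        ports = [p for p, _ in pairs]
        txids = [t for _, t in pairs]
        report[src] = {
            "queries": len(pairs),
            "distinct_ports": len(set(ports)),
            "port_reused": len(set(ports)) < len(ports),  # any port seen twice
            "port_bits": entropy_bits(ports),
            "txid_bits": entropy_bits(txids),
        }
    return report
```

The entropy figures are a lower bound limited by the sample size, so the decisive field for the reuse problem the thread describes is `port_reused` (and `distinct_ports` over a long enough capture), not the bit counts.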