"DNS Forgery Pharming" Attack Against BIND 9
Monley writes "Help Net Security is running a story about a severe flaw in BIND's implementation that allows fraudsters to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. (Here are HTML and PDF versions of the paper.) Using this vulnerability, fraudsters can remotely forge DNS responses and direct users to fraudulent websites, which can steal the user's sign-in credentials and do other mischief. The flaw was discovered by security researcher and Trusteer's CTO, Amit Klein." The ISC has released a patch to BIND 9.
Only clueless (windows) admins will install and run bind nowadays. There you go...
http://www.openbsd.org/advisories/res_random.txt
http://cr.yp.to/djbdns/forgery-cost.txt
Frankly, yes. The basic concepts of a DNS server are fairly straightforward, but as demonstrated by this attack, the devil is in the details. This attack uses reasonably advanced cryptanalysis, and exploits the predictable behaviour of DNS clients. I suspect that this attack would also have been mitigated by the use of DNSSEC, but the roll-out of that has been held up for years - and DNSSEC itself introduces even more cryptographic complexity.
OpenBSD's patched and native Bind9 is immune to this attack and has been for many years.
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
What was that again?
Probably because BIND has to be cross-platform. I'm sorry to break this to you Matt, but some people use inferior operating systems without a good random number generation function.
I am TheRaven on Soylent News