Slashdot Mirror


Massive, Coordinated Patch To the DNS Released

tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers to easily compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."

31 of 315 comments

  1. Oh cool! by RockMFR · · Score: 4, Funny

    http://www.doxpara.com/

    Your name server, at 65.24.7.3, appears vulnerable to DNS Cache Poisoning.

    Sweet!

    1. Re:Oh cool! by brunascle · · Score: 5, Funny

      http://www.doxpara.com/

      Your name server, at 65.24.7.3, appears vulnerable to DNS Cache Poisoning.

      In fact, we aren't even www.doxpara.com, we just hacked your name server. That's how we know.

  2. Sinisterness by COMON$ · · Score: 2, Funny
    FTA The good news is this is a really strange situation where the fix does not immediate reveal the vulnerability and reverse engineering isn't directly possible.

    FTA Update: Dan just released a "DNS Checker" on his site Doxpara.com to see if you are vulnerable to the issue.

    in other news

    Sooooooo, I'm supposed to run a random file on my network to check an unknown DNS issue... this just reminds me all too much of those "download our program to fix all your antispyware issues" alerts.

    And finally the obligatory profit usage:

    1. Find a vulnerability

    2. Don't tell anyone what said vulnerability is.

    3. Release malware in the form of a "Patch" to "Fix" the issue exploiting thousands of servers.

    4. ???

    5. PROFIT!

    --
    CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    1. Re:Sinisterness by StreetStealth · · Score: 4, Funny

      Still, it's not exactly like you clicked a banner with a lame attempt at a bouncing, fake window telling you your DNS software was in immediate need of a fix and that this combination patch and shopping buddy would fix it.

      --
      Your mind is clear / The things that you fear / Will fade with how much you / Believe what you hear
  3. Re:More independent verification needed by Anpheus · · Score: 2, Funny

    If you're using a Linux DNS server that's open source, why don't you just read through the source code and find out what changed, I mean, psht, it's so easy?

    Yes, I'm being sarcastic.

  4. Finally...! by JackassJedi · · Score: 5, Funny

    I'm (sort of) a native German speaker, in which "DNA" is abbreviated "DNS" ("DesoxyribonukleinsÃure" with "sÃure" being "acid").
    Needless to say, my first impression of the headline was way more futuristic than what is there.

    --
    Power corrupts the few, while weakness corrupts the many.
    1. Re:Finally...! by Anonymous Coward · · Score: 0, Funny

      With humour like that, I can see where the two world wars came from...

    2. Re:Finally...! by Koiu+Lpoi · · Score: 5, Funny

      "sÃure"

      Welcome to the fail that is "no unicode on slashdot". Enjoy your stay.

  5. Re:More independent verification needed by dvice_null · · Score: 5, Funny

    > Microsoft's own DNS implementation is also affected

    Did anyone else notice that today is Tuesday?

  6. Re:More independent verification needed by InlawBiker · · Score: 3, Funny

    It's easy, you just look for a comment like: /* BEGIN bug causing possible MASSIVE future EXPLOIT. */

  7. Re:More independent verification needed by 74nova · · Score: 2, Funny

    It could also be near something like //fsck it, I'm going to lunch

    --
    use your turn signal! you people act like it's divulging information to the enemy
  8. Re:Let the DJBing begin! by Cyberax · · Score: 5, Funny

    Uhm...

    DJB-ware is now in _public_ _domain_. That's even more liberal than the BSD license.

    So, update your /etc/hate file with newer facts...

  9. Re:So give a layman explanation by smittyoneeach · · Score: 3, Funny

    Recommendation is more CERTS, as they will help with the sand breath.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  10. Re:More independent verification needed by Dan667 · · Score: 3, Funny

    If I was a hacker I would look for that comment to find an exploit in the first place. And other like

    // this is ugly, but it seems to work
    // remember to fix this later
    // whoever wrote this sucks

  11. Re:not that big of a problem by negRo_slim · · Score: 2, Funny

    In other words, if you're stupid enough not to change your password, you're going to get your router hacked. No fucking shit, Sherlock.

    Ahhh the joys of default passwords. I remember my high school's implementation of network security, which had a few default passwords just waiting to be found via Lycos... or was it HotBot back then?

    Either way, when it was discovered I was assuming control of my workstation to increase the screen resolution to effectively use the IDE they had provided, they slapped me on the wrist and brought me back down to 640x480, for security reasons of course. When I said fuck it and wrote a program that changed the resolution for me with the skills I had been taught in that class... oddly enough, instead of a passing grade, my school year dramatically shortened. i.e. Expulsion.

    Stupidity and default passwords ftw!

    --
    On the Oregon Coast born and raised, On the beach is where I spent most of my days
  12. Re:More independent verification needed by lgw · · Score: 3, Funny

    Oh, the only one you *really* need to look for is // should never happen

    although // drunk now, fix later

    is also good.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  13. Re:More independent verification needed by es330td · · Score: 5, Funny

    it is good to have a sysadmin who can write programs in binary

    I'd like to meet one of these sysadmins. I've written system stuff in C and other stuff in Pascal, C++ and Perl over the years but the guy that can write direct to binary must really know his stuff. Just think, his keyboard only needs two keys!

  14. Re:DJBDNS not affected. by Just+Some+Guy · · Score: 4, Funny

    Note that DJBDNS (and derivatives) are not affected, since it uses randomized source ports for DNS resolving.

    Also not affected: DJBDNS's IPv6 and IXFR functionality, since Dan didn't want to bother implementing them.

    --
    Dewey, what part of this looks like authorities should be involved?
  15. Re:My first response is to call Bullshit by Shados · · Score: 2, Funny

    It's a problem in the protocol. So the only systems that would not be vulnerable are those that did -not- follow the specs. Guess Windows is safe, since Microsoft never follows the specs :)

  16. Re:Let the DJBing begin! by Anders · · Score: 4, Funny

    Attention all DJB software fans, here's another chance to champion the superiority of DJB's software.

    Yup, and we even have the time, as we are not busy patching our servers!

  17. Re:Reverse Engineering? by HTH+NE1 · · Score: 2, Funny

    When an absolute statement is modified with an adverb, the statement is not generally true. Examples:

    • "does not immediate[ly] reveal"
    • "isn't directly possible"
    • "the statement is not generally true"
    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  18. Re:not that big of a problem by morgan_greywolf · · Score: 2, Funny

    Nope. It's a cashing nameserver. That's why I'm rich and you're not. :-P

  19. Re:More independent verification needed by QuantumRiff · · Score: 5, Funny

    No, it's binary, real men solder a telegraph device to the motherboard, and just push down for 1, up for 0, Really, really fast!

    --
    What are we going to do tonight Brain?
  20. Re:More independent verification needed by QuantumRiff · · Score: 3, Funny

    Have you ever seen the opposite? A bunch of coders trying to be sysadmins.. scary! I was the first admin at a software dot-com; they wanted to know why the network, consisting of a dozen $50 100MB "Switches" they got at Staples daisy-chained together, was so slow.. I can understand their idea, as in theory it should work, but in reality it doesn't. (Kinda like when I program. It always compiles, doesn't always work...)

    --
    What are we going to do tonight Brain?
  21. Re:Let the DJBing begin! by myowntrueself · · Score: 4, Funny

    Don't forget to include positive commentary on the licensing and patch status.

    Anyone who champions DJB software already has to bear the burden of running qmail. It doesn't get much worse than that already.

    --
    In the free world the media isn't government run; the government is media run.
  22. Re:More independent verification needed by Tekzel · · Score: 2, Funny

    We are all duly impressed with your superhuman abilities. We recognize that you are a superior form of human being, and should really be placed in your rightful place as Emperor of Earth. We are but children compared to the greatness that is you.

  23. ok, who let the Debian guys loose again? by spir0 · · Score: 2, Funny

    from http://www.kb.cert.org/vuls/id/800113: "The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID."

    Just put the real seed back into the code.

    obrant: and who the frak releases advisories in DOC format in the 21st century?

    --
    The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
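Comment 14 above attributes djbdns's immunity to randomized source ports, and comment 23 quotes the CERT advisory's figure of 32,768 expected guesses against the 16-bit transaction ID. The Python model below is added here as an illustration; it is not part of the original thread, the CERT advisory, or any resolver's code. It shows what those two statements mean at the wire level: a resolver that only checks the 16-bit ID of a response arriving on a fixed source port gives a blind off-path attacker a 2^16 search space, while a resolver that also picks a random ephemeral port multiplies that space by the number of ports. The fixed port 53, the 1024-65535 ephemeral range, the per-race guess counts and the example.com query are assumptions made for the illustration; the 32,768.5 figure is the exact mean for guessing distinct values until one matches, which the advisory rounds to 32,768.

```python
import random
import struct

DNS_ID_SPACE = 1 << 16            # size of the 16-bit transaction ID field
FIXED_PORT = 53                   # assumed: an unpatched resolver that always queries from port 53
EPHEMERAL_PORTS = 65536 - 1024    # assumed: a patched resolver picking uniformly from 1024-65535


def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(txid, qname):
    """Pack a minimal DNS message: 12-byte header plus one A/IN question.
    A forged answer carries the same header layout, so the attacker builds it the same way."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def txid_of(wire):
    """Read the transaction ID back out of the first two header bytes."""
    return struct.unpack("!H", wire[:2])[0]


def accepts(pending, dst_port, wire):
    """Resolver-side check: a response is used only if it arrives on the port the query
    left from and its ID matches the outstanding query.  pending = (source_port, txid)."""
    port, txid = pending
    return dst_port == port and txid_of(wire) == txid


def keyspace(port_choices):
    """Values an off-path attacker must guess: 2^16 IDs times the number of possible ports."""
    return DNS_ID_SPACE * port_choices


def mean_guesses_to_hit(space):
    """Average number of distinct guesses before one matches a uniformly chosen secret."""
    return (space + 1) / 2


def simulate(races, guesses_per_race, port_choices, seed=2008):
    """Blind attacker vs. resolver.  In each race window the resolver sends one query with a
    random (port, txid); the attacker, who cannot see it, fires guesses_per_race forged
    responses at distinct (port, txid) pairs.  Returns the fraction of races in which a
    forgery passed the accepts() check.  Timing against the genuine reply is not modelled."""
    rng = random.Random(seed)                       # fixed seed so runs are reproducible
    space = keyspace(port_choices)
    port_base = FIXED_PORT if port_choices == 1 else 1024
    poisoned = 0
    for _ in range(races):
        pending = (port_base + rng.randrange(port_choices), rng.randrange(DNS_ID_SPACE))
        for guess in rng.sample(range(space), min(guesses_per_race, space)):
            gport = port_base + guess // DNS_ID_SPACE
            forged = build_query(guess % DNS_ID_SPACE, "example.com")  # assumed target name
            if accepts(pending, gport, forged):
                poisoned += 1
                break
    return poisoned / races


if __name__ == "__main__":
    print("mean guesses, fixed port :", mean_guesses_to_hit(keyspace(1)))
    print("mean guesses, random port:", mean_guesses_to_hit(keyspace(EPHEMERAL_PORTS)))
    for label, ports in (("fixed port ", 1), ("random port", EPHEMERAL_PORTS)):
        print(label, "poisoned fraction with 4096 guesses per race:", simulate(100, 4096, ports))
```

The model only covers the name-matching check a resolver applies before believing a response; a real attack also has to land the forgery before the authoritative server's genuine reply arrives, and an attacker who can observe the query (on-path) is not slowed by either field. What the two figures show is why the CERT text calls the 16-bit ID insufficient on its own and why the coordinated patch moves every implementation to the randomized-port behaviour djbdns already had.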
  24. Re:More independent verification needed by somersault · · Score: 3, Funny

    /* John was hit by a bus last week :( I have no idea what he was doing here, I'll just return 1 and hope for the best.. */

    --
    which is totally what she said
  25. Re:More independent verification needed by somersault · · Score: 4, Funny

    No. This last week, as often happens, I blindly wandered through the hours in a haze of narcotics and alcohol, vomiting onto my co-workers and randomly saying "whuth day is ih..??". This culminated in me forgetting that it is the second Tuesday in July and therefore due to a long and boring story, the one time in the year where I am meant to come home and cook dinner for the start of a romantic evening with my beloved wife. I think it was rather the straw that broke the camel's back, and she's just this minute left me for a tall Puerto Rican calendar designer. He always knows what day it is.

    Oooooh wait, you mean like patch tuesday? Gotcha..

    --
    which is totally what she said
  26. Re:Any name server? by rs79 · · Score: 3, Funny

    " Everybody else is being patched to the level of security that we djbdns users have always had. Not to be *too* smug, of course."

    Bingo.

    If we were being smug we'd say something like "what do you expect when cert advisories are published as doc files?".

    --
    Need Mercedes parts ?
  27. Re:Any name server? by Russ+Nelson · · Score: 2, Funny

    Reportedly, djb wears all black, not all-aluminum. If I were you, I'd start wearing all black also.

    --
    Don't piss off The Angry Economist