Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaminsky DNS Bug Claimed Fixed By 1-Character Patch

Posted by kdawson on from the but-it's-the-right-character dept.

An anonymous reader writes "According to a thread on the bind-users mailing list, there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere. As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to successfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle. Source port randomization is nice, but removing the root cause of the attack's effectiveness is better."
Update: 08/29 20:11 GMT by KD : Dan Kaminsky sent this note: "What Gabriel suggests is interesting and was considered, but a) doesn't work and b) creates fatal reliability issues. I've responded in a post here."

7 of 120 comments (clear)

  1. Not the first time! by supernova_hq · · Score: 2, Interesting

    This is not the first time a huge security vulnerability was fixed by changing a single character!

    From what I remember, the SSL vulnerability we saw a while ago was caused by a single excess comment mark (well, maybe two if it was a double forward slash

    1. Re:Not the first time! by jellomizer · · Score: 2, Interesting

      There are a lot of bugs fixed by changing 1 character... It is a very common occurrence. Either you comment out a feature that isn't needed but causing a problem. Or change a default variable or a constant to a different value.
      Eg origional code (Just making it up on the fly) of a possible security hole bug:

      char x[9];
      // x is populated by a char* variable
        for (register int i=0; i <= 9; i++) {
      //doing some stuff on x[i]
        }

      Now anyone with any C experience will realize that we have the possibility of an overflowed buffer. Now what is the fix, I see 2 of them that can fix the problem with 1 character change.
      I could change = to by removing the =
      or I could change 9 to 8 in the for loop.
      Chances are for the most cases this code may go missed for a while, and the program will run great for years. Perhaps the char* input command limited they keyboard to 8 letters forcing the 9th to be null all the time. Then the code was changed to work for the web and its keyboard limit code was removed with a QuaryString value, without the check or the check stupidly done in Javascript or HTML maxlength. But still it is a security consern and can be fixed with 1 character and if you look at any CS 101 class you will see how common this error is. Espectially if they swap back and forth from VB to C

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Allegedly... by drmofe · · Score: 3, Interesting

    ....Paul Vixie is no longer allowed to commit code to BIND. Can this vulnerability be traced to code that he DID write originally?

  3. Re:What about other DNS servers ? by Anonymous Coward · · Score: 3, Interesting

    Bind is effectively the reference implementation, so probably, or they made the same mistake at any rate. That's not surprising, this is a very subtle bug that requires knowledge of the Kaminsky attack to recognise. It's worth pointing out however that djbdns had source-port randomisation from the start as a defensive measure, and thus remained very resistant to this attack.

  4. Re:OSS wins again by somersault · · Score: 4, Interesting

    This has more to do with an oversight in the DNS standard - doesn't have anything to do with any single implementation. Windows, Linux, and any other networked system that uses DNS are equally affected.

    Besides, it doesn't matter if your operating system is Open Source. You can write closed or open source software on any platform you want, and just because the source is available does not necessarily mean that bugs will be noticed and fixed. This situation just shows that even if there are no 'bugs' in an implementation of a standard, the original design may still be flawed.

    I haven't been following this situation very closely, so perhaps I'm a bit off with the details, but I'd be happy for someone to put me right if that's the case.

    Favouring cached DNS records seems to me to not be a spectacular idea for all situations. It depends on the length of the TTL setting on your DNS server though. I'm not sure what expiry time would be sensible for an ISP to use. You have to balance the fact that you want to up to date records with the amount of overhead that will be generated by all the DNS traffic.

    --
    which is totally what she said
  5. Re:Not getting much love in the mailing list by Nigel+Stepp · · Score: 2, Interesting

    Ha! I feel like that is the same guy who wrote a text editor that runs in ring 0 or something and halts multitasking.

    Anyone remember that guy? There was a huge usenet fight about it on some linux newsgroup in the 90s.

    Anyway, he had exactly the same reasoning style.

    --
    4096R/EF7BAFA6 79E1 DF98 D09D 898F 9A11 F6F0 DDDC 23FA EF7B AFA6
  6. Re:What about other DNS servers ? by Anonymous Coward · · Score: 2, Interesting

    +1 Insightful

    This is what the DNS books I've read say happens. When I first started playing with DNS I was always surprised and could never explain why my updated records became active before the old record's TTL expired. Sounds like a bug that's been needing to be fixed for a long time now.