Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches. To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.
Cisco has released free software updates that address these vulnerabilities.
Impact
Successful exploitation of the vulnerability described in this document may result in invalid hostname-to-IP address mappings in the cache of an affected DNS server. This may lead users of this DNS server to contact the wrong provider of network services. The ultimate impact varies greatly, ranging from a simple denial of service (for example, making www.example.com resolve to 127.0.0.1) to phishing and financial fraud.
Details
The Domain Name System is an integral part of networks that are based on TCP/IP such as the Internet. Simply stated, the Domain Name System is a hierarchical database that contains mappings of hostnames and IP addresses. The DNS protocol is part of the TCP/IP protocol suite and allows DNS clients to query the DNS database to resolve hostnames to IP addresses. A DNS server is an application that implements the DNS protocol and that has the ability to respond to queries made by DNS clients. When handling a query from a DNS client, a DNS server can look into its portion of the global DNS database (if the query is for a portion of the DNS database for which the DNS server is authoritative), or it can relay the query to other DNS servers (if it is configured to do so and if the query is for a portion of the DNS database for which the DNS server is not authoritative).
Because of the processing time and bandwidth that is associated with handling a DNS query, most DNS servers locally store responses that are received from other DNS servers. The area where these responses are stored locally is called a "cache." Once a response is stored in a cache, the DNS server can use the locally stored response for a certain time (called the "time to live") before having to query DNS servers again to refresh the local (cached) copy of the response.
A DNS cache poisoning attack is an attack in which an entry in the DNS cache of a DNS server is changed so the IP address associated with a hostname in the cache does not point to the correct place. For example, if www.example.com is mapped to the IP address 192.168.0.1 and this mapping is present in the cache of a DNS server, an attacker who succeeds in poisoning the DNS cache of this server may be able to map www.example.com to 10.0.0.1 instead. If this happens, a user who is trying to visit www.example.com may end up contacting the wrong web server.
Although DNS cache poisoning attacks are not new, a security researcher recently presented a technique that allows an attacker to mount successful DNS cache poisoning attacks with low-complexity tools and low traffic requirements. This technique exploits a weakness in most implementations of the DNS protocol. The fundamental implementation weakness is that the DNS transaction ID and source port number used to validate DNS responses are not sufficiently randomized and can easily be predicted, which allows an attacker to create forged responses to DNS queries that will match the expected values. The DNS server will consider such responses to be valid. The following Cisco products that offer DNS server functionality have been found to
• Cisco IOS Software: The vulnerability documented in Cisco bug ID CSCso81854 (registered customers only).
• Cisco Network Registrar: The vulnerability documented in Cisco bug ID CSCsq01298 (registered customers only).
• Cisco Application and Content Networking System (ACNS): The vulnerability documented in Cisco bug ID CSCsq21930 (registered customers only).
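The weakness above is a lack of entropy in the two values a resolver uses to match answers to its own questions. A defender can measure this directly on a capture of the resolver's outbound queries. The following is an added example, not code from Cisco's advisory: it takes a list of (UDP source port, transaction ID) pairs, as one might extract from a packet capture, and reports whether either field is fixed, sequential, or far below the entropy the sample size allows. The two traces it runs on are constructed, not recorded from any product.

```python
import math
import random
from collections import Counter

def shannon_bits(values):
    """Shannon entropy of the observed sample in bits; bounded above by log2(n)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def is_sequential(values):
    """True if every consecutive pair increases by exactly 1 (mod 2^16)."""
    return all((b - a) % 65536 == 1 for a, b in zip(values, values[1:]))

def assess_queries(records):
    """records: list of (src_port, txid) from a resolver's outbound queries.
    A sample of n queries can show at most log2(n) bits per field, so the
    entropy threshold is set relative to the sample size, not to 16 bits."""
    ports = [p for p, _ in records]
    txids = [t for _, t in records]
    max_bits = math.log2(len(records))
    port_bits, txid_bits = shannon_bits(ports), shannon_bits(txids)
    weak_ports = len(set(ports)) == 1 or is_sequential(ports) or port_bits < 0.5 * max_bits
    weak_txids = is_sequential(txids) or txid_bits < 0.5 * max_bits
    return {
        "queries": len(records),
        "distinct_ports": len(set(ports)),
        "port_bits": round(port_bits, 2),
        "txid_bits": round(txid_bits, 2),
        "sequential_txids": is_sequential(txids),
        "vulnerable": weak_ports or weak_txids,
    }

def constructed_samples(n=256):
    """Constructed traces (assumption, not captured data): a resolver that sends
    from a fixed port 53 with counter TXIDs, and one drawing both fields from a
    seeded PRNG as a stand-in for a build with randomized ports and IDs."""
    weak = [(53, (0x1000 + i) & 0xFFFF) for i in range(n)]
    rng = random.Random(2008)
    patched = [(rng.randint(1024, 65535), rng.randint(0, 65535)) for _ in range(n)]
    return weak, patched

if __name__ == "__main__":
    weak, patched = constructed_samples()
    print("fixed-port / counter-TXID resolver:", assess_queries(weak))
    print("randomized resolver:              ", assess_queries(patched))
```

Run against a real trace, the same function flags a resolver that still answers from a single port or walks its transaction IDs in order, which is the condition the fixed releases remove.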
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml.
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Cisco Security Advisory
Description: A vulnerability was reported in Cisco IOS and other Cisco products that provide DNS services. A remote user can spoof the system.
The domain name system (DNS) service does not use sufficiently random DNS transaction ID values and/or random UDP sockets to process queries. A remote user can send specially crafted DNS queries and responses to the target service to spoof responses and insert records into the DNS cache. This may cause traffic on the target system to be redirected to arbitrary IP addresses specified by the remote user.
Cisco IOS devices that are configured as a DNS server are affected.
Cisco has assigned Cisco Bug ID CSCso81854 to this vulnerability.
Cisco Network Registrar, Cisco Application and Content Networking System (ACNS), and the Cisco Global Site Selector (GSS) products are also affected.
Impact: A remote user can spoof the DNS service, causing traffic to be redirected to arbitrary hosts.
Solution: The vendor has issued a fix.
A patch matrix is available in the vendor's advisory.
securitytracker.com
Arris Cadant C3 CMTS Remote DoS Vulnerability
ZDI-07-036: June 11th, 2007
CVE-2007-2796
Affected Vendors: Arris
Affected Products: Cadant C3 CMTS
Vulnerability Details
This vulnerability allows remote attackers to cause a denial of service on vulnerable Arris Cadant C3 CMTS systems. Authentication is not required to exploit this vulnerability.
The flaw exists due to mishandling of IP options. When an unknown or bad option is specified, the C3 will terminate, disabling all service that is handled by that CMTS. The vulnerability can be triggered with a single malformed IP packet.
Vendor Response
Arris has issued an update to correct this vulnerability. More details can be found at:
http://www.arrisi.com/contact_us/support/
Disclosure Timeline
2007-02-23 - Vulnerability reported to vendor
2007-06-11 - Coordinated public release of advisory