RealTime IT News

CERT Amends DNS Flaw Fix

The Carnegie Mellon Software Engineering Institute (CERT/CC) Wednesday said that the previous fix it offered to thwart buffer overflows in domain name system resolver libraries may not be enough to safeguard certain software systems.

CERT/CC made the amendment as a follow-up to its June 28 announcement that remote attackers could send malicious DNS responses that may exploit vulnerabilities to execute arbitrary code or cause a denial-of-service attack on a system.

Perpetrators could hijack computers running certain vulnerable installed software products made by high-profile vendors, including those made by Caldera, HP, IBM and Red Hat.

Flaws in the DNS are serious, as it is responsible for translating text-based Web addresses to numeric IP addresses.

CERT/CC said that when the advisory was first published, it was thought that a caching DNS server that reconstructs DNS responses would prevent malicious code from reaching systems with vulnerable resolver libraries.

"This workaround is not sufficient," CERT/CC claimed. "It does not prevent some DNS responses that contain malicious code from reaching clients, whether or not the responses are reconstructed by a local caching DNS server. DNS responses containing code that is capable of exploiting the vulnerabilities described can be cached and reconstructed before being transmitted to clients. Since the server may cache the responses, the malicious code could persist until the server's cache is purged or the entries expire."
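The reason the caching workaround fails is easiest to see in code. The following is an added example, not code from the article, from CERT/CC or from any of the vendors named: a toy caching server parses an upstream answer, stores it, and reconstructs it on request, and the reconstructed record is byte-for-byte the same as the one it received, including an oversized RDATA field that a resolver copying into a fixed buffer without checking `rdlength` would overrun. The buffer size `RESOLVER_BUF`, the `CachingServer` class, the `would_overrun`/`hardened_copy` helpers and the sample record are all constructed for illustration; the only check that actually protects the client is the one in the resolver library itself, which is what the upgrade in the advisory supplies.

```python
"""Why a caching, re-serializing DNS server does not shield a resolver
that fails to bounds-check RDATA.  Constructed example; no real resolver
code or vendor-specific details are reproduced here."""
import struct

# Assumed size of the fixed buffer a hypothetical unchecked resolver
# copies RDATA into.  Purely illustrative.
RESOLVER_BUF = 16


def encode_name(name):
    """Encode a dotted host name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        enc = label.encode("ascii")
        if not 0 < len(enc) < 64:
            raise ValueError("bad label length")
        out += bytes([len(enc)]) + enc
    return out + b"\x00"


def build_rr(name, rtype, ttl, rdata):
    """Serialize one resource record (class IN) in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def parse_rr(buf, off=0):
    """Parse one RR with explicit bounds checks.

    Returns (record_dict, next_offset) and raises ValueError rather than
    reading past the end of the buffer.  Compression pointers are not
    supported in this toy parser and are rejected."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n >= 64:
            raise ValueError("compression pointer or bad label length")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    if off + 10 > len(buf):
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    if off + rdlen > len(buf):
        raise ValueError("rdlength exceeds message")
    rdata = buf[off:off + rdlen]
    rr = {"name": ".".join(labels), "type": rtype, "class": rclass,
          "ttl": ttl, "rdata": rdata}
    return rr, off + rdlen


class CachingServer:
    """Toy caching server: parses upstream answers, keeps them until the
    TTL would expire, and reconstructs them from the parsed form."""

    def __init__(self):
        self.cache = {}

    def learn(self, wire):
        rr, _ = parse_rr(wire)
        self.cache[(rr["name"], rr["type"])] = rr

    def answer(self, name, rtype):
        rr = self.cache[(name, rtype)]
        # "Reconstruction": the record is re-serialized from parsed fields,
        # but the RDATA bytes are passed through untouched.
        return build_rr(rr["name"], rr["type"], rr["ttl"], rr["rdata"])


def would_overrun(rr):
    """Models the unchecked copy: True when RDATA is longer than the buffer."""
    return len(rr["rdata"]) > RESOLVER_BUF


def hardened_copy(rr):
    """What a corrected resolver library does: refuse, never overrun."""
    if len(rr["rdata"]) > RESOLVER_BUF:
        raise ValueError("rdata too long for buffer")
    return rr["rdata"]


def demo():
    # Constructed upstream answer (type 16, RDATA treated as opaque bytes)
    # whose RDATA is far longer than the assumed resolver buffer.
    upstream = build_rr("example.test", 16, 300, b"A" * 40)
    srv = CachingServer()
    srv.learn(upstream)
    rebuilt = srv.answer("example.test", 16)
    rr, _ = parse_rr(rebuilt)
    return {"rebuilt_identical": rebuilt == upstream,
            "overruns_unchecked_resolver": would_overrun(rr),
            "rdata_len": len(rr["rdata"])}


if __name__ == "__main__":
    print(demo())
```

The cache entry lives for the record's TTL (300 seconds in the constructed sample), which is the persistence the advisory describes: every client that asks the cache for that name during that window receives the same oversized RDATA.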

CERT/CC said the only real remedy to the flaw is to upgrade to a corrected version of the DNS resolver libraries.

CERT/CC published two separate vulnerability notes with additional technical details here and here.

CERT/CC credited Joost Pol of PINE-CERT, the FreeBSD Project, the NetBSD Project, and David Conrad of Nominum for information about the flaw.

DNS vulnerabilities have been common fare among CERT/CC advisories in the past year. Particularly hard hit was the Berkeley Internet Name Domain (BIND) DNS, which was found to be susceptible to DoS attacks in June. The BIND DNS Server is used on most name serving machines on the Internet.

BIND flaws were also detected in January 2001.