CERT Amends DNS Flaw Fix

The Carnegie Mellon Software Engineering Institute's CERT Coordination Center
(CERT/CC) Wednesday said that the previous fix it offered to
thwart buffer overflows in domain name system resolver
libraries may not be enough to safeguard certain software systems.

CERT/CC made the amendment as a follow-up to its June 28 announcement that
remote attackers could send malicious DNS responses that may exploit
vulnerabilities to execute arbitrary code or cause a denial-of-service
attack on a system.

Perpetrators could hijack computers running certain vulnerable software products
from high-profile vendors, including Caldera, HP, IBM and Red Hat.

Flaws in the DNS are serious, as it is responsible for translating text-based Web addresses to numeric IP addresses.

CERT/CC said that when the advisory was first published, it was thought that a
caching DNS server that reconstructs DNS responses would prevent malicious
code from reaching systems with vulnerable resolver libraries.

“This workaround is not sufficient,” CERT/CC claimed. “It does not prevent some
DNS responses that contain malicious code from reaching clients, whether or
not the responses are reconstructed by a local caching DNS server. DNS
responses containing code that is capable of exploiting the vulnerabilities
described can be cached and reconstructed before being transmitted to
clients. Since the server may cache the responses, the malicious code could
persist until the server’s cache is purged or the entries expire.”

CERT/CC said the only real remedy to the flaw is to upgrade to a corrected
version of the DNS resolver libraries.

CERT/CC published two separate vulnerability notes with additional technical
details.

CERT/CC credited Joost Pol of PINE-CERT, the FreeBSD Project, the NetBSD Project, and David Conrad of Nominum for information about the flaw.

DNS vulnerabilities have been common fare among CERT/CC advisories in the past year. Particularly hard hit was the Berkeley Internet Name Domain (BIND) DNS, which was found to be susceptible to DoS attacks in June. The BIND DNS Server is used on most name serving machines on the Internet.

BIND flaws were also detected in January 2001.
