July 9, 2008

Latest BIND Vulnerability and Nixu Products

Filed under: Uncategorized — Juha @ 8:59 pm

As many of you have noticed, US-CERT issued a new security advisory, VU#800113, on July 8 2008, according to which all BIND versions are vulnerable to cache poisoning. This vulnerability only affects BIND servers in which recursion has been enabled. For further information on this vulnerability, please see US-CERT’s full advisory here.

Below is a summary of how this vulnerability affects Nixu products:

Nixu NameSurfer Suite

The proprietary primary DNS server included in Nixu NameSurfer Suite IS NOT affected by this vulnerability. Secure64 DNS and/or NSD servers run as DNS secondaries to Nixu NameSurfer Suite ARE NOT affected. BIND servers run as DNS secondaries to Nixu NameSurfer Suite are affected ONLY if recursion has been enabled in them.

For users who have enabled recursion on BIND servers run as DNS secondaries to a Nixu NameSurfer primary, we recommend updating those BIND servers to the latest version.

Nixu SNS (Secure Name Server)

The BIND version included in Nixu SNS was affected by this vulnerability if recursion was enabled. To address this issue, all users running Nixu SNS with automated software updates enabled received a patched version of BIND (9.2.4-28.0.1.el4) on July 9 2008 by 7am GMT/2am EST. This version addresses the vulnerability announced in the VU#800113 advisory.

All in all, I think we have covered our bases rather nicely.

General Notes

More generally, although this vulnerability has attracted a lot of attention this time around, the DNS cache poisoning attack technique used to exploit it has been known for quite some time. Interestingly enough, there have been no real-life reports of incidents in which this technique (providing false name resolution to recursive DNS servers by spoofing the address of an authoritative DNS server and guessing the right transaction ID) was used. Of course, it may have been difficult to spot that, but still…
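The technique in the parenthetical above leaves a recognisable trace at the resolver: several answers for one outstanding query, all claiming the authoritative server's address, with transaction IDs that do not match. The following is an added example of counting those per query, not code from Nixu, ISC or the advisory; the record fields, time window and threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample: queries the resolver sent, and answers seen on the wire.
# Field names (t, server, src, qname, txid) are hypothetical, not a BIND log format.
QUERIES = [
    {"t": 0.000, "server": "192.0.2.53", "qname": "www.example.com.", "txid": 0x3A7C},
    {"t": 0.100, "server": "192.0.2.53", "qname": "mail.example.com.", "txid": 0x91F0},
]
RESPONSES = [
    # Four wrong-ID answers for www, then one carrying the right ID.
    *[{"t": 0.010 + i / 1000, "src": "192.0.2.53", "qname": "www.example.com.",
       "txid": x} for i, x in enumerate([0x0001, 0x0002, 0x0003, 0x0004, 0x3A7C])],
    # Normal answer for mail, plus one stray mismatch (e.g. a late retransmit).
    {"t": 0.120, "src": "192.0.2.53", "qname": "mail.example.com.", "txid": 0x91F0},
    {"t": 0.130, "src": "192.0.2.53", "qname": "mail.example.com.", "txid": 0x91EF},
]

def find_txid_guessing(queries, responses, window=2.0, threshold=3):
    """Flag outstanding queries that drew many wrong-TXID answers.

    A real authoritative server answers with the ID the resolver chose;
    a run of answers for the same name from the same claimed source with
    differing IDs is what transaction-ID guessing looks like.
    """
    by_key = defaultdict(list)
    for r in responses:
        by_key[(r["src"], r["qname"].lower())].append(r)

    findings = []
    for q in queries:
        candidates = [r for r in by_key[(q["server"], q["qname"].lower())]
                      if q["t"] <= r["t"] <= q["t"] + window]
        wrong = [r for r in candidates if r["txid"] != q["txid"]]
        if len(wrong) >= threshold:
            findings.append({
                "qname": q["qname"],
                "server": q["server"],
                "wrong_txids": len(wrong),
                "distinct_txids": len({r["txid"] for r in wrong}),
                # A matching answer that follows wrong ones may itself be forged.
                "matching_answer_seen": any(r["txid"] == q["txid"] for r in candidates),
            })
    return findings

if __name__ == "__main__":
    for f in find_txid_guessing(QUERIES, RESPONSES):
        print(f)
```

A flagged query with `matching_answer_seen` set is the case worth checking against the authoritative zone, since the source address alone cannot tell the genuine answer from a forged one.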

As one of my tech-savvy colleagues at Nixu stated (hello Juhani! :-) ), perhaps the most interesting thing about this entire episode was the fact that Dan Bernstein suggested the security improvements included in the latest BIND releases (as well as certain other caching DNS products) some years ago, when this attack technique was first discovered. However, it took a bit of time and the involvement of Dan Kaminsky and Paul Vixie to make this vulnerability a mainstream news item and, before that, to get most caching DNS server vendors to react to the issue. Please visit Doxpara Research’s website for further details.

Of course, it’s always a big positive when there’s a push for people to update their DNS servers. After all, not everyone does that as often as they should. But software updates aside, I think there might also be another political agenda at play here. As ISC stated in their summary on this vulnerability:

“A weakness in the DNS protocol may enable the poisoning of caching recursive resolvers with spoofed data. DNSSEC is the only full solution. New versions of BIND provide increased resilience to the attack.” (emphasis is mine)

Do they mean to say it’s high time for everyone to get their DNSSEC plans straight? ;-)
