A graphic for the Metasploit Framework, which published code for the DNS vulnerability late last July.

Speaking at the Black Hat security conference in Las Vegas, security researcher Dan Kaminsky warned that a critical vulnerability in the internet’s worldwide DNS (Domain Name System) infrastructure is worse than initially thought.
Kaminsky initially came forward early last month to disclose the existence of a critical security bug in most of the world’s DNS servers. The bug allows hackers to silently redirect web surfers to an alternate, possibly malicious, web site: when a user’s web browser asks a poisoned DNS server for the address of a given internet domain, like www.microsoft.com, it receives the attacker’s address instead of the real one.
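The poisoning described above is a race: a forged answer has to reach the resolver, and match what the resolver is waiting for, before the genuine answer does. An unpatched resolver of that era accepted any answer carrying the right 16-bit transaction ID on its single query port; the coordinated July patches made resolvers pick a random source port per query as well, so the attacker has to guess both. The model below is an added illustration, not code from the article, from Kaminsky or from any DNS implementation; the fixed port value (53), the ephemeral range 1024–65535, the attacker’s packet budget and the addresses are all assumptions.

```python
"""Toy model of the DNS cache-poisoning race, with and without source-port
randomisation.  Added illustration only; not code from the article, from
Kaminsky, or from any DNS software.  The fixed port, the ephemeral range,
the attacker's packet budget and the addresses below are assumptions."""
import random

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
FIXED_PORT = 53                      # assumed single query port of an unpatched resolver
RANDOM_PORTS = range(1024, 65536)    # assumed ephemeral range of a patched resolver
ATTACKER_IP = "203.0.113.66"         # constructed, documentation range
REAL_IP = "192.0.2.10"               # constructed, documentation range


class Resolver:
    """One outstanding query at a time.  The first response whose
    (txid, destination port, qname) match is accepted and cached; that
    tuple is the whole of the check, exactly as the unpatched behaviour."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}
        self.outstanding = None

    def send_query(self, qname: str) -> tuple:
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(RANDOM_PORTS) if self.randomize_port else FIXED_PORT
        self.outstanding = (txid, port, qname)
        return self.outstanding

    def receive(self, txid: int, port: int, qname: str, answer: str) -> bool:
        """Return True if the response was accepted into the cache."""
        if self.outstanding != (txid, port, qname):
            return False                  # silently dropped, no alarm raised
        self.cache[qname] = answer
        self.outstanding = None
        return True


def poison_attempt(randomize_port: bool, budget: int, rng: random.Random,
                   qname: str = "www.example.com") -> bool:
    """Race one query.  The attacker knows the name being looked up and fires
    `budget` forged answers, each with a random txid (and a random port when
    the port is unknown), before the genuine answer lands.  Returns True if
    the forged record ended up in the cache."""
    resolver = Resolver(randomize_port, rng)
    real_txid, real_port, _ = resolver.send_query(qname)
    for _ in range(budget):
        guess_txid = rng.randrange(TXID_SPACE)
        guess_port = rng.choice(RANDOM_PORTS) if randomize_port else FIXED_PORT
        if resolver.receive(guess_txid, guess_port, qname, ATTACKER_IP):
            return True
    resolver.receive(real_txid, real_port, qname, REAL_IP)   # genuine answer arrives
    return resolver.cache[qname] == ATTACKER_IP


def poison_rate(randomize_port: bool, budget: int, trials: int, seed: int = 1) -> float:
    """Fraction of `trials` independent races the attacker wins."""
    rng = random.Random(seed)
    hits = sum(poison_attempt(randomize_port, budget, rng) for _ in range(trials))
    return hits / trials


def expected_rate(randomize_port: bool, budget: int) -> float:
    """Closed form for the same model: 1 - (1 - 1/space)^budget, where the
    space is 2^16 txids times the number of ports the attacker must guess."""
    space = TXID_SPACE * (len(RANDOM_PORTS) if randomize_port else 1)
    return 1.0 - (1.0 - 1.0 / space) ** budget


if __name__ == "__main__":
    for randomize in (False, True):
        print(f"port randomisation {'on' if randomize else 'off'}: "
              f"simulated {poison_rate(randomize, 32768, 40):.2f}, "
              f"expected {expected_rate(randomize, 32768):.6f}")
```

With a fixed port, 65,536 forged packets (a fraction of a second on a fast link) win the race about 63 percent of the time; the attacker simply repeats the race against fresh names until it works. With the port randomised, the same budget wins roughly one race in 65,000, which is why the patch, rather than any change to the protocol, was the urgent fix.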
“Every network is at risk,” said Kaminsky, who described the flaw as one of the biggest internet security holes since 1997.
Kaminsky says the extent of this flaw – details of which he had promised to withhold until later this month, until they were suddenly leaked and then retracted by bloggers at security firm Matasano in July – allows far more than simple website redirection. Since the internet is highly reliant on its DNS infrastructure – to the point where SSL certificates are validated against hostnames that DNS resolves – the flaw allows for a staggeringly wide variety of attacks: poisoned DNS entries could let hackers silently redirect attempts to log in to FTP, mail, and Telnet servers, or fool systems like Windows Update into downloading from servers under hackers’ control.
“There are a ton of different paths that lead to doom,” Kaminsky told attendees of his standing-room-only presentation on Wednesday.
According to Kaminsky, the ISPs serving roughly 42 percent of broadband consumers around the world have patched their DNS servers, and approximately 70 percent of the world’s Fortune 500 are protected. Of the remaining 30 percent, roughly half of the companies Kaminsky surveyed encountered difficulties patching their systems, while the other half has made little or no effort to fix them.
When details of the flaw were released, Kaminsky simply told server operators to “patch. Today. Now. Yes, stay late.”
Wired’s Threat Level reports that Kaminsky spent more than an hour running through the variety of systems that are vulnerable to attack, noting that a hacked DNS server produces a “domino effect” among linked systems. He is aware of at least fifteen ways it could be used – but notes that more are likely to turn up the longer it is studied.
Despite the urgency, however, there have been few reports of the vulnerability surfacing in the wild. This is despite exploit code being made available for the widely used Metasploit Framework, which gives researchers and hackers alike easy access to a variety of attacks. One such incident, published July 30 on the official Metasploit blog, describes a successful attempt to poison AT&T’s Austin, Texas DNS servers to redirect Google surfers to a page that served up hidden advertisements.
Kaminsky posted a simple test on his website, DoxPara, which lets visitors determine whether the DNS servers they use are vulnerable to the attack.
