INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches. |
| PLATFORM: | Cisco IOS Software Cisco Network Registrar Cisco Application and Content Networking System Cisco Global Site Selector Used in Combination with Cisco Network Registrar Debian GNU/Linux 4.0 (etch) |
| DAMAGE: | DNS cache poisoning. |
| SOLUTION: | Upgrade to the appropriate version. |
| VULNERABILITY ASSESSMENT: |
The risk is HIGH. Successful exploitation of the vulnerability described in this document may result in invalid hostname-to-IP address mappings in the cache of an affected DNS server. This may lead of this DNS server to contact with wrong provider of network services. |
| CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
9.3 7.7 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C) |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/s-341.shtml |
| ORIGINAL BULLETIN: | http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml |
| ADDITIONAL LINKS: | http://www.debian.org/security/2008/dsa-1617 http://www.debian.org/security/2008/dsa-1619 |
| CVE: | CVE-2008-1447 |
REVISION HISTORY:
08/18/2008 - revised S-341 to reflect changes Cisco has made in Cisco Security
Advisory Document ID: 107064 where they added a "Port Address
Translation Considerations" section to highlight the problems and
risks when DNS SErvers are behind network devices performing PAT,
and to add a link to Debian Security Advisories for DSA-1617-1 and
DSA-1619-1 for Debian GNU/Linux 4.0 (etch).
[***** Start Cisco Security Advisory Document ID: 107064 *****]
Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.
To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml.
This security advisory is being published simultaneously with announcements from other affected organizations.
[Expand all sections] [Collapse all sections]
Affected Products Products that cache DNS responses and process DNS messages with the recursion desired (RD) flag set may be vulnerable to a DNS cache poisoning attack depending on implementation of the DNS protocol. Products that process DNS messages with the RD flag set will attempt to answer the question asked on behalf of the client. A product is only affected if using a vulnerable implementation of the DNS protocol, the DNS server functionality for the product is enabled, and the DNS feature for the product is configured to process recursive DNS query messages.
Vulnerable Products Products Confirmed Not Vulnerable Details Vulnerability Scoring Details Impact Software Versions and Fixes Workarounds Obtaining Fixed Software Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Customers with Service Contracts Customers using Third Party Support Organizations Customers without Service Contracts Exploitation and Public Announcements The Cisco PSIRT is not aware of malicious use of the vulnerability described in this advisory. Full technical details about the nature of the vulnerability are publicly available and the Metasploit project has published two modules that can exploit this vulnerability.
Although DNS cache poisoning attacks are not new, security researcher Dan Kaminsky of IOActive recently presented a technique that makes DNS cache poisoning attacks more likely to succeed. Cisco would like to thank Dan Kaminsky for notifying vendors about his findings.
Note that vulnerability information for Cisco IOS Software is being provided in this advisory outside of the announced publication schedule for Cisco IOS Software described at http://www.cisco.com/go/psirt due to industry-wide disclosure of the vulnerability.
The multi-vendor advisory published by US-CERT is available at http://www.kb.cert.org/vuls/id/800113 
("VU#800113 - Multiple DNS implementations vulnerable to cache poisoning").
Status of this Notice: FINAL Distribution Revision History
[***** End Cisco Security Advisory Document ID: 107064 *****]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org