Black Hat: DNS Flaw Much Bigger Than Thought


By Kevin McLaughlin, ChannelWeb
7:13 PM EDT Wed. Aug. 06, 2008
Security researcher Dan Kaminsky Wednesday revealed details on the DNS vulnerability he discovered earlier this year, suggesting its potential impact is far more serious than just about anyone realized.

Speaking to a packed room of Black Hat conference attendees, Kaminsky, director of penetration testing for IOActive, said that in addition to being used for so-called cache poisoning attacks, the DNS vulnerability could also be used to exploit IPSec VPNs, SSL certification, automatic software update systems, spam filters and voice over IP systems.

But that's far from a complete list of the systems that could be affected, and Kaminsky repeatedly used the term "domino effect" in describing the vulnerability's far-reaching potential to wreak havoc.

"The question is not how many things can you break with DNS, but how many things can't you break," Kaminsky said. "We're barely keeping hold of the secrets of why it's so important to patch."

Details of the DNS flaw surfaced in the blogosphere last month, and security experts said it could be used for cache poisoning, which allows attackers to trick DNS servers into redirecting Internet traffic to malicious Websites and engage in all types of nefarious behavior without users' knowledge.

This tactic could enable miscreants to take over .com, .net, and .org domains and see who's sending emails to whom, and also pick off any message they choose. Attackers could also accept emails, infect them, and forward them along, according to Kaminsky. Using a probabilistic approach to stopping the attack, Kaminsky and researchers from several major vendors developed and released a patch last month that addresses the vulnerability.

Researchers employed a technique known as source port randomization to make the attack exponentially more difficult to carry out, and were able to expand the number of DNS Time To Live (TTL) possibilities from 65,535 to somewhere between 163 million and 2.1 billion.

"The idea was, let's make it tens of thousands of times harder to carry out this attack," Kaminsky said.

However, TTL isn't a security feature, Kaminsky pointed out, and the fix can only be considered a stopgap until researchers can develop a more comprehensive patch. "There are many, many variants of this attack, and there are a ton of different paths that lead to doom," Kaminsky said.

In his presentation, Kaminsky shot down the popular belief that companies that have their DNS servers behind the firewall are protected from the vulnerability, and enumerated several ways that DNS lookups can happen inside the corporate network. These include links, images, and advertisements in Web browsers, email servers, and Web bugs in documents that "call home."

The good news is that 120 million broadband consumers are now protected from the DNS vulnerability through their service providers that have applied the patch. "There has been a remarkable amount of uptake on this patch," Kaminsky said. "Home users at this point more likely than not are behind a protected environment, and they're actually probably going to be more unsafe at work."

But in the Fortune 500, the situation is different: 70 percent of firms have applied the patch, but 15 percent haven't, while the remaining 15 percent have patched, but suffer from network address translation issues, according to Kaminsky.

For mail servers, 61 percent of Fortune 500 companies have patched, 17.25 percent haven't, and 21.75 percent have patched but have NAT issues.
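An added example (not from the article or from Kaminsky's talk): a check a defender could run over the UDP source ports of a resolver's outbound queries, as logged at an authoritative server they control, to tell an unpatched resolver from a patched one whose ports a NAT device rewrites predictably. It assumes the guess space is the 16-bit DNS transaction ID multiplied by the size of the source-port pool; the port samples, the `MAX_STEP` threshold and the function names are constructed for illustration.

```python
TXID_SPACE = 2 ** 16   # values of the 16-bit DNS transaction ID
MAX_STEP = 16          # assumed threshold: port steps this small count as sequential
MIN_SAMPLES = 5        # assumed minimum number of observed queries


def classify_ports(ports):
    """Classify observed UDP source ports as 'fixed', 'sequential' or 'randomized'."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} samples, got {len(ports)}")
    if len(set(ports)) == 1:
        return "fixed"                      # same port on every query
    # Step between consecutive queries, wrapping at the 16-bit port boundary.
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if all(1 <= s <= MAX_STEP for s in steps):
        return "sequential"                 # e.g. a NAT device reassigning ports in order
    return "randomized"


def effective_guess_space(verdict, pool_size):
    """Combinations a forged reply must match: transaction ID x unpredictable ports."""
    if verdict == "randomized":
        return TXID_SPACE * pool_size
    return TXID_SPACE                       # port is predictable, only the ID is left


# Constructed samples: source ports of eight consecutive queries per resolver.
UNPATCHED = [1025] * 8
NATTED = [40001, 40002, 40003, 40005, 40006, 40007, 40009, 40010]
PATCHED = [51234, 1093, 28711, 60412, 9150, 44877, 17320, 36005]

if __name__ == "__main__":
    for name, ports, pool in (("unpatched", UNPATCHED, 1),
                              ("patched behind NAT", NATTED, 2500),
                              ("patched", PATCHED, 2500)):
        verdict = classify_ports(ports)
        space = effective_guess_space(verdict, pool)
        print(f"{name:20s} {verdict:11s} {space:>13,}")
```

Under that assumption, pool sizes of 2,500 and 32,768 ports give 163,840,000 and 2,147,483,648 combinations, which line up with the 163 million and 2.1 billion figures quoted above.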

George Kurtz, senior vice president and general manager of McAfee's Risk and Compliance business unit, was impressed by the breadth of different exploit scenarios that Kaminsky discussed in his presentation.

"When you hear about cache poisoning, most people think of attackers spoofing Websites, but when you go down the trail he laid out, it's about taking over IPSec VPNs, SSL certification, all automatic updates for the software, Skype. I think it's a watershed event in terms of the breadth of what he discussed," Kurtz told ChannelWeb in an interview at the event.

