July 24th, 2008

Kaminsky suggests long-term fix will still have to be determined, but patch now, or pay soon

Posted by Nathan McFeters @ 2:30 pm

Categories: Black Hat, Black Hat Las Vegas, Complex Attacks, Exploit code, Hackers, Metasploit, Patch Watch, Research, Responsible disclosure, Vulnerability research, Zero-day attacks, ~Special Series~

Tags: CERT, DNS Server, Server, Kaminsky, Dan, Patches, Domain Names, Security, Internet, Nathan McFeters

I listened to the Black Hat webcast today to grab as much info as I could on this subject. The biggest thing I heard from the whole talk is that the patch fixes things to a reasonable point, but that, long term, more work will have to be done to prevent the issue. Before I get into the details: this was not an interview. I was simply taking shorthand notes, so I did my best to capture direct quotes of what was said, but in some cases this may not be 100% accurate. If any speakers from the webcast or readers of the blog see errors, please email me and I will quickly strike through and change them.

Kaminsky said that,

The exploit is now 10s of thousands of times harder, but still possible. 1 in several hundred million to 1 in a couple billion.

and

If it took seconds to minutes before, it still could work, but now it’s days or hours at worst.


Kaminsky also talked about the adoption rate of the patch, saying that:

Originally, the data collection showed that 86% of people testing their DNS servers were vulnerable (Kaminsky clarified that this was within the first couple of days after the patch, the 8th to the 12th). As of the last couple of days, 52% of the DNS servers being tested are still vulnerable.

Kaminsky said he was glad the number had come down, but that it was still very far from being an acceptable adoption rate and that people really needed to get patched. He stated:

Metasploit is going to destroy us.

We are in a lot of trouble, the attack is weaponized in the field, so everyone needs to patch, please!

Dan also commented on the early days of the disclosure and the patch itself, saying:

If an easy, more obvious fix was possible, we would have done it.

and

We did what we could to get people patched early, those that didn’t take advantage, I don’t blame, but we had to do what we could to give people an advantage [over attackers].

Dan was asked, “What have we learned?”, to which he responded:

This type of coordination was a good first step, but it wasn’t perfect, and it waits on the security community to judge, but core companies came together to get patched.

Dan also thanked the press for the coverage of this issue saying that without the coverage, he expects less people would’ve been patched.

With regards to the long-term fix for this issue, all of the speakers (Dan, Jerry Dixon, Rich Mogull, and Joao Damas) commented on moving to DNSSEC, although they discussed some of the reasons it had not been adopted by the security community, including the extreme overhead, even comparing it to IPv6. The speakers suggested that they had thought about pushing for DNSSEC now, but due to the difficulties of implementing it, had to go with the current patch to get something out now.

Another question that came up asked about using TCP only for DNS as a fix, which I have seen suggested on many mailing lists, to which Dan responded:

We don’t have enough capacity to have everyone run DNS on port 53 tcp, so that is not an effective solution.

Jeff Moss questioned Dan further on this, asking if doing this would basically cause a huge denial of service on the internet, and Dan seemed to believe it would.

Webcast listeners also asked, “Do both clients and DNS servers need the patch?”, to which Dan responded:

There are situations where the client is vulnerable. It’s the difference between a sniper rifle and a nuke. Yes, I’m scared of the sniper rifle, but I’m more worried about the nuke. Clients are vulnerable per machine, where servers could be vulnerable per country.

Listeners also asked, “How effective was CERT with the process?”, to which Dan responded:

This is what I imagined working with CERT would always be. It wasn’t enough just to get the patch written, we had to get out there, CERT was tremendous with that. Now we are in step 3, getting the patch deployed.

Kaminsky commented on another listener’s question about the TTL’s impact on the bug, saying that the bug is significant not just because you get to win the race whenever there is a query, but because, due to the TTL, once the forged record is in the cache you keep winning for a long time.

To clarify, Kaminsky also commented that the attack does not affect authoritative servers, it affects nameserver caches.

Kaminsky stated that the patch makes the exploit tens of thousands of times harder, but still possible. He suggested that the likelihood of success is 1 in several hundred million to 1 in a couple billion.
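To put those odds in terms you can check on your own resolver: the patch Kaminsky is describing adds source-port randomisation to outbound queries, so a forged answer has to match a random 16-bit transaction ID and a random port instead of the transaction ID alone. The script below is an added example written for this post (not Kaminsky's code, nor any vendor's): it takes (source port, transaction ID) pairs as you would read them off a packet capture of your resolver's outbound queries, reports whether the source port is fixed, and works out the size of the guess space a forgery has to hit. The two sample sets are constructed; the 16-bit figures are assumptions for the arithmetic, and the "1 in a couple billion" quoted above corresponds to 2^32.

```python
import math
from collections import Counter

# Constructed sample of (source_port, txid) pairs read off a resolver's
# outbound queries.  Fixed source port, random TXID: the pre-patch pattern.
UNPATCHED_SAMPLE = [(53, t) for t in (0x1A2B, 0x9C3D, 0x4E5F, 0x7081,
                                       0xB2C3, 0xD4E5, 0x0617, 0xF8A9)]

# Constructed sample: random source port and random TXID, the post-patch pattern.
PATCHED_SAMPLE = [(49213, 0x1A2B), (61877, 0x9C3D), (33015, 0x4E5F),
                  (52900, 0x7081), (41322, 0xB2C3), (58490, 0xD4E5),
                  (36711, 0x0617), (63002, 0xF8A9)]


def shannon_bits(values):
    """Empirical entropy (bits) of the observed values.

    With n samples this cannot exceed log2(n), so it is a sanity check on
    variation in a capture, not a measure of the generator's true randomness.
    """
    n = len(values)
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def guess_space(txid_bits=16, port_bits=0):
    """Number of equally likely (txid, port) combinations a forged answer must match."""
    return 2 ** (txid_bits + port_bits)


def per_attempt_probability(txid_bits=16, port_bits=0):
    """Chance that one forged answer matches a single outstanding query."""
    return 1.0 / guess_space(txid_bits, port_bits)


def assess(pairs):
    """Summarise the randomness visible in a resolver's outbound queries."""
    n = len(pairs)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    ceiling = math.log2(n)  # most entropy n samples can possibly show
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    fixed_source_port = len(set(ports)) == 1
    # Ports that vary nearly as much as the sample allows look randomised;
    # a fixed port is the pre-patch behaviour the webcast was warning about.
    ports_look_random = (not fixed_source_port) and port_bits >= ceiling - 1
    return {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": port_bits,
        "txid_entropy_bits": txid_bits,
        "fixed_source_port": fixed_source_port,
        "ports_look_random": ports_look_random,
        # Assumed protection: a full 16-bit TXID, plus ~16 bits of port only
        # when the ports actually look randomised (assumption for the arithmetic).
        "effective_guess_space": guess_space(16, 16 if ports_look_random else 0),
    }


if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE), ("patched", PATCHED_SAMPLE)):
        r = assess(sample)
        print(f"{name}: fixed port={r['fixed_source_port']}, "
              f"port entropy={r['port_entropy_bits']:.2f} bits, "
              f"one forged answer matches 1 in {r['effective_guess_space']:,}")
```

A capture of a few dozen queries is enough to tell a fixed port from a randomised one, which is the check that matters here; it is not enough to judge the quality of the randomness, and a NAT device in front of the resolver can undo the port randomisation again, which is why the patched status of the resolver alone is not the whole story.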

Additionally, the group suggested that a second round of patches will be done for the client side, but that there will be a debate about the long-term ways of fixing this issue.

Just in case you hadn’t heard it enough times already, PATCH NOW.

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
