
March 6th, 2009

Dan Bernstein confirms DJBDNS security hole, pays $1,000

Posted by Ryan Naraine @ 7:26 am


Dan J. Bernstein has acknowledged an exploitable security flaw in his djbdns software and has made good on a public security guarantee — to pay $1000 to the first person to publicly report a verifiable security hole in the latest version of the popular DNS name server.

Bernstein described the flaw as a “violation of the expected security policy in a reasonable situation” and awarded the bounty to Matthew Dempsky, the researcher who discovered and reported the issue.


Here’s the gist of Bernstein’s public acknowledgement:

If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

Bernstein, a cryptographer who is also responsible for qmail, said the next release of djbdns will be backed by a new security guarantee.

He recommended that users exposed to the attack scenario apply the patch created by Dempsky.

The patch is also recommended for other users; it corrects the bug without any side effects.
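
The quoted acknowledgement attributes the hole to axfrdns compressing some outgoing DNS packets incorrectly. As an added illustration (not code from djbdns, from Dempsky's patch, or from the original post), the Python below shows how RFC 1035 name compression works in general and how a decode-and-compare check catches a name whose compression pointer targets the wrong suffix. It does not reproduce the djbdns bug itself; the buffer is a constructed run of names rather than a full DNS message, and all function names are hypothetical.

```python
# Added illustration; every name and byte below is constructed.
def encode_name(name):
    """Encode a dotted name as uncompressed length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def pointer(offset):
    """Two-byte compression pointer; the offset field is 14 bits wide."""
    if not 0 <= offset < 0x4000:
        raise ValueError("offset does not fit in a compression pointer")
    return bytes([0xC0 | (offset >> 8), offset & 0xFF])

def decode_name(buf, pos):
    """Decode the name at pos as a resolver would, following pointers."""
    labels, hops = [], 0
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of buffer")
        length = buf[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 == 0xC0:
            if pos + 1 >= len(buf) or hops >= 16:
                raise ValueError("truncated pointer or pointer loop")
            pos, hops = ((length & 0x3F) << 8) | buf[pos + 1], hops + 1
        elif length & 0xC0 or pos + 1 + length > len(buf):
            raise ValueError("bad label")
        else:
            labels.append(buf[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length

def mismatched_names(buf, intended):
    """Return (offset, intended, decoded) for names that decode differently."""
    return [(off, want, decode_name(buf, off))
            for off, want in sorted(intended.items())
            if decode_name(buf, off).lower() != want.lower()]

def build_sample():
    """Constructed buffer: three correct names and one bad pointer."""
    buf = encode_name("example.com")        # offset 0, uncompressed
    sub = len(buf)
    buf += b"\x03sub" + pointer(0)          # sub.example.com
    good = len(buf)
    buf += b"\x03www" + pointer(sub)        # www.sub.example.com
    bad = len(buf)
    buf += b"\x03www" + pointer(0)          # pointer aimed at the wrong suffix
    want = "www.sub.example.com"
    return buf, {sub: "sub.example.com", good: want, bad: want}
```

Running `mismatched_names(*build_sample())` reports only the last name: its bytes were meant to publish a record under sub.example.com, but a resolver decodes them as a name directly under example.com.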

Also see this Slashdot discussion.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

