September 4th, 2007

Cache poisoning flaw is death knell for BIND 8

Posted by Ryan Naraine @ 12:49 pm

The Internet Software Consortium has pulled the plug on support for Version 8 of the BIND (Berkeley Internet Name Domain) DNS implementation after the discovery of a serious vulnerability that could lead to cache poisoning attacks.

The flaw, publicly discussed in a paper by Trusteer’s Amit Klein, could allow a remote attacker who can predict DNS query IDs and respond with arbitrary answers to poison DNS caches.

The ISC has responded with an interim patch for BIND 8 but, in a blunt advisory, the non-profit group says the older version of the DNS server is being put out to pasture.

“BIND 8 remains a relic of software architecture and coding practice from a different time,” the group said in an alert. “As such, it is not secure in today’s Internet. After years of patching and workarounds, we know it will never be.”

“We’ve already said that BIND 8 will never support DNSSEC and related new security features. But what is more important to consider is this: An administrator who simply stands still and never upgrades will eventually put systems at risk. New problems continue to be discovered at the limits of possibility for fixing them,” it added.

The ISC’s recommendation is for users to migrate to BIND 9 immediately:

There has never been a root-level exploit against BIND 9. BIND 9 was intrinsically designed to resist cache poisoning attacks; BIND 8, due to architectural decisions made when it was designed and released in the mid-1990s, is not as resistant. Attackers are constantly evolving their tactics to exploit caching and other performance features that modern nameservers require. BIND 9’s architecture allows far better resistance to known attacks and modification to meet new ones than BIND 8’s does.

Recent discoveries of inherent weaknesses in BIND 8’s cache handling in forwarders and random number generation in query IDs cannot be patched reliably or configured around. The workarounds available are “turn off DNS service” or “upgrade to BIND 9”. We’re choosing to admit this to our users and support migration to BIND 9.

Even so, as discussed in Klein’s paper, BIND 9 is not entirely safe from similar (theoretical) attacks against its algorithm.

“While not a feasible attack as-is, the existence of such attack and the potential for it to be later improved with further research makes BIND 9 insecure as well,” Klein warned.
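The weakness at the heart of this story is a query ID that an observer can predict from the IDs that came before it. As an added example (not code from the post, from ISC, or from Klein’s paper), the following audit lets a resolver operator feed in query IDs captured from their own server’s outbound queries and get a warning when the next ID is predictable from the previous one. The two checks, their thresholds, and the two constructed sample generators are assumptions chosen for illustration.

```python
import os
from collections import Counter

ID_SPACE = 1 << 16  # DNS query IDs are 16-bit values


def stride_predictability(ids):
    """Fraction of transitions that use the single most common step (mod 2^16).
    A counter or fixed-stride generator scores near 1.0; a uniform source stays
    near 1/65536 once there are a few thousand samples."""
    steps = [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]
    if not steps:
        return 0.0
    _, count = Counter(steps).most_common(1)[0]
    return count / len(steps)


def nearby_fraction(ids, window=256):
    """Fraction of transitions where the next ID lands within +/-window of the
    previous one. For a uniform 16-bit source this is about (2*window+1)/65536,
    roughly 0.8% at window=256; a small-increment generator scores near 1.0."""
    hits = sum(
        1 for a, b in zip(ids, ids[1:])
        if min((b - a) % ID_SPACE, (a - b) % ID_SPACE) <= window
    )
    return hits / max(len(ids) - 1, 1)


def assess_txids(ids, stride_limit=0.05, nearby_limit=0.05):
    """Return (is_weak, report). The limits are assumptions set well above what a
    uniform generator produces, so they flag only clearly structured sequences."""
    stride = stride_predictability(ids)
    nearby = nearby_fraction(ids)
    weak = stride > stride_limit or nearby > nearby_limit
    return weak, {"samples": len(ids), "stride": round(stride, 4), "nearby": round(nearby, 4)}


# Constructed sample generators for the demo (not BIND's code): a stride-7
# counter standing in for a weak generator, and os.urandom as a strong one.
def weak_ids(n, start=0x1234, stride=7):
    return [(start + i * stride) % ID_SPACE for i in range(n)]


def strong_ids(n):
    return [int.from_bytes(os.urandom(2), "big") for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("stride-7 counter", weak_ids(2000)), ("os.urandom", strong_ids(2000))):
        is_weak, report = assess_txids(sample)
        print(f"{label}: {'WEAK' if is_weak else 'ok'} {report}")
```

A generator that passes both checks is not thereby proven strong; the checks only rule out the simplest predictable patterns, which is why ISC’s advice is to upgrade rather than to tune BIND 8.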

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.