Multiple DNS implementations are vulnerable to a spoofing attack as described in the above vulnerability note and associated references. The vulnerability allows an attacker to send spoofed DNS replies and have them accepted by the DNS resolver, which can give the attacker control over the DNS name-to-address resolution process.
Blue Coat Systems products are affected as listed below.
Successful attacks require the attacker to send a stream of spoofed DNS responses to the attacked device. In many cases this ability can be limited by network configuration. For example, configuring the device to resolve names by consulting a name server that is not vulnerable can reduce attack exposure significantly. In this configuration, the attacker would have to spoof packets from the configured nameserver, which may require the attacker to have access to the internal network.
In addition, some products use DNS in ways that mitigate the effects of DNS response spoofing. These are noted in the sections for the individual products below.
Note that details of the attack discovered by Dan Kaminsky have not been released and therefore it is difficult to assess the actual risk for a particular product.
Note also that the vulnerability assessment tool at www.doxpara.com reports on whichever DNS client actually sends the queries over the Internet.
If a Blue Coat Systems product is configured to resolve via another DNS server, the tool will assess that server's vulnerability, not the Blue Coat product's.
For more details and advice please see section III of the CERT note.
ProxySG: Source port and/or transaction ID is predictable.
Fixed in: 220.127.116.11, 18.104.22.168
Director: Source port and/or transaction ID is predictable.
Will be fixed in: 22.214.171.124, 126.96.36.199
ProxyAV: Does not implement the recommended countermeasures, but uses DNS only to resolve names for updates. Downloading of updates is protected by SSL (unless disabled), preventing attacks based on spoofed DNS responses (other than denial
ProxyRA: Source port and/or transaction ID is predictable.
Will be fixed in: 188.8.131.52
PacketShaper: Source port and/or transaction ID is predictable.
Will be fixed in: 8.3.2, 8.4.0
iShaper: Source port and/or transaction ID is predictable.
Will be fixed in: 8.3.2 (in-line plane)
SkyX Gateway (when Prefetch Server facility enabled): Source port and/or transaction ID is predictable. Will be fixed in: 7.0.5
ProxyClient: relies on host platform for DNS resolution
Reporter: relies on host platform for DNS resolution
Mobility: relies on host platform for DNS resolution
iShared: versions 3.2.3, 3.4, 3.6 and 3.7
K9 Web Protection: relies on host platform for DNS resolution
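The per-product findings above all reduce to one question: how much of the (source port, transaction ID) pair an attacker has to guess to get a spoofed response accepted. The following script is an added example, not Blue Coat or CERT code, that classifies a capture of a resolver's outgoing queries and estimates the guessing work. It assumes a 16-bit transaction ID, a 64512-entry ephemeral port range (1024-65535) for a port that looks randomized, and a "race" model in which the attacker sends a burst of spoofed responses per outstanding query and can trigger new queries at will; the sample observations are constructed, not captured from any product.

```python
"""Classify observed DNS query (source port, TXID) pairs and estimate how many
spoofed responses an attacker must send to win the race.

Added example; not code from the vendor statement or the CERT note.
"""
import math

# Assumed field sizes: a 16-bit TXID and the ephemeral port range 1024-65535.
TXID_SPACE = 65536
EPHEMERAL_PORTS = 65535 - 1024 + 1


def classify(values):
    """Classify a sequence of 16-bit field values seen in consecutive queries.

    'fixed'          one value reused for every query
    'sequential'     constant small increment (mod 2^16), so the next value is known
    'random-looking' anything else (with a small sample this is only a heuristic)
    """
    if not values:
        raise ValueError("need at least one observation")
    if len(set(values)) == 1:
        return "fixed"
    steps = {(b - a) % 65536 for a, b in zip(values, values[1:])}
    if len(steps) == 1 and steps.pop() <= 2:
        return "sequential"
    return "random-looking"


def assess(observations):
    """Return the per-field classification and the number of (port, TXID)
    combinations an attacker has to cover. A fixed or sequential field costs
    the attacker nothing, because its next value is predictable."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_class, txid_class = classify(ports), classify(txids)
    port_space = EPHEMERAL_PORTS if port_class == "random-looking" else 1
    txid_space = TXID_SPACE if txid_class == "random-looking" else 1
    return {"port": port_class, "txid": txid_class,
            "combinations": port_space * txid_space}


def expected_races(combinations, spoofs_per_race):
    """Races (forced queries) the attacker expects to need when each race is a
    burst of spoofs_per_race distinct guesses against one outstanding query."""
    return max(1, math.ceil(combinations / spoofs_per_race))


# Constructed samples, not captured from any product.
# 1. Fixed source port and incrementing TXID: fully predictable.
PREDICTABLE = [(32768, 0x1234 + i) for i in range(8)]
# 2. Fixed source port, random TXID: the classic pre-2008 state of many resolvers.
FIXED_PORT = [(32768, t) for t in (0x9f3c, 0x1111, 0x0a5e, 0xe4d2,
                                   0x7777, 0x2b0f, 0xd101, 0x4c9a)]
# 3. Randomized source port and TXID: the recommended countermeasure.
HARDENED = [(51234, 0x9f3c), (2049, 0x1111), (61007, 0x0a5e), (33021, 0xe4d2),
            (7780, 0x7777), (45920, 0x2b0f), (19355, 0xd101), (58402, 0x4c9a)]

if __name__ == "__main__":
    for name, sample in (("predictable", PREDICTABLE),
                         ("fixed port", FIXED_PORT),
                         ("hardened", HARDENED)):
        r = assess(sample)
        print(f"{name:12s} port={r['port']:14s} txid={r['txid']:14s} "
              f"combinations={r['combinations']:>10d} "
              f"races@1000/burst={expected_races(r['combinations'], 1000)}")
```

Read the output as an order-of-magnitude comparison, not a precise risk score: the fixed-port case leaves only the 16-bit TXID to guess, which is within reach of a sustained stream of spoofed responses, while randomizing the port multiplies the space by roughly 2^16 so the same stream needs tens of thousands of times more races. An upstream resolver that is not itself vulnerable, as suggested above, moves the race onto a path the attacker must also be able to spoof.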