DNS CACHE POISONING VULNERABILITY (CERT VU#800113)

Advisory Date

July 14, 2008

Advisory Severity

Unclear

Details

Description:
Multiple DNS implementations are vulnerable to a cache poisoning attack, described in the vulnerability note referenced above and its associated references. Because an affected resolver sends its queries from a predictable UDP source port and/or with a predictable transaction ID, an off-path attacker can forge DNS replies that the resolver accepts, which gives the attacker control over name-to-address resolution for the poisoned names.

Blue Coat Systems products are affected as listed below.

Mitigating factors:
A successful attack requires the attacker to send a stream of spoofed DNS responses to the attacked device. In many deployments, network configuration limits this ability. For example, configuring the device to resolve names through a name server that is not vulnerable reduces exposure significantly: the attacker would then have to spoof responses from that configured name server, which may require access to the internal network. Note that the device still trusts whatever that name server returns, so this moves the exposure to the forwarder rather than removing it; the forwarder itself must be patched.

In addition, some products use DNS in ways that mitigate the effects of DNS response spoofing. These are noted in the sections for the individual products below.

Notes:
As of this advisory, details of the attack discovered by Dan Kaminsky have not been released, so the actual risk to a particular product is difficult to assess.

Note also that the vulnerability assessment tool at www.doxpara.com reports on whichever DNS client actually sends the queries over the Internet.

If a Blue Coat Systems product is configured to resolve via another DNS server, the tool assesses that server, not the product.

For more details and advice please see section III of the CERT note
VU#800113 (http://www.kb.cert.org/vuls/id/800113)
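The following model is an added example and is not Blue Coat code, nor the doxpara tool; it illustrates the two points above: why a predictable source port and transaction ID make the spoofing race practical, and what a tester infers from the queries it receives from the client that actually sends them. The resolver classes, the 1024..65535 port range, the 10,000 forged replies per window and the observed-query counts are assumptions of the model, not measurements of any product.

```python
"""
Model of the CVE-2008-1447 guessing race: added example, not Blue Coat code.

A resolver accepts a reply only if it arrives on the UDP source port the
query left from and carries the query's 16-bit transaction ID.  The two
resolver classes below are simplified models (assumptions, not any product's
code): one with the weak pattern the advisory lists for the affected
products (fixed port, counter ID), one with the countermeasure (random port
and ID).  guess_space() infers, from queries an attacker has already seen,
how many (port, ID) pairs must be covered for the next query; this is the
same kind of inference a public resolver-testing service makes from the
queries that reach it.
"""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                # 16-bit transaction ID
EPHEMERAL_PORTS = 65536 - 1024      # 1024..65535, the range the randomizing model uses


@dataclass(frozen=True)
class Query:
    port: int   # UDP source port the query was sent from
    txid: int   # DNS transaction ID


class PredictableResolver:
    """Fixed source port, transaction ID incremented per query (weak pattern)."""

    def __init__(self, port=53, first_txid=1000):
        self.port = port
        self.next_txid = first_txid

    def send(self):
        query = Query(self.port, self.next_txid % TXID_SPACE)
        self.next_txid += 1
        return query


class RandomizedResolver:
    """Random ephemeral source port and random transaction ID (countermeasure)."""

    def __init__(self, rng):
        self.rng = rng

    def send(self):
        return Query(self.rng.randrange(1024, 65536), self.rng.randrange(TXID_SPACE))


def randomized_resolver(seed=7):
    """Reproducible instance of the randomizing model (seed is arbitrary)."""
    return RandomizedResolver(random.Random(seed))


def observe(resolver, count):
    """Queries the attacker has seen, e.g. by making the resolver look up names
    in a zone the attacker serves (a tester service sees the same thing)."""
    return [resolver.send() for _ in range(count)]


def reply_accepted(outstanding, port, txid):
    """Resolver-side check before a reply is used: port and ID must both match."""
    return outstanding.port == port and outstanding.txid == txid


def guess_space(observed):
    """Number of (port, txid) pairs the attacker must try for the next query."""
    if len(observed) < 2:
        raise ValueError("need at least two observed queries")
    ports = {q.port for q in observed}
    txids = [q.txid for q in observed]
    sequential = all((b - a) % TXID_SPACE == 1 for a, b in zip(txids, txids[1:]))
    port_space = 1 if len(ports) == 1 else EPHEMERAL_PORTS
    txid_space = 1 if sequential else TXID_SPACE
    return port_space * txid_space


def expected_windows(space, forged_per_window):
    """Query/response races the attacker needs on average when it can land
    forged_per_window distinct guesses before the genuine answer arrives."""
    success_per_window = min(1.0, forged_per_window / space)
    return 1.0 / success_per_window


def one_shot_prediction(resolver):
    """Attacker watches one query, predicts the next (same port, ID + 1), and
    forges a single reply.  True if the resolver would accept it."""
    seen = resolver.send()
    outstanding = resolver.send()
    return reply_accepted(outstanding, seen.port, (seen.txid + 1) % TXID_SPACE)


if __name__ == "__main__":
    for name, make in (("predictable", PredictableResolver), ("randomized", randomized_resolver)):
        space = guess_space(observe(make(), 8))
        print(f"{name:12s} guess space {space:>13,d}  "
              f"windows at 10k forged replies/window {expected_windows(space, 10_000):,.0f}  "
              f"one-shot spoof accepted: {one_shot_prediction(make())}")
```

Against the fixed-port, counter-ID model the attacker needs exactly one forged reply; against the randomizing model the space is about 2^32 pairs, and at ten thousand forged replies per window the model needs on the order of four hundred thousand races. The practical check the tool performs is the `guess_space` step: look at several queries from the client that really sends them and see whether the ports vary and the IDs are non-sequential.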

Affected Products:
ProxySG: Source port and/or transaction ID is predictable.
Fixed in: 4.2.8.6, 5.2.4.3

Director: Source port and/or transaction ID is predictable.
Will be fixed in: 4.2.2.4, 5.2.2.5

ProxyAV: Does not implement the recommended countermeasures, but uses DNS only to resolve names for updates. Downloading of updates is protected by SSL (unless SSL has been disabled), which reduces a spoofed DNS response to a denial of service: the update is not retrieved, but no attacker-supplied content is accepted.

ProxyRA: Source port and/or transaction ID is predictable.
Will be fixed in: 2.3.2.1

PacketShaper: Source port and/or transaction ID is predictable.
Will be fixed in: 8.3.2, 8.4.0

iShaper: Source port and/or transaction ID is predictable.
Will be fixed in: 8.3.2 (in-line plane)

SkyX Gateway (when the Prefetch Server facility is enabled): Source port and/or transaction ID is predictable.
Will be fixed in: 7.0.5

Unaffected Products:
ProxyClient: relies on host platform for DNS resolution
Reporter: relies on host platform for DNS resolution
Mobility: relies on host platform for DNS resolution
iShared: versions 3.2.3, 3.4, 3.6 and 3.7
K9 Web Protection: relies on host platform for DNS resolution

Additional Information
http://www.kb.cert.org/vuls/id/800113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.us-cert.gov/cas/techalerts/TA08-190B.html

Advisory Publish Time: 
11/13/2008 - 09:49