Security-Alerts mailing list archive (email@example.com)
[security-alerts] FYI: Some Firewall Software Undoes DNS Patch Port Randomizing
-Some Firewall Software Undoes DNS Patch Port Randomizing (August 4, 2008)
Firewall vendors are "scrambling" to update their products to address a problem
in the software that undoes the source port randomization component of the
recently released DNS patches. The problem lies with some firewalls that do IP
address translation. The DNS patches have reportedly been causing some other
minor problems - particularly slowing down traffic on some servers.
[Editor's Note (Skoudis): This one could get ugly, folks. Widely available
tools exploit this flaw to trick software update features into installing
malware, and surely the bad guys have many other equally nasty tricks up their
sleeves. And, tomorrow (August 6), Dan Kaminsky will deliver his full
presentation, which will likely provide insights into optimizing the attack
even further. Patch your DNS servers... and push your firewall vendors on this
too. If your firewall unrandomizes the source port, someone can still poison
the DNS server behind the firewall. Ironically, such a firewall is actually
weakening security here, exposing your whole network to attack.
(Guest Editor and Internet Storm Center Handler Donald Smith): Actually it is
the PAT, Port Address Translation, function that is causing this issue. That
is often used in conjunction with NAT, Network Address Translation, but then
it should be called NAT/PAT. The functions are separate logical functions even
if used together in most NAT/PAT implementations.
- From http://isc.sans.org/diary.html?storyid=4687
"The patch will impact your server performance. Test carefully before patching
a very busy server. Internet Storm Center (isc.org) mentions 10,000 queries/sec
as a problem."
- From http://isc.sans.org/diary.html?storyid=4777
"Home firewall NAT devices are also proving to be vulnerable as many don't seem
to randomize the source port."
- From http://isc.sans.org/diary.html?storyid=4780
Conclusion: So is this bad? Yes, it is, unless your DNS clients, name-servers
and the name-servers you forward to are up-to-date on patches, and your NAT
devices (routers, firewalls, etc.) in between do not randomize source ports.]
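As an added example (not part of the list message or the ISC diaries), here is a Python check a defender can run over tcpdump output captured on the outside of a NAT/PAT device to see whether the source ports of outbound DNS queries are still randomized after translation. The capture lines, host addresses and classification thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: tcpdump-style lines as captured on the OUTSIDE of a
# NAT/PAT device, one outbound DNS query each. Hosts and ports are made up.
TCPDUMP_LINES = """\
12:00:01.000101 IP 203.0.113.5.1024 > 198.51.100.2.53: 1+ A? example.com. (29)
12:00:01.000202 IP 203.0.113.5.1025 > 198.51.100.2.53: 2+ A? example.net. (29)
12:00:01.000303 IP 203.0.113.5.1026 > 198.51.100.2.53: 3+ A? example.org. (29)
12:00:01.000404 IP 203.0.113.5.1027 > 198.51.100.2.53: 4+ AAAA? example.com. (29)
12:00:01.000505 IP 203.0.113.5.1028 > 198.51.100.2.53: 5+ A? example.edu. (29)
12:00:01.000606 IP 203.0.113.5.1029 > 198.51.100.2.53: 6+ A? example.com. (29)
"""

QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: ")

def source_ports(capture_text):
    """Return the source port of every outbound DNS query (to port 53) in the capture."""
    return [int(m.group(1)) for m in QUERY_RE.finditer(capture_text)]

def assess_ports(ports):
    """Classify how the PAT device is allocating source ports for DNS queries.
    Returns (verdict, detail); verdict is 'fixed', 'sequential', 'randomized' or 'weak'."""
    n = len(ports)
    if n < 4:
        raise ValueError("need at least four observed queries")
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed", {"port": ports[0]}
    # Consecutive differences: a PAT handing out ports in order gives small,
    # repeating steps; a randomizing one gives large, varying jumps.
    steps = [b - a for a, b in zip(ports, ports[1:])]
    step, count = Counter(steps).most_common(1)[0]
    repeat_fraction = count / len(steps)
    spread = max(ports) - min(ports)
    detail = {"distinct": distinct, "common_step": step,
              "repeat_fraction": round(repeat_fraction, 2), "spread": spread}
    # Thresholds are a judgement call for this example, not a standard.
    if repeat_fraction >= 0.5 and abs(step) <= 16:
        return "sequential", detail
    if distinct == n and spread >= 16384:
        return "randomized", detail
    return "weak", detail

if __name__ == "__main__":
    verdict, detail = assess_ports(source_ports(TCPDUMP_LINES))
    print(verdict, detail)
```

Capture on the WAN side of the device with tcpdump and feed the text to `source_ports`; a "fixed" or "sequential" verdict means the device is undoing the patch's randomization for the resolver behind it.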