DNS software flaw puts Net-connected systems at risk

A flaw in software that supports the Internet's DNS (Domain Name System) for translating text-based Web addresses to numeric IP (Internet Protocol) addresses can put Internet-connected systems at risk, experts warned.

The flaw lies in two versions of the DNS resolver library, which is not only used in DNS servers, but also in network hardware such as routers and switches, said Joost Pol, a security consultant at Pine Internet BV in The Hague, Netherlands, on Monday.

"This code was written a long time ago and distributed for free, it is widespread," said Pol, who wrote the first alert on the issue last week. "This is essential software that runs on the client and on the server."

Affected are the Berkeley Internet Name Domain (BIND) DNS resolver library, developed by the Internet Software Consortium, and the Berkeley Software Distribution (BSD) DNS resolver library, according to an advisory released on Friday by the U.S.-based Computer Emergency Response Team Coordination Center (CERT/CC).

A buffer overflow vulnerability in the libraries could allow a remote attacker to take over systems using the affected software by sending a malformed DNS response, according to CERT/CC. After a successful attack on a router, for example, an attacker could tap or divert traffic, said Pol.

Administrators should immediately check if their systems use any of the vulnerable DNS resolver libraries and, if so, upgrade those, Pol said, adding that this is not a simple job.

"This is living hell for an administrator," he said.

It is not just a question of checking which systems are vulnerable -- including server operating systems, DNS servers, e-mail servers, switches and routers -- and then simply applying a patch. The vulnerable library could be embedded in an application, which means an administrator has to recompile the application, said Pol.

Only if applications dynamically link to the DNS resolver library can the issue be solved by just updating the library, said Pol.
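The triage Pol describes can be sketched as follows. This is an added example, not code from the article, Pine Internet or CERT/CC. It reads an ELF binary's program headers and `DT_NEEDED` entries to separate binaries that a library update can reach from those that need a rebuild. It assumes 64-bit little-endian ELF files, and the `RESOLVER_LIBS` name prefixes and the `needed_libs`/`triage` helpers are illustrative assumptions.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
# Assumption: shared objects that may carry resolver code on the platform being audited.
RESOLVER_LIBS = ("libc.", "libresolv.", "libbind.")

def needed_libs(elf):
    """DT_NEEDED names of an ELF64 little-endian image; None if it has no PT_DYNAMIC."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only 64-bit little-endian ELF is handled")
    phoff, = struct.unpack_from("<Q", elf, 0x20)              # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)   # e_phentsize, e_phnum
    loads, dyn = [], None
    for i in range(phnum):
        ptype, _, off, vaddr, _, fsz = struct.unpack_from(
            "<IIQQQQ", elf, phoff + i * phentsize)
        if ptype == PT_LOAD:
            loads.append((vaddr, off, fsz))
        elif ptype == PT_DYNAMIC:
            dyn = (off, fsz)
    if dyn is None:
        return None
    tags = []
    for pos in range(dyn[0], dyn[0] + dyn[1], 16):            # Elf64_Dyn is 16 bytes
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
    # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
    strva = next((v for t, v in tags if t == DT_STRTAB), None)
    base = next((o + strva - va for va, o, sz in loads
                 if strva is not None and va <= strva < va + sz), None)
    return [elf[base + v:elf.index(b"\0", base + v)].decode()
            for t, v in tags if t == DT_NEEDED and base is not None]

def triage(elf):
    libs = needed_libs(elf)
    if not libs:
        return "rebuild"         # static or no DT_NEEDED: resolver code is embedded
    if any(n.startswith(RESOLVER_LIBS) for n in libs):
        return "update-library"  # a patched shared library reaches this binary
    return "review"              # dynamic, but no known resolver library listed

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage(f.read()))
```

An "update-library" result is necessary but not sufficient: a dynamically linked program can still carry its own statically linked copy of the resolver, so vendor advisories remain the authority for embedded copies.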

A solution suggested by CERT/CC is shielding vulnerable systems by setting up an additional DNS server as a gatekeeper. This local caching DNS server will prevent malicious DNS responses from reaching systems using vulnerable DNS resolver libraries by reconstructing DNS responses, CERT/CC said.

Pol, however, feels DNS caching can only be a temporary solution.

"There will always be a point that the additional DNS server is switched off, for example when a new system administrator comes in," he said.

Products that use the vulnerable DNS resolver libraries include the various BSD operating systems and products from Cray Inc., Network Appliance Inc. and the Internet Software Consortium, according to a list compiled by CERT/CC.

Microsoft Corp. says it does not use the affected libraries in its software, according to the list, but Pol has his doubts.

"A lot of BSD code was used in Windows 2000, but if you believe Microsoft, you have no problem," he said.

No exploit script to take advantage of the DNS resolver library flaws is currently in public circulation, according to Pol and various advisories addressing the issue. But it won't be long until computer crackers come up with one, Pol warned. "I think work is being done on exploits right now."


Joris Evers

Computerworld