
About DNS again


I have got a couple of messages stating that I am wrong and that the
resolver vulnerability sent to the list by Oliver Friedrichs (oliver secnet com)
is a new one. Our discussion with Oliver outlined that even though it is
possible that this vulnerability was discussed during BOFs at conferences
such as LISA, SANS and NETSEC, neither a summary was ever made public nor a
detailed description of the attack ever given.

The SNI Security Advisory posted to linux-security provided not only a really
good summary with an explanation of attacks targeting the resolver but also
provided a detailed description of them.

I apologise for blindly assuming that readers of the mailing list were
aware of these problems.

The following is an extract from the follow-up message sent by Oliver
Friedrichs <oliver secnet com> (used with permission):

> The argument that I make (and the argument explaining the reason why we
> assumed it was new), is that Paul Vixie himself was not aware of this
> problem until we notified him.  This is not to mention that CERT was not
> aware of the problem either.  The other interesting fact is that the BIND
> resolver, up until the latest official release (and beta releases), has
> been vulnerable to this attack.  The fix apparently being made by fluke,
> after incorporating IPv6 support.
> I have also never seen any other reference to this anywhere else (yes
> there has been a lot of talk about h_name problems in various places,
> causing string buffer overflows, yet not the h_length problem).
> I also feel it is important to point out that this bug, whether new or old,
> has not been addressed. Even if the bug was discussed at SANS or elsewhere
> it does not change the fact that it is a very serious, very immediate
> threat, affecting everything from personal workstations to corporate
> firewalls.  Discussing it, e-mailing about it, or any other type of
> communication in limited forums will end with the bug still being a
> problem. With this in mind, we released the advisory.

