Flaw in BIND 8 Weakens the DNS Software
The Internet Software Consortium is discouraging the use of Version 8 of the Berkeley Internet Name Domain (BIND) DNS software after discovering a serious flaw in it which, if exploited, could enable cache poisoning attacks.
The flaw, made public in a research paper by Amit Klein, CTO of the security vendor Trusteer Ltd., could allow an attacker to corrupt DNS caches if he is able to guess the IDs of DNS queries and provide answers to them.
BIND 8 is now nothing but a memory of coding practice and software architecture from the past, the consortium said in a warning. In today's Internet, BIND 8 is quite insecure. And years of workarounds and patching have confirmed that it will forever be so, the group said.
According to Infoblox's annual research in 2006, approximately 14% of DNS servers were still using BIND 8.
Despite its potential danger, BIND 8 continues to be a popular DNS server. Therefore, this type of attack targets a large number of Internet users, wrote Amit Klein in a research paper. PC World reported this on September 5, 2007.
Klein wrote that BIND 8 uses a weak algorithm to produce transaction IDs. These are random serial numbers that allow the server to determine whether someone is feeding it false information in answer to its queries. Because of this weakness, by observing some of the queries, it is possible to guess the transaction ID, Klein explained.
Equipped with that, an attacker could push incorrect information into the DNS server, thus poisoning the address stored in the server's memory for a particular domain. Then, when users of that DNS server send traffic to a certain website, it may be diverted to a different server hosting a fraudulent site. This deception is called 'pharming'.
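The check described above can be shown in code. The following Python is an added example, not taken from Klein's paper or from BIND: a resolver accepts a response only when its transaction ID matches the outstanding query, and names that draw repeated wrong-ID responses are flagged as possible ID guessing. The class and function names, the alert threshold and the sample events are assumptions constructed for illustration.

```python
import secrets
from collections import Counter


class PendingQueries:
    """Hypothetical resolver state: outstanding queries and wrong-ID counts."""

    def __init__(self, alert_threshold=3):
        self.pending = {}            # (qname, server) -> expected transaction ID
        self.mismatches = Counter()  # qname -> number of wrong-ID responses seen
        self.alert_threshold = alert_threshold

    def send(self, qname, server):
        # Draw the 16-bit ID from the OS CSPRNG so that earlier IDs
        # reveal nothing about the next one.
        txid = secrets.randbelow(1 << 16)
        self.pending[(qname, server)] = txid
        return txid

    def receive(self, qname, server, txid):
        """Classify one response as 'accepted', 'rejected' or 'unsolicited'."""
        key = (qname, server)
        if key not in self.pending:
            return "unsolicited"     # no matching query is outstanding
        if txid != self.pending[key]:
            self.mismatches[qname] += 1
            return "rejected"        # wrong ID: never cache this answer
        del self.pending[key]
        return "accepted"

    def suspected_targets(self):
        """Names with enough wrong-ID responses to suggest ID guessing."""
        return sorted(q for q, n in self.mismatches.items()
                      if n >= self.alert_threshold)


def demo():
    """Replay constructed responses: four wrong IDs, then the genuine one."""
    resolver = PendingQueries()
    name, server = "www.example.com", "192.0.2.53"   # constructed sample values
    good = resolver.send(name, server)
    wrong = [(name, server, (good + k) % 65536) for k in range(1, 5)]
    results = [resolver.receive(*e) for e in wrong + [(name, server, good)]]
    return results, resolver.suspected_targets()


if __name__ == "__main__":
    print(demo())
```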
Although a patch is available to fix the BIND 8 flaw, the Internet Software Consortium urges users to upgrade to Version 9.4, which they can download for free.
However, BIND 9.4 is also vulnerable to attacks even though it has a better transaction ID algorithm, Klein wrote.
» SPAMfighter News - 21-09-2007