Posted on November 20, 2021 at 8:35 AM
Security researchers have discovered a new vulnerability in the DNS system that leaves providers at risk of network attacks.
According to researchers at the University of California, Riverside, the threat actors that exploit the bug can potentially have access to the connection in the nameserver and the DNS resolver. This allowed them to alter the IP addresses linked to different web domains.
The vulnerability has been designated as CVE-2021-20322, and the research was presented at the ACM Conference in South Korea.
The Vulnerability Affects Linux Kernels And DNS Software
Researchers at the University of California Zhiyun Qian, Keyu Man, and Xin’an Zhou said the threat actors can become the man-in-the-middle attacker after redirecting traffic to their server. This will allow them to eavesdrop and tamper with the communications sent over to the original server.
The latest vulnerability has an impact on popular DNS software such as dnsmasq, Unbound, and BIND running on top of Linux. It also affects Linux kernels. However, the flaw does not affect DNS software that runs on operating systems Windows or FreeBSD.
DNS cache poisoning is a method where the DNS resolver’s cache receives the corrupt data, allowing the DNS queries to return an incorrect response for a trusted domain. As a result. The users are sent to the wrong address containing malicious data.
The attack was initially known as the Kaminsky attack, named after Dan Kaminsky, the researchers that discovered it in 2008.
SAD DNS relies on ICMP “port unreachable” message to determine which internal port is used. It is used for routing error and diagnostic responses in an IP network, with its rate-limiting feature providing a method for restricting the amount of bandwidth used.
Generally, a typical attack involves the threat actor sending several spoofed UDP probes that contain the victim’s forged source address. These can be noticeable enough to set up the rate timing, using the method to guess the transaction ID and narrow down the open ports.
In the previous attack methods, the threat actor uses UDP probes to find out whether a UDP port is open or closed. However, this recently discovered DNS cache poisoning attack explores the side channel directly via ICMP redirect packets or ICMP frag.
The Attack Does Not Require Feedback From An ICMP
The researchers also noted that a threat actor does not need to depend on the feedback from an ICMP probe to carry on with their threats. Even when the ICMP probe’s processing remains silent, the attack could still be possible as long as there is some shared resource.
The current research builds on the earlier attacks that they discovered and called “SADDNS.” It demonstrates that the rate limit on the UDP system could be utilized for inferring the port for nameserver connections.
Also, the main point is the fact that a shared resource can be used to deliver spoofed probes and determine which ephemeral port is utilized. Sadly, it’s not clear how many more of those side channels are still active in the network stack.
Some Mitigating Techniques Are Available
The main goal of the attack is to utilize the small number of slots in the global exception cache to find out whether there was an update after the batch of ICMP probes.
The researchers provided some mitigation techniques that can be used to prevent the attacks. These include setting the socket option IP-PMTUDISC_OMIT, redirecting the ICMP redirect message, or randomizing the caching structure. The first strategy directs the operating system to reject the ICMP frag messages.
The researchers added that DNS is one of the oldest and fundamental protocols on the internet that still supports many services and network applications. However, it was designed without placing more emphasis on security, which makes it vulnerable to certain types of attacks. One of the major forms of attacks it suffers is the very common DNS cache poisoning attacks, according to the researchers.
Additionally, the researchers noted that retrofitting strong security features has proven to be very difficult over the years.
The new SAD DNS cache poisoning attack leaves about 38% of the domain name servers vulnerable. This allows threat actors to easily redirect traffic that was initially meant for legitimate websites. Once the traffic is redirected to servers under their control, they can inject malicious DNS records into a DNS cache, the researchers noted.