Newly discovered DNS vulnerabilities put millions of devices at risk

A recently discovered set of Domain Name System (DNS) vulnerabilities puts a wide range of home routers at risk, with millions of individual devices estimated to be affected. This new collection of vulnerabilities raises fresh questions about the inherent security of DNS, more than a decade after the infamous “Kaminsky Attack” threatened nearly every website on the Internet through a universal nameserver vulnerability.

Seven new DNS vulnerabilities collectively threaten millions of devices

As with the exploit Kaminsky discovered in 2008, the new DNS vulnerabilities use “cache poisoning” to redirect traffic from a legitimate URL to one controlled by an attacker. The attack targets router caches that store the numeric IP addresses linked to domain names: it intercepts the DNS query exchange between the router and the DNS server and feeds the router bogus IP addresses that appear legitimate. A compromised router then sends the victim to an IP address planted by the attacker after they type in a legitimate domain name.

The attack focuses on transaction ID numbers (TXIDs), the measure designed to protect these communications between the router and the upstream DNS server. This was the core of the Kaminsky Attack, which was “patched” through various measures, such as making 16-bit TXID numbers 32-bit to greatly increase the amount of time it would take for an attacker to determine them. The seven new attacks affect the widely used DNS forwarding software DNSMasq and have found new ways to bypass the measures implemented to improve the security of TXID numbers. Three are traditional cache poisoning attacks, while four are buffer overflows that could allow the attacker to take over the device.
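The two paragraphs above describe what a forwarder must check before it trusts an answer, and why the size of the identifier space matters. The following is an added example, not DNSMasq's code: a toy forwarder that keeps a table of outstanding queries keyed by transaction ID and source port, accepts an answer only when TXID, port and question all match, and counts everything else (a cheap poisoning-attempt signal worth alerting on). The helper at the end puts numbers on the 16-bit versus 32-bit identifier argument; all names, the cache model and the sample addresses are constructed for illustration.

```python
import os
import random
import struct
from dataclasses import dataclass, field

# Added example (not DNSMasq's code): a toy forwarder's pending-query table and
# the checks a resolver applies before it lets an answer into its cache. The
# names, the tiny cache model and the sample addresses are all constructed.


@dataclass
class PendingQuery:
    txid: int       # 16-bit transaction ID the forwarder chose for this query
    src_port: int   # randomised UDP source port the query went out on
    qname: str      # question name, e.g. "example.com."
    qtype: int      # 1 = A record


@dataclass
class ForwarderCache:
    pending: dict = field(default_factory=dict)  # (txid, port) -> PendingQuery
    cache: dict = field(default_factory=dict)    # qname -> cached answer
    rejected: int = 0                            # answers that failed a check

    def send_query(self, qname, qtype=1):
        """Register an outgoing query with a random TXID and a random source port."""
        txid = struct.unpack("!H", os.urandom(2))[0]            # 16 bits of entropy
        src_port = random.SystemRandom().randint(1024, 65535)   # roughly 16 more bits
        query = PendingQuery(txid, src_port, qname, qtype)
        self.pending[(txid, src_port)] = query
        return query

    def receive_response(self, txid, dst_port, qname, qtype, answer):
        """Accept an answer only if TXID, destination port and question all match
        an outstanding query; anything else is counted and dropped."""
        query = self.pending.get((txid, dst_port))
        if query is None or query.qname != qname or query.qtype != qtype:
            self.rejected += 1
            return False
        del self.pending[(txid, dst_port)]   # one answer per query: no replay
        self.cache[qname] = answer
        return True


def poison_probability(entropy_bits, forged_responses):
    """Chance that a flood of independently guessed forged answers hits the
    right identifiers at least once while a single query is outstanding."""
    p_single = 2.0 ** -entropy_bits
    return 1.0 - (1.0 - p_single) ** forged_responses


if __name__ == "__main__":
    fc = ForwarderCache()
    q = fc.send_query("example.com.")
    # A forged answer with the wrong TXID is dropped; the genuine one is cached.
    fc.receive_response((q.txid + 1) % 65536, q.src_port, "example.com.", 1, "203.0.113.5")
    fc.receive_response(q.txid, q.src_port, "example.com.", 1, "198.51.100.7")
    print("cached:", fc.cache, "rejected:", fc.rejected)
    for bits in (16, 32):
        print(f"{bits}-bit identifiers, 65536 forged answers: "
              f"{poison_probability(bits, 65536):.2e} chance of poisoning")
```

With 16 bits of entropy, 65,536 forged answers give roughly a 63% chance of one landing; with 32 bits the same flood lands about one time in 65,000, which is the whole point of the post-Kaminsky hardening. A real forwarder that sees its `rejected` counter climbing during normal operation is seeing exactly the traffic pattern this attack produces.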

One of the most worrying aspects of these new DNS vulnerabilities is that they can be exploited with a single machine controlled by an attacker on a LAN, subjecting all other devices on the network to these malicious redirects. For example, an attacker or compromised device connected to a hotel or coffee shop WiFi network using DNSMasq could direct everyone else on the network through the tainted DNS resolver.

Exploiting the new DNS vulnerabilities has some barriers to entry, but they are not particularly high. An attacker would need to control a registered domain and be able to send IP packets with spoofed source addresses. The researchers note that many legitimate Internet service providers do not restrict this ability, making it relatively easy to acquire.

The total number of devices potentially affected by these new vulnerabilities is staggering, easily in the millions. The researchers weren’t able to test every possibility, but they did identify a few specific devices that were vulnerable: various models of Cisco VPN routers and hundreds of routers running OpenWRT firmware.

Since DNSMasq is simply one of many options for software of this nature, and since DNS forwarding is primarily a speed and convenience feature that is not strictly necessary, switching to something else or even disabling DNSMasq entirely would appear to be a quick solution to the problem. However, this is particularly problematic for the average end user, for whom that ability is either beyond their control or too arcane a matter to handle without technical assistance. In work environments, disabling DNS forwarding can also cause things to break. Device testing found that Check Point and Netgear routers that ship with caching disabled were much less vulnerable to these attacks.
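Since the paragraph above singles out caching as the setting that separated the less-exposed routers from the rest, an administrator will want a quick way to confirm what a given dnsmasq configuration actually does. The script below is an added example, not part of the article or of the dnsmasq project: it audits a `dnsmasq.conf` text for the documented `cache-size` directive (default 150 names; `cache-size=0` turns caching off). It assumes that a later directive overrides an earlier one and that lines starting with `#` are comments; it does not follow `conf-file` or `conf-dir` includes. The two sample configurations are constructed.

```python
import re

# Added example (not dnsmasq's own tooling): audit a dnsmasq.conf for whether
# caching is in effect. It models only the documented cache-size directive
# (default 150 names; 0 disables caching) and assumes later directives
# override earlier ones and that lines starting with '#' are comments.
# Included files (conf-file / conf-dir) are not followed.

DEFAULT_CACHE_SIZE = 150
DIRECTIVE = re.compile(r"^cache-size\s*=\s*(\d+)\s*$")


def effective_cache_size(conf_text):
    """Return the cache size dnsmasq would use for this configuration text."""
    size = DEFAULT_CACHE_SIZE
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        match = DIRECTIVE.match(line)
        if match:
            size = int(match.group(1))    # last occurrence wins (assumption)
    return size


def audit_caching(conf_text):
    """Summarise the caching posture as (cache size in effect, caching enabled?)."""
    size = effective_cache_size(conf_text)
    return size, size > 0


# Constructed sample configs: a stock-looking one (caching on by default) and a
# hardened one where a commented-out value is ignored and cache-size=0 applies.
DEFAULT_CONF = "domain-needed\nbogus-priv\n"
HARDENED_CONF = "domain-needed\nbogus-priv\n# cache-size=1000\ncache-size=0\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        size, enabled = audit_caching(conf)
        print(f"{name}: cache-size={size}, caching {'enabled' if enabled else 'disabled'}")
```

Run it against the file the device actually loads (including anything pulled in through `conf-dir`, which this script deliberately leaves to the operator) before trusting the result; a config that never mentions `cache-size` is caching, not safe by omission.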

The risks of people being redirected to an attack site that distributes malware (via cache poisoning) or of having the device taken over directly (via buffer overflow) are serious enough, but there is an even higher hypothetical attack profile for these DNS vulnerabilities. The ability to silently funnel traffic to whatever IP address the attacker chooses could manifest itself as a massive distributed denial of service (DDoS) attack. Similarly, an attacker could cut a massive block of user IP addresses off from a vital or popular website for the purpose of ransoming it or simply causing massive chaos. These DNS vulnerabilities are also “wormable” in the sense that a mobile device that has picked up the DNS records of a compromised network could potentially infect any future network to which it connects.

DNS security issues woven into the fabric of the Internet

DNS has always been something of a time bomb since it was first implemented, with several outbreaks of security problems over the years in addition to the large one Kaminsky discovered in 2008. Any proposal to replace the system, such as the use of blockchain technology, is speculative at best at the moment. Some DNS vulnerabilities are built in at this point and cannot be fixed, so they have to be addressed with overlapping workarounds (and sometimes outright hacks): the shift to pseudo 32-bit TXID numbers, the adoption of protocols such as HTTPS and HSTS, and browser warnings about unexpected website responses, among them. While this new set of DNS vulnerabilities doesn’t threaten to break everything the way the 2008 incident did, DNSMasq is so widely used that all organizations should treat it as an emergency problem.

