SA26 : DNS Cache Poisoning Vulnerability (CERT VU#800113)
1157
03 March 2020
14 July 2008
CLOSED
LOW
SUMMARY
Multiple DNS implementations are vulnerable to a spoofing attack as described in CERT vulnerability note VU#800113 and the associated references. The vulnerability allows an attacker to send spoofed DNS replies and have them accepted by the DNS resolver, which gives the attacker control over name-to-address resolution for every client that relies on that resolver.
Blue Coat Systems products are affected as listed below.
ISSUES
Successful attacks require the attacker to send a stream of spoofed DNS responses to the attacked device, racing the genuine answer and guessing the values the resolver uses to match a reply to its outstanding query. In many cases this ability can be limited by network configuration. For example, configuring the device to resolve names by consulting a name server that is not vulnerable reduces attack exposure significantly: the device then accepts answers only from that server, so the attacker would have to spoof packets that appear to come from the configured nameserver, which may require access to the internal network and is further hindered where the perimeter drops external packets carrying internal source addresses.
In addition, some products use DNS in ways that mitigate the effects of DNS response spoofing. These are noted in the sections for the individual products below.
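As an added worked example, not part of the Blue Coat advisory, the Python below models the reply-matching check that the spoofing attack races against: a resolver that matches a UDP reply only on the 16-bit transaction ID and a fixed source port is beaten by a stream of 65536 forged replies, whereas randomizing the source port multiplies the space an off-path attacker must guess, and a reply that does not claim the configured upstream's address is rejected outright. The upstream address, query name, port range and the assumption that the forged stream arrives before the genuine answer are all constructed for the simulation.

```python
"""Added example, not part of the Blue Coat advisory: a toy model of the
reply-matching check that VU#800113 / CVE-2008-1447 attacks. Addresses,
names and port ranges are assumptions for the simulation."""

import random
from dataclasses import dataclass

UPSTREAM = "192.0.2.53"               # assumed configured upstream nameserver (RFC 5737 range)
EPHEMERAL_PORTS = range(1024, 65536)  # assumed source-port pool of a randomizing resolver
TXID_SPACE = 1 << 16                  # the DNS ID field is 16 bits


@dataclass(frozen=True)
class PendingQuery:
    qname: str
    txid: int        # DNS transaction ID the query carried
    sport: int       # UDP source port the query left from
    server_ip: str   # nameserver the query was sent to


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dport: int       # UDP port the reply is addressed to
    src_ip: str      # source address the reply claims


def accept_reply(pending: PendingQuery, reply: Reply) -> bool:
    """Fields a resolver checks before trusting a UDP reply. An off-path
    attacker can set all of them freely, so every one it cannot know is a
    value it has to guess."""
    return (reply.src_ip == pending.server_ip
            and reply.dport == pending.sport
            and reply.txid == pending.txid
            and reply.qname == pending.qname)


def issue_query(qname: str, server_ip: str, randomize_port: bool,
                rng: random.Random) -> PendingQuery:
    """A resolver sending one query; the vulnerable configuration reuses a
    single predictable source port (53 here) for every query."""
    sport = rng.choice(EPHEMERAL_PORTS) if randomize_port else 53
    return PendingQuery(qname, rng.randrange(TXID_SPACE), sport, server_ip)


def guess_space(randomize_port: bool) -> int:
    """Number of (transaction ID, port) pairs a blind spoofer has to cover."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def spoof_stream(pending: PendingQuery, guessed_port: int, src_ip: str) -> bool:
    """The attacker's stream: one forged reply per possible transaction ID,
    all aimed at one guessed destination port and claiming src_ip. Returns
    True if the resolver would accept any of them (the model assumes the
    stream arrives before the genuine answer)."""
    for txid in range(TXID_SPACE):
        forged = Reply(pending.qname, txid, guessed_port, src_ip)
        if accept_reply(pending, forged):
            return True
    return False


def poison_rate(randomize_port: bool, trials: int, seed: int = 1) -> float:
    """Fraction of queries poisoned by an attacker who knows the query name
    and the upstream address, guesses port 53 against the fixed-port
    resolver and one random ephemeral port against the randomizing one."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        pending = issue_query("www.example.com.", UPSTREAM, randomize_port, rng)
        guessed_port = rng.choice(EPHEMERAL_PORTS) if randomize_port else 53
        wins += spoof_stream(pending, guessed_port, UPSTREAM)
    return wins / trials


if __name__ == "__main__":
    print("guess space, fixed port:      ", guess_space(False))
    print("guess space, random port:     ", guess_space(True))
    print("poisoned, fixed port:         ", poison_rate(False, 5))
    print("poisoned, randomized port:    ", poison_rate(True, 5))
    # An attacker who cannot source packets as the configured upstream
    # (the mitigation described above) fails the first check regardless.
    q = PendingQuery("www.example.com.", 4242, 53, UPSTREAM)
    print("wrong source address accepted:",
          accept_reply(q, Reply(q.qname, q.txid, q.sport, "203.0.113.9")))
```

The model deliberately ignores the additional details of the Kaminsky technique and lets the attacker's stream always win the race, so it shows a ceiling on the attacker's success, not a measured rate for any product; the point it makes is that the per-query cost of a blind spoof is set by the number of unpredictable fields in the match, which is exactly what configuring a non-vulnerable upstream (unknown or unspoofable source address) and source-port randomization add.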
REFERENCES
Note that details of the attack discovered by Dan Kaminsky have not been released, and therefore it is difficult to assess the actual risk for a particular product. Note also that the vulnerability assessment tool at www.doxpara.com reports on the DNS resolver whose queries actually reach the Internet. If a Blue Coat Systems product is configured to resolve via another DNS server, the tool assesses that server's vulnerability, not the behaviour of the product's own resolver.
For more details and advice please see section III of the CERT note VU#800113 (https://www.kb.cert.org/vuls/id/800113)
Additional Information
https://www.kb.cert.org/vuls/id/800113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.us-cert.gov/cas/techalerts/TA08-190B.html