Hi JJZolx and MickeyG, Thanks for your input.
Andyg, as you are probably aware, MS update KB951748 fixed a huge DNS security flaw. The flaw was nothing new, and apparently was well known in the security community. To outline the flaw:

"Microsoft DNS server generates predictable DNS transaction IDs. If the server is configured to allow recursive queries it is possible to insert fake records in the DNS cache (DNS cache poisoning) by guessing the next transaction ID that the server will use and sending a spoofed DNS reply to the server.
Alla Bezroutchko, Predictable DNS transaction IDs in Microsoft DNS Server, May 2007

By observing these values of DNS queries over a period of time, the following patterns were noted: The DNS transaction ID always begins at 1 and is incremented by 1 for each subsequent DNS query; and the UDP source port of the query, which becomes the UDP destination port of the response, remains static for the entirety of a session from startup to shutdown.
Ian Green, reporting on research he did in 2005 for GSEC. (See recent ISC Diary Entry)

Notice how all of those are similar? Each one has a common thread: transaction IDs are predictable. Now, look at the CERT advisory from July 8, 2008.

The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations.

Reading all of the documentation that CERT provides, even they tell you that this issue has been around for a while now and is well known to the security community. CERT has some suggestions to help with the DNS issue. The best one is the simple one: if your vendor has a patch for BIND, apply it. Microsoft released theirs yesterday (MS08-037). So who offers vulnerable DNS? CERT has a running list; most of them are unknown, but the confirmed vulnerable vendors are Cisco, ISC, Juniper Networks, Microsoft, Nominum, Red Hat, and Sun Microsystems. OK, with Cisco and Microsoft in the list you have a good deal of potentially vulnerable networks; add the others, and the numbers will only increase. However, does this mean the world will end now? No, all this means is that network engineers and administrators get to come in overnight and apply patches. Each of the vendors confirmed to be vulnerable to the issue, all seven of them, released patches at the same time."

The flaw, however, was not my point in posting my findings to you. I take it that the SC code uses API calls directly through Winsock to resolve names, using ephemeral port range 1024-5000 with the old strategy (the incrementing and predictable one). Knowing that this method is flawed, surely you could act and try to tighten SC BEFORE MS do something about it? I think MS, Cisco et al. were very worried about the DNS cache poisoning potential, therefore they worked together to release a fix on the same day. MS's fix even works with or WITHOUT the DNS Client component running, which tells you how serious MS were about acting on it.

However, like you said, surely this is an OS problem then? Well, yes, I think it is. However, your first priority as a developer (and that of other Internet software developers) should be SECURITY! If SqueezeCenter is not able to maintain its name resolver, maybe you could use the Windows API gethostbyname(). At least then we know not only that the right ephemeral port range is used but that the DNS transaction ID entropy is improved also (safer).

Please take this post in the way it is intended. I am only trying to post my findings to you, and hopefully they are of some use. Many (most?) third-party developers, I presume, will be facing the same issue.

Thanks.

--
Ron1
------------------------------------------------------------------------
Ron1's Profile: http://forums.slimdevices.com/member.php?userid=11607
View this thread: http://forums.slimdevices.com/showthread.php?t=51705
_______________________________________________ discuss mailing list [email protected] http://lists.slimdevices.com/lists/listinfo/discuss
