Researchers at the University of California have unearthed security flaws in the DNS system that could leave vendors at risk of server attacks. 
Attackers can abuse the vulnerability by intercepting the connection between the DNS resolver and the nameserver, allowing them to change the server IP addresses linked to several web domains, researchers Keyu Man, Xin'an Zhou, and Zhiyun Qian wrote in a research paper recently presented at the ACM CCS 2021 conference.
"The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers stated. "SAD DNS attack allows an attacker to redirect any traffic (originally destined to a specific domain) to his own server and then become a man-in-the-middle (MITM) attacker, allowing eavesdropping and tampering of the communication." 
Central to the assault is how Linux handles DNS queries on servers, particularly the Internet Control Message Protocol (ICMP) packets involved. The researchers discovered that these behaviors could be used to infer the User Datagram Protocol (UDP) port number used between the resolver and the nameserver, a value that is otherwise randomized and would seem impossible to guess.
"Surprisingly, we uncover novel side channels that have been lurking in the Linux network stack for over a decade and yet were not previously known," the trio explained in their paper, adding that as much as 38% of DNS resolvers are susceptible to attacks.
However, researchers warned that Linux is not the only threat vector for this assault. "The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound, and dnsmasq." 
This research builds on a previous set of attacks the same researchers uncovered and dubbed "SADDNS." The SADDNS research demonstrated how the rate limit on the UDP system could be used to infer the port used for the nameserver connection. DNS cache poisoning was originally discovered by the late Dan Kaminsky in 2008.
"In SADDNS, the key insight is that a shared resource, i.e., ICMP global rate limit shared between the off-path attacker and victim, can be leveraged to send spoofed UDP probes and infer which ephemeral port is used," researchers stated. "Unfortunately, it is unclear how many more such side channels exist in the network stack." 
To mitigate the risks, the researchers propose a number of solutions, such as randomizing the caching structure, rejecting ICMP redirect messages, and setting proper socket options such as IP_PMTUDISC_OMIT, which instructs the operating system to ignore the relevant ICMP messages and therefore completely bypasses the side channel-related processing in the kernel.
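The socket-option mitigation mentioned above, as an added example that is not code from the paper or from any resolver project: a resolver-style UDP socket is opened, IP_MTU_DISCOVER is set to IP_PMTUDISC_OMIT so the kernel ignores incoming ICMP fragmentation-needed messages for that socket, and the setting is read back so a deployment check can confirm it took effect. It assumes a Linux kernel of 3.15 or later, where the option exists; the helper names are this example's own.

```c
#include <netinet/in.h>   /* IP_MTU_DISCOVER, IP_PMTUDISC_OMIT on glibc/musl */
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Older C libraries lack the constant; 5 is the Linux UAPI value (linux/in.h). */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif

/* Apply the mitigation to an existing UDP socket. Returns 0 on success, -1 on error. */
int harden_udp_pmtu(int fd) {
    int val = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, sizeof(val));
}

/* Read back the effective IP_MTU_DISCOVER mode, or -1 if it cannot be queried. */
int get_pmtu_mode(int fd) {
    int val = -1;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, &len) < 0)
        return -1;
    return val;
}

/* Create the kind of UDP socket a resolver uses for upstream queries and
 * harden it before any query is sent. Returns the fd, or -1 on failure. */
int open_hardened_resolver_socket(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (harden_udp_pmtu(fd) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void) {
    int fd = open_hardened_resolver_socket();
    if (fd < 0) {
        perror("hardening resolver socket failed");
        return 1;
    }
    printf("IP_MTU_DISCOVER on fd %d = %d (IP_PMTUDISC_OMIT = %d)\n",
           fd, get_pmtu_mode(fd), IP_PMTUDISC_OMIT);
    close(fd);
    return 0;
}
```

The other two mitigations the researchers list (randomizing the cache structure and rejecting ICMP redirects) live in the resolver's cache code and in system configuration respectively, not in this socket setup.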