A newly discovered set of Domain Name System (DNS) vulnerabilities puts a wide range of home routers at risk, with an estimated millions of individual units impacted. This new collection of vulnerabilities raises fresh questions about the inherent security of DNS, over a decade after the infamous “Kaminsky Attack” that threatened nearly every website on the internet by way of a universal nameserver vulnerability.
Seven new DNS vulnerabilities collectively threaten millions of devices
As with the exploit discovered by Kaminsky in 2008, the new DNS vulnerabilities make use of “cache poisoning” to redirect traffic from a legitimate URL to one controlled by an attacker. The attack targets the caches of routers that store the numerical IP addresses tied to domain names, inserting itself into the DNS query exchange between router and DNS server and sending back faulty IP addresses that appear to the router to be legitimate. A compromised router would send the victim to an attacker-planted IP address after they type in an otherwise legitimate domain name.
The attack centers on transaction ID (TXID) numbers, the measure meant to secure these communications between router and upstream DNS server. This was the core of the Kaminsky Attack, which was “patched” via several measures such as making the 16-bit TXID numbers 32-bit to greatly increase the amount of time it would take an attacker to ascertain them. All seven of the new attacks affect the widely used Dnsmasq DNS forwarding software and have found new ways to work around the measures implemented to improve the security of TXID numbers. Three are traditional cache poisoning attacks, while four are buffer overflows that could allow the attacker to take over the device.
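The matching a forwarder must apply before it trusts an answer, as an added illustration (not Dnsmasq's code or the researchers' code): a response is accepted into the cache only if its TXID, the randomized UDP source port the query left from, the upstream server address and the question section all match the outstanding query. The constructed packets, pending-query record and the helper `guesses_for_spoof` are assumptions for this example; the last shows why a 16-bit TXID on its own is weak and what adding a random port contributes.

```python
import struct

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(pkt, off):
    """Decode an uncompressed name at pkt[off]; returns (name, offset after it)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def build_response(txid, qname, qtype, answer_ip):
    """Construct a minimal DNS response with one A record (sample data only)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    rdata = bytes(int(o) for o in answer_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return hdr + question + answer

def accept_response(pending, pkt, src_ip, dst_port):
    """Return True only if pkt is a plausible answer to the outstanding query.

    pending = {"txid", "qname", "qtype", "server", "port"} records what the
    forwarder sent and from which randomized UDP source port it sent it.
    A forged reply has to match every field, which is what turns a 16-bit
    TXID guess into a roughly 32-bit one when the source port is random.
    """
    if len(pkt) < 12 or (src_ip, dst_port) != (pending["server"], pending["port"]):
        return False
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if txid != pending["txid"] or not flags & 0x8000 or qdcount != 1:
        return False
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return (qname.lower(), qtype, qclass) == (pending["qname"].lower(), pending["qtype"], 1)

def guesses_for_spoof(txid_bits=16, port_bits=0):
    """Expected number of forged replies needed to hit one outstanding query."""
    return 2 ** (txid_bits + port_bits - 1)
```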
One of the most worrying aspects of these new DNS vulnerabilities is that they can be exploited with just one attacker-controlled machine on a LAN, subjecting every other device on the network to these malicious redirects. For example, one attacker or compromised device logged into a hotel or coffee shop WiFi network that uses Dnsmasq could steer everyone else on the network through the tainted DNS resolver.
Exploiting the new DNS vulnerabilities does have some barrier to entry, but not a particularly high one. An attacker would need to control a registered domain and be able to send IP packets with spoofed source addresses. The researchers note that quite a few legitimate internet service providers do not restrict this ability, making it relatively easy to acquire.
The total number of devices potentially impacted by these new vulnerabilities is staggering, easily within the millions. The researchers could not test all of the possibilities, but did note some specific devices that were found to be vulnerable: several models of Cisco VPN router, and hundreds of routers that use the OpenWrt firmware.
Since Dnsmasq is merely one of many options for software of this kind, and since DNS forwarding is primarily a speed and convenience feature that is not strictly necessary, switching to something else or even disabling Dnsmasq entirely would seem to be a quick solution to the problem. However, this is particularly problematic for the average end user, for whom that ability is beyond their control or too arcane a matter to handle without technical assistance. In work environments, disabling DNS forwarding may also cause things to break. The device testing did find that routers from Check Point and Netgear that ship with caching disabled were far less vulnerable to these attacks.
The risks of individuals being redirected to an attack site that delivers malware (via cache poisoning) or simply having the device taken over directly (via buffer overflow) are bad enough, but there is an even greater hypothetical attack profile with these DNS vulnerabilities. The ability to funnel traffic unwittingly to any IP address the attacker chooses could manifest as a massive distributed denial of service (DDoS) attack. Similarly, an attacker could cut large numbers of users off from a vital or popular website for the purposes of ransoming it or simply causing mass chaos. These DNS vulnerabilities are also “wormable” in the sense that a mobile device that has accessed the DNS records of a compromised network could potentially infect any future networks it connects to.
DNS security issues woven into the Internet fabric
DNS has always been something of a time bomb since it was first implemented, with several flare-ups of security issues over the years in addition to the big one uncovered by Kaminsky in 2008. However, it is at this point a fundamental backbone of the internet; any ideas for replacing the system, such as the use of blockchain technology, are speculative at best. Some DNS vulnerabilities are baked in and unfixable, requiring methods (and sometimes outright hacks) to be layered on top to address them: the shift to pseudo-32-bit TXID numbers, the implementation of protocols such as HTTPS and HSTS, and in-browser warnings about unexpected website responses among them. While this new set of DNS vulnerabilities does not threaten to break everything in the way the 2008 incident did, Dnsmasq is so widely used that it should be considered an emergency issue by all organizations.