A newly disclosed security vulnerability in the DNS system could leave providers at risk of server attacks.
Keyu Man, Xin’an Zhou and Zhiyun Qian of the University of California, Riverside said in a recently published paper that attackers who exploit the vulnerability could potentially get in between the connection from the DNS resolver to the nameserver, thus allowing them to change the server IP addresses connected to various web domains. The research on the vulnerability, designated CVE-2021-20322, was presented Wednesday at the ACM Conference on Computer and Communications Security in South Korea.
Central to the attack is the way Linux handles DNS queries on servers, specifically Internet Control Message Protocol (ICMP) packets. The academic research team found that these behaviors could be used to infer the User Datagram Protocol (UDP) port number between the resolver and nameserver, something that is otherwise randomized and extremely difficult to guess.
By creating specially crafted ICMP packets, firing them en masse at a block of potential port numbers and then analyzing the content of the error message responses, it would be possible to narrow the number of potential connections to the point where the private port number could be worked out.
From there, the attacker could spoof the connection between the nameserver and resolver, instruct the resolver to set arbitrary IP addresses for popular domains, and enable anything from phishing attacks to drive-by downloads.
“Surprisingly, we uncover novel side channels that have been lurking in the Linux network stack for over a decade and yet were not previously known,” the researchers wrote in their paper, adding that as much as 38% of DNS resolvers are vulnerable to attacks.
However, the team warned that Linux is not the only threat vector for this attack. “The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound and dnsmasq.”
The research builds on a previous set of attacks the researchers uncovered and dubbed “SADDNS.” The SADDNS research showed how the rate limit on the UDP system could be used to infer the port for the nameserver connection.
“In SADDNS, the key insight is that a shared resource, i.e., ICMP global rate limit shared between the off-path attacker and victim, can be leveraged to send spoofed UDP probes and infer which ephemeral port is used,” the trio explained in the paper. “Unfortunately, it is unclear how many more such side channels exist in the network stack.”
The work also harkens back to research from the late Dan Kaminsky, a noted security researcher who in 2008 caused a major stir in the industry by disclosing the possibility of large-scale DNS cache poisoning attacks. Kaminsky died earlier this year at the age of 42.
The team have already reported the flaw privately and, while the Linux kernel, BIND, and Unbound all have patches to address the bugs, Man told SearchSecurity it’s not clear where the DNS providers themselves are in the process.
“We reported our findings to multiple DNS providers like AdGuard, OpenDNS and Quad9, and they acknowledged the vulnerabilities,” Man said. “But to the best of our knowledge, only OpenDNS told us that they have patched the issue.”
As for administrators and end users, the team advises making sure their Linux kernel and BIND/Unbound are updated. Administrators can also place further limits on how ICMP traffic is handled.
“An easy-to-deploy workaround would be rejecting ICMP fragment-needed packets and ICMP redirect packets using iptables and ip6tables, which can be done in runtime without restarting the service,” Man said. “But this may break some legitimate usage of these packets.”