
Check Point Provides Preemptive Protection Against Latest Microsoft DNS Server Vulnerabilities

(MS09-008, CVE-2009-0233, CVE-2009-0234)

Microsoft has announced two new vulnerabilities in their DNS servers. These vulnerabilities allow a hacker to insert false information into the DNS server’s cache, potentially redirecting users to malicious sites. These vulnerabilities leverage the latest DNS cache poisoning technique, announced by CERT on July 8, 2008 (CVE-2008-1447) and significantly improve an attacker’s chances to create a successful cache poisoning attack.

“At the heart of the Internet are DNS servers. We trust DNS servers to direct all applications that we use on the Internet to the right address, so any vulnerability affecting the integrity of DNS servers is of great concern,” said Oded Gonda, vice president of network security products at Check Point. “In less than a year there have been three major DNS exploits and more are likely to follow. Check Point’s preemptive protection technology allows businesses to gain immediate protection from threats that could unknowingly route them to malicious sites.”

To learn more about DNS Cache Poisoning attacks, watch this video and read the FAQ.

Vulnerability Details

These new vulnerabilities are related to the Kaminsky DNS vulnerabilities that were reported and patched by Microsoft in July of 2008 (MS08-037). Check Point’s security professionals have determined that even DNS servers that received the July Microsoft Patch are vulnerable to attacks using these vulnerabilities.

The two new vulnerabilities are:

  • Microsoft DNS server query validation weakness (CVE-2009-0233): Windows DNS server does not reuse cached responses when receiving specifically crafted queries.
  • Microsoft DNS server cache validation weakness (CVE-2009-0234): Windows DNS server does not correctly cache specifically crafted DNS responses.

In both cases, these vulnerabilities result in the DNS server making unnecessary lookups, rather than relying on the cached responses. These unnecessary lookups result in increased, predictable opportunities for an unauthenticated remote attacker to reliably spoof responses and insert incorrect responses into the DNS server’s cache. Users can thus be redirected by these incorrect responses to malicious websites.

Check Point security researchers have compared the time required for a 50% success rate between a DNS cache poisoning attack on a Windows DNS server using the well-known Kaminsky attack and one using the new vulnerabilities. In both cases, the DNS servers had the July DNS vulnerability patch applied. The results, shown in the table below, demonstrate how much more dangerous the new attacks are.

| Attack              | Bandwidth | Packets until 50% success* | Time until 50% success* |
|---------------------|-----------|----------------------------|-------------------------|
| Kaminsky            | 10 Mbps   | 64,000,000                 | 1.25 Hours              |
| Kaminsky            | 1 Mbps    | 64,000,000                 | 10 Hours                |
| Kaminsky            | 100 Kbps  | 64,000,000                 | 100 Hours               |
| New Vulnerabilities | 10 Mbps   | 480,000                    | 32 Seconds              |
| New Vulnerabilities | 1 Mbps    | 540,000                    | 360 Seconds             |
| New Vulnerabilities | 100 Kbps  | 2,475,000                  | 4.6 Hours               |

*Estimates were derived under conditions valid for a specific lab setting. Actual figures may vary considerably in production environments and from one environment to another.

Protection

Since applying the Microsoft patch to essential infrastructure such as DNS servers can be complicated and risky, many organizations may remain unpatched and thus unprotected for an extended period of time. Hackers count on this natural lag in patching and may time their exploits for the vulnerability window immediately following this disclosure.

Because of this, Check Point recommends that companies augment their patching process with integrated and dedicated intrusion prevention systems. These can be deployed both at the network perimeter and at internal locations, separating the company’s network into segments. Check Point SmartDefense, IPS-1 and the new Check Point IPS Software Blade provide protection against these attacks.

Check Point has provided preemptive protections against all DNS cache poisoning vulnerabilities published to date:

| Vulnerability Announced | Industry References                        | Vulnerability                                                          | Check Point Protection                              |
|-------------------------|--------------------------------------------|------------------------------------------------------------------------|-----------------------------------------------------|
| March 2009              | CVE-2009-0233, CVE-2009-0234, MS09-008     | Multiple Microsoft DNS Server Cache Spoofing Vulnerabilities           | CPAI-2009-036                                       |
| July 2008               | CVE-2008-1447, MS08-037                    | Multiple Vendor DNS Insufficient Socket Entropy Vulnerability (Kaminsky) | CPAI-2008-092, Preemptive (Available since 2004)  |
| April 2008              | CVE-2008-0087, MS08-020                    | Microsoft Windows DNS Client Spoofing Vulnerability                    | CPAI-2008-052, Preemptive (Available since 2003)    |
| November 2007           | MS07-062, CVE-2007-3898                    | Microsoft Windows DNS Client Spoofing Vulnerability                    | CPAI-2007-133, Preemptive (Available since 2003)    |
| August 2007             | CVE-2007-2926                              | ISC BIND Predictable DNS Query ID Generation Cache Poisoning           | CPAI-2007-096, Preemptive (Available since 2003)    |

As with the earlier Kaminsky vulnerability, the existing cache poisoning protections provided in 2004 for Check Point’s IPS offerings (CPAI-2008-092) provide strong preemptive protection against the new attacks. Read more about these protections.

In addition to these protections, as part of Check Point’s commitment to providing the best protection for Microsoft vulnerabilities, Check Point has issued a new protection (CPAI-2009-036). This protection detects and blocks multiple requests to the DNS server using the same domain name.

Protection Details

Check Point IPS provides several preemptive protections against DNS poisoning:

Inbound Requests

This Protection drops queries related to zones that are not associated with the organization's domain. This protection alone blocks many poisoning attacks.

To activate the protection:

  1. In the SmartDashboard IPS/SmartDefense tab, click Application Intelligence > DNS > Scrambling > Drop Inbound Requests.
  2. In the configuration pane, set the mode to Active.

This protection requires that you create a DNS server object and define authoritative domains for it. Once defined, and the protection enabled, the gateway will allow queries from external interfaces only to the server's authoritative domains. There are no restrictions on queries coming from internal interfaces.

To configure:

  • Define a host object for the DNS server and enter its address.
  • Click Configure Servers, select DNS Server and click OK.
  • In the DNS server properties, add objects representing the authoritative zones for this server.

    The relevant network objects are domain objects and network objects that represent a network or a host. Domain objects (created via Network Objects > New > Others > Domain) are used to match regular DNS questions.

    The domain object will apply to any DNS request for a domain that hierarchically belongs to the defined domain.

    Example:
    Defining example.com as a domain object will apply to requests for www.example.com, ns.example.com and internal.example.com, but not to a request for www.example.com.org.

    Network and host objects are used to match reverse lookup questions. When adding a network object with IP address a.b.c.d to the authorization list, the domain that will be matched is d.c.b.a.in-addr.arpa.

    Note: Only networks with a netmask of 8, 16, 24 or 32 can be used in the DNS Server authorization list.
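The matching rules above can be modelled in a few lines. The following is an added example, not Check Point code: it implements the hierarchical domain match, the in-addr.arpa mapping for network objects, and the rule that only external queries are restricted. It assumes that a network object with netmask 8, 16 or 24 maps to the in-addr.arpa zone obtained by reversing its significant octets (the page only spells out the host case, d.c.b.a.in-addr.arpa); the configuration and query names are constructed.

```python
"""Added example, not Check Point code: a model of the Drop Inbound Requests
authorization check.  Assumptions: a domain object matches any name at or
below it; a network object with netmask 8/16/24/32 maps to the in-addr.arpa
zone formed by reversing its significant octets; internal queries are never
restricted."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class DomainObject:
    name: str          # e.g. "example.com"


@dataclass(frozen=True)
class NetworkObject:
    cidr: str          # e.g. "192.0.2.0/24"; only /8, /16, /24 and /32 accepted


Authorized = Union[DomainObject, NetworkObject]


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot."""
    return name.rstrip(".").lower()


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone authorized by a network object (assumed mapping)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24, 32):
        raise ValueError("only IPv4 networks with netmask 8, 16, 24 or 32 are allowed")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def zone_matches(zone: str, qname: str) -> bool:
    """Hierarchical match: qname equals the zone or lies below it."""
    zone, qname = _normalize(zone), _normalize(qname)
    return qname == zone or qname.endswith("." + zone)


def is_authoritative(qname: str, authorized: List[Authorized]) -> bool:
    for obj in authorized:
        zone = obj.name if isinstance(obj, DomainObject) else reverse_zone(obj.cidr)
        if zone_matches(zone, qname):
            return True
    return False


def allow_query(qname: str, from_external: bool, authorized: List[Authorized]) -> bool:
    """Drop Inbound Requests: external queries pass only for authoritative zones."""
    if not from_external:
        return True          # no restriction on internal interfaces
    return is_authoritative(qname, authorized)


# Constructed configuration: one domain object and one /24 network object.
AUTHORIZED = [DomainObject("example.com"), NetworkObject("192.0.2.0/24")]

if __name__ == "__main__":
    for name in ("www.example.com", "www.example.com.org", "7.2.0.192.in-addr.arpa"):
        print(name, "allowed from external:", allow_query(name, True, AUTHORIZED))
```

Running the block prints the verdict for a name below example.com (allowed), a look-alike under a different top-level domain (dropped) and a reverse lookup inside the authorized /24 (allowed).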

Microsoft DNS Server Validation Spoofing Weakness

This newly-released protection identifies the attack pattern that exploits the Microsoft DNS Server vulnerabilities and blocks any DNS traffic that may be part of the attack.

To activate the protection:

  1. In the SmartDashboard IPS/SmartDefense tab, click Application Intelligence > DNS > Cache Poisoning > Microsoft DNS Server Validation Spoofing Weakness.
  2. In the configuration pane, set the mode to Active.

Scrambling

Scrambling involves the randomization of both source port and transaction IDs. This makes it more difficult for hackers to spoof responses.

Note: Customers who haven’t installed the patch provided in security bulletin MS08-037 (Kaminsky’s attack) or have a DNS resolver that is behind Hide NAT should consider activating the Scrambling protection.

To activate the protection:

  1. In the SmartDashboard IPS/SmartDefense tab, click Application Intelligence > DNS > Cache Poisoning > Scrambling.
  2. In the configuration pane, set the mode to Active.

Mismatched Replies

This setting creates an alert when the number of mismatched DNS replies exceeds a certain threshold. While not preventing the attack, this defense provides a clear indication that an attack is taking place. There is no legitimate reason for a large number of replies with mismatching transaction IDs to be encountered, and therefore such an alert is a reliable indicator of a DNS attack and has a very low false positive rate.
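Two of the indicators this page describes, the burst of replies with mismatching transaction IDs above, and the repeated requests for one domain name that the new CPAI-2009-036 protection is described as detecting, can be evaluated with a small sliding-window monitor. The following is an added example, not Check Point code: the event format, the thresholds, the window length and the sample traffic are all constructed assumptions, chosen so the two alerts fire once each.

```python
"""Added example, not Check Point code: two poisoning indicators described on
this page, evaluated over constructed DNS events.
  - mismatched replies: a reply whose (upstream, transaction ID, name) matches
    no outstanding query; a burst above a threshold raises an alert
  - repeated queries: many inbound queries for the same name from one client
    inside a short window
Thresholds, window length and the event format are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class DnsEvent:
    ts: float      # seconds
    kind: str      # "query_in" (client->server), "query_out" (server->upstream), "reply_in" (upstream->server)
    peer: str      # client address for query_in, upstream address otherwise
    txid: int      # 16-bit DNS transaction ID
    qname: str


class PoisoningMonitor:
    def __init__(self, mismatch_threshold: int = 20, repeat_threshold: int = 10, window: float = 5.0):
        self.mismatch_threshold = mismatch_threshold
        self.repeat_threshold = repeat_threshold
        self.window = window
        self.outstanding: Set[Tuple[str, int, str]] = set()
        self.mismatches: Deque[float] = deque()
        self.repeats: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.alerts: List[str] = []

    def _prune(self, times: Deque[float], now: float) -> None:
        """Keep only timestamps inside the sliding window."""
        while times and now - times[0] > self.window:
            times.popleft()

    def observe(self, ev: DnsEvent) -> None:
        key = (ev.peer, ev.txid, ev.qname.lower().rstrip("."))
        if ev.kind == "query_out":
            self.outstanding.add(key)
        elif ev.kind == "reply_in":
            if key in self.outstanding:
                self.outstanding.discard(key)        # legitimate answer
                return
            self.mismatches.append(ev.ts)
            self._prune(self.mismatches, ev.ts)
            if len(self.mismatches) == self.mismatch_threshold:   # fire once per crossing
                self.alerts.append(f"mismatched replies: {self.mismatch_threshold} within {self.window}s, last for {ev.qname}")
        elif ev.kind == "query_in":
            times = self.repeats[(ev.peer, key[2])]
            times.append(ev.ts)
            self._prune(times, ev.ts)
            if len(times) == self.repeat_threshold:
                self.alerts.append(f"repeated queries: {self.repeat_threshold} for {ev.qname} from {ev.peer} within {self.window}s")


def run_sample() -> List[str]:
    """Constructed traffic: one normal exchange, a burst of unsolicited replies,
    and one client repeating the same name."""
    events = [
        DnsEvent(0.00, "query_out", "198.51.100.1", 0x1A2B, "www.example.com"),
        DnsEvent(0.05, "reply_in", "198.51.100.1", 0x1A2B, "www.example.com"),
    ]
    # 25 replies for a name the server never asked about, with differing IDs
    events += [DnsEvent(0.10 + i * 0.001, "reply_in", "198.51.100.1", 1000 + i, "www.example.net")
               for i in range(25)]
    # one client asking for the same name 12 times in 1.2 s
    events += [DnsEvent(1.0 + i * 0.1, "query_in", "192.0.2.10", 7 + i, "a.example.org")
               for i in range(12)]
    mon = PoisoningMonitor()
    for ev in sorted(events, key=lambda e: e.ts):
        mon.observe(ev)
    return mon.alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT", line)
```

The legitimate exchange never touches the mismatch counter because its reply is matched against the outstanding query by upstream address, transaction ID and name; only unmatched replies are counted, which is why this indicator has the low false positive rate described above.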

To activate the protection:

  1. In the SmartDashboard IPS/SmartDefense tab, click Application Intelligence > DNS > Cache Poisoning > Mismatched Replies.
  2. In the configuration pane, set the mode to Active.

Install the policy associated with the above protections on all relevant gateways.

The gateway must sit on a network segment where it sees the DNS traffic to and from the DNS server; otherwise the protections have nothing to inspect.

FAQ

What targets are at risk from these new vulnerabilities?
All versions of Microsoft Windows DNS servers.
What is DNS?
The Domain Name System (DNS) is a key component in every network and one of the Internet’s fundamental building blocks. Its main responsibility is locating and translating Internet domain names into Internet Protocol (IP) addresses and vice versa.
What is DNS Cache?
A DNS server uses a caching mechanism that saves the responses to DNS queries. Its purpose is to shorten the process for future queries and avoid sending repeated queries through the network.
What is DNS Cache Poisoning?
Cache poisoning refers to the corruption of a DNS server’s table by replacing an Internet address with another, rogue address. When a web user seeks the page with that address, the request is redirected to the IP address of the attacker’s choosing. At that point, a remote attacker may inspect, capture, or corrupt any information exchanged between hosts on the network. The attacker may also choose to direct users to malicious sites or prevent them from accessing websites of their choice.
What might an attacker use a cache poisoning vulnerability to do?
Once a remote attacker has successfully poisoned the cache, traffic can be captured, corrupted, or redirected to a malicious site set up by the attacker without the user suspecting that the site is malicious or that the traffic is being sniffed.
What causes cache poisoning vulnerabilities?
DNS cache poisoning is facilitated by inherent deficiencies in the DNS protocol and in common DNS implementations including:
  • Poor randomization of transaction ID:
    The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is incorrectly implemented and the transaction ID is not randomly selected, an attacker will have better chances of predicting the transaction ID.
  • Poor randomization of source port:
    Randomizing the source port for outstanding queries reduces the probability that an attacker can successfully spoof the DNS session.
  • Multiple outstanding requests:
    Some DNS implementations contain a vulnerability in which multiple identical queries for the same resource record (RR) will generate multiple outstanding queries for that RR. This is also known as a “birthday attack”.
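The three deficiencies above can be put in numbers. The following is an added example, not from the page: it computes the size of the value space a forged reply must hit with and without source port randomization, approximates the birthday effect of many identical outstanding queries (independent, uniformly random IDs assumed), and gives a quick check a resolver operator can run over captured transaction IDs to spot sequential allocation. The sample ID lists are constructed.

```python
"""Added example, not from the page: quantifying the deficiencies listed above.
search_space() counts the values a forged reply must guess; p_match() is the
standard approximation 1 - exp(-n*m/space) for at least one of m forged
replies matching one of n identical outstanding queries (birthday effect);
sequential_fraction() and shannon_entropy_bits() are checks on captured IDs.
All inputs are constructed."""
import math
import random
from typing import Dict, Sequence


def search_space(txid_bits: int = 16, port_bits: int = 0) -> int:
    """Number of (transaction ID, source port) combinations a reply must match."""
    return 2 ** (txid_bits + port_bits)


def p_match(space: int, outstanding: int, forged: int) -> float:
    """P(at least one of `forged` replies matches one of `outstanding` queries)."""
    return 1.0 - math.exp(-outstanding * forged / space)


def sequential_fraction(ids: Sequence[int], modulus: int = 65536) -> float:
    """Fraction of consecutive ID pairs that differ by exactly 1 (mod 2^16);
    close to 1.0 means the resolver allocates IDs sequentially."""
    if len(ids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) % modulus == 1)
    return hits / (len(ids) - 1)


def shannon_entropy_bits(ids: Sequence[int]) -> float:
    """Empirical entropy of the sample.  A sequential allocator still scores
    log2(n) on a short capture, so use this together with sequential_fraction."""
    counts: Dict[int, int] = {}
    for v in ids:
        counts[v] = counts.get(v, 0) + 1
    n = len(ids)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def compare() -> Dict[str, float]:
    """Worked numbers: one outstanding query vs. 200 identical outstanding
    queries, with and without a 16-bit randomized source port."""
    id_only, id_and_port = search_space(16, 0), search_space(16, 16)
    return {
        "p_single_id_only": p_match(id_only, 1, 1),
        "p_birthday_200x200_id_only": p_match(id_only, 200, 200),
        "p_birthday_200x200_with_port": p_match(id_and_port, 200, 200),
    }


# Constructed samples: a sequential allocator and a properly randomized one.
SEQUENTIAL_IDS = list(range(0x4000, 0x4000 + 200))
_rng = random.Random(7)
RANDOM_IDS = [_rng.randrange(65536) for _ in range(200)]

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
    for label, ids in (("sequential", SEQUENTIAL_IDS), ("random", RANDOM_IDS)):
        print(label, "sequential fraction:", sequential_fraction(ids),
              "entropy bits: %.2f" % shannon_entropy_bits(ids))
```

The comparison shows why the page recommends Scrambling for resolvers that are unpatched or behind Hide NAT: 200 identical outstanding queries against a 16-bit ID space raise the match probability from about 1.5e-5 to roughly 46%, while adding a randomized 16-bit source port pushes the same scenario back below 1e-5.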