Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
9 Jul. 2008
Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.
To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.
Cisco has released free software updates that address these vulnerabilities.
The following Cisco products are capable of acting as DNS servers and have been found to have the DNS implementation weakness that makes some types of DNS cache poisoning attacks more likely to succeed:
* Cisco IOS Software
A device that is running Cisco IOS Software will be affected if it is running a vulnerable version and if it is acting as a DNS server.
All Cisco IOS Software releases that support the DNS server functionality and that have not had their DNS implementation improved are affected. For information about specific fixed versions, please refer to the Software Versions and Fixes section.
A device that is running Cisco IOS Software is configured to act as a DNS server if the command ip dns server is present in the configuration. This command is not enabled by default.
* Cisco Network Registrar
All Cisco Network Registrar versions are affected, and DNS services are enabled by default.
The DNS server on CNR is enabled via the command-line interface (CLI) commands server dns enable start-on-reboot or dns enable start-on-reboot or via the web management interface in the Servers page by selecting the appropriate "Start," "Stop," or "Reload" button.
* Cisco Application and Content Networking System
All Cisco Application and Content Networking System (ACNS) versions are affected; DNS services are disabled by default.
ACNS is configured to act as a DNS server if the command dns enable is present in the configuration.
* Cisco Global Site Selector Used in Combination with Cisco Network Registrar
The Cisco Global Site Selector (GSS) is affected when it is used in combination with Cisco Network Registrar software to provide a more complete DNS solution. Fixed software would come in the form of an update of the Cisco Network Registrar software rather than an update of the GSS software.
Products Confirmed Not Vulnerable:
Products that do not offer DNS server capabilities are not affected by this vulnerability.
The Cisco GSS by itself is not affected by this vulnerability. However, it is affected when it is used with Cisco Network Registrar software.
No other Cisco products are currently known to be affected by these vulnerabilities.
The Domain Name System is an integral part of networks that are based on TCP/IP such as the Internet. Simply stated, the Domain Name System is a hierarchical database that contains mappings of hostnames and IP addresses. The DNS protocol is part of the TCP/IP protocol suite and allows DNS clients to query the DNS database to resolve hostnames to IP addresses.
A DNS server is an application that implements the DNS protocol and that has the ability to respond to queries made by DNS clients. When handling a query from a DNS client, a DNS server can look into its portion of the global DNS database (if the query is for a portion of the DNS database for which the DNS server is authoritative), or it can relay the query to other DNS servers (if it is configured to do so and if the query is for a portion of the DNS database for which the DNS server is not authoritative.)
Because of the processing time and bandwidth that is associated with handling a DNS query, most DNS servers locally store responses that are received from other DNS servers. The area where these responses are stored locally is called a "cache." Once a response is stored in a cache, the DNS server can use the locally stored response for a certain time (called the "time to live") before having to query DNS servers again to refresh the local (cached) copy of the response.
A DNS cache poisoning attack is an attack in which an entry in the DNS cache of a DNS server is changed so the IP address associated with a hostname in the cache does not point to the correct place. For example, if www.example.com is mapped to the IP address 192.168.0.1 and this mapping is present in the cache of a DNS server, an attacker who succeeds in poisoning the DNS cache of this server may be able to map www.example.com to 10.0.0.1 instead. If this happens, a user who is trying to visit www.example.com may end up contacting the wrong web server.
Although DNS cache poisoning attacks are not new, a security researcher recently presented a technique that allows an attacker to mount successful DNS cache poisoning attacks with low complexity tools and low traffic requirements. This technique exploits a weakness in most implementations of the DNS protocol. The fundamental implementation weakness is that the DNS transaction ID and source port number used to validate DNS responses are not sufficiently randomized and can easily be predicted, which allows an attacker to create forged responses to DNS queries that will match the expected values. The DNS server will consider such responses to be valid.
The following Cisco products that offer DNS server functionality have been found to be susceptible to DNS cache poisoning attacks:
* Cisco IOS Software: The vulnerability documented in Cisco bug ID CSCso81854 ( registered customers only) .
* Cisco Network Registrar: The vulnerability documented in Cisco bug ID CSCsq01298 ( registered customers only) .
* Cisco Application and Content Networking System (ACNS): The vulnerability documented in Cisco bug ID CSCsq21930 ( registered customers only) .
Successful exploitation of the vulnerability described in this document may result in invalid hostname-to-IP address mappings in the cache of an affected DNS server. This may lead users of this DNS server to contact the wrong provider of network services. The ultimate impact varies greatly, ranging from a simple denial of service (for example, making www.example.com resolve to 127.0.0.1) to phishing and financial fraud.