7/24/2008
DNS Cache Poisoning Vulnerability
One of the people I connected with in the course of my security work is Dan Kaminsky. Dan’s a widely respected security researcher and I was really pleased when he joined IOActive as Director of Penetration Testing. Josh Pennell and the IOActive team are friends and some of the sharpest security minds in the business.
While DNS problems might not sound like they fit in the world of unified communications, Dan’s latest find is a big enough issue that I think it’s worth sharing here.
My colleague Dan Sullivan describes it here on the Realtime Messaging and Web Security Community.
DNS Cache Poisoning Code Now Publicly Available
As predicted, it didn’t take long for exploit code to become available for the DNS vulnerability found by Dan Kaminsky.
Ryan Naraine and Nathan McFeters have details and analysis here with updates here.
The code is available for Metasploit, making it readily available to anyone with the open source tool. It’s hard to imagine anyone who hasn’t patched not dropping everything else this morning to get this patched.
If you haven’t already patched your DNS, go do so now.
Filed by Ken at 8:32 am under InfoSec, Information Security







Ken:
Thanks for the advisory. Wanted to add that Cricket Liu has recently commented on the DNS vulnerability at: http://gregness.wordpress.com/2008/07/23/dns-vulnerability-an-exclusive-interview-with-cricket-liu/
Sincerely,
Greg
Great post, thanks for the heads up.
Hi Ken,
I wanted to apologize for my e-mail to you yesterday. I understand that my company has a long history of spamming bloggers, and that was not my intention. Like I mentioned in my e-mail, one of my former colleagues left and the work was shifted to me — I had a short list of people he was supposedly in contact with, and I wanted to tie up those loose ends.
I understand your position and respect your desire to not be contacted by us, so I sent out an e-mail to everyone else at the company to notify them of your wishes. I’m truly sorry this was not done earlier and that it had to get to this point.
Best wishes,
Dana