Special Security Alert - DNS Flaw : 5 August 2008

Security Alert - Background Summary
- Background to DNS Flaw
- Useful reading
- Who does this impact?
- Is this just another scare story - Am I bothered?
- Who is going to fix which equipment?
- How can I find out if I have an issue - has the patch worked?

Equiinet's upgrades to overcome the DNS Flaw
- For V5 systems
- For V4 systems
- For V3 systems
- For V2 systems
- For new products being shipped now


Security Alert - Background Summary

Background to the DNS Flaw

Recently a significant flaw in DNS (the system that translates domain names to routable IP addresses) was discovered. This flaw potentially allows people with malicious intent to impersonate almost any website on the Internet by deliberately misdirecting URL requests. The flaw, a variation on what's known as a cache poisoning attack*, was announced on July 8 by IOActive researcher Dan Kaminsky**. Significantly, he plans to disclose full technical details of the bug during a presentation at the Black Hat conference on 6 August 2008.

Exploiting this flaw would significantly impact both browsing as well as email activity. Software companies across the industry including Equiinet have quietly collaborated to release fixes for all affected name servers and devices which utilise name services.

The purpose of this communication is to advise Equiinet product users as to what Equiinet is doing regarding this DNS issue in particular, and of the wider picture. Undoubtedly, you will want to consider the impacts on your customer/user base and inform them of the situation.

One point we'd like to stress; the DNS server functionality built into Equiinet products can only be attacked from its LAN side, unless of course, firewalls or VPN tunnels have been mis-configured to allow intruders in. Therefore, our products are far less susceptible to attack than DNS servers on the Internet.

Having read this information, if you have further questions please contact your Equiinet product supplier or support organisation in the first instance. Equiinet support staff are also available to assist on the number and email address at the foot of this email.

Useful Reading
BBC: http://news.bbc.co.uk/1/hi/technology/7496735.stm (general intro)
* DNS Cache poisoning: http://en.wikipedia.org/wiki/DNS_cache_poisoning
** From Dan Kaminsky: http://www.doxpara.com/ (the person who found the flaw)

Who does this impact?
Essentially, everyone - any user of Microsoft and Cisco equipment, any and every ISP - anything that needs name resolution via a DNS server. This also includes every user of Equiinet NetPilot, CachePilot, SecurePilot and ControlPilot equipment.

Is this just another scare story?
DNS has been compromised before, so this is not unique. But because of the potential scale on which this flaw could be exploited, the industry's response has been to take the matter very seriously and to act in a timely manner.

Who needs to create and implement fixes?
Manufacturers such as Microsoft, Cisco, Equiinet etc. need to develop their own fixes and distribute them through their respective support channels to end users for implementation, or to those who undertake this on their behalf. More importantly, all ISPs need to update their name servers with suitable fixes, as they are extremely vulnerable to attack.

How can I find out if I might have an issue? I have applied patches - how do I test if they work?
If you apply the upgrade patches described below to your Equiinet equipment, then to test correct operation ENSURE the Equiinet product is NOT forwarding to an external DNS system (i.e. it is using the default of resolving via the root DNS servers). The two tests that the checker (see DNS Checker below) performs should both report a value of 'Great'. To confirm which DNS device you are actually testing, the checker reports the IP address of the DNS server it tested; this should be the WAN address of your Equiinet unit.

If you are using non-Equiinet equipment, or are pointing to an upstream DNS device at your ISP, the check may well indicate that your ISP's DNS has yet to be fixed; in that case results of 'Poor' and 'Poor' will be obtained. Contact your network support organisation or ISP, or look at their support websites for advice.

DNS Checker: DNS OARC
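The checker referred to above rates how unpredictable a resolver's outgoing queries are, because a resolver that reuses one UDP source port or hands out sequential transaction IDs gives a forger far fewer values to guess. The following Python script is an added example, not Equiinet's or DNS-OARC's code: it models that kind of check locally by scoring a sample of observed source ports and transaction IDs for reuse, sequential stepping and narrowness of range. The 'POOR'/'GOOD'/'GREAT' thresholds are assumptions chosen for illustration (they are not DNS-OARC's scoring rules), and all sample values are constructed rather than captured from real equipment.

```python
"""Score source-port and transaction-ID randomness of a DNS resolver's queries.

Added example (not Equiinet's or DNS-OARC's code). Feed it the UDP source
ports and DNS transaction IDs seen on a resolver's outgoing queries, e.g.
extracted from a packet capture taken on its WAN side.
"""
import math
from collections import Counter


def shannon_entropy_bits(values):
    """Entropy of the observed sample in bits (0.0 when every value is identical)."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def rate_randomness(values, field_bits=16):
    """Rate a sample of 16-bit values as 'POOR', 'GOOD' or 'GREAT'.

    Thresholds are assumptions for illustration, not DNS-OARC's rules:
      POOR  - a single reused value, or >= 80% of consecutive steps identical
              (fixed port, or a counter-style transaction ID)
      GOOD  - varied, but confined to under a quarter of the field's range
      GREAT - varied and spread across the field
    """
    if len(values) < 2:
        raise ValueError("need at least two observations")
    space = 1 << field_bits
    distinct = len(set(values))
    # Step between successive queries; a constant step means a counter.
    deltas = [(b - a) % space for a, b in zip(values, values[1:])]
    _, most_common_count = Counter(deltas).most_common(1)[0]
    sequential = most_common_count / len(deltas) >= 0.8
    if distinct < 2 or sequential:
        return "POOR"
    span = max(values) - min(values)
    if span < space // 4:
        return "GOOD"
    return "GREAT"


def assess_resolver(source_ports, transaction_ids):
    """Return one rating per field, mirroring the two results the checker reports."""
    return {
        "source_port": rate_randomness(source_ports),
        "transaction_id": rate_randomness(transaction_ids),
    }


# --- Constructed samples (not real captures) ---------------------------------
# An unpatched-style resolver: one fixed port and a counting transaction ID.
FIXED_PORTS = [32768] * 12
SEQ_TXIDS = list(range(0x1000, 0x100C))
# Ports varied but confined to a narrow band (partial randomisation).
NARROW_PORTS = [1031, 1902, 1244, 1777, 1100, 1633, 1499, 1356, 1980, 1210, 1711, 1050]
# Well-randomised values spread across the whole 16-bit field.
RANDOM_PORTS = [41172, 5321, 60988, 18433, 33010, 2057, 52714, 27380, 63001, 9960, 45517, 14822]
RANDOM_TXIDS = [0x3A7F, 0x91C2, 0x04E8, 0xD55B, 0x6F10, 0xB8A4, 0x2C99, 0xE703, 0x5D46, 0xA0BD, 0x1735, 0xC46E]


if __name__ == "__main__":
    for label, ports, txids in [
        ("fixed port / sequential ID", FIXED_PORTS, SEQ_TXIDS),
        ("narrow port band / random ID", NARROW_PORTS, RANDOM_TXIDS),
        ("randomised port and ID", RANDOM_PORTS, RANDOM_TXIDS),
    ]:
        result = assess_resolver(ports, txids)
        print(f"{label:30s} port={result['source_port']:5s} "
              f"txid={result['transaction_id']:5s} "
              f"port entropy={shannon_entropy_bits(ports):.2f} bits")
```

Only a resolver that reports 'GREAT' for both fields corresponds to the pair of 'Great' results the page describes; a 'POOR' on either field means the queries are still easy to forge replies for, whatever the other field looks like.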

Equiinet's upgrades to overcome DNS flaw

Equiinet has devised patches and these are available now to apply. Having read this information, if you have further questions please contact your Equiinet product supplier or support organisation in the first instance.

The situation impacts all Equiinet products using DNS services, namely: NetPilot, CachePilot, SecurePilot and ControlPilot. However, the DNS server functionality built into Equiinet products can only be attacked from its LAN side, unless of course, firewalls or VPN tunnels have been mis-configured to allow intruders in.

It should also be noted that the Equiinet fix does not, and cannot, eliminate the effects of an attack to a DNS server further up the line e.g. at the ISP.

Upgrade patches and procedures detailed by product operating system version:

For those running Version 5 code
A V5 DNS Flaw patch (0001525.nub) is available here:
http://www.equiinet.com/netpilot/softwarerequest/V5_DNSflaw_upgrade.asp

Users need to be running any of: 5.0.2, 5.1.0, 5.1.1, 5.1.2 or 5.1.3 versions in order to apply the fix. When the nub is applied it will not change the current version number. All future versions of v5 code - from v5.1.4 onwards - will have the fix built-in, and will not require the patch.

For those running Version 4 code
You will firstly need to move to Version 5. Version 5 is, and will continue to be, the software level that contains all the very latest features, fixes and functionality. Following this you should follow the instructions above for applying the fix to Version 5 code. Upgrading is relatively easy. The main obvious difference with Version 5 code is that it has a different (better and more useable) administration interface.

If you are running a very early Version 4 system, you will be required to upgrade to the final V4 release first. All the information is given at: http://www.equiinet.com/netpilot/softwarerequest/5_0_2_upgrade.asp

For those running Version 3 code
Version 3 code was “End of Lifed” at the end of 2007 and the last code update was released some two years earlier. However, as some customers are still running older hardware that is not upgradeable to Version 5 code, we have decided to make one last upgrade - v3.2.9 - before all support finishes at end of 2008.

A V3 DNS Flaw patch (0001526.nub) is available here:
http://www.equiinet.com/netpilot/softwarerequest/V3_DNSflaw_upgrade.asp
(Users need to be running versions 3.2.5 to 3.2.8; the upgrade will take you to 3.2.9.)

Customers using the Version 3 code should also be made aware that they need to consider what happens post 2008 regarding security, virus checking and other potential exploits - time is running out! We recommend users of V3 systems talk to their Equiinet equipment supplier or, if they no longer have support arrangements, to Equiinet direct.

For those running Pre-Version 3 code (i.e. Version 2)
Version 2 code was “End of Lifed” long ago, and there is no DNS flaw patch available for it.

All new products being shipped now!
All new products now being shipped from Equiinet to its distributors contain the required patches.

For more information contact
Equiinet Support Team
01793-603747 or support@equiinet.com


Equiinet Limited
Edison House, Edison Road, Swindon SN3 5JX
Registered in England and Wales with company number 4211762, VAT registration number 768 4679 62

www.equiinet.com

Copyright 2008 Equiinet Ltd.