SANS ISC: InfoSec Handlers Diary Blog

DNS vulnerability announced by NISCC today

Published: 2006-04-25
Last Updated: 2006-04-25 23:45:13 UTC
by donald smith (Version: 1)
NISCC has published an advisory about a potential DNS vulnerability today:

These issues were discovered by use of the Oulu University Secure Programming Group's new PROTOS test-suite c09-dns. This tool is not currently public.

Their abstract (aka description) states:
"Abstract: The vulnerabilities described in this advisory affect implementations of the Domain Name System (DNS) protocol. Many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all."

Notice they state "affect implementations", which implies it is not a vulnerability in the basic DNS protocol; rather, it is an issue in how some of the vendors implemented that protocol.

This link has a list of vendors who have responded with vulnerability information so far. 

Not many vendors provided vulnerability details on their products.

The Internet Software Consortium (authors of BIND) provided a detailed response. Juniper Networks, Delegate and pdnsd also provided specific details. In each case the impact appears to be denial of service (DoS), not remote code execution.

Hitachi and Wind River state that they believe they are not vulnerable.

Microsoft, Sun and Ethereal all reported that they are reviewing or testing for these issues.


ISC (BIND), MyDNS, Juniper Networks and pdnsd all announced vulnerabilities.
All but ISC have released patches or upgrades for them.

ISC has not released a patch, but based on their analysis their vulnerability is a very low risk. It appears to be based on a malformed second TSIG packet. If you understand TSIG, you understand why this should not be much of a threat: the two parties have already established a trust relationship.

The pdnsd maintainer, Paul A Rombouts, recommends upgrading to version 1.2.4 or later of pdnsd.

MyDNS 1.1.0 has a fix for a "query-of-death" DOS and can be found here:

Juniper Networks has several upgrade options for their E-series routers, which are the only routers mentioned as having a vulnerability. You may need a Juniper Networks account to get access to those updates. According to the vendor document above, "The issue was resolved in the following JUNOSe updates: 5-3-5p0-2, 6-0-3p0-6, 6-0-4, 6-1-3p0-1, 7-0-1p0-7, 7-0-2, 7-1-0p0-1, 7-1-1. Later JUNOSe releases are unaffected."
