While this is completely unrelated to any particular malware, there is a rather disconcerting DNS cache-poisoning vulnerability that has surfaced which deserves the attention of any and every organization on the planet that operates their own DNS servers.

The importance of determining if you are vulnerable, and getting the vulnerability fixed quickly, is becoming more important as each day passes. This is due not only to the criticality of the vulnerability, but also due to some of the “colorful” background in how some of the details have become available surrounding the vulnerability itself.

First, US-CERT published an advisory on this vulnerability on 8 July 2008, and they have a detailed reference of vendor products that are affected on their advisory page. Please visit their advisory page to determine if your DNS infrastructure is at risk.

As the US-CERT advisory states, the heart of this issue is that DNS caching nameservers can be poisoned by an “…attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver.”

This is a very serious situation, and can possibly lead to widespread and targeted attacks that hijack sensitive information by redirecting legitimate traffic to fraudulent Web sites, due to incorrect (fraudulent) information being injected into the vulnerable caching nameserver(s).

Secondly, while the details of this vulnerability were originally discovered by Dan Kaminsky, and were originally to be revealed at the upcoming Black Hat conference in Las Vegas next month, some details regarding the vulnerability have been “leaked” to the public, which increases the importance of quickly patching any vulnerability in deployed DNS servers.

There are also some publicly available tools to determine if your DNS servers are affected.

This vulnerability is quite serious, so please — PATCH NOW.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research