CVE-2012-1033: Ghost Domain Names: Revoked Yet Still Resolvable
Author: Cathy Almond | Reference Number: AA-00691 | Created: 2012-05-31 12:06 | Last Updated: 2012-06-07 13:08
After completing our analysis of the DNS exploit reported by Professor Haixin
Duan of Tsinghua University, ISC has determined that the behavior he
describes, while verifiable, is due to design issues
in the DNS protocol. No immediate steps are planned to address the
issue. Further information concerning the implications of the reported
vulnerability can be found in the complete problem description below.
Posting date: 07 Feb 2012
All versions of BIND
On February 7th, in anticipation of a paper being presented by Professor Haixin Duan, ISC issued a security announcement for CVE-2012-1033.
We moved quickly to make an announcement in advance of Professor Duan's
paper, scheduled to be presented at the Network and Distributed System
Security Symposium the following day, because we wanted to ensure that
we were not withholding any information with potential security
implications for our users.
Our initial disclosure stated that
we were assessing the implications of this vulnerability. After
completing our analysis, we wish to share our conclusions:
- The behavior in question arises from a side-effect of design
decisions in the DNS protocol. It is not caused by a bug in BIND or
other affected software. BIND and other software affected by this
behavior are so affected because of the inherent, longstanding design of
the DNS protocol.
- To the best of our current knowledge, the
extent of the exposure for users of BIND or other affected software is
this: every resource record in the Domain Name System hierarchy has a
time-to-live (TTL) value associated with it, intended to control how
long the information in the resource record can be kept in cache by a
non-authoritative server. Dr. Duan's paper discloses a method whereby
information can be prolonged in the cache beyond the period supposedly
allowed by the TTL value, causing affected resolvers to potentially
return incorrect answers. It does not allow arbitrary insertion,
removal, or alteration of resource record data.
- ISC does not
have current plans to release new versions of BIND with alterations to
caching policy in response to this disclosure.
We intend to do
further analysis and to work with the IETF, the internet infrastructure
community, and our customers to determine
how to address the problem
while remaining protocol-compliant. Relevant improvements to the
protocol have been previously proposed by Paul Vixie and ISC will
continue to work for adoption of those or other protocol-level
- While the behavior in question is clearly not
intended by design and may be exploitable in highly specific
circumstances, unsecured DNS is not designed to be relied on for
security. ISC continues to recommend that organizations with security
needs who are reliant on the Domain Name System proceed with adoption of
DNSSEC; DNSSEC is the best known method of mitigating this issue.
(Original Description: Tsinghua University researchers discovered "a vulnerability affecting the large majority of popular DNS
implementations which allows a malicious domain name to stay resolvable
long after it has been removed from the upper level servers." The
issue, which is in all versions of BIND 9 to our knowledge, "exploits a
vulnerability in DNS cache update policy, which prevents effective
domain name revocation. Attackers could cause a malicious domain name to
be continuously resolvable even after the delegated data has been
deleted from the domain registry and after the TTL associated with entry
supposedly expires." (quoted sections are from the Tsinghua University
CVSS Score: 5
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N)
If you are aware that you have cached bad
records, clearing the cache will remove them but is not an effective or
practical preventative approach.
No known active exploits, but the paper describing
the issue is public and has been presented in public forums. The Ghost
Names exploit might assist cyber-criminal activity.
On further review, ISC has determined that this
is not an issue which needs an immediate patch. The issue is being
reviewed at the protocol level and will be addressed there. Implementing
DNSSEC is the safest mitigation measure.
**Delayed Update of 29 May --
The following releases, 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0, and subsequent releases have changes to address this issue:
3282. [bug] Restrict the TTL of NS RRset to no more than that
of the old NS RRset when replacing it.
[RT #27792] [RT #27884]**
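As an added illustration of the policy that change 3282 describes (a constructed model, not BIND's own code): a toy resolver cache whose NS RRset update rule either accepts a replacement RRset with its full TTL, as before the change, or caps it at the remaining TTL of the RRset it replaces. The domain names, TTLs and refresh interval are assumed values chosen for the simulation.

```python
from dataclasses import dataclass

@dataclass
class CachedRRset:
    rdata: tuple     # NS target names
    expires_at: int  # absolute time in seconds

class Cache:
    """Toy resolver cache holding one NS RRset per delegation (constructed model)."""
    def __init__(self, restrict_ns_ttl: bool):
        self.restrict_ns_ttl = restrict_ns_ttl  # True models BIND change 3282
        self.entries = {}

    def remaining(self, owner: str, now: int) -> int:
        """Seconds of life left in owner's cached NS RRset (0 if absent or expired)."""
        e = self.entries.get(owner)
        if e is None or e.expires_at <= now:
            return 0
        return e.expires_at - now

    def update_ns(self, owner: str, rdata, ttl: int, now: int) -> int:
        """Replace owner's NS RRset with one learned from a response; returns the TTL stored."""
        old_remaining = self.remaining(owner, now)
        if self.restrict_ns_ttl and old_remaining > 0:
            # Change 3282: the replacement may not outlive the RRset it replaces,
            # so repeated refreshes cannot push the expiry forward indefinitely.
            ttl = min(ttl, old_remaining)
        self.entries[owner] = CachedRRset(tuple(rdata), now + ttl)
        return ttl

    def resolvable(self, owner: str, now: int) -> bool:
        return self.remaining(owner, now) > 0

def simulate(restrict_ns_ttl: bool, ttl: int = 86400, refresh_every: int = 43200,
             horizon: int = 86400 * 30):
    """Delegation cached at t=0 and then removed from the parent; the delegated zone's
    own server keeps returning its NS RRset (full TTL) every refresh_every seconds.
    Returns the time the name stopped resolving, or None if still resolvable at the horizon."""
    cache = Cache(restrict_ns_ttl)
    owner, ns = "example.test.", ["ns1.example.test."]  # constructed names
    cache.update_ns(owner, ns, ttl, now=0)
    t = refresh_every
    while t <= horizon:
        if not cache.resolvable(owner, t):
            return t
        cache.update_ns(owner, ns, ttl, now=t)  # refresh from the child's answer
        t += refresh_every
    return None
```

With the pre-3282 rule `simulate(False)` never expires the delegation within the horizon, while `simulate(True)` expires it at the original 86400-second TTL boundary regardless of how often the child refreshes it.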
Acknowledgment: ISC would like to thank the research team who found this exploit:
Jian Jiang, Network Research Center, Tsinghua University
Haixin Duan, Network Research Center, Tsinghua University
Jianping Wu, Network Research Center, Tsinghua University
Kang Li, Department of Computer Science, University of Georgia
Jun Li, University of Oregon Carlos III University of Madrid, Institute IMDEA Networks
Jinjin Liang, Network Research Center Tsinghua University
Nicholas Weaver, International Computer Science Institute (ICSI)
The exploit was presented at the NDSS conference: "Ghost Domain Names: Revoked Yet Still Resolvable" http://www.internetsociety.org/events/ndss-symposium-2012/symposium-program/feb08
Document Revision History:
1.0 - Notified Phase I, II & III (7 February, 2012)
2.0 - Updated Description, Summary, Workaround, Related Docs (8 February, 2012)
2.1 - Updated Summary description with changes made to code in the last releases (29 May, 2012)
Internet Systems Consortium (ISC) is providing
this notice on an "AS IS" basis. No warranty or guarantee of any kind is
expressed in this notice and none should be implied. ISC expressly
excludes and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any implied
warranty of merchantability, fitness for a particular purpose, absence
of hidden defects, or of non-infringement. Your use or reliance on this
notice or materials referred to in this notice is at your own risk. ISC
may change this notice at any time.
A stand-alone copy or paraphrase of the text of this document that
omits the document URL is an uncontrolled copy. Uncontrolled copies may
lack important information, be out of date, or contain factual errors.
© 2001-2017 Internet Systems Consortium