Lack of security in hidden DNS resolvers leaves website hijacking risk pervasive

WordPress installations exposed to spoofed password resets and cache poisoning threats

Security researchers warn that hidden DNS (Domain Name System) resolvers create a means to carry out email redirection and account takeover attacks.

In a technical blog post, SEC Consult uses a variant of a cache poisoning attack (PDF) first uncovered by Dan Kaminsky, a well-known network security researcher, to reveal the DNS names of these so-called closed DNS resolvers. It explains how to work with resolution. in 2008.

Cache from Chaos

Previous research by SEC Consult has shown that attackers can manipulate DNS name resolution to take over web application user accounts.

Closed DNS resolvers are used by many hosting providers and other Internet Service Providers (ISPs) to provision their services to their clients. As the name suggests, a closed DNS resolver resides in a closed network or intranet.

However, the term “closed” is a bit misleading in the context of the SEC Consult study. Because the researchers show that an outside actor could abuse the functionality of his web application to easily attack closed resolvers.

They found that attack reconnaissance is possible by exploiting how closed DNS resolvers interact with spam protection mechanisms on the open Internet.

This helps attackers understand DNS security features such as source port randomization, DNSSEC, and IP fragmentation. It could also be understood by an attacker by more easily exploiting the registration, password reset, and newsletter functions of her web application that relies on closed resolvers.

scour the web

SEC Consult used two open source tools, DNS Reset Checker and DNS Analysis Server, to analyze DNS traffic from the targeted system and identify vulnerabilities.

In practice, this attack reconnaissance effort involved sending emails to several known domains and specifying the analysis domain as the sending domain. This allowed researchers to identify thousands of systems using static source ports. This was a security oversight that made it vulnerable to Kaminsky-style attacks.

“After sending emails to approximately 50,000 domains, we received and analyzed DNS data for approximately 7,000 of them,” explains SEC Consult. “Of these 7,000 domains, he found that at least 25 used static source ports. Digging down the rabbit hole again, he uncovered thousands of domains using static source ports. rice field.”

SEC Consulting discovered that none of the 25 vulnerable resolver samples used or enforced additional security features such as DNSSEC.

The affected services ran behind domains operated by both small businesses and large corporations, as well as sites distributing government services and political campaigns.

Keep up with the latest DNS security news and analysis

The DNS cache poisoning vulnerability can be exploited for record manipulation and email redirection. This is a security flaw that allows attackers to abuse the password reset functionality of installations such as WordPress and Joomla.

SEC Consult was able to demonstrate that this attack technique can be used to hijack even a fully patched WordPress installation.

The information security company has refrained from disclosing the exploit code it developed to attack WordPress systems. This is due to the lack of awareness of this issue and the concern that many web-based systems accessible through closed DNS resolvers may be exposed to attack.

SEC Consults spoke to ISPs, hosting providers, and Computer Emergency Response Teams (CERTs) about the issue months before last week’s findings were published.

cash out

Independent DNS security experts say the research raises legitimate concerns.

Infoblox Chief DNS Architect Cricket Liu said: Daily Swig: “I don’t think this is particularly new. We talked about this sort of thing in the heyday of the Kaminsky vulnerability, but there are still some DNS servers that don’t use source port randomization, so it’s relevant.” there is potential.”

Including Exotic Attacks

While the traditional Kaminsky attack is definitely not the “next big thing,” according to SEC Consult, it would be unwise to dismiss the issue as unfashionable.

Timo Longin, security consultant at SEC Consult, said: Daily Swig: “DNS has to be brought to the attention of the information security community because it offers such an exotic and unknown attack vector. We have found that doing so can compromise all hosted servers.”

Vulnerable DNS resolvers must be patched and securely configured to protect your system. Best practices for securing your own DNS resolver can be found on Google and DNS flag day. Alternatively, you can use a large public DNS provider such as Google, Cloudflare, or Cisco.

Countermeasures against new DNS attacks are typically quickly implemented by these large providers, according to SEC Consult.

you might like it too A policy-as-code approach combats “cloud-native” security risks