DNS implementations vulnerable to denial-of-service attacks via malformed DNS queries

Overview

Incorrect decoding of malformed DNS packets causes certain DNS implementations to hang or crash.

Description

RFC1035 (DOMAIN NAMES, IMPLEMENTATION AND SPECIFICATION) defines a mechanism for conserving bytes in a DNS query or reply packet by avoiding repetition of character strings (“labels”) in a domain name. Thus if the label “domain.com” appears several times in a query or response packet (i.e. “www.domain.com”, “host.subdomain.domain.com”, “ns.domain.com”), only the first occurrence need be fully specified - further occurrences of “domain.com” can be alluded to by using a pointer to the first occurrence. Since labels in a DNS packet are preceded by an 8 bit length field, and since individual labels are restricted to 63 characters, there are 2 unused bits in the length field. Setting these two bits 2 to “11” indicates that the following byte is not a label but rather a pointer to a prior occurrence of a label elsewhere in the packet. Programs are not required to encode packets using this label compression scheme, but all programs are required to be able to decode any such packets that are received.

Numerous DNS implementations do not perform sufficient input checking on compressed labels, allowing an attacker to craft a DNS query containing malformed compressed labels. For example, a packet can be constructed that has a pointer that points back to itself, or that contains a pointer that points to another pointer which points back to the first pointer. When vulnerable programs attempt to decode these malformed labels, various undesirable effects can be induced in the decoding process including allocating all of the process’s available memory or causing the process to enter an infinite loop.

Note: Any program that performs raw decoding of DNS packets (sniffers, IDS, nameservers, etc.) may potentially exhibit this vulnerability unless care has been taken in the implementation of the decompression code. Many popular programs besides tcpdump and ethereal perform these functions, and may not have been tested for this vulnerability yet.

---

Impact

If a remote, unauthenticated attacker supplies a vulnerable DNS implementation with a specially crafted query, they may be able to cause that DNS software to enter an infinite loop eventually consuming 100% CPU resources. This will cause the DNS software to crash resulting in a denial-of-service condition.

---

Solution

Apply patch

Users are encouraged to check with their vendor to determine the appropriate patch or update to apply.

---

Vendor Information

23495

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Ethereal __ Affected

Updated: May 30, 2001

Status

Affected

Vendor Statement

Upgrade to at least ethereal 0.8.7

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%2323495 Feedback>).

Tcpdump.Org __ Affected

Updated: May 30, 2001

Status

Affected

Vendor Statement

Upgrade to at least tcpdump 3.5

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%2323495 Feedback>).

Apple Computer, Inc. Not Affected

Updated: November 10, 2005

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation __ Not Affected

Notified: November 10, 2005 Updated: November 15, 2005

Status

Not Affected

Vendor Statement

According to Microsoft:

The Microsoft implementation of DNS is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: November 10, 2005 Updated: November 10, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Internet Software Consortium Unknown

Notified: November 10, 2005 Updated: November 10, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: November 10, 2005 Updated: November 10, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html&gt;
• <http://www.securityfocus.com/bid/1165&gt;
• <http://www.ciac.org/ciac/bulletins/l-015.shtml&gt;
• <http://secunia.com/advisories/15472/&gt;
• <http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml&gt;
• <http://www.securityfocus.com/bid/13729&gt;
• <http://www.securitytracker.com/id?1014046&gt;
• <http://www.securitytracker.com/id?1014045&gt;
• <http://www.securitytracker.com/id?1014044&gt;
• <http://www.securitytracker.com/id?1014043&gt;
• <http://www.ethereal.com>
• <http://www.tcpdump.org>

Acknowledgements

Thanks to Hugo Breton and [email protected] for reporting this vulnerability. Additional information for this issue was provided by the by the NISCC Vulnerability Management Team.

This document was written by the CERT Technical Staff.

Other Information

CVE IDs:	CVE-2000-0333
Severity Metric:	41.92 Date Public: