Daily Archives: August 6, 2015

ISC Releases Critical Security Updates for BIND

In late July the Internet Systems Consortium (ISC) released security updates to resolve critical denial of service (denial of service, defined) CVEs (CVE, defined) that exist in their BIND DNS software.

The first flaw is due to an error in handling TKEY queries (transaction key: the data structure that holds information in a standardized format for exchange between DNS servers). A single specifically crafted packet sent to BIND will cause it to trigger a REQUIRE assertion failure which will cause BIND to exit. Assert functions are generally used in software code to trigger a program to halt when certain conditions occur.

According to ISC, this issue has no workarounds or known mitigations. The only solution is to install the updates to BIND as mentioned in this security advisory.

The remaining flaw patched by ISC is due to an error in how BIND parses (analyses data in a structured manner in order to create meaning from it) data when performing DNSSEC validation for data contained within a specifically crafted DNS zone (the area in which a DNS server has authority for (see also “Aside” below)). This will result in the BIND software exiting resulting in a denial of service condition (denial of service, defined). While this issue has workarounds, they are not recommended actions since they have drawbacks, instead installing the updates mentioned in this security advisory is the recommended resolution.

Why Are These Issues Considered Critical?
These issues were assigned such a severe criticality rating due to their impact on the DNS name resolution software, namely that the software stops functioning. In addition, these issues are considered easy to exploit. For any device that uses your server for DNS services, those devices will no longer be able to access websites, other intranet resources or use email. If this issue is exploited on a wider scale, large parts of the internet would no longer be able to function correctly until those DNS servers were returned to service.

In addition, according to two separate sources exploits for this issue are already being seen in the wild. The availability of some popular websites has been affected. Since your website can be a large contributor to your revenue it is in your interest to address this issue.

How Can I Protect Myself From These Issues?
If you use BIND (it is included with Linux distributions e.g. Ubuntu, Redhat etc.) to provide any DNS services within your company or you know anybody who may be affected by this issue, please follow the advice in ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure

CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating

Thank you.

=======================
Aside:
What is a DNS zone?

A companies domain e.g. example.com can be split for organizational/administrative reasons into departments e.g. accounting.example.com , admin.example.com etc. Each of these divisions/splits is then referred to as a subdomain zone within the root domain (example.com). Depending on the size of an organization, for performance reasons multiple DNS servers may be assigned to provide DNS services for specific subdomains e.g. DNS server 1 provides DNS for Accounting and Admin while DNS server 2 is responsible for Production and Support.

Thus each server is responsible for different zones. These servers are authoritative for those zones (since those servers contain the hostname (the name of a device within a domain or subdomain) to IP address translation. This is similar to a person looking up a person’s name in a phone book to find their telephone number, DNS provides this service to enable computers to communicate with one another.

For an example of how DNS is used when web browsing, see the section titled “Why Does An Attacker Want To Change My Router’s DNS Settings” within a previous blog post.
=======================

=======================
Aside 2:
What is DNSSEC?

This is set of extensions to the original DNS standard that provides extra security such as origin authentication (where the DNS translation data came from). This is to prevent spoofing (where an invalid hostname to IP address translation is provided by another DNS server (potentially controlled by an attacker)) and DNS cache poisoning (where spoofed values are stored alongside legitimate values within a DNS server, such values will be provided to DNS queries taking devices to unexpected locations).

DNSSEC uses a Public Key Infrastructure (PKI) as well as digital signatures to allow the verification of authenticity of the DNS data received. The PKI allows the management of encryption keys and digital certificates (used in digital signatures) to maintain a trusted environment. The digital signatures are a means of verifying that the DNS information received has not been altered and has come from a known and trusted source. The digital certificates included with the signatures are issued/vouched for by certification authorities (CA, defined) e.g. Thawte, DigiCert and VeriSign etc.

A summary of the security benefits of DNSSEC is provided here and here while background information on DNSSEC deployment is provided here.
=======================

OpenSSH Potentially Vulnerable To Password Brute Force Attack

Update: 13th August 2015:
OpenSSH has released v7.0 which addresses the issue discussed in this post.

In late July a security issue with the most widely used SSH (Secure Shell, defined) implementation namely OpenSSH for Linux based systems was documented on the Full Disclosure mailing list. SSH uses port 22, TCP (see Aside (below) for a definition) or UDP (see Aside 1 of this post for a definition).

The issue involves the now less used method of keyboard-interactive login (where you type your password using a keyboard when prompted by the server). Many SSH sessions today are set up using automated secure connections (since they are automated no person is present to type the password). Instead public key cryptography (asymmetric encryption) allows you to verify your identity to the server as follows:

In order to do this, you initially create 2 keys a public and a private key. You send the public key to the server. When you wish to log into that server it will send a challenge (a cryptographic nonce) encrypted with the public key that you previously provided. You then use your private key to decrypt that nonce, re-encrypt it with your private key and send it back. The server then uses the public key to decrypt what you have sent. This verifies to the server that you do indeed possess the correct private key and are authorized to use the server. Guides on how to set up this feature are provided here and here.

Why Should This Issue With OpenSSH Be Considered Important?
On some OpenSSH installations especially FreeBSD systems have keyboard-interactive authentication enabled by default. When this is the case, you can specify via command line parameters to OpenSSH to allow for example 10000 individual keyboard devices to try to respond to the password being requested by the server you are attempting to access. This means that you will have 10000 attempts to guess the password of the server. This would allow you to execute a brute force attack to try to obtain the password.

If the password is quite weak, 10000 attempts will be more than enough to obtain/guess that password. The server does only allow you (by default) to have 2 minutes for the “login grace time” to allow you to enter your password, thus the attack would also be limited to this time, however 10000 guesses within 2 minutes is possible. When the password is obtained an attacker can then use your server with the same level of access that you have for any purpose they wish.

=======================
Aside:
What is TCP?

Transmission Control Protocol (TCP) is a connection oriented transport protocol within the larger TCP/IP ((Internet Protocol) suite which provides reliable data transmission (due to error checking and re-sending of packets corrupted or not received) and preserves the order of packets that are transmitted from a source device to a destination device. TCP/IP is a suite of protocols that provides worldwide connectivity between the devices that make up the Internet.

With TCP the connection between 2 devices must be set up and torn down. This in contrast to UDP that provides a connectionless data transmission service.
=======================

How Can I Protect Myself From This Issue?

While OpenSSH 6.9 is currently available, the upcoming version 7.0 does not appear to include revised default settings to eliminate the issue discussed above. The above suggestions should keep you safe from this potential brute force attack.

Update: 13th August 2015:
OpenSSH has released v7.0 which addresses the above issue discussed in this post.

Thank you.

WordPress Releases Security Updates

Earlier this week, WordPress released version 4.2.4 of its self-hosted blogging tool/content management system (CMS).

This update resolves 6 serious issues, which include:

Due to the severity of these issues, WordPress is advising it’s users to update immediately.

In addition, in late July WordPress released version 4.2.3. That update resolves 2 security vulnerabilities; the first vulnerability is a cross-site scripting (XSS) issue that could allow legitimate users (with Author or Contributor rights) to compromise your website by allowing the addition of JavaScript to the website pages. With the addition of arbitrary JavaScript code to a website comes risks of malware infection (e.g. a watering hole attack) or in a severe case of an XSS attack the user’s session cookies (and thus the resources/information it has access to) are compromised by an attacker. The remaining issue involved a legitimate user with Subscriber permissions being able to carry out un-intended actions, specifically creating a draft of a webpage using the Quick Draft feature.

WordPress users can update their CMS manually or since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

The next version WordPress namely 4.3 is anticipated to arrive on the 18th of August. While this is not a security update, it does contain important changes. In order to ensure the stability and security of your WordPress installation it is prudent to have streamlined processes in place in order to apply multiple updates to WordPress each month when necessary.

Thank you.