Tag Archives: DNS

Cable Modems Vulnerable to Cable Haunt Vulnerabilities

If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. If you use a cable modem for your internet connection, you should check if your modem is vulnerable and follow the step “What should I do” mentioned below.

In mid-January it was discovered the firmware (defined) of many internet service provider (ISP) modems (specifically combined modems and routers in the same device) was vulnerable to remote takeover by attackers. These vulnerabilities have been named Cable Haunt as an easier to remember reference.

How widespread are the affected modems?
At least the following manufacturers are affected, with up to 200 million vulnerable modems, mainly based in Europe, although other regions (e.g. North America) are also affected. Please see also the FAQ “Am I Affected” on the Cable Haunt website.


Other brands of modems confirmed by the wider community as being vulnerable are:

Cisco EPC3928AD
Cisco/Technicolor DPC3216
Humax HGB10R-02
SMC Electronics SMC D3-CCR-v2
Zoom 5370
Virgin Media’s Super Hub 3 and 4 do not appear to be vulnerable.

How serious are these vulnerabilities?
While the vulnerabilities are serious in their impact, namely complete remote compromise of the device, how an attacker could exploit the vulnerabilities to achieve that outcome is not trivial. As per the researchers:

“This could be exploited by an attacker if you visit a malicious website or if they embed the code, for instance in an advert, on a trusted website. It is important to point out that this is not the only attack vector that can be employed, vulnerable mail-clients, exploited IoT devices, public networks etc. are also viable attack vectors”.

Summary of the Technical Aspects of these vulnerabilities
The vulnerability designated formally as CVE-2019-19494 is a buffer overflow (defined) that, if exploited, could allow remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device) with kernel level (defined) privileges by using JavaScript (defined) within your web browser. According to the researchers, the buffer overflow can be exploited using “a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker”.

An important aspect of the exploit described above is that, while the attack is remote (using a victim’s web browser), it results in the local compromise of the modem’s spectrum analyser. Linked to this, a DNS re-binding attack (defined) can be used to give an attacker access to the compromised spectrum analyser. The result of the above exploits provides the attackers with (according to the researchers) “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP”. This capability could be used to:

  1. Intercept private messages
  2. Redirect traffic
  3. Add the modems to botnets
  4. Replace the devices firmware
  5. Instruct the device to ignore remote system updates (which could be used to patch the vulnerabilities, complicating the resolution of a compromised device by its legitimate owner/user)

How can I protect my organisation or myself from these vulnerabilities?
For in-depth answers from the researchers to this question in the context of an internet service provider (ISP), the user of the modem (e.g. within a small business), an individual or a security researcher, please see the question “What Should I do” on the dedicated Cable Haunt website:


According to Graham Cluley: “Some ISPs in Scandinavia appear to have remotely patched the cable modems of their customers, but others have some catching up to do it seems. If your cable modem contains a Broadcom chipset you might want to contact your ISP and ask them what they’re doing about this”.

Thank you.


My sincere thanks to the Cable Haunt researchers Alexander Dalsgaard Krog (Lyrebirds), Jens Hegner Stærmose (Lyrebirds), Kasper Kohsel Terndrup (Lyrebirds) and Simon Vandel Sillesen (Independent) as well as Graham Cluley for the excellent information which this blog post is built upon.

DNS Flag Day Aims to Make DDoS Attacks Harder

Since the 1st of February multiple major DNS (defined) resolvers removed resolver workarounds. The resolvers involved in the initiative include ISC, Cloudflare, Facebook, Cisco, Google (among others).

The workarounds were removed so that DNS queries which do not comply with the official Requests for Comments (RFC) 1035 and 2671 are no longer completed (resolved). In more depth, the DNS Flag Day page explains these workarounds are being removed because:

The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago.

To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.

It appears that DNS amplification and DNS flood attacks are the threats these changes aim to mitigate. A full list of the types of DDoS (defined) attacks is available from the following Cloudflare page (at the end of that page):

It will be interesting to see the effect of these changes on the DNS infrastructure when it is again targeted by botnets (defined) (e.g. made up of Internet of Things (IoT) (defined) devices or compromised systems) or by other means. Such botnets can make use of a command and control (C2) (defined) infrastructure.
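As an added example that is not part of the original posts, nor code from the Cable Haunt researchers or the DNS Flag Day initiative, the following Python script shows two resolver-side checks tied to this post and to the Cable Haunt post above. It parses a DNS response and (1) reports whether an OPT pseudo-record is present (type 41, RFC 6891, the successor to RFC 2671, i.e. whether the responder speaks EDNS, which the Flag Day resolvers now expect) and (2) flags A/AAAA answers for external names that point into private, loopback or link-local address space, the answer shape a DNS re-binding attack relies on to reach a device such as a modem’s local management interface from a web page. Dropping such answers is what a rebind-protecting resolver does (dnsmasq’s `--stop-dns-rebind` option, for instance). The packet builder, names and addresses are constructed for the example, and the `internal_suffixes` allow-list parameter is an assumption of this example.

```python
"""Added example, not code from the blog, the Cable Haunt researchers or the
DNS Flag Day initiative: a minimal DNS response parser with two resolver-side
checks. Every packet here is constructed with build_response() for the demo."""
import ipaddress
import struct

A_TYPE, AAAA_TYPE, OPT_TYPE = 1, 28, 41   # RR type codes (RFC 1035 / RFC 6891)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name at msg[off:] (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes):
    """Parse header, questions and all RRs. Returns {'questions': [...],
    'records': [(name, type, rdata), ...]} over answer+authority+additional."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"questions": questions, "records": records}


def has_edns_opt(parsed) -> bool:
    """True when the message carries an OPT pseudo-RR, i.e. the sender speaks EDNS."""
    return any(rtype == OPT_TYPE for _, rtype, _ in parsed["records"])


def rebind_suspects(parsed, internal_suffixes=()):
    """Return (name, address) pairs for A/AAAA answers that map a name outside the
    allow-listed internal zones onto non-global address space. A rebinding attack
    needs exactly such an answer, so a protecting resolver drops them."""
    hits = []
    for name, rtype, rdata in parsed["records"]:
        if rtype not in (A_TYPE, AAAA_TYPE):
            continue
        addr = ipaddress.ip_address(rdata)    # accepts 4- or 16-byte packed form
        if addr.is_global:
            continue
        if any(name == s or name.endswith("." + s) for s in internal_suffixes):
            continue      # assumption: named internal zones may legitimately resolve privately
        hits.append((name, str(addr)))
    return hits


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(qname: str, answers, with_opt: bool) -> bytes:
    """Construct a response: one A question, one A/AAAA RR per address (names use a
    pointer back to the question), optionally an OPT RR in the additional section."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, int(with_opt))
    body = encode_name(qname) + struct.pack("!HH", A_TYPE, 1)
    for addr in answers:
        packed = ipaddress.ip_address(addr).packed
        rtype = A_TYPE if len(packed) == 4 else AAAA_TYPE
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(packed)) + packed
    if with_opt:   # OPT: root name, CLASS = UDP payload size, TTL = extended RCODE/flags
        body += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return header + body


if __name__ == "__main__":
    # constructed: an external name answering with one public and one private address
    pkt = build_response("lure.example", ["93.184.216.34", "192.168.100.1"], with_opt=True)
    parsed = parse_response(pkt)
    print("EDNS OPT present:", has_edns_opt(parsed))
    print("rebind suspects :", rebind_suspects(parsed))
```

The filter deliberately keys on the answer address rather than on the name: a rebinding attacker controls the name, so the only reliable signal a resolver has is an external name suddenly mapping onto an address range it has no business pointing at.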

Thank you.

October 2017 Security Updates Summary

As scheduled Microsoft released their monthly security updates earlier today. They address 62 vulnerabilities; more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month there are 4 Known Issues (kb4041691, kb4042895, kb4041676 and kb4041681) for Microsoft’s updates. 2 of these issues relate to an exception error dialog box appearing, with the others causing a black screen, updates not installing in express mode, a BSOD and changing of display languages. Microsoft states in each link above that they are working on resolutions to these issues.


Update: 18th October:

On the 16th of October Adobe released Flash Player v27.0.0.170 to address a critical zero day (defined) vulnerability being exploited in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives). The BlackOasis APT group, believed to operate in the Middle East, is using malicious Microsoft Office documents with embedded ActiveX controls which contain the necessary Flash exploit. This exploit later installs the FinSpy malware.

Please install this update as soon as possible for any device with Flash Player installed. Google Chrome has already automatically received the update while earlier today Windows 8.1 and Windows 10 began receiving it.

As always you can monitor the availability of security updates for most of your software from the following websites (among others) or use Secunia PSI:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):


A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

For this month’s Microsoft updates, I will prioritize the order of installation for you below:
Critical severity:

Microsoft Office vulnerability: CVE-2017-11826: while not rated critical severity, it is already being exploited by attackers, namely a zero day (defined) vulnerability.

Windows DNS Vulnerabilities: Further details provided within this news article

Windows Search Service (CVE-2017-11771): affects Windows 7 up to and including Windows 10

Windows Font Vulnerabilities: CVE-2017-11762 and CVE-2017-11763

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)


Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Nvidia Geforce Drivers:
This update (released in September 2017) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

Google Chrome:
Google Chrome: includes 35 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

Wireshark 2.4.2 and 2.2.10
v2.4.2: 5 CVEs (defined) resolved

v2.2.10: 3 CVEs resolved

As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code of v2.4.2 or v2.2.10). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Oracle:
This month Oracle resolved 250 vulnerabilities. Further details and installation steps are available here. Within the 250 vulnerabilities addressed, 22 vulnerabilities were addressed in the Java runtime.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

Malware uses DNS protocol for command and control

In early March two Cisco Talos security researchers, Edmund Brumaghin and Colin Grady, released details of a multi-stage trojan horse which communicates with its creator(s) using the Domain Name System (DNS) (defined) protocol.

Since DNS is a widely used, essential protocol it is often allowed to pass through corporate and personal firewalls. The source of the malware is an email containing an attachment the email claims has been secured with McAfee. The attachment is a Microsoft Word document which, when opened, requests to enable macros (defined). If the user enables macros, they unpack a Microsoft PowerShell script (a computer programming language usually used for automating system administration tasks) which forms the second stage of the attack.

Next the script checks if the currently logged-in user has administrator rights for their Windows account and checks the installed version of PowerShell. The script then adds a backdoor (defined). If the earlier check for administrative privileges was positive, the backdoor will persist after restarting or powering off the system. This backdoor uses DNS to receive and carry out commands from its creators.

While analysing this threat, the above mentioned security researchers did not witness the malware receiving DNS commands due to its targeted nature.

How can I protect myself from this threat?
Since this malware arrives via email, please verify the emails you receive are genuine and not attempting to deliver malware. SANS recently provided extra advice on this (March 6th: source)

Don’t Trust Links Sent in Email Messages March 6, 2017
A common method cyber criminals use to hack into people’s computers is to send them emails with malicious links. People are tricked into opening these links because they appear to come from someone or something they know and trust. If you click on a link, you may be taken to a site that attempts to harvest your information or tries to hack into your computer. Only click on links that you were expecting. Not sure about an email? Call the person to confirm they sent it.

In addition, if you inspect network traffic within your corporate network, please consider adding DNS to the list of protocols analysed. Attackers are likely to leverage this widely allowed protocol for command and control (defined) going forward.
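As an added example of the DNS inspection suggested above (my own illustration, not Cisco Talos’ tooling or code from the post), the Python script below scores DNS query-log lines for the traits a DNS command and control channel tends to leave: one client sending many distinct, long, high-entropy subdomain labels under a single parent domain, largely as TXT lookups. The log format, the sample lines, the “parent domain equals the last two labels” simplification and the alert thresholds are all assumptions constructed for this example; production tooling would use the Public Suffix List and tune thresholds to its own baseline.

```python
"""Added example, not Cisco Talos' tooling or code from the post: score DNS
query-log lines for the traits of DNS-based command and control, i.e. a client
sending many distinct, long, high-entropy subdomain labels under one parent
domain, mostly as TXT queries. The log format, the sample lines and the
thresholds are all constructed assumptions for this example."""
import math
from collections import defaultdict

# Constructed query log in the form "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2017-03-07T10:01:02Z 10.1.2.3 A www.example.com
2017-03-07T10:01:03Z 10.1.2.3 A mail.example.com
2017-03-07T10:01:05Z 10.1.2.3 TXT 3f9a1c7e4b2d8e60a1c2.beacon-cdn.example
2017-03-07T10:01:06Z 10.1.2.3 TXT 9c0b5e7f1a2d3c4e5f60.beacon-cdn.example
2017-03-07T10:01:07Z 10.1.2.3 TXT b7e2d4c6a8f0e1d3c5b7.beacon-cdn.example
2017-03-07T10:01:08Z 10.1.2.3 TXT 1d3f5b7a9c2e4d6f8a0b.beacon-cdn.example
2017-03-07T10:01:09Z 10.1.2.3 TXT e4c6a8b0d2f4e6a8c0d2.beacon-cdn.example
2017-03-07T10:01:10Z 10.1.2.3 TXT 7a9c1e3f5b7d9f1a3c5e.beacon-cdn.example
2017-03-07T10:01:11Z 10.1.2.4 A www.example.com
2017-03-07T10:01:12Z 10.1.2.4 AAAA cdn.example.com
2017-03-07T10:01:13Z 10.1.2.4 TXT _dmarc.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; hex-like encoded beacons score near 4, hostnames lower."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Split a log line; the parent domain is taken as the last two labels
    (assumption: real tooling would consult the Public Suffix List)."""
    timestamp, client, qtype, qname = line.split()
    labels = qname.rstrip(".").lower().split(".")
    return {"ts": timestamp, "client": client, "qtype": qtype,
            "parent": ".".join(labels[-2:]), "sub": ".".join(labels[:-2])}


def score_log(lines, min_queries=5, min_avg_len=16, min_entropy=3.0, min_txt_share=0.5):
    """Aggregate per (client, parent domain) and return alerts for pairs whose
    leftmost labels are long, high-entropy and mostly TXT lookups."""
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "len": 0, "ent": 0.0, "subs": set()})
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        st = stats[(rec["client"], rec["parent"])]
        leftmost = rec["sub"].split(".")[0]
        st["n"] += 1
        st["txt"] += rec["qtype"] == "TXT"
        st["len"] += len(leftmost)
        st["ent"] += shannon_entropy(leftmost)
        st["subs"].add(rec["sub"])
    alerts = []
    for (client, parent), st in stats.items():
        n = st["n"]
        summary = {"client": client, "parent": parent, "queries": n,
                   "avg_label_len": st["len"] / n, "avg_entropy": st["ent"] / n,
                   "txt_share": st["txt"] / n, "distinct_subdomains": len(st["subs"])}
        if (n >= min_queries and summary["avg_label_len"] >= min_avg_len
                and summary["avg_entropy"] >= min_entropy
                and summary["txt_share"] >= min_txt_share):
            alerts.append(summary)
    return alerts


if __name__ == "__main__":
    for alert in score_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, only the `10.1.2.3` / `beacon-cdn.example` pair trips the thresholds; the ordinary lookups from both clients, including the legitimate `_dmarc` TXT query, stay below them because their labels are short and low-entropy.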

Thank you.

Apple Releases Security Updates May / June 2016

Earlier this week Apple released a firmware (defined) update for its AirPort wireless base stations to resolve a critical vulnerability. Since I haven’t published information on Apple updates in many weeks I will also discuss the large collection of updates released on the 16th of May applying to the following products:

    Apple iOS 9.3.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 3 and later
    Apple watchOS 2.2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
    Apple tvOS 9.2.1: For Apple TV (4th generation)
    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.5
    Apple Safari 9.1.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.5
    Apple iTunes 12.4: For Windows 7 and later

As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

Why Should These Issues Be Considered Important?

The most important updates to install are the AirPort firmware updates and the OS X security updates.

The AirPort firmware update is particularly severe since it relates to how these devices parse (defined) DNS (defined) data. The possible implications of such a vulnerability are clearly explained in this ComputerWorld article. As that article notes, DNS cannot easily be disabled without affecting functionality, providing even more reason to install the necessary firmware updates as soon as possible.

Apart from the AirPort firmware updates, the collection of updates made available on the 16th of May includes fixes for issues such as those detailed below:

Apple iOS 9.3.2: Resolves 39 CVEs and includes fixes for CommonCrypto, IOAcceleratorFamily, Disk Images, iOS kernel (defined), libc, libxml2, OpenGL and WebKit (and associated components), among others.

Apple watchOS 2.2.1: Resolves 26 CVEs and includes fixes for CommonCrypto, CoreCapture, Disk Images, IOHIDFamily, IOAcceleratorFamily, watchOS kernel, libc, libxml2, libxslt and OpenGL.

Apple tvOS 9.2.1: Addresses 33 CVEs, the most severe present in the following components: CommonCrypto, IOAcceleratorFamily, Disk Images, IOHIDFamily, tvOS kernel (defined), libc, libxml2, libxslt, OpenGL and WebKit (and associated components), among others.

Apple OS X El Capitan v10.11.5 and Security Update 2016-003: Resolves 70 CVEs, the most severe being present in the following: AMD, AppleGraphicsControl, AppleGraphicsPowerManagement, ATS, Audio, CommonCrypto, CoreCapture, CoreStorage, Crash Reporter, Disk Images, Graphic Drivers, Intel Graphics Drivers, IOAcceleratorFamily, IOAudioFamily, IOFireWireFamily, IOHIDFamily, OS X kernel, libc, libxml2, libxslt, Nvidia Graphics Drivers, OpenGL, QuickTime and SceneKit (among others).

Apple Safari 9.1.1: Resolves 7 CVEs, the most critical being present in WebKit (the renderer of Safari) and WebKit Canvas.

Apple iTunes 12.4 for Windows: Resolves 1 critical CVE in the iTunes installer.

How Can I Protect Myself from These Issues?
If you own any devices that use Apple AirPort wireless base stations, use Apple iOS, watchOS, tvOS or OS X, or you know someone that does, advise them to use the links below to install the most recent security updates.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

ISC Releases Security Updates for BIND (March 2016)

Last week the Internet Systems Consortium (ISC) released 3 security updates to address 3 high severity denial of service issues (defined) found within their BIND DNS software.

Separately ISC has released a security advisory for ISC DHCP concerning a denial of service issue that has not yet been resolved using a patch/update. Workarounds for this issue are available within that advisory. I will update this post when these updates become available. This issue affects the following versions of ISC DHCP: 4.1.0->4.1-ESV-R12-P1, 4.2.0->4.2.8, 4.3.0->4.3.3-P1

Update 25th June 2016
At this time, as I mentioned below in my previous update, the updates to address the issue mentioned above within ISC DHCP have not yet been released. I will continue to monitor the security advisory until these updates are made available.

Thank you.
Update 26th April 2016
At this time, the updates to address the issue mentioned above within ISC DHCP have not yet been released. I will continue to monitor the security advisory until these updates are made available.

Thank you.

Why Should These Issues Be Considered Important?
These issues affect a large number of versions (listed below) of BIND making these issues ever more important to address as soon as possible:

Advisory 1: 9.10.0 -> 9.10.3-P3
Advisory 2: 9.2.0 -> 9.8.8, 9.9.0->9.9.8-P3, 9.9.3-S1->9.9.8-S5, 9.10.0->9.10.3-P3
Advisory 3: 9.0.0 -> 9.8.8, 9.9.0 -> 9.9.8-P3, 9.9.3-S1 -> 9.9.8-S5, 9.10.0 -> 9.10.3-P3

The first security issue involves an error in the implementation for preliminary support for DNS cookies. If an attacker sends a malformed packet containing multiple cookie options, the named control channel will exit with an INSIST assertion (defined) meaning that the DNS server is no longer available to process user requests (a denial of service).

If you cannot deploy the patch for this issue immediately, a workaround is provided by ISC within this security advisory which you can use until the patch is installed.
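To make the input class behind the first issue concrete, here is an added example (my own code, not ISC’s) of the defensive check a DNS implementation wants at this point: parse the option list carried in an EDNS OPT record’s RDATA and reject a message that carries more than one COOKIE option, or a cookie of impossible length, with an error the caller can handle instead of an assertion that takes the whole process down. The (option-code, option-length, option-data) wire format and COOKIE option code 10 come from RFC 6891 and RFC 7873; the sample byte strings are constructed for the example.

```python
"""Added example, not ISC's code: validate the option list in EDNS OPT RDATA so
that a message with duplicate DNS COOKIE options is rejected rather than
crashing the server. Sample inputs are constructed with build_options()."""
import struct

EDNS_OPTION_COOKIE = 10   # option code assigned by RFC 7873
EDNS_OPTION_NSID = 3      # Name Server Identifier, RFC 5001 (used only as a non-cookie sample)


class MalformedOptions(ValueError):
    """Raised for OPT RDATA the validator refuses; a caller maps this to FORMERR."""


def parse_edns_options(rdata: bytes):
    """Split OPT RDATA into (code, data) tuples, refusing truncated input."""
    options, off = [], 0
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise MalformedOptions("option header truncated")
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise MalformedOptions(f"option {code} data truncated")
        options.append((code, rdata[off:off + length]))
        off += length
    return options


def validate_cookie_options(rdata: bytes):
    """Return the single COOKIE option's data, or None when no cookie is present.
    Rejects more than one COOKIE option and cookies whose length is not 8 bytes
    (client cookie only) or 16 to 40 bytes (client + server cookie, RFC 7873)."""
    cookies = [data for code, data in parse_edns_options(rdata) if code == EDNS_OPTION_COOKIE]
    if not cookies:
        return None
    if len(cookies) > 1:
        raise MalformedOptions("more than one COOKIE option in OPT record")
    cookie = cookies[0]
    if not (len(cookie) == 8 or 16 <= len(cookie) <= 40):
        raise MalformedOptions(f"COOKIE option has invalid length {len(cookie)}")
    return cookie


def build_options(*opts) -> bytes:
    """Construct OPT RDATA from (code, data) pairs (helper for the sample input)."""
    return b"".join(struct.pack("!HH", code, len(data)) + data for code, data in opts)


if __name__ == "__main__":
    good = build_options((EDNS_OPTION_COOKIE, bytes(range(8))))
    print("single cookie accepted:", validate_cookie_options(good).hex())
    dup = build_options((EDNS_OPTION_COOKIE, b"\x01" * 8), (EDNS_OPTION_COOKIE, b"\x02" * 8))
    try:
        validate_cookie_options(dup)
    except MalformedOptions as exc:
        print("duplicate cookies rejected:", exc)
```

The point of the structure is that every malformed case surfaces as a catchable exception at the parsing boundary, so the decision about what to do with a bad packet stays with the caller rather than with an internal consistency assertion.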

The second security issue involves the incorrect parsing (analyzing data in a structured manner in order to create meaning from it) of a malformed packet deliberately sent to the server by a remote attacker. This description from ISC seems a little misleading since you cannot correctly parse an incorrectly formed packet; what I expect they mean is that an unexpected/inappropriate action is taken by the named control channel when it encounters a malformed packet, which results in a security issue. In this instance an assertion failure results in the named control channel exiting, as before resulting in a denial of service.

If you cannot deploy the patch for this issue immediately, a workaround is provided by ISC within this security advisory which you can use until the patch is installed.

The third and final security issue addressed by the issued security updates involves an error in the parsing of DNAME (defined here and here) DNS records. Once again this results in an assertion failure causing an exit and a resulting denial of service issue. No workaround is available for this issue.

How Can I Protect Myself from These Issues?
If you use BIND (it is included with Linux distributions e.g. Red Hat, Ubuntu etc.) to provide any DNS services within your company/organization, or you know anybody who may be affected by these issues, please follow the advice within ISC’s security advisories to install the necessary updates to resolve these issues as soon as possible:

CVE-2016-2088: A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure
CVE-2016-1285: An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
CVE-2016-1286: A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c

Thank you.

ISC Releases Security Updates for BIND (January 2016)

On the 19th of January Internet Systems Consortium (ISC) released 2 security updates to address critical and medium severity denial of service issues (defined) within their BIND DNS software.

Why Should These Issues Be Considered Important?
This critical severity remotely exploitable vulnerability is caused by a buffer overflow (defined) within a guard feature intended to prevent such an overflow. If an overflow occurred, it could cause BIND to exit. Examples of possible ways (not an exhaustive list) for this vulnerability to be exploited are provided by ISC within their first security advisory for these issues. For the remaining medium severity remotely exploitable issue, an error in how BIND interprets specifically formatted text could cause an assertion failure (defined), again resulting in the possible exiting of BIND.

These issues affect a large number of versions (listed below) of BIND making them ever more important to address:

Critical Severity Issue: 9.3.0->9.8.8, 9.9.0->9.9.8-P2, 9.9.3-S1->9.9.8-S3, 9.10.0->9.10.3-P2
Medium Severity Issue: 9.10.0->9.10.3-P2

In addition, as mentioned by ISC, versions 9.3 to 9.8 of BIND are considered end of life and will not be receiving updates to address the critical issue. Currently supported versions of BIND are listed here.

Moreover, according to ISC, the critical issue has no workarounds or known mitigations. The medium severity issue can be mitigated by disabling debug logging (but only as a temporary measure until the appropriate update can be applied).

How Can I Protect Myself from These Issues?
If you use BIND (it is included with Linux distributions e.g. Red Hat, Ubuntu etc.) to provide any DNS services within your company/organization, or you know anybody who may be affected by these issues, please follow the advice within ISC’s security advisories to install the necessary updates to resolve these issues:

CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c
CVE-2015-8705: Problems converting OPT resource records and ECS options to text format can cause BIND to terminate.

Thank you.