New side channel vulnerability in Linux kernel allowing DNS cache poisoning



A recent research paper from a team at the University of California at Riverside shows the existence of previously overlooked side channels in the Linux kernel that can be exploited to attack DNS servers.

According to the researchers, the problem with DNS has its roots in its design, which never really made security a major concern and made it extremely difficult to retrofit strong security features.

Despite its essential role, the DNS has been a fragile link in the security chain. Historically, efficiency was the primary consideration of DNS, leading to the design of a single query and response over UDP, which is still the primary mechanism in use today.

While DNS security features are available, including DNSSEC and DNS cookies, they are not widely deployed due to backward compatibility, the researchers say. Instead, the only approach to making DNS more secure was randomizing UDP ports, known as ephemeral ports, with the aim of making it more difficult for an attacker to discover them.

As a result, several attacks against DNS have been discovered in the past, including the recent SAD DNS, a variant of DNS cache poisoning that allows an attacker to inject malicious DNS records into a DNS cache, thereby redirecting all traffic to their own server and becoming a man in the middle (MITM).

More recently, some of the researchers who first disclosed SAD DNS discovered side channel vulnerabilities that had gone undetected in the Linux kernel for over a decade. These vulnerabilities allow the use of ICMP probes to scan ephemeral UDP ports and have allowed the researchers to develop new DNS cache poisoning attacks.

Specifically, the research focused on two types of ICMP error messages: ICMP Fragment Needed (or ICMP Packet Too Big in IPv6) and ICMP Redirect. As the researchers show, the Linux kernel processes these messages using shared resources that form side channels. Basically, this means that an attacker can target a specific port with ICMP probes. If the guessed port is correct, the probe causes a change in the state of the shared resource that can be observed indirectly, thus confirming that the guess was correct. For example, an attack could reduce a server's MTU, which then shows up as fragmentation of subsequent responses.

The newly discovered side channels affect the most popular DNS software, including BIND, Unbound, and dnsmasq running on Linux, according to the researchers. It is estimated that 13.85% of open resolvers are affected. Additionally, the researchers show that an end-to-end attack against the latest BIND resolver and a home router only takes a few minutes to succeed.

This new attack can be avoided by setting appropriate socket options, for example asking the operating system not to accept ICMP Fragment Needed messages, which will completely eliminate the side channel; by randomizing the shared kernel caching structure itself; and by rejecting ICMP redirects.

Following the disclosure of this new vulnerability, the Linux kernel has been patched for both IPv4 and IPv6 in order to randomize the shared kernel structure. Additionally, BIND 9.16.20 sets IP_PMTUDISC_OMIT on IPv6 sockets.
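The socket-option mitigation mentioned above, as an added example that is not code from BIND, the kernel, or the researchers: it opens a UDP socket on Linux with path MTU discovery set to the OMIT mode, so ICMP Fragment Needed / Packet Too Big notifications are ignored for that socket, and reads the option back to confirm it took effect. The function names `hardened_udp_socket`, `pmtud_mode` and `pmtud_params` are hypothetical.

```c
/* Added example: hypothetical helper names, Linux-only socket options. */
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux UAPI values, supplied only if older libc headers lack them. */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

/* Pick level/option/value for the address family; 0 on success. */
static int pmtud_params(int family, int *level, int *opt, int *omit)
{
    int v6 = (family == AF_INET6);
    if (!v6 && family != AF_INET) return -1;
    *level = v6 ? IPPROTO_IPV6 : IPPROTO_IP;
    *opt   = v6 ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER;
    *omit  = v6 ? IPV6_PMTUDISC_OMIT : IP_PMTUDISC_OMIT;
    return 0;
}

/* Read back the socket's PMTU discovery mode, or -1 on error. */
int pmtud_mode(int fd, int family)
{
    int level, opt, omit, mode = -1;
    socklen_t len = sizeof(mode);
    if (pmtud_params(family, &level, &opt, &omit) != 0) return -1;
    if (getsockopt(fd, level, opt, &mode, &len) != 0) return -1;
    return mode;
}

/* Create a UDP socket that ignores ICMP-driven path MTU updates.
 * Fails closed: returns -1 if the option cannot be set or verified. */
int hardened_udp_socket(int family)
{
    int level, opt, omit;
    if (pmtud_params(family, &level, &opt, &omit) != 0) return -1;
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (setsockopt(fd, level, opt, &omit, sizeof(omit)) != 0 ||
        pmtud_mode(fd, family) != omit) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The option has to be set on every UDP socket the resolver uses for upstream queries, before any query is sent from it.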


