CVE-2012-1033: Ghost Domain Names: Revoked Yet Still Resolvable

After completing our analysis of the DNS exploit reported by Professor Haixin Duan of Tsinghua University, ISC has determined that the behavior he describes, while verifiable, is due to design issues in the DNS protocol. No immediate steps are planned to address the issue. Further information concerning the implications of the reported
vulnerability can be found in the complete problem description below.

CVE: CVE-2012-1033

Document Version: 2.2

Posting date: 07 Feb 2012

Program Impacted: BIND

Versions affected: All versions of BIND 9

Severity: High

Exploitable: remotely

Description:

On February 7th, in anticipation of a paper being presented by Professor Haixin Duan, ISC issued a security announcement for CVE-2012-1033. We moved quickly to make an announcement in advance of Professor Duan's paper, scheduled to be presented at the Network and Distributed System Security Symposium the following day, because we wanted to ensure that we were not withholding any information with potential security
implications for our users.

Our initial disclosure stated that we were assessing the implications of this vulnerability. After completing our analysis, we wish to share our conclusions:

• The behavior in question arises from a side-effect of design decisions in the DNS protocol. It is not caused by a bug in BIND or other affected software. BIND and other software affected by this behavior are so affected because of the inherent, longstanding design of the DNS protocol.
• To the best of our current knowledge, the extent of the exposure for users of BIND or other affected software is this: every resource record in the Domain Name System hierarchy has a time-to-live (TTL) value associated with it, intended to control how long the information in the resource record can be kept in cache by a non-authoritative server. Dr. Duan's paper discloses a method whereby information can be prolonged in the cache beyond the period supposedly allowed by the TTL value, causing affected resolvers to potentially return incorrect answers. It does not allow arbitrary insertion,
  removal, or alteration of resource record data.
• ISC does not have current plans to release new versions of BIND with alterations to
  caching policy in response to this disclosure. We intend to do further analysis and to work with the IETF, the internet infrastructure community, and our customers to determine how to address the problem while remaining protocol-compliant. Relevant improvements to the protocol have been previously proposed by Paul Vixie [1] and ISC will continue to work for adoption of those or other protocol-level solutions.
• While the behavior in question is clearly not intended by design and may be exploitable in highly specific circumstances, unsecured DNS is not designed to be relied on for security. ISC continues to recommend that organizations with security needs who are reliant on the Domain Name System proceed with adoption of DNSSEC; DNSSEC is the best known method of mitigating this issue.

(Original Description:Tsinghua University researchers discovered "a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers." The issue, which is in all versions of BIND 9 to our knowledge, "exploits a vulnerability in DNS cache update policy, which prevents effective domain name revocation. Attackers could cause a malicious domain name to be continuously resolvable even after the delegated data has been deleted from the domain registry and after the TTL associated with entry supposedly expires." (quoted sections are from the Tsinghua University research document))

CVSS Score: 5

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Workarounds:  
If you are aware that you have cached bad records, clearing the cache will remove them but is not an effective or practical preventative approach.

Active exploits:

No known active exploits, but the paper describing the issue is public and has been presented in public forums. The Ghost Names exploit might assist cyber-criminal activity.

Solution:

On further review, ISC has determined that this is not an issue which needs an immediate patch. The issue is being reviewed at the protocol level and will be addressed there. Implementing DNSSEC is the safest mitigation measure.

**Delayed Update of 29 May --

The following releases, 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0, and subsequent releases have changes to address this issue:

3282. [bug] Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. [RT #27792] [RT #27884]**

Acknowledgment: ISC would like to thank the research team who found this exploit:

Jian Jiang, Network Research Center, Tsinghua University jiang-j08@mails.tsinghua.edu.cn

Haixin Duan, Network Research Center, Tsinghua University duanhx@tsinghua.edu.cn

Jianping Wu, Network Research Center, Tsinghua University jianping@cernet.edu.cn

Kang Li, Department of Computer Science, University of Georgia kangli@cs.uga.edu

Jun Li, University of Oregon Carlos III University of Madrid, Institute IMDEA Networks lijun@cs.uoregon.edu

Jinjin Liang, Network Research Center Tsinghua University liangjj09@mails.tsinghua.edu.cn

Nicholas Weaver, International Computer Science Institute (ICSI) nweaver@icsi.berkeley.edu

The exploit was presented at the NDSS conference: "Ghost Domain Names: Revoked Yet Still Resolvable" https://www.ndss-symposium.org/ndss2012/ndss-2012-programme/ghost-domain-names-revoked-yet-still-resolvable/

Document Revision History:

1.0 -Notified Phase I, II & III (7 February, 2012)

2.0 -Updated Description, Summary, Workaround, Related Docs (8 February, 2012)

2.1 -Updated Summary description with changes made to code in the last releases (29 May, 2012)

2.2 -Removed broken link to Dr. Duan's paper, no longer available online (4 August, 2021)

Related Document:

[1] "Improvements to DNS Resolvers for Resiliency, Robustness, and Responsiveness", 2010, P. Vixie, R. Joffe, and F. Neves

References:

- Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.

This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2012-1033

- ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

© 2001-2018 Internet Systems Consortium
For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.
ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.