Funkwerk Enterprise Communications Information for VU#800113

Multiple DNS implementations vulnerable to cache poisoning



Vendor Statement


| FEC Security Bulletin |

Bulletin ID: 2008-07-28-001-ipa
Revision: 1.0

Multiple DNS implementations vulnerable to cache poisoning
(US-CERT Vulnerability Note VU#800113)

Multiple FEC products may be subjected to the vulnerability described in US-CERT Note VU#800113. This vulnerability describes the principal possibility of DNS cache poisoning. An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver’s clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control.

Products affected:
All FEC products running the BOSS operating system are affected.

Details (full details at:
The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. DNS cache poisoning is not a new concept; in fact, there are published articles that describe a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning. The following are examples of these deficiencies and defects:
a) Insufficient transaction ID space
The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed.
b) Multiple outstanding requests
Some implementations of DNS services contain a vulnerability in which multiple identical queries for the same resource record (RR) will generate multiple outstanding queries for that RR. This condition leads to the feasibility of a 'birthday attack,' which significantly raises an attacker's chance of success. This problem was previously described in VU#457875. A number of vendors and implementations have already added mitigations to address this issue.
c) Fixed source port for generating queries
Some current implementations allocate an arbitrary port at startup (sometimes selected at random) and reuse this source port for all outgoing queries. In some implementations, the source port for outgoing queries is fixed at the traditional assigned DNS server port number, 53/udp.

Software Patches and Recommendation:
Susceptibility to the vulnerabilities has been removed and patches are available in the download area of our web site at For security reasons it is recommended to update all affected FEC products with the appropriate software patch (see the following list for more details):

VPN Access Series: 7.4.1 PATCH 11
X8500            : 7.4.1 PATCH 11
R200 Series      : 7.6.1 PATCH 2
R1200            : 7.6.1 PATCH 2
R3x00 Series     : 7.6.1 PATCH 2
R4x00 Series     : 7.6.1 PATCH 2
TR200            : 7.6.1 PATCH 2
Wx002 Series     : 7.6.1 PATCH 2
WI Series        : 7.6.1 PATCH 2

To determine the software version running on a FEC router, log in to the device and issue the command "show rev". For products offering the Funkwerk Configuration Interface, point your browser at the IP address of your FEC product. You can find the version information on the status page. This will display the current software version running on the  system (see row denoted with Boss). A description how to update a FEC router can be found within the product documentation (see chapter Gateway Management). If you want to update  your software, make sure you read the relevant Release Notes. They describe all changes  introduced with the new system software.

Copyright (c) 2008, Funkwerk Enterprise Communications GmbH. All Rights Reserved

----- End Security Bulletin 2008-07-28-001-ipa -----

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References



There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.