Domain Name Service (DNS) servers can cache "spoofed" results (CERT/CC VU#800113, CVE-2008-1447)

  [JSA10384]


Legacy Advisory Id:
PSN-2008-06-040
Product Affected:
•   Network Firewall running ScreenOS software release 5.1 or higher
•   JUNOS Enhanced Services software running on J-series service routers
Problem:
A DNS server can be tricked into accepting and caching incorrect translations of network names. A malicious user can use this vulnerability to "hijack" the target, redirecting all accesses to a substitute network host or service. DNS servers that cache the incorrect results will continue to redirect all clients to the substitute host or service indefinitely.

This vulnerability is tracked by CERT/CC as VU#800113.
Solution:
Juniper Networks has modified several of its software products to include improved DNS forgery resilience mechanisms as suggested by Internet drafts and other sources.
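
As an illustration of what DNS forgery resilience involves, the following added example (not Juniper code and not part of the original advisory) shows acceptance checks a caching resolver can apply before trusting a reply, in the style of the measures later published as RFC 5452. Treating that document as the reference is an assumption, as are the `Pending` structure, the function names and the sample addresses.

```python
import secrets
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Pending:
    """One outstanding query (hypothetical structure for this example)."""
    txid: int
    local_port: int
    server: tuple  # (ip, port) the query was sent to
    qname: str
    qtype: int
    qclass: int = 1

def new_query(server, qname, qtype=1):
    # Fresh unpredictable 16-bit ID and UDP source port for every query.
    port = 1024 + secrets.randbelow(65536 - 1024)
    return Pending(secrets.randbelow(1 << 16), port, server, qname.lower().rstrip("."), qtype)

def build_message(txid, flags, qname, qtype, qclass=1):
    # Header with QDCOUNT=1 plus the question; answer records omitted for brevity.
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (txid, is_response, qname, qtype, qclass); raise on malformed input."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n > 63:
            raise ValueError("compression pointer not allowed in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype, qclass

def accept_response(p, msg, src, local_port):
    """True only if msg answers the outstanding query p on the socket that sent it."""
    try:
        txid, is_resp, qname, qtype, qclass = parse_question(msg)
    except (ValueError, IndexError, struct.error):
        return False
    return (is_resp and src == p.server and local_port == p.local_port
            and txid == p.txid and (qname, qtype, qclass) == (p.qname, p.qtype, p.qclass))
```

A reply that fails any one of these checks is dropped rather than cached, so a forged answer has to match the query ID, the source port, the server address and the question all at once.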

Consult the following table to determine if your Juniper Networks product is susceptible to this vulnerability and what action is required to remedy the issue.
| Product | Vulnerable? | Action Required |
|---|---|---|
| Network Firewall running ScreenOS software release 5.1 or higher | Yes | Upgrade to ScreenOS release 5.4r10, 6.0r5a, 6.1R2, or higher, or disable the Proxy DNS Address Splitting service if you have previously enabled it. ScreenOS software releases prior to release 5.1 do not implement the Proxy DNS Address Splitting service; therefore those releases are not vulnerable and no action is required. |
| JUNOS Enhanced Services software running on J-series service routers | Yes | Upgrade to a software release built on or after May 23, 2008, or disable DNS services |
| JUNOS software running on Juniper EX-series switch products | No | No action required; this product does not include DNS services |
| All other JUNOS software running on M-series, T-series, MX-series, TX-series, or J-series routing platforms | No | No action required; this product does not include DNS services |
| JUNOSe software running on E-series platforms | No | No action required; this product does not include DNS services |
| Service Deployment System (SDX) | No | Consult the provider of the underlying operating system on which the SDX application is installed for any additional information |
| Session and Resource Control (SRC-PE running on C-series appliances) | No | DNS services are not enabled by default |
| Steel-Belted Radius (application) | No | Consult the provider of the underlying operating system on which the SBR application is installed for any additional information |
| Steel-Belted Radius (network appliance) | No | No action required; DNS services are not enabled |
| WAN Accelerators (WX) | No | No action required; this product does not include DNS services |
| Data Center Accelerators (DX) | No | No action required; although this product includes DNS services, it acts only as a proxy for domain names not explicitly configured on the device. Since no results are cached, it is not susceptible to this vulnerability. |
| Secure Access Products (SSL/VPN) | No | No action required. NOTE: In some situations, the Windows Secure Access Manager (WSAM) will pass DNS requests to the underlying Windows operating system. Therefore, we urge customers to upgrade all Windows Mobile and Windows client systems with the latest patches. |
| Intrusion Detection (IDP) | No | No action required; this product does not include DNS services |
| Network Systems Manager (NSM and NSMXpress) | No | No action required; these products do not include DNS services |
| Unified Access Control (UAC) | No | No action required; this product does not include DNS services |
| Circuit-to-Packet Gateway | No | No action required; this product does not include DNS services |
| Security Threat Response Manager (STRM) | No | No action required; this product does not include DNS services |
Implementation:
Customers running vulnerable products are strongly urged to take the appropriate steps identified in the above table. Where a software upgrade is required or recommended, please visit the Juniper Networks Customer Support website at http://www.juniper.net/customers/support/ or contact the Juniper Networks Technical Assistance Center (JTAC).
Modification History:

2017-03-05: Category restructure.

Severity Level:
High
Severity Assessment:
This vulnerability allows a remote attacker to hijack any arbitrary network service and divert traffic to an alternate server. The alternate server can mimic the real server while collecting user IDs, passwords, and other sensitive personal data without the user's knowledge.