A number of NAT/PAT devices effectively defeat the DNS source port randomization feature that was implemented to address DNS Cache Poisoning (CERT/CC VU#800113, CVE-2008-1447).

[JSA10403]


Legacy Advisory Id:
PSN-2009-03-252
Product Affected:
DXOS 5.x
JUNOS 8.x, 9.x
JUNOSe 8.x, 9.x
ScreenOS 5.x, 6.x
Problem:
A vulnerability related to DNS Cache Poisoning was recently disclosed (see Juniper Networks PSN-2008-06-040). To address this vulnerability, operating systems were modified to use random source ports for all DNS queries originated on the device. While deploying this modified code, it was discovered that Network Address Translation (NAT) counteracted the random selection of source ports. This results from NAT implementations that map the source port to a statically defined port, a sequentially assigned port, or some other easily predicted NAT port.
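The effect described above can be checked from the outside of the translator: capture the translated UDP/53 flows and test whether their source ports still look random. The following Python is an added example, not Juniper's code; the flow-log line format, the two NAT models, and the thresholds are constructed assumptions.

```python
import random
import re
from typing import Iterable, List

# Constructed flow-log format: "<timestamp> <src-ip>:<src-port> -> <dst-ip>:53 udp"
FLOW_RE = re.compile(r"^\S+ (?:\d{1,3}\.){3}\d{1,3}:(\d+) -> \S+:53 udp$")

def ports_from_flow_lines(lines: Iterable[str]) -> List[int]:
    """Translated (outside) source port of every UDP/53 flow in the constructed log lines."""
    return [int(m.group(1)) for line in lines if (m := FLOW_RE.match(line.strip()))]

def resolver_ports(n: int, seed=None) -> List[int]:
    """Inside host whose resolver already randomizes its ephemeral source port (the VU#800113 fix)."""
    rng = random.Random(seed)
    return [rng.randint(1024, 65535) for _ in range(n)]

def nat_port_preserving(inside_ports: List[int]) -> List[int]:
    """NAT model that keeps the inside port, so the randomization survives translation."""
    return list(inside_ports)

def nat_sequential(inside_ports: List[int], first: int = 1024) -> List[int]:
    """NAT model (assumed) that ignores the inside port and hands out translated ports in order."""
    return [first + i for i in range(len(inside_ports))]

def looks_randomized(ports: List[int]) -> bool:
    """Heuristic on observed ports: most values distinct and almost no +/-1 steps between
    consecutive queries. A sequential or static NAT pool fails; a random pool passes."""
    if len(ports) < 32:
        raise ValueError("need at least 32 observed queries for a meaningful verdict")
    distinct_fraction = len(set(ports)) / len(ports)
    adjacent_steps = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) == 1)
    return distinct_fraction >= 0.9 and adjacent_steps / (len(ports) - 1) < 0.1

def flow_lines(ports: Iterable[int]) -> List[str]:
    """Render constructed outside-of-NAT flow-log lines for a list of translated ports."""
    return [f"2009-03-25T10:00:{i % 60:02d}Z 203.0.113.7:{p} -> 192.0.2.53:53 udp"
            for i, p in enumerate(ports)]

if __name__ == "__main__":
    inside = resolver_ports(64, seed=2009)   # seeded so the demo is reproducible
    for name, nat in (("port-preserving", nat_port_preserving), ("sequential", nat_sequential)):
        seen = ports_from_flow_lines(flow_lines(nat(inside)))
        print(f"{name:15s} NAT: randomization preserved = {looks_randomized(seen)}")
```

Run the same check against a real packet capture taken on the NAT's outside interface; a verdict of False means the translator, not the resolver, is the weak point.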
Solution:
Upgrading to the following or later releases is recommended:
DXOS: 5.3.7
JUNOS: 8.5 (E-EOL); 9.0R4; 9.1R3; 9.2R2; 9.3R1; 9.4R1
JUNOSe: 8.1.4; 8.2.4; 9.0.2; 9.1.2; 9.2.1; 9.3.0; 10.0.0
ScreenOS: 5.4r12; 6.0r8; 6.1r4; 6.2r1

DXOS:
- Default behavior has been changed. Source port randomization is now turned on by default.

JUNOSe:
- Default behavior has been changed. Source port randomization is now turned on by default.

JUNOS:
- A new configuration option has been added and must be set to enable source port randomization. Please refer to the product documentation for details.

ScreenOS:
- Interface-based DIP pools: source port randomization is turned on by default.
- Policy-based DIP pools: a new keyword has been added and must be set to enable source port randomization. Please refer to the product documentation for details.
Modification History:

2017-03-05: Category restructure.

Risk Level:
Medium
Risk Assessment:
Lack of source port randomization could break the fix for PSN-2008-06-040.