ISC has been made aware of a deficiency in the Smoothed Round Trip Time (SRTT) algorithm implemented in BIND 9 that can theoretically allow an attacker to artificially lower the SRTT value that a recursive resolver has associated with an authoritative server.
This could allow the attacker to influence the selection of a specific authoritative server from an NS resource record set with multiple values, determining which of multiple authoritative servers for a domain will be queried.
SRTT selection is not used by authoritative-only servers, but recursive-only or recursive-authoritative hybrid servers are vulnerable to being influenced in this manner.
Posting date: 13 August 2013
Program Impacted: BIND 9
Versions affected: All currently existing versions of BIND 9
The Smoothed Round Trip Time (SRTT) algorithm is used by BIND to determine which authoritative server should be queried for a domain which has multiple listed servers in its NS record RRset.
The current implementation of the SRTT algorithm may be remotely exploited, allowing an attacker to influence the SRTT values assigned to the servers in an NS RRset. As a result, an attacker can influence which server (out of multiple possible servers) will receive queries for a specific domain.
By itself, this defect is considered to be of limited use as an attack vector, but it has security implications, as it may be used as a potential force magnifier when used in conjunction with other exploits. For example, if a single server from a multiple-server authoritative RRset is compromised, this technique would allow an attacker to ensure that queries were made to the compromised server, instead of whichever server would ordinarily have the lowest SRTT value.
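The following example is added here to illustrate the two points above; it is not BIND's code. It uses a simplified exponentially weighted moving average (an assumption standing in for BIND 9's internal SRTT update) to show why the one server with the lowest SRTT ends up receiving every query for the zone, and then runs a defender-side check over a constructed sample of a resolver's outgoing-query records to flag an authoritative server that is receiving a disproportionate share of queries. The NS names, RTT samples, record format and threshold are all constructed.

```python
"""Simplified model of SRTT-based authoritative server selection, plus a
query-distribution check a resolver operator can run on their own data.

Added illustration, not BIND's code. The smoothing rule below is an assumption
(BIND's real update differs); server names, RTT samples and records are constructed.
"""
from collections import Counter


class SrttTable:
    """Tracks one smoothed round-trip time (microseconds) per authoritative server."""

    def __init__(self, initial_srtt_us):
        # Constructed starting state: the SRTT the resolver already holds per NS.
        self.srtt = dict(initial_srtt_us)

    def update(self, server, rtt_us):
        """Fold one observed response time into that server's SRTT.

        Assumed smoothing: new = 3/4 * old + 1/4 * sample (integer arithmetic).
        Each fast sample pulls the SRTT down, so a few low samples are enough
        to make a previously slow server look like the fastest one.
        """
        self.srtt[server] = (self.srtt[server] * 3 + rtt_us) // 4

    def select(self):
        """Return the server the resolver will query: the lowest SRTT wins."""
        return min(self.srtt, key=self.srtt.get)


# Constructed sample of a resolver's outgoing-query records (format is an
# assumption, not a BIND log format): timestamp, qname/type, target server.
SAMPLE_RECORDS = """\
2013-08-13T10:00:01 www.example.net/A -> ns3.example.net
2013-08-13T10:00:02 mail.example.net/MX -> ns3.example.net
2013-08-13T10:00:03 www.example.net/AAAA -> ns1.example.net
2013-08-13T10:00:04 example.net/TXT -> ns3.example.net
2013-08-13T10:00:05 www.example.net/A -> ns3.example.net
2013-08-13T10:00:06 api.example.net/A -> ns3.example.net
2013-08-13T10:00:07 example.net/SOA -> ns2.example.net
2013-08-13T10:00:08 www.example.net/A -> ns3.example.net
2013-08-13T10:00:09 mail.example.net/A -> ns3.example.net
2013-08-13T10:00:10 example.net/NS -> ns3.example.net
"""


def query_share(records):
    """Map each target server to the fraction of outgoing queries it received."""
    counts = Counter()
    for line in records.splitlines():
        line = line.strip()
        if not line:
            continue
        # The target is whatever follows the last "-> " in the record.
        target = line.rsplit("-> ", 1)[1]
        counts[target] += 1
    total = sum(counts.values())
    return {server: n / total for server, n in counts.items()}


def skewed_servers(records, ns_count, tolerance=2.0):
    """Return servers receiving more than `tolerance` times their fair share.

    `ns_count` is the number of servers in the zone's NS RRset; the fair share
    is 1/ns_count. The threshold is a constructed starting point, not a rule.
    """
    fair = 1.0 / ns_count
    return sorted(s for s, f in query_share(records).items() if f > fair * tolerance)


if __name__ == "__main__":
    table = SrttTable({"ns1.example.net": 12000,
                       "ns2.example.net": 15000,
                       "ns3.example.net": 30000})
    print("initially selected:", table.select())
    for _ in range(4):
        table.update("ns3.example.net", 1000)
    print("after four fast samples from ns3:", table.select(), table.srtt)
    print("share:", query_share(SAMPLE_RECORDS))
    print("skewed:", skewed_servers(SAMPLE_RECORDS, ns_count=3))
```

A resolver that favours its fastest server is behaving normally, so a skewed share by itself is not evidence of anything. The check is most useful when compared against a baseline for the same zone, or when the server receiving nearly all the queries is one that should not be the fastest from the resolver's vantage point; that is the situation the notification warns about, where the security of the zone reduces to the security of that one server.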
ISC plans to address this deficiency by reimplementing the SRTT algorithm in future maintenance releases of the BIND 9 code.
The deficiency in the SRTT algorithm is not considered an exploitable security vulnerability on its own. However, we are announcing it in this operational notification because:
- An academic paper is going to be presented at a security conference, and we believe that explaining the context will help operators understand the implications for their DNS security.
- The deficiency could hypothetically serve as a force multiplier for other attacks.
Future maintenance versions of BIND will reimplement the SRTT algorithm to address the deficiency, but for now the recommended strategy is to proceed with the awareness that the security of any service relying on DNS resolution for a specified domain is only as strong as the least secure server in the listed authoritative servers for that domain.
- Do you have questions? Questions regarding this advisory should go to email@example.com.
- Additional information on our Operational Notifications is here: https://www.isc.org/software/notifications, and on our Phased Disclosure Process here: https://www.isc.org/security-vulnerability-disclosure-policy
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be inferred. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use of, or reliance on, this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
© 2001-2014 Internet Systems Consortium