itman, Posted December 15, 2020

This is a new vulnerability recently discovered: https://www.cs.ucr.edu/~zhiyunq/SADDNS.html

Appears most ISP and public DNS servers are vulnerable to this. One of the few mitigations currently for it is IDS detection. However, Eset removed DNS poisoning protection in recent ver. 14.
itman (Author), Posted December 15, 2020

Well, I am feeling a bit better in that Cloudflare states that they are no longer vulnerable:

Quote: "As part of a coordinated disclosure effort earlier this year, the researchers contacted Cloudflare and other major DNS providers and we are happy to announce that 1.1.1.1 Public Resolver is no longer vulnerable to this attack."
https://blog.cloudflare.com/sad-dns-explained/

Great if you're using Firefox w/DoH enabled and using the default Cloudflare DNS servers. However, I know per this test that my ISP DNS servers are vulnerable, which I would be using for non-browser-based DNS lookups.

Also, this is not just a Linux vulnerability but affects all Win Server OS versions: https://dirteam.com/sander/2020/12/10/dns-spoofing-vulnerability-sad-dns-important-cve-2020-25705-adv200013/

Edited December 15, 2020 by itman
itman (Author), Posted December 15, 2020

Found a slide show on this attack here: https://www.saddns.net/slides.pdf

I would say until ISP and DNS providers mitigate this, it would be best to always use two-factor authorization on your financial web sites and/or manually verify prior to site logon that the site you arrived at is actually your bank's web site via certificate thumbprint validation. The latter is something I have requested from Eset for some time in their Banking & Payment Protection feature.

Edited December 16, 2020 by itman
itman (Author), Posted December 16, 2020

In light of this new DNS poisoning vulnerability, it might be informative for some to review the original Kaminsky DNS cache vulnerability. Gibson Research gets into great detail on this on their web site here: https://www.grc.com/dns/dns.htm. Unfortunately, it appears they haven't updated their test for this new DNS cache vulnerability.

Also on the Gibson Research web site is additional detail on how to retrieve your banking web site certificate thumbprint I mentioned previously: https://www.grc.com/fingerprints.htm.

This is also a lead-in to what I would like to see added to Eset Banking & Payment Protection. That is, it would automatically perform this certificate chain validation using Eset web servers whenever a URL is entered. This BTW is the only foolproof method to prevent DNS spoofing. The problem currently is it appears Eset is attempting to expand B&PP use to normal browser use. This will obviously put an unacceptable load on Eset servers that would perform this independent chaining validation. As such, Eset would have to provide the capability via a financial web site URL list, for example, that would be used for this validation.

Edited December 16, 2020 by itman
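The manual check described in the two posts above (compare the thumbprint of the certificate the site actually presents against a value you obtained out of band, e.g. from GRC's fingerprint page or noted down earlier on a trusted network) as an added Python example. This is not code from the thread, from ESET or from GRC; the function names, the pin format handling and the constructed `b"abc"` sample input in the usage are all this example's own assumptions. The point it illustrates is that the comparison is independent of DNS: whichever IP a poisoned resolver sends you to, the host there cannot present a certificate with the pinned thumbprint unless it holds the matching private key.

```python
"""Certificate thumbprint (fingerprint) pin check for a TLS endpoint.

Added example, not the forum's, ESET's or GRC's code. A thumbprint is simply
a hash of the DER-encoded certificate, so the check works offline on any
DER bytes; fetch_leaf_der() is the only part that touches the network.
"""
import hashlib
import hmac
import socket
import ssl
import sys


def normalize_thumbprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex (as browsers and GRC print it);
    return upper-case hex with no separators. Rejects anything non-hex."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\r\n").upper()
    if not cleaned or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError("thumbprint is not hexadecimal")
    return cleaned


def thumbprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Thumbprint = hash over the DER bytes, rendered as colon-separated hex."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented certificate against a pinned thumbprint.

    The hash algorithm is inferred from the pin's length: 40 hex digits is a
    SHA-1 thumbprint (what older browser dialogs and GRC show), 64 is SHA-256.
    Anything else is rejected rather than silently accepted.
    """
    want = normalize_thumbprint(expected)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("pin must be a SHA-1 (40 hex) or SHA-256 (64 hex) thumbprint")
    got = normalize_thumbprint(thumbprint(der_cert, algo))
    # Constant-time comparison so the result cannot be probed byte by byte.
    return hmac.compare_digest(got, want)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a server presents, as DER bytes (needs network).

    Normal chain validation is deliberately left on (default context): the pin
    is an extra check on top of PKI validation, not a replacement for it. A
    host that fails chain validation raises ssl.SSLError, which is the
    fail-closed behaviour you want when DNS may be lying to you.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python thumbprint_check.py <host> [<pinned thumbprint>]
    # Without a pin it just prints the SHA-1 and SHA-256 thumbprints for noting down.
    if len(sys.argv) < 2:
        sys.exit("usage: thumbprint_check.py HOST [PINNED_THUMBPRINT]")
    der = fetch_leaf_der(sys.argv[1])
    print("SHA-1  :", thumbprint(der, "sha1"))
    print("SHA-256:", thumbprint(der, "sha256"))
    if len(sys.argv) > 2:
        ok = thumbprint_matches(der, sys.argv[2])
        print("pin match:", ok)
        sys.exit(0 if ok else 1)
```

Note the caveat the posts skip over: a pinned thumbprint identifies one certificate, so it must be refreshed whenever the bank legitimately renews its certificate, and a mismatch after a renewal is indistinguishable from a spoof until you re-verify the new value over a path you trust.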