Security Advisory ID: SYMSA1057
Initial Publication Date: 15 Mar 2005
Symantec released a hotfix addressing a DNS cache poisoning and redirection issue, reported on March 4, 2005, that impacts some of the Symantec security gateway products identified below. Affected Symantec security gateway products configured as a DNS caching server or as a primary DNS server were experiencing problems with name resolution whereby hostname lookups for common sites resolved to bogus addresses. In-depth analysis of this incident, and of the security posture of Symantec’s security gateway products, provided details that allowed Symantec to harden DNSd even further against unknown attack vectors for this class of attack.
Symantec Gateway Security 5400 Series, v2.x
Symantec Gateway Security 5300 Series, v1.0
Symantec Enterprise Firewall, v7.0.x (Windows and Solaris)
Symantec Enterprise Firewall v8.0 (Windows and Solaris)
Symantec VelociRaptor, Model 1100/1200/1300 v1.5
Affected Symantec security gateways include a DNS proxy, called DNSd, which can be configured to function as a DNS caching server (the default) or as a primary DNS server. Under specific conditions, DNSd may be susceptible to DNS cache poisoning. DNS cache poisoning occurs when incorrect or false DNS records are inserted into a DNS server’s cache tables, for example overwriting a valid name server record with the address of the attacker’s own DNS server. Subsequent queries for the targeted site are then redirected to the rogue DNS server, which responds with its own addresses for those lookups, preventing users from reaching the legitimate site. In this case, reporting on the activity from the SANS Internet Storm Center (http://www.isc.sans.org) indicated that some users were being redirected to web sites that attempted to download spyware/adware modules to the users’ browsers. Shortly after the abnormal activity was first reported, the offending IP addresses were blocked by their ISP until the offending DNS servers’ configuration was corrected.
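As an added illustration of the cache-poisoning mechanism described above (this is not Symantec's DNSd code nor its hotfix), the following minimal resolver cache shows the kind of check a caching resolver applies: a reply may only update cache entries for names inside the zone of the server that was queried, so an out-of-zone NS record cannot overwrite the legitimate one, and a reply whose transaction id or question does not match the outstanding query is dropped whole. The names, addresses, the zone-matching ("bailiwick") rule and the `rejected` log are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Response:
    txid: int       # transaction id echoed by the server
    question: str   # queried name
    records: list   # (owner name, rtype, data) tuples from all sections

def in_bailiwick(name, zone):
    # True if name equals zone or lies beneath it (case-insensitive).
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

class Cache:
    def __init__(self):
        self.entries = {}   # (name, rtype) -> data
        self.rejected = []  # dropped records; worth logging as a signal

    def accept(self, resp, txid, qname, zone):
        # A reply whose id or question does not match the outstanding
        # query is discarded whole; it never touches the cache.
        if resp.txid != txid or resp.question.lower() != qname.lower():
            self.rejected.extend(resp.records)
            return 0
        stored = 0
        for name, rtype, data in resp.records:
            # Only names under the queried server's zone are cached, so a
            # server for rogue.example cannot replace the NS record of
            # example.com. and have later lookups sent to itself.
            if not in_bailiwick(name, zone):
                self.rejected.append((name, rtype, data))
                continue
            self.entries[(name.lower(), rtype)] = data
            stored += 1
        return stored

    def lookup(self, name, rtype):
        return self.entries.get((name.lower(), rtype))

def demo():
    # Constructed sample: the cache already holds the legitimate NS record;
    # a reply from rogue.example's server tries to overwrite it.
    cache = Cache()
    cache.entries[("example.com.", "NS")] = "ns1.example.com."
    reply = Response(0x1234, "www.rogue.example.", [
        ("www.rogue.example.", "A", "192.0.2.10"),
        ("example.com.", "NS", "ns.rogue.example.")])  # out of zone
    cache.accept(reply, 0x1234, "www.rogue.example.", "rogue.example.")
    return cache
```

After `demo()` runs, the in-zone A record is cached, the out-of-zone NS record sits in `rejected` instead of replacing `ns1.example.com.`, and a resolver that logs `rejected` gains a simple indicator that something tried to poison it.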
According to information posted on the Internet Storm Center, users of non-Symantec products reported similar activity, so this malicious action appears not to have been limited to Symantec security gateway products.
Note: DNSd is not required for the operation of the affected Symantec security gateway products. This issue does not affect users whose security policy does not include use of DNSd. However, Symantec recommends that even users who do not use DNSd download and apply the appropriate hotfix, in case DNSd is enabled at some future date.
A CVE Candidate name has been requested from the Common Vulnerabilities and Exposures (CVE) initiative for this issue. This advisory will be revised accordingly upon receipt of the CVE Candidate name.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec posted hotfix updates on March 4, 2005 that address the initial issue being reported by ISC and a small number of Symantec customers.
An updated hotfix was released on March 14, 2005 that further hardens DNSd against an additional potential vector identified by Symantec engineers during post-analysis of this incident. Symantec recommends that customers immediately apply the latest hotfix for their affected product versions to protect against this type of threat. Product-specific hotfixes are available via the Symantec Enterprise Support site, http://www.symantec.com/techsupp.
On March 7, 2005, Symantec Security Response also released detection for the adware delivered by the attempted browser helper object download, Adware.ABXToolbar (http://securityresponse.symantec.com/avcenter/venc/data/adware.abxtoolbar.html). Symantec products that support expanded threats can now detect this version of adware.
Updated hotfix released to further harden DNSd against redirection attempts. This additional finding is addressed in the latest available hotfix, which supersedes previous DNSd hotfixes for the affected products listed in this advisory.
Symantec recommends that all customers immediately apply this latest hotfix. Product-specific hotfixes are available via the Symantec Enterprise Support site, http://www.symantec.com/techsupp.