DNS Rebinding Vulnerabilities Expose 496M Enterprise Devices to Risk

A decade-old attack vector is still a real risk for enterprises, potentially enabling hackers to gain access to private internal networks.

DNS Rebinding Armis

Internet of things (IoT) security vendor Armis released new research on July 20, estimating that approximately 496 million devices used by enterprises are at risk from DNS rebinding attacks.

The Armis research follows research published in June that found consumer devices were at risk of DNS rebinding attacks. Armis looked at enterprise devices to see if they were at risk from the decade-old attack vector that gives attackers access to a local network through a manipulation of how DNS (Domain Name Service) works.

"Enterprises might have thought that most of these devices essentially could get away with a very weak HTTP server because presumably they are sitting on an internal network and there are a bunch of firewalls that are protecting devices," Nadir Izrael, co-founder and CTO of Armis Security, told eWEEK. "DNS rebinding, in fact, gives you the ability to sidestep the firewall and use one of the internal network devices as a proxy into internal devices."

Armis is a cyber-security vendor that first launched its IoT security platform for IoT visibility and control in June 2017. The company's research team has found other IoT risks in the past, including the BlueBorne Bluetooth flaws that were disclosed in September 2017.

Armis found that approximately 77 percent of enterprise IP phones and 66 percent of printers across enterprises were potentially at risk from DNS rebinding. Additionally, 87 percent of switches, routers and access points were also identified as being at risk. Armis did not directly scan the entire internet to determine how many devices were vulnerable to DNS rebinding. Rather, the company scanned its own customers and then extrapolated using industry statistics to estimate a total number of devices that are impacted.

How DNS Rebinding Works

With DNS rebinding, a local private IP address is somehow exposed by an attacker and then is connected to a public address, enabling an attacker to access assets and resources that an organization has not made publicly accessible.

"You don't even have to have a single device that's accessible on the internal organization network for this attack to work," Izrael said. 

Basically, what would happen is an attacker creates a local malicious DNS server and tricks a victim into reaching out to the DNS server, via a phishing or other attack. Izrael said an attacker could use a victim's web browser as a proxy to connect to other devices within a network. By enabling access to devices that are not intended to be accessible to the public internet, Izrael said an attacker can discover other potentially vulnerable assets that can be compromised.

How to Defend Against DNS Rebinding

There are multiple things organizations can do to limit the risk of DNS rebinding attacks.

"In general, manufacturers of devices should be putting up very high security on any accessible server," Izrael said. "It's no excuse that these devices were meant to sit on an internal network. "

Additionally, Izrael suggests that organizations make sure that all devices are fully patched, even if they are only on the internal network. He said that there might be a perception in some organizations that because the devices are not publicly accessible that they don't need to be patched.

Using a DNS security proxy or third-party DNS service is also an option to help protect against DNS rebinding attacks, though Izrael noted that option isn't always practical for enterprises. Izrael said that many enterprises are likely to choose to only use their own local DNS servers for performance or administrative reasons.

"I would say most enterprises would not use that type of DNS solution, which is kind of a weird situation when it puts them at more risk than your average consumer comparatively," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.