Symantec Fixes DNS Cache-Poisoning Flaw

Symantec late Tuesday issued patches for a DNS cache-poisoning and redirection vulnerability that affects multiple gateway security products.

The Cupertino, Calif.-based IT security powerhouse rates the issue as “high risk” and warns that affected gateway products configured as a DNS caching server or as a primary DNS server could be exploited to redirect users to bogus addresses.

The issue was first reported by the SANS ISC (Internet Storm Center) and is already being exploited by attackers to install malware on vulnerable systems.

According to the ISCs alert, attackers are redirecting traffic from popular domains such as google.com, ebay.com and weather.com to rogue sites that attempt to load the ABX toolbar spyware onto the victims machine.

Symantec Corp. confirmed the ISCs discovery and posted a separate advisory to explain the risk. The company said affected security gateways include a DNS proxy called DNSd, which can be configured to function as a DNS caching server (default) or as a primary DNS server.

Under specific conditions, Symantec said DNSd may be susceptible to DNS cache poisoning, which occurs when incorrect or false DNS records are inserted into a DNS servers cache tables, overwriting a valid-name server record with its own DNS server address.

“Subsequent queries for a targeted site would then be redirected to the rogue DNS server, which would respond with its own addresses for those lookups, preventing users from accessing the legitimate site,” according to the advisory.

/zimages/3/28571.gifClick here to read more about spammer tactics in the wake of the CAN-SPAM act.

In this case, some Symantec customers were being redirected to Web sites that attempted to download spyware or adware modules to the users browsers.

“Shortly after the abnormal activity was initially reported, the offending IP addresses were blocked by their ISP until the offending DNS servers configuration was corrected,” Symantec added.

/zimages/3/28571.gifRead more here about Symantecs spyware capture and removal offerings for enterprise.

Affected products include the Symantec Gateway Security 5400 Series, v2.x; Symantec Gateway Security 5300 Series, v1.0; Symantec Enterprise Firewall, v7.0.x (Windows and Solaris); Symantec Enterprise Firewall, v8.0 (Windows and Solaris); and Symantec VelociRaptor, Model 1100/1200/1300 v1.5.

Product-specific hotfixes are available via the Symantec Enterprise Support site.

Symantec Security Response also released adware detection for the Adware.ABXToolbar browser helper object download.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.