Kaminsky DNS Flaw Details Leaked Accidentally

Technical details of a flaw in the Domain Name System that made headlines earlier in July were accidentally posted to a well-read security blog July 21. Dan Kaminsky advises immediate patching.

Details of the DNS flaw uncovered by security researcher Dan Kaminsky have found their way into the public arena.

Kaminsky, who is the director of penetration testing for the security company IOActive, had planned on keeping the specifics of his discovery close to the vest until the Black Hat conference in August in Las Vegas. Now, the details of his findings appear to have leaked out by accident.

The flaw, which can be exploited to launch DNS (Domain Name System) cache poisoning attacks against recursive DNS servers and redirect Internet traffic, was discovered by Kaminsky several months ago and led a number of vendors to cooperate and coordinate the release of patches two weeks ago. This is an important flaw that affects multiple products: essentially any recursive DNS server. If a server's cache is poisoned, attackers could redirect traffic from that server to anywhere they wanted, say, to a fake "google.com" that was actually a malicious site.

Reverse engineering expert and Zynamics CEO Halvar Flake posted speculation about the bug on a blog July 21. In response, security research and development firm Matasano, which was aware of the true details of the flaw, posted confirmation of Flake's speculation on the Matasano company blog. The Matasano post has since been taken down, but remains alive courtesy of a Google search.

"The cat is out of the bag," read the now-removed Matasano post. "Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat."

Late the same day, Matasano's Thomas Ptacek apologized on the company blog, explaining the firm had "dropped the ball."

Ptacek wrote, "Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky's DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread."

Kaminsky's attempts to keep a tight lid on details of the flaw until Black Hat sparked controversy among some security professionals who felt details of the vulnerability should have been released.

For now, IT pros should apply the patches vendors have made available and follow the suggested mitigations.

Kaminsky has posted a tool on his Web site that allows anyone to check whether the DNS server they are using is vulnerable. DNSstuff launched a piece of freeware July 16 on its site that does the same.
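The checkers mentioned above all work the same way: they make your resolver query a domain whose authoritative server the checker controls, and that server records the UDP source port and transaction ID of every query it receives. The coordinated July patches added source port randomization to recursive resolvers, so a resolver that still sends every query from one fixed port has not been patched. The script below is an added example of that judgement, not Kaminsky's or DNSstuff's tool; the observations it scores are constructed sample data, not captures from a real resolver, and the verdict thresholds are this example's own choices.

```python
"""Score a recursive resolver's source-port randomization from observed queries.

Added example, not code from the article or from Kaminsky's or DNSstuff's
checkers. The observation model matches those tools: an authoritative server
under your control logs the source port and transaction ID (txid) of each
query a resolver sends it. All sample data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class ObservedQuery:
    """One query as logged by the authoritative server."""
    src_port: int   # UDP source port the resolver used (0-65535)
    txid: int       # 16-bit DNS transaction ID from the query header


def shannon_bits(values):
    """Entropy estimate in bits of the observed values (at most log2(n))."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True if every consecutive pair differs by the same 16-bit step."""
    if len(values) < 3:
        return False
    steps = {(b - a) & 0xFFFF for a, b in zip(values, values[1:])}
    return len(steps) == 1


def assess(observations, min_samples=5):
    """Return a dict with a verdict and the statistics behind it.

    VULNERABLE: one fixed source port, so an attacker only has to match the
                16-bit txid (the pre-patch situation).
    POOR:       ports vary but predictably (sequential or confined to a
                narrow range), or the txid itself is sequential.
    GOOD:       ports and txids both vary without an obvious pattern.
    The thresholds (min_samples, the 1024-port span) are assumptions.
    """
    if len(observations) < min_samples:
        raise ValueError(f"need at least {min_samples} observed queries")
    ports = [o.src_port for o in observations]
    txids = [o.txid for o in observations]
    distinct_ports = len(set(ports))
    port_span = max(ports) - min(ports)

    if distinct_ports == 1:
        verdict = "VULNERABLE"
    elif is_sequential(ports) or port_span < 1024 or is_sequential(txids):
        verdict = "POOR"
    else:
        verdict = "GOOD"

    return {
        "verdict": verdict,
        "distinct_ports": distinct_ports,
        "port_span": port_span,
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "txid_sequential": is_sequential(txids),
    }


# Constructed samples (hypothetical, not real captures).
# Unpatched resolver: every query leaves from port 53, txid varies.
UNPATCHED = [ObservedQuery(53, t)
             for t in (0x1A2B, 0x9F01, 0x0C44, 0x7E10, 0x33D2, 0xB8A7)]
# Patched resolver: source port varies across the ephemeral range.
PATCHED = [ObservedQuery(p, t) for p, t in
           ((41337, 0x1A2B), (58024, 0x9F01), (33109, 0x0C44),
            (60111, 0x7E10), (49981, 0x33D2), (38547, 0xB8A7))]
# Resolver (or NAT in front of it) that hands out ports in order.
SEQUENTIAL_PORTS = [ObservedQuery(32768 + i, t) for i, t in
                    enumerate((0x1A2B, 0x9F01, 0x0C44, 0x7E10, 0x33D2, 0xB8A7))]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED),
                         ("sequential", SEQUENTIAL_PORTS)):
        print(name, assess(sample))
```

A handful of samples cannot prove that ports are random, but a single fixed port is conclusive, which is why the public checkers could give a clear "vulnerable" answer from a few queries. One caveat a practitioner should keep in mind: a NAT device between the resolver and the Internet can rewrite source ports and undo the randomization a patched resolver provides, so the check is only meaningful when run from the vantage point of the authoritative server, as these tools do, rather than on the resolver host itself.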

"Patch," Kaminsky advised on his blog. "Today. Now."