| CVSS 元临时分数 | 当前攻击价格 (≈) | CTI兴趣分数 |
|---|---|---|
| 5.0 | $0-$5k | 0.00 |
摘要
已经发现一个属于致命类别的漏洞,位于ISC BIND 9.8.1-P1。 受此问题影响的是某些未知功能的组件:SRTT Algorithm Handler。 由于被操作,进而引发 权限提升。 而且,有现成的漏洞利用。 建议采取所推荐的变通措施。
细节
已经发现一个属于致命类别的漏洞,位于ISC BIND 9.8.1-P1。 受此问题影响的是某些未知功能的组件:SRTT Algorithm Handler。 由于被操作,进而引发 权限提升。 漏洞的CWE定义是 CWE-269。 此漏洞的脆弱性 2013-08-14由公示人Roee Hay, Jonathan Kalechstein and Dr. Gabi Nakibly、公示人身份Subverting BIND’s SRTT Algorithm: Derandomizing NS Selection、公示人类型为Blog Post (网站)所公布。 阅读公告的网址是securityintelligence.com。 该公开发布已与厂商完成协调。 该披露包含:
Our attack abuses non-open resolvers, i.e. NSs that do not answer on queries that they are not authoritative of. Most of the resolvers around the Internet are non-open. The attacker does not need to control them, but simply needs to know their IP address. We will see how the attacker can take leverage of them in order lower the SRTT value of an arbitrary NS to an arbitrary value on some target resolver. The attacker also hosts a malicious NS. We assume that this malicious NS is the authority of some domain, i.e. malicious.foo. Let’s also assume that we want to lower the SRTT value of one of the authoritative NSs of ibm.com. It’s important to mention that our attack does not depend on the amount of authoritative NSs the target zone has, but for the sake of simplicity, in this example, the zone has two nameservers: NS1 and NS2. We will lower the SRTT of NS2 on the target resolver, so it will be queried before NS1.
未提供技术细节。 此漏洞的受欢迎程度高于平均值。 而且,有现成的漏洞利用。 该漏洞利用已公开,攻击者可能会加以利用。 当前漏洞利用的价值为美元大约是$0-$5k 。 该漏洞由MITRE ATT&CK项目分配为T1068。 通告提到:
An off-path DNS cache poisoning is an attack at which we assert that the adversary does not see the traffic between the DNS resolver and some name server (NS), but manages to poison the cache of the DNS resolver nevertheless. In order to do so, the attacker usually induces a request between the DNS resolver and the NS, and then races against the genuine DNS answer.
如果有长度,则声明为 概念验证。 以下网址提供该漏洞利用:securityintelligence.com。 作为零日漏洞,其地下市场的估计价格约为$25k-$100k。 公告指出:
The attack begins by first querying the resolver for some domain the malicious NS is authoritative of, e.g. 666.malicious.foo. The resolver will eventually approach the malicious NS, which replies with a DNS delegation that contains: (1) A large list of non-open resolvers, (2) The NS that we try to lower the SRTT of, NS2. We assume that NS2 was already on the SRTT cache of the resolver and was contacted prior to the attack, so its SRTT is based on some real RTT value. Since the non-open resolvers were not on the cache, they will be added with very low values between 1 and 32 microseconds according to the SRTT algorithm. This means that they will be queried before NS2 by the NS selection. The resolver will query each of them and they will refuse since they are non-open resolvers. After each query the SRTT value of NS2 will be decayed, i.e. multiplied by 0.98. The resolver will time out after 30 seconds and we can force this timeout if the amount of non-open resolvers is sufficiently large. This means that the resolver will not even get to querying NS2 and at the end of the attack the SRTT of NS2 will be 0.98^n of ist original value, where n is the amount of non-open resolvers which were queried before the timeout.
建议采取所推荐的变通措施。 在漏洞披露后 立即,已经有可能的缓解措施发布。 该公告包含如下评论:
The root cause of this vulnerability is that the resolver maintains a shared cache of SRTT values. The cache is shared in the sense that a malicious NS can affect SRTT values of NSs which are not related to it. We suggest to split the cache. For example, it can be split according to the currently queried zone.
产品
类型
供应商
名称
版本
许可证
网站
- 供应商: https://www.isc.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB 向量: 🔍VulDB 可靠性: 🔍
CVSSv3
VulDB 元基础分数: 5.4VulDB 元临时分数: 5.0
VulDB 基本分数: 5.4
VulDB 临时得分: 5.0
VulDB 向量: 🔍
VulDB 可靠性: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 向量 | 复杂性 | 身份验证 | 保密 | 完整性 | 可用性 |
|---|---|---|---|---|---|
| 开锁 | 开锁 | 开锁 | 开锁 | 开锁 | 开锁 |
| 开锁 | 开锁 | 开锁 | 开锁 | 开锁 | 开锁 |
| 开锁 | 开锁 | 开锁 | 开锁 | 开锁 | 开锁 |
VulDB 基本分数: 🔍
VulDB 临时得分: 🔍
VulDB 可靠性: 🔍
利用
分类: 权限提升CWE: CWE-269 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
身体的: 否
本地: 否
远程: 是
可用性: 🔍
访问: 公共
状态: 概念验证
作者: Roee Hay/Jonathan Kalechstein/Dr. Gabi Nakibly
下载: 🔍
价格预测: 🔍
当前价格估算: 🔍
| 0-Day | 开锁 | 开锁 | 开锁 | 开锁 |
|---|---|---|---|---|
| 今天 | 开锁 | 开锁 | 开锁 | 开锁 |
威胁情报
利益: 🔍活跃演员: 🔍
活跃的APT团体: 🔍
对策
建议: 解决方法状态: 🔍
反应时间: 🔍
0天时间: 🔍
曝光时间: 🔍
利用延迟时间: 🔍
时间轴
2013-08-12 🔍2013-08-14 🔍
2013-08-14 🔍
2013-08-14 🔍
2013-08-15 🔍
2019-03-21 🔍
来源
供应商: isc.org公告: Subverting BIND’s SRTT Algorithm: Derandomizing NS Selection
研究人员: Roee Hay, Jonathan Kalechstein, Dr. Gabi Nakibly
状态: 已确认
确认: 🔍
已协调: 🔍
GCVE (VulDB): GCVE-100-9946
OSVDB: 96276
scip Labs: https://www.scip.ch/en/?labs.20161013
条目
已创建: 2013-08-15 12時20分已更新: 2019-03-21 10時32分
更改: 2013-08-15 12時20分 (57), 2019-03-21 10時32分 (2)
完整: 🔍
Cache ID: 216:9E9:103
暂时没有任何评论。 语言: zh + en.
请登录后发表评论。