Symantec Enterprise Firewall DNSd Proxy Bug Lets Remote Users Poison the DNS Cache
SecurityTracker Alert ID: 1013452
SecurityTracker URL: http://securitytracker.com/id/1013452
Date: Mar 16 2005
Impact: Modification of system information
Fix Available: Yes   Vendor Confirmed: Yes
Version(s): 7.0.x, 8.0 (Windows and Solaris)
Description: A vulnerability was reported in Symantec Enterprise Firewall in the DNSd proxy. A remote user may be able to poison the DNS cache.
A remote user with control of a DNS server (or the ability to spoof DNS) can send specially crafted packets to poison the DNS on the target system. As a result, host name lookups performed using the Symantec product will return arbitrary addresses specified by the remote user.
Systems configured as a DNS caching server or as a primary DNS server may be affected.
Impact: A remote user may be able to poison the DNS cache and cause host name lookups performed via the target system to return an arbitrary (and incorrect) address.
Solution: The vendor issued hotfixes on March 4, 2005 and on March 14, 2005 to address this vulnerability.
Vendor URL: securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html
Underlying OS: UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Source Message Contents
Date: Wed, 16 Mar 2005 05:30:35 -0500
March 15, 2005
Symantec security gateway DNS redirection
Symantec released a hotfix addressing a DNS cache poisoning and redirection issue
reported on March 4, 2005 that impacts some Symantec security gateways products
identified below. Affected Symantec security gateway products configured as a DNS
caching server or as a primary DNS server were experiencing problems with name
resolution whereby hostname lookups to common sites were resolving to bogus
addresses. In-depth analysis of this incident and the stance of Symantec's security
gateway products provided details that allowed Symantec to harden DNSd even further
against unknown attack vectors for this class of attack.
Symantec Gateway Security 5400 Series, v2.x
Symantec Gateway Security 5300 Series, v1.0
Symantec Enterprise Firewall, v7.0.x (Windows and Solaris)
Symantec Enterprise Firewall v8.0 (Windows and Solaris)
Symantec VelociRaptor, Model 1100/1200/1300 v1.5
Affected Symantec security gateways include a DNS proxy, called DNSd, which can be
configured to function as a DNS caching server (default) or as a primary DNS server.
Under specific conditions, DNSd may be susceptible to DNS cache poisoning. DNS cache
poisoning occurs when incorrect or false DNS records are inserted into a DNS server's
cache tables, overwriting a valid name server record with the attacker's own DNS server address.
Subsequent queries for a targeted site would then be redirected to the rogue DNS
server, which would respond with its own addresses for those lookups, preventing
users from accessing the legitimate site. In this case, reporting on this activity
from the Internet Storm Center, SANS, http://www.isc.sans.org, indicated that some
users were being redirected to web sites that attempted to download spyware/adware
modules to the users' browsers. Shortly after the abnormal activity was initially
reported, the offending IP addresses were blocked by their ISP until the offending
DNS servers' configuration was corrected.
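The mechanism the paragraph above describes, a response that slips a name server record for an unrelated zone into a resolver's cache so that later lookups for that zone go to the rogue server, is illustrated here with an added toy example. It is not Symantec code and does not describe DNSd's actual defect (the advisory does not state what it was); it shows the general class of cache poisoning and the standard mitigation, the bailiwick rule, under which a resolver keeps only records whose owner name lies under the zone the answering server is authoritative for. All names, addresses and the `Record`, `Response`, `NaiveCache`, `BailiwickCache` and `run_scenario` definitions are constructed for this example.

```python
"""Toy resolver cache: unchecked ingestion versus a bailiwick check.

Added example, not Symantec's code. Every record below is constructed sample
data using RFC 5737 documentation addresses and reserved .example names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    """One resource record: owner name (absolute, trailing dot), type and RDATA."""
    name: str
    rtype: str
    data: str


@dataclass
class Response:
    """A DNS response split into its answer, authority and additional sections."""
    qname: str
    answer: List[Record]
    authority: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it (both absolute names)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


class NaiveCache:
    """Caches every record in a response regardless of section or origin.

    An NS record in the authority section silently replaces the one already
    held for that zone, which is the overwrite the advisory describes."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str], str] = {}

    def ingest(self, resp: Response, server_zone: str) -> None:
        for rec in resp.answer + resp.authority + resp.additional:
            self.records[(rec.name.lower(), rec.rtype)] = rec.data

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        return self.records.get((name.lower(), rtype))


class BailiwickCache(NaiveCache):
    """Hardened variant: only records whose owner name lies within the zone the
    queried server is authoritative for are cached; the rest are dropped and
    retained so they can be logged as a poisoning attempt."""

    def __init__(self) -> None:
        super().__init__()
        self.rejected: List[Record] = []

    def ingest(self, resp: Response, server_zone: str) -> None:
        for rec in resp.answer + resp.authority + resp.additional:
            if in_bailiwick(rec.name, server_zone):
                self.records[(rec.name.lower(), rec.rtype)] = rec.data
            else:
                self.rejected.append(rec)


def run_scenario(cache_cls) -> dict:
    """Replay one constructed exchange against the given cache class and report
    which name server the cache ends up holding for the unrelated zone."""
    cache = cache_cls()
    # Constructed: the legitimate delegation the cache learned earlier.
    cache.records[("bank.example.", "NS")] = "ns1.bank.example."
    cache.records[("ns1.bank.example.", "A")] = "192.0.2.10"
    # Constructed response from a server authoritative only for attacker.example.
    # Its authority section carries an NS record for a zone it has no authority over.
    resp = Response(
        qname="www.attacker.example.",
        answer=[Record("www.attacker.example.", "A", "198.51.100.5")],
        authority=[Record("bank.example.", "NS", "ns.attacker.example.")],
        additional=[Record("ns.attacker.example.", "A", "198.51.100.53")],
    )
    cache.ingest(resp, server_zone="attacker.example.")
    return {
        "bank_ns": cache.lookup("bank.example.", "NS"),
        "rejected": len(getattr(cache, "rejected", [])),
    }


if __name__ == "__main__":
    for cls in (NaiveCache, BailiwickCache):
        print(cls.__name__, run_scenario(cls))
```

With the naive cache the NS record for `bank.example.` is overwritten by the rogue server, so every subsequent lookup under that zone is sent to an address the responder chose; the bailiwick cache keeps the original delegation and records the out-of-zone record in `rejected`, which is the signal a defender would forward to logging or alerting.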
According to information posted on the Internet Storm Center, non-Symantec product
users reported similar activity so this malicious action appears not to have been
limited to Symantec security gateway products.
Note: DNSd is not required for the operations of the affected Symantec security
gateway products. This issue does not affect users whose security policy does not
include use of DNSd. However, Symantec recommends even users who do not use DNSd
download and apply the appropriate hotfix in the event that DNSd may be enabled at
some future date.
Symantec posted hotfix updates on March 4, 2005 that address the initial issue being
reported by ISC and a small number of Symantec customers.
An updated hotfix was released on March 14, 2005 that further hardens the DNSd for
protection against an additional potential vector identified by Symantec engineers
during our post-analysis of this incident. Symantec recommends customers immediately
apply the latest hotfix for their affected product versions to protect against this
type of threat. Product specific hotfixes are available via the Symantec Enterprise
Support site http://www.symantec.com/techsupp.
On March 7, 2005 Symantec Security Response also released adware detection,
Adware.ABXToolbar, for the attempted browser helper object download. Symantec
products that support expanded threats can now detect this version of adware.
A CVE Candidate name has been requested from the Common Vulnerabilities and Exposures
(CVE) initiative for this issue. This advisory will be revised accordingly upon
receipt of the CVE Candidate name.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.
Symantec takes the security and proper functionality of its products very seriously.
As founding members of the Organization for Internet Safety (OISafety), Symantec
follows the principles of responsible disclosure. Symantec also subscribes to the
vulnerability guidelines outlined by the National Infrastructure Advisory Council
(NIAC). Please contact email@example.com if you feel you have discovered a
potential or actual security issue with a Symantec product. A Symantec Product
Security team member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document outlining
the process we follow in addressing suspected vulnerabilities in our products. We
support responsible disclosure of all vulnerability information in a timely manner to
protect Symantec customers and the security of the Internet as a result of
vulnerability. This document is available from the location provided below.
Symantec strongly recommends using encrypted email for reporting vulnerability
information to firstname.lastname@example.org. The Symantec Product Security PGP key can be
obtained from the location provided below.
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Response PGP Key
Copyright (c) 2005 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not
edited in any way unless authorized by Symantec Security Response. Reprinting the
whole or part of this alert in any medium other than electronically requires
permission from email@example.com.
The information in the advisory is believed to be accurate at the time of publishing
based on currently available information. Use of the information constitutes
acceptance for use in an AS IS condition. There are no warranties with regard to this
information. Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use of, or reliance
on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are
registered trademarks of Symantec Corp. and/or affiliated companies in the United
States and other countries. All other registered and unregistered trademarks
represented in this document are the sole property of their respective