Security Alerts
DNS Vulnerability Advisory Alert
This is a critical advisory and affects most companies
What Is It?
This DNS vulnerability affects almost everyone on the Internet. A fundamental flaw in the design of how Internet addresses (URLs) are resolved can severely impact you. Consider this: when you type www.google.com, this flaw can result in your affected DNS server taking you to a malicious site, potentially exposing you to viruses, malware and security attacks. Every website you visit goes bad, every email you send could go someplace else.
Why Should You Care?
This vulnerability has universal impact since it stems from a design flaw. Every computer uses DNS to know where to find other computers. Using this flaw, an attacker can infect your DNS servers and redirect your traffic to arbitrary & malicious locations. In corporate environments like yours, an attacker could disrupt or monitor operations by rerouting network traffic, capturing emails and other sensitive business data.
BIND, Cisco, Microsoft, and many other DNS server implementations are vulnerable. Based on this vulnerability FAQ, you should care if your servers are of the following kind:
- BIND installations are at risk. Some other DNS servers have always randomized source ports, and are not likely at risk.
- Recursive servers are at risk. No ifs, ands, or buts about it.
Read the FAQ for more details on the impact.
How Can You Get Safe?
The good news is that vendors and service providers are already aware and providing patches for fixing this issue. As a generic solution to fix this issue, do the following:
- Apply a patch from your vendor
Patches have been released by a number of vendors to implement source port randomization in the name server.
- Restrict access
Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion.
- Filter traffic at network perimeters
Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should take care to filter spoofed addresses at the network perimeter. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
- Disable recursion
Disable recursion on any name server responding to DNS requests made by untrusted systems.
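The patch, access-restriction and disable-recursion steps above can be checked against a BIND configuration. The following Python check is an added example, not part of this advisory or of any vendor's tooling; the two sample named.conf texts and the finding names are constructed for illustration.

```python
import re

# Constructed sample configs (not from the advisory): weak vs. hardened.
WEAK_CONF = """
options {
    recursion yes;
    allow-recursion { any; };
    query-source address * port 53;   // fixed source port
};
"""
HARDENED_CONF = """
acl "internal" { 192.0.2.0/24; localhost; };
options {
    recursion yes;
    allow-recursion { "internal"; };
    query-source address *;           // port left for the server to randomize
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out settings never match."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def audit_named_conf(text):
    """Return sorted finding names (hypothetical labels) for a named.conf text."""
    conf = strip_comments(text)
    findings = []
    # A numeric port in query-source pins every outbound query to one port,
    # cancelling the source port randomization that the vendor patch adds.
    if re.search(r"query-source(-v6)?\b[^;]*\bport\s+\d+", conf):
        findings.append("fixed-query-source-port")
    # With recursion on, the set of clients allowed to recurse should be
    # stated explicitly and must not include "any".
    if not re.search(r"\brecursion\s+no\s*;", conf):
        allowed = re.search(r"\ballow-recursion\s*\{([^}]*)\}", conf)
        if allowed is None:
            findings.append("allow-recursion-not-set")
        elif re.search(r"\bany\b", allowed.group(1)):
            findings.append("recursion-open-to-any")
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_named_conf(conf) or "no findings")
```

A configuration that still pins the query source port stays exposed even after the vendor patch is installed, which is why the check reports it separately from the recursion settings.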
How Can You Protect Yourself In The Future?
To protect yourself from vulnerabilities such as this in the future, you should consider doing regular penetration testing. Gartner, a leading analyst firm, recommends that "Penetration Testing that goes beyond simple vulnerability assessment should be conducted regularly".
iViZ, the world's only on-demand automated end-to-end penetration testing solution, can help you keep your organization's IT safe. Unlike conventional penetration testing methods, which are manual, time-intensive and expensive, iViZ's on-demand solution offers superior benefits.
- On-Demand, Easy and Affordable: can be used anytime, anywhere and anyhow using a Software-as-a-Service subscription model.
- Fast, Accurate and Comprehensive: iViZ simulates multi-stage attack paths to provide comprehensive solutions.
- Easy Compliance: with built-in compliance reporting for SOX, HIPAA, ISO27001, PCI DSS.
To learn more about iViZ, please visit www.iviztechnosolutions.com or send us an email at info@technosolutions.com.
Where Can I Learn More About BGP Vulnerability?