Linux flaw exposed nearly 40% of the web to malicious redirects

Going unnoticed for over ten years, a vulnerability in Linux servers has left 38% of web domains exposed to DNS poisoning.

At ACM CCS 2021, a symposium dedicated to cybersecurity, researchers from the University of California unveiled a flaw in Linux systems that lets an attacker target DNS servers and redirect traffic to fraudulent sites. Over 38% of domain names have reportedly been vulnerable for years.

DNS servers work a bit like telephone operators from the 1950s. At that time, to make a phone call, you first had to call a switchboard, which was responsible for connecting the call to the desired line. Likewise, when you type journaldugeek.com in your browser, your computer contacts a DNS server, which consults the list of domain names – the web directory, in short – to provide it with the target’s IP address.

DNS servers, a prime target for hackers

This architecture works exceptionally well … as long as the database remains intact. The problem is that this hub status has made DNS servers prime targets for hackers. Some very cunning individuals have developed a formidable attack that exploits the cache of these servers to gain a lasting foothold in them; this is known as “DNS poisoning”.


Once the poisoned entry is in place, the attacker holds a very frightening weapon: they can redirect the user to any site of their choosing, even from trusted domains like google.com. This is particularly pernicious trickery, since an uninformed user could easily miss any warning signs.

A decade of “DNS poisoning”

When this vulnerability was first identified in 2008, the server cache was very poorly protected. It was enough to brute-force a mere 16-bit key; this amounts to testing 54,536 possibilities, child’s play for a specialized machine.

The discovery of this flaw triggered a real upheaval. The whole industry had to redouble its efforts to close the breach as fast as possible. Ars Technica explains that the problem was solved by changing the port used to send the web request. Until then, requests from all users went through port 53; now the port is chosen randomly, which raises the number of possibilities well beyond 104 million. The system is therefore immensely harder to compromise, because it is almost inconceivable to test so many combinations by brute force in a reasonable time.
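As an added illustration of the mitigation described above (this is not code from the article or from the researchers), the following Python script scores a resolver's outgoing queries for source-port and transaction-ID randomization, flagging a fixed port 53 or a sequential port allocator. The query samples are constructed for the example, not real captures.

```python
import math
import random
from collections import Counter

def entropy_bits(values):
    """Shannon entropy of a sample, in bits (bounded above by log2(sample size))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def is_sequential(ports, threshold=0.9):
    """True when nearly every consecutive pair of ports differs by exactly 1."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return bool(steps) and sum(s == 1 for s in steps) >= threshold * len(steps)

def assess_resolver(queries):
    """queries: list of (source_port, txid) seen on a resolver's outgoing queries.
    Returns sample-limited entropy per field plus findings a defender should act on."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port: only the 16-bit txid protects the cache")
    elif is_sequential(ports):
        findings.append("sequential source ports: the next port is predictable")
    if len(set(txids)) <= len(txids) // 2:
        findings.append("heavy txid reuse: the txid is not a fresh random value")
    return {
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "findings": findings,
        "verdict": "weak" if findings else "randomized",
    }

# Constructed samples (hypothetical, not real traffic): 64 outgoing queries each.
_rng = random.Random(2021)
SAMPLE_FIXED_PORT = [(53, _rng.randrange(1 << 16)) for _ in range(64)]
SAMPLE_SEQUENTIAL = [(32768 + i, _rng.randrange(1 << 16)) for i in range(64)]
SAMPLE_RANDOMIZED = [(_rng.randrange(1024, 1 << 16), _rng.randrange(1 << 16))
                     for _ in range(64)]

if __name__ == "__main__":
    for name, sample in [("fixed port 53", SAMPLE_FIXED_PORT),
                         ("sequential ports", SAMPLE_SEQUENTIAL),
                         ("randomized ports", SAMPLE_RANDOMIZED)]:
        print(name, assess_resolver(sample))
```

With only 64 queries the entropy figures are capped at 6 bits, so treat them as a relative indicator and feed the script a larger capture before drawing conclusions about a production resolver.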

All’s well that ends well, and the DNS server cache is now perfectly secure… or at least, that’s what we thought. Last year, these American researchers found a way to bypass this randomization and poison the DNS. Many updates later, that loophole has fortunately been closed… temporarily.

Other attack surfaces still hidden?

This same team announced in its research paper that there are still several covert ways into the cache of DNS servers. They even speak of channels “even more open, which have existed in Linux kernels for over a decade”. Concretely, this is a flaw in the ICMP protocol, which is normally used to transmit control and error messages. The problem is that a little-known behaviour of this protocol makes it possible to scan for open UDP ports, and thus to defeat port randomization. In total, “38% of front-end IPs and 14% of back-end IPs” would be vulnerable.

Given its critical, high-priority status, and judging by previous episodes, we can expect this vulnerability to be fixed fairly quickly. The researchers have also proposed several avenues in this direction. All that remains is to hope that this is the last potentially exploitable attack surface. Otherwise, we may hear about DNS poisoning again in the near future. The text of the study is available here.


Source: Journal du Geek by www.journaldugeek.com.
