WordPress Installations Exposed to Spoofed Password Reset from Cache Poisoning Threat
Hidden DNS (domain name system) resolvers create a way to carry out email redirection and account takeover attacks, security researchers warn.
In a technical blog postSEC Consult explains how it is possible to manipulate the DNS name resolution of these so-called closed DNS resolvers using a variant of cache poisoning attacks (PDF), which were first unveiled by renowned network security researcher Dan Kaminsky in 2008.
Chaos Cache
Previous research by SEC Consult showed how it is possible for an attacker to take control of web application user accounts by manipulating DNS name resolution.
Closed DNS resolvers are used by many hosting providers and other Internet Service Providers (ISPs) to provide services to their customers. As their name suggests, closed DNS resolvers reside on closed networks or intranets.
However, “closed” is a bit of a misnomer in the context of SEC Consult’s research, as the researchers showed how it might be possible for external actors to abuse web application functionality to easily attack closed resolvers.
They discovered that attack recognition is possible by exploiting the way closed DNS resolvers interact with spam protection mechanisms on the open Internet.
This could help an attacker understand DNS security features such as source port randomization, DNSSEC, IP fragmentation, and more simply by exploiting logging, password reset, and newsletter features of web applications that rely on closed resolvers.
Browse the web
SEC Consult used two open source tools – DNS Reset Checker and the DNS analysis server – analyze the DNS traffic of the targeted systems in order to identify vulnerabilities.
Concretely, this attack reconnaissance work consisted of sending emails to certain well-known domains and specifying the analysis domain as the sending domain. This allowed the researchers to identify thousands of systems that were using static source ports, a security oversight that left them vulnerable to Kaminsky-type attacks.
“After sending emails to around 50,000 domains, we received and analyzed DNS data from around 7,000 of them,” explains SEC Consult. “Of those 7,000 domains, at least 25 were using static source ports. Going down the rabbit hole again, thousands more domains using static source ports were discovered.
None of the 25 vulnerable resolvers in a sample used or enforced additional security features such as DNSSEC, SEC Consult found.
The affected services operated behind domains operated by both small and large companies, and sites providing government services and political campaigning.
Keep up to date with the latest DNS security news and analysis
DNS cache poisoning insecurities can be exploited to manipulate records and redirect emails – a security gap that would allow an attacker to abuse the password reset features of WordPress and Joomla installations, among others .
The attack technique can be used to hijack even a fully patched WordPress installation, SEC Consult was able to demonstrate.
The infosec company refrained from publicly releasing the exploit code it developed to attack WordPress systems because it feared that knowledge of the problem was low, leaving many web-based systems accessible via closed DNS resolvers open to attacks.
SEC consult spoke to ISPs, hosting providers and computer emergency response teams (CERTs) about the issue in the months before it released its findings last week.
Exit cache
Independent DNS security experts said the research highlighted a valid concern.
Cricket Liu, chief DNS architect at Infoblox, said The daily sip“I don’t think this is particularly new – we talked about this sort of thing back in the heyday of the Kaminsky vulnerability – but it’s relevant as there are still DNS servers out there that don’t use port randomization source.”
Containing Exotic Attacks
While Kaminsky’s legacy attacks are certainly not the “next big thing,” it would be unwise to dismiss the issue as old-fashioned, according to SEC Consult.
Timo Longin, security consultant at SEC Consult, said The daily sip“DNS provides some very exotic and unknown attack vectors that should be brought to the attention of the infosec community!” For example, we found some hosting providers where it would potentially be possible to compromise all hosted servers by hijacking users by password reset through the providers’ control panel.
To protect systems, vulnerable DNS resolvers must be patched and configured securely. Some best practices for securing your own DNS resolvers are available at Google and to DNS Flag Day. Alternatively, large public DNS providers such as Google, Cloudflare or Cisco can also be used.
Countermeasures for new DNS attacks are usually implemented quickly by these large vendors, according to SEC Consult.
YOU MIGHT ALSO LIKE The policy-as-code approach against “cloud-native” security risks
