There is a huge issue that was raised a few weeks ago about a vulnerability in DNS and how a DNS server’s cache can be poisoned. There is a lot of information out there describing this latest vulnerability. Basically what it boils down to is that non-randomized source ports combined with request IDs within DNS create a vulnerability environment in which your DNS cache can be poisoned.

This is very important for attackers who would like to redirect your customers to their own websites. Uses? How about phishing? An end user enters www.yourbank.com into their browser. Unknown to the user is that fact that their service’s (ISP/Company’s ISP) DNS cache has been poisoned. So instead of being directed to their bank in Hometown USA, they are directed to a phantom bank in China (for example). Once there, they are presented with a website that looks normal (except maybe for a few misspellings on the page ;). They enter in their account credentials which are then captured for later malicious use. Or an even simpler example might be to poison the cache entry for Google and watch as your victims are instead delivered to a website loaded with malware after they enter ‘www.google.com’ into their browser.

Check Point Vulnerabilities

There are different combinations of Hide NAT, DNS servers, and gateways that can affect all of this. For Check Point customers, there are several important facts to consider:

Hide NAT

Most of the buzz has been around patching DNS, but what has not been getting equal attention is that Hide NAT also affects this vulnerability. You may have a patched DNS server, but if it is sitting behind a device that is performing Hide NAT then you are once again vulnerable to not having your source ports randomized. This is not a bug, but rather the way that Hide Nat works.

  • If you are not a Check Point customer and you are using Hide NAT for your DNS servers (patched or unpatched) you are still vulnerable. This means that you are probably going to have to go back and change from Hide NAT to Static NAT. Hope you have some spare routable IPs that you can use.

So the message for Check Point customers is that whether you have unpatched DNS servers and/or are using Hide NAT, you are protected with a simple radio button that has been around since 2005. In most cases this protection is there whether your subscription to SmartDefense is up to date or not. If you do not see that update, and/or are not currently using Smart Defense then now is the time to open that tab in SmartDashboard and maybe request a 30 day SmartDefense demo from Check Point.

Mitigating CVE-2008-1447…DNS Cache Poisoning

Leave a Reply

Your email address will not be published. Required fields are marked *