There is a huge issue that was raised a few weeks ago about a vulnerability in DNS and how a DNS server’s cache can be poisoned. There is a lot of information out there describing this latest vulnerability. Basically what it boils down to is that non-randomized source ports, combined with the request (transaction) IDs within DNS, create an environment in which your DNS cache can be poisoned.
This is very important for attackers who would like to redirect your customers to their own websites. Uses? How about phishing? An end user enters www.yourbank.com into their browser. Unknown to the user is the fact that the DNS cache of their provider (their ISP, or their company’s ISP) has been poisoned. So instead of being directed to their bank in Hometown USA, they are directed to a phantom bank in China (for example). Once there, they are presented with a website that looks normal (except maybe for a few misspellings on the page ;). They enter their account credentials, which are then captured for later malicious use. Or an even simpler example might be to poison the cache entry for Google and watch as your victims are instead delivered to a website loaded with malware after they enter ‘www.google.com’ into their browser.
Check Point Vulnerabilities
- No Check Point products are vulnerable to this attack. This means there is no need to patch any Check Point gateways.
- Check Point customers have been protected against this attack vector since 2005 through SmartDefense. As long as you are using R55W, R60, R61, or R65, you have the ability to “scramble” the source port for DNS. The following screenshot shows where this is configured.
Most of the buzz has been around patching DNS, but what has not been getting equal attention is that Hide NAT also affects this vulnerability. You may have a patched DNS server, but if it is sitting behind a device that is performing Hide NAT, then the NAT device rewrites the source port of every outbound query, and you are once again vulnerable because your source ports are no longer randomized on the outside. This is not a bug, but rather the way that Hide NAT works.
- If you are not a Check Point customer and you are using Hide NAT for your DNS servers (patched or unpatched), you are still vulnerable. This means that you are probably going to have to go back and change from Hide NAT to Static NAT. Hope you have some spare routable IPs that you can use.
- If you are a Check Point customer using Hide NAT with DNS servers (patched or unpatched), then all you have to do is check a radio button and you are protected. Pretty simple.
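The practical question behind the two points above is: are the source ports of my resolver’s queries still randomized by the time they leave the perimeter? The following script is an added example for checking that, written for this post; it is not code from the original post and not a Check Point tool. It assumes you have captured the (source port, transaction ID) pairs of outbound DNS queries on the outside of the NAT or firewall (for example from a packet capture) in the order they were seen; the sample captures embedded below are constructed, and the thresholds are arbitrary choices for illustration.

```python
"""Check whether DNS queries leaving the network still carry randomized
source ports after passing through NAT. Feed it (source_port, txid) pairs
captured on the OUTSIDE of the NAT/firewall, in order of observation."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Empirical Shannon entropy, in bits, of a list of observed values."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(ports):
    """Share of consecutive queries whose source port is the previous port + 1.
    A NAT that hands out translated ports in order scores close to 1.0."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_queries(samples, min_entropy_ratio=0.9, max_sequential=0.2):
    """samples: ordered list of (source_port, transaction_id) tuples.
    Returns a report dict with a 'verdict' of 'randomized' or 'predictable'
    plus the reasons behind it. Thresholds are illustrative assumptions."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    n = len(samples)
    # With n samples the entropy can be at most log2(n), so compare against that cap
    # rather than against the theoretical 16 bits of the port/ID field.
    cap = math.log2(n) if n > 1 else 1.0
    port_ratio = entropy_bits(ports) / cap
    txid_ratio = entropy_bits(txids) / cap
    seq = sequential_fraction(ports)
    reasons = []
    if port_ratio < min_entropy_ratio:
        reasons.append("source ports concentrated on few values")
    if seq > max_sequential:
        reasons.append("source ports allocated sequentially")
    if txid_ratio < min_entropy_ratio:
        reasons.append("transaction IDs concentrated on few values")
    return {
        "queries": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_ratio": round(port_ratio, 3),
        "txid_entropy_ratio": round(txid_ratio, 3),
        "sequential_fraction": round(seq, 3),
        "verdict": "predictable" if reasons else "randomized",
        "reasons": reasons,
    }


# --- Constructed sample captures (not real traffic) ---------------------------
_rng = random.Random(2008)
# A patched resolver talking directly to the Internet: random port and random ID.
RANDOMIZED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(500)]
# The same patched resolver, but seen on the outside of a Hide NAT that
# allocates translated ports in order: the IDs stay random, the ports do not.
SEQUENTIAL_NAT = [(20000 + i, _rng.randrange(65536)) for i in range(500)]
# An unpatched resolver that always sends from one fixed port.
FIXED_PORT = [(53, _rng.randrange(65536)) for _ in range(500)]

if __name__ == "__main__":
    for name, capture in [("direct", RANDOMIZED), ("hide-nat", SEQUENTIAL_NAT),
                          ("fixed-port", FIXED_PORT)]:
        print(name, assess_queries(capture))
```

Note that the Hide NAT capture passes the entropy check (every port is different) and is only caught by the sequential-allocation check; that is exactly why a patched resolver behind an in-order NAT looks fine on a quick glance and is still predictable. Run the capture from the outside interface, not from the DNS server itself, because the server’s own view never shows what the NAT did to the packets.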
So the message for Check Point customers is that whether you have unpatched DNS servers and/or are using Hide NAT, you are protected with a simple radio button that has been around since 2005. In most cases this protection is there whether your subscription to SmartDefense is up to date or not. If you do not see that update, and/or are not currently using SmartDefense, then now is the time to open that tab in SmartDashboard and maybe request a 30-day SmartDefense demo from Check Point.