WordPress installations are at risk of account takeover through forged password resets enabled by a DNS cache poisoning attack. Security researchers caution that so-called closed DNS resolvers can be used to launch account takeover and email redirection attacks.
The renowned network security researcher Dan Kaminsky originally revealed DNS cache poisoning techniques in 2008. In a technical blog post (PDF), SEC Consult details how one of these attacks can be used to influence the name resolution of these closed DNS resolvers.
Cache from chaos
SEC Consult’s earlier research has demonstrated how DNS name resolution manipulation can be used by an attacker to hijack user accounts in web applications.
Many hosting companies and other internet service providers (ISPs) employ closed DNS resolvers to offer services to their customers. Closed DNS resolvers are found on private networks or intranets, as the name suggests.
In the context of SEC Consult’s research, “closed” is a bit of a misnomer, though: the researchers demonstrated how outside actors can take advantage of web application functionality to reach, and attack, closed resolvers.
They discovered that attack reconnaissance is possible by taking advantage of the way closed DNS resolvers interact with spam filtering systems on the public internet.
By abusing the registration, password-reset and newsletter functions of web apps that rely on closed resolvers, an attacker can learn about the DNS security measures those resolvers implement, such as source port randomization, DNSSEC, IP fragmentation and more.
Scouring the web
Practically speaking, this reconnaissance activity involved sending emails to a number of well-known domains, with the researchers’ analysis domain set as the sending domain. The resulting spam-filter lookups allowed the researchers to locate thousands of resolvers that were still using static source ports, a weakness that leaves them susceptible to Kaminsky-style attacks.
SEC Consult states: “After sending emails to over 50k domains, we’ve received and reviewed DNS data for about 7,000 of them. At least 25 of the 7,000 domains used static source ports. Thousands more domains employing static source ports were found by going back down the rabbit hole.”
SEC Consult found that none of a sample of 25 susceptible resolvers was utilizing or implementing additional security features like DNSSEC.
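The finding above rests on one observable property: whether the source port of a resolver’s outbound queries changes between lookups. As an added example (not SEC Consult’s code or tooling), the following script lets a resolver operator audit captured outbound query records for that property. The log format, resolver addresses and query names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: outbound queries captured at the egress of two resolvers.
# Format (assumed): "<timestamp> <resolver_ip>:<source_port> -> <qname>"
SAMPLE_LOG = """\
2023-01-10T10:00:01 198.51.100.7:53 -> mx1.analysis.example
2023-01-10T10:00:02 198.51.100.7:53 -> mx2.analysis.example
2023-01-10T10:00:03 198.51.100.7:53 -> spf.analysis.example
2023-01-10T10:00:04 198.51.100.7:53 -> dkim.analysis.example
2023-01-10T10:00:05 198.51.100.7:53 -> dmarc.analysis.example
2023-01-10T10:00:01 203.0.113.9:41873 -> mx1.analysis.example
2023-01-10T10:00:02 203.0.113.9:58810 -> mx2.analysis.example
2023-01-10T10:00:03 203.0.113.9:33019 -> spf.analysis.example
2023-01-10T10:00:04 203.0.113.9:60442 -> dkim.analysis.example
2023-01-10T10:00:05 203.0.113.9:49127 -> dmarc.analysis.example
"""

LINE_RE = re.compile(r"^\S+ (?P<ip>[\d.]+):(?P<port>\d+) -> \S+$")


def parse_log(text):
    """Yield (resolver_ip, source_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], int(m["port"])


def audit_resolvers(text, min_queries=5):
    """Classify each resolver by how much its outbound source port varies.
    Returns {resolver_ip: (verdict, queries_seen, distinct_ports)}."""
    ports = defaultdict(list)
    for ip, port in parse_log(text):
        ports[ip].append(port)
    report = {}
    for ip, seen in ports.items():
        distinct = len(set(seen))
        if len(seen) < min_queries:
            verdict = "insufficient-data"   # too few samples to judge
        elif distinct == 1:
            verdict = "static-port"         # every query left from one port
        elif distinct < len(seen) // 2:
            verdict = "weak-randomization"  # ports repeat far too often
        else:
            verdict = "randomized"
        report[ip] = (verdict, len(seen), distinct)
    return report


if __name__ == "__main__":
    for ip, (verdict, n, d) in audit_resolvers(SAMPLE_LOG).items():
        print(f"{ip}: {verdict} ({d} distinct source ports over {n} queries)")
```

A resolver reported as static-port should be treated as exposed to the Kaminsky-style poisoning the article describes until it is patched or reconfigured.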
Affected services ranged from websites owned by both small and large enterprises to sites that provided governmental services and ran political campaigns.
An attacker could abuse DNS cache poisoning flaws to alter records and redirect emails, and in this way misuse the password reset features of WordPress and Joomla installations, among others.
SEC Consult has revealed how the attack method can be utilized to hijack even a fully patched WordPress system.
Because of concerns that public awareness of the problem may still be insufficient, which would leave many web-based systems reachable through closed DNS resolvers vulnerable to attack, the infosec firm has been reluctant to publicly release the exploit code it developed to attack WordPress servers.
Before making its findings public last week, SEC Consult discussed the problem with ISPs, hosting companies and computer emergency response teams (CERTs).
According to independent DNS security specialists, the study raised a legitimate worry.
“I don’t think this is particularly novel but this sort of thing back in the heyday of the Kaminsky vulnerability. But it’s relevant because there are still some DNS servers out there that don’t use source port randomization,” said Cricket Liu.
Containing exotic attacks
SEC Consult said that while historical Kaminsky attacks are unquestionably not the “next great thing”, it would be foolish to write them off as irrelevant.
Security expert Timo Longin of SEC Consult said: “The DNS offers many unusual and undiscovered attack vectors that should be brought to the infosec community’s attention! For instance, we discovered some hosting companies where it would be simple to compromise all servers hosted by hijacking user accounts to change passwords.”
To protect systems, vulnerable DNS resolvers must be patched and securely configured. Google and DNS Flag Day both offer best practices for safeguarding your own DNS resolvers. Large public DNS service providers such as Google, Cloudflare or Cisco can also be used as an alternative.
According to SEC Consult, these large providers tend to develop countermeasures for new DNS attacks quickly.