UDP Port randomization, regarding DNS Vulnerabilities.

Unanswered Question
Jul 26th, 2008

There are all kind of nice features regarding TCP port randomization, however with these new DNS problems starting I'm curious about UDP port randomization, for DNS especially.

My internal recursive DNS servers were vulnerable to this new port randomization problem: http://tools.cisco.com/security/center/viewAlert.x?alertId=16183

I've taken the time to patch everything as I'm sure everyone else has, however the way the Cisco ASA translates UDP requests I get the feeling that either I've missed something or that there is still a problem when one uses PAT through a PIX or ASA (and probably other PAT devices.)

So here are some logs, as you can tell my newly patched DNS servers are doing the right thing and completely randomizing the source ports, and as you can clearly see my ASA is clearly negating every singe one of them. Obviousely this only happens when going through a shared 'global'. Am I missing something or is there no way to randomize UDP translations?

%ASA-6-302015: Built outbound UDP connection 1855997200 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/64700 (I.N.A.T/27287)

%ASA-6-302015: Built outbound UDP connection 1855997201 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/18132 (I.N.A.T/27288)

%ASA-6-302015: Built outbound UDP connection 1855997202 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/30062 (I.N.A.T/27289)

%ASA-6-302015: Built outbound UDP connection 1855997203 for outside:O.D.N.S/53 (O.D.N.S/53) to backside:192.168.22.10/7317 (I.N.A.T/27290)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
SecureWorks Dev... Sat, 07/26/2008 - 16:17

I think 8.0(4) will address this - I was told it will be released Monday.

Can anyone validate this?

SecureWorks Dev... Tue, 07/29/2008 - 07:25

We talked to two different TAC reps yesterday - both told us that 8.0(4) was pushed back to 8/04. While the release date matching the version number is cute, it really leaves us in a bind.

Checkpoint, Juniper, even iptables, have had this fixed for a while now. It's pretty disconcerting that a market leader like Cisco is leaving their customers in such a bind, especially given the attention this issue is getting from the press and upper management types.

elparis Tue, 07/29/2008 - 12:33

Yes, but we are still fully supporting PIX software. We're not selling the PIX anymore (the ASA family has replaced it) but will continue to support it and patch the software for serious bugs and vulnerabilities.

Cheers,

Eloy Paris.-

Cisco PSIRT

http://www.cisco.com/go/psirt/

w-schultz Tue, 07/29/2008 - 13:10

Thank you for your response,

Is a fix for the 6 tree to be expected in the same time table?

elparis Tue, 07/29/2008 - 13:27

Hi w-schultz,

We have 6.3.5.145 ready today, which has the fix for CSCsr28354 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr28354). This is the bug that was filed to take care of the problem with sequential port allocation when doing PAT.

If you open a case with the TAC you can ask them to post this image for you while I try to make this image available for download from a more accessible location.

Cheers,

Eloy Paris.-

Cisco PSIRT

http://www.cisco.com/go/psirt/

elparis Tue, 07/29/2008 - 14:59

Yes, correct - we pushed out the update of this advisory a couple of hours ago. I started to compose a reply to one of your earlier messages in this discussion to let people know about the update but got sidetracked and didn't get to it.

The goal of the update was to bring attention to the problem that Cisco products bring to the table when doing PAT in the light of the recent DNS issue. Basically the reason why you started this discussion here.

We thought the new information was relevant, which is why we bumped the revision number to 2.0 instead of 1.3.

Thanks for bringing up the update to the advisory here. That'll help other people who may be wondering how Cisco products are impacted.

Cheers,

Eloy Paris.-

Cisco PSIRT

http://www.cisco.com/go/psirt/

elparis Tue, 07/29/2008 - 12:31

devmgmt,

Correct, the new cisco.com date for 8.0.4 is next Monday because we found a couple of issues during regression testing.

I feel everybody's pain, I really do. We're scrambling to get fixes out as soon as possible. The fix itself came very quickly but longish regression testing cycles and the nature of the fix have delayed availability of fixed software.

If you don't mind my asking, how bad is this problem in your particular case; do you have DNS servers behind ASA or PIX firewalls operating in PAT mode for the DNS servers?

Cheers,

Eloy Paris.-

Cisco PSIRT

http://www.cisco.com/go/psirt/

bsiegenthaler Sat, 08/02/2008 - 01:10

> If you don't mind my asking, how bad is this problem in your particular case; do you have DNS servers behind ASA or PIX firewalls operating in PAT mode for the DNS servers?

Hi Eloy,

I found this thread in search for the NAT/PAT issues. I cannot found information about a Roadmap for a Fix for non PIX/ASA devices, eg Routers? I have several patched BIND Servers behind ADSL-Routers.

regards

Beat

elparis Mon, 08/11/2008 - 10:52

Hi Beat,

My apologies for the late reply.

> I found this thread in search for the

> NAT/PAT issues. I cannot found information

> about a Roadmap for a Fix for non PIX/ASA

> devices, eg Routers? I have several patched

> BIND Servers behind ADSL-Routers.

Cisco IOS is also affected. The bug that I filed for IOS is CSCsr29691 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr29691). IOS is moving slower than PIX/ASA in the sense that they are still working on the fix, and PIX/ASA already have a fix that has been committed and is making into into fixed software.

Are your ADSL routers doing PAT for the BIND servers that are behind them?

Cheers,

Eloy Paris.-

elparis Mon, 08/11/2008 - 10:36

Correct:

http://www.cisco.com/cgi-bin/tablebuild.pl/asa

I checked as soon as I saw the message from today asking for it and it wasn't there. Then I started to ping people internally to see where we were with it but then it got released and you beat me to it.

Cheers,

Eloy Paris.-

Cisco PSIRT

Actions

This Discussion