New version of the SAD DNS attack for injecting bogus data into the DNS cache

A group of researchers from the University of California, Riverside has published a new version of the SAD DNS attack (CVE-2021-20322), which works despite the protection added last year to block the CVE-2020-25705 vulnerability. The new method is broadly similar to last year's vulnerability and differs only in using a different type of ICMP packet to check for active UDP ports. The proposed attack makes it possible to inject bogus data into a DNS server's cache, which can be used to replace the IP address of an arbitrary domain in the cache and redirect requests for that domain to the attacker's server.

The proposed method works only against the Linux network stack, because it depends on specifics of the ICMP packet processing mechanism in Linux. That mechanism is the source of a data leak that simplifies determining the UDP port number the server uses to send an outgoing request. The fix comes down to switching the network caches from Jenkins Hash to the SipHash hashing algorithm. The changes that block the information leak were accepted into the Linux kernel at the end of August (the fix was included in kernel 5.15 and in the September updates of the kernel's LTS branches). The status of the vulnerability in distributions can be tracked on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu.

According to the researchers who identified the problem, about 38% of open resolvers on the network are affected by the vulnerability, including popular DNS services such as OpenDNS and Quad9 (9.9.9.9). As for server software, the attack can be carried out against packages such as BIND, Unbound and dnsmasq when they run on a Linux server. The problem does not manifest on DNS servers running on Windows and BSD systems. A successful attack requires IP spoofing, i.e. the attacker's ISP must not block packets with a forged source IP address.

Recall that the SAD DNS attack makes it possible to bypass the protection added to DNS servers to block the classic method
