Breaking: Now Patch Your Firewalls Because the DNS Patch Won’t Work With Leading Firewalls

By John Furrier

Just breaking right now is that the DNS exploit (the Energizer Bunny of exploits that keeps going) just ran into another major issue. It looks like the DNS patch is being undermined by leading firewalls. I’m looking into which vendors right now; it’s being talked about that Cisco firewalls are affected.

Some are speculating that there’s an issue running even patched DNS servers behind NAT/PAT firewalls. I’m getting emails and IMs saying that they defeat the source-port randomization fix.

DNS vendors, services, firewall vendors are scrambling. I’m expecting responses from Cisco folks shortly.

But the major development might be that most leading firewalls (not just Cisco) have problems with the patch installed. Specifically, I’m hearing of a case where Cisco ASAs don’t randomize the translated UDP source ports when running in PAT mode.

More as this develops…

Update: In talking to friends, this is not just a Cisco product problem specifically, but more of a firewall implementation issue in general. The DNS patches fix the nameservers, but most DNS nameservers sit behind firewalls. So now it appears that the firewalls need to be patched too. Why? Because once you fix the nameservers, it looks like the firewalls are undermining the DNS nameserver patch.
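To make the failure mode concrete, here is an added example (my own code, not from this post or from any firewall or DNS vendor). It models a patched resolver picking a random UDP source port per query, puts a PAT device in front of it, and scores the ports an outside observer would see, which is the kind of check the external port-randomness testers of the time performed. The "sequential PAT" allocation is an assumed behaviour used to illustrate the problem, and the port range and thresholds are constructed values.

```python
"""Model a patched resolver behind a PAT device and score the externally
observed UDP source ports. Added illustration; the sequential-PAT model,
port range and threshold are assumptions, not vendor behaviour."""
import math
import random
from collections import Counter

PORT_LO, PORT_HI = 1024, 65536  # ephemeral range used by the toy resolver


def resolver_ports(n, rng):
    """Patched resolver: a fresh random source port for each of n queries."""
    return [rng.randrange(PORT_LO, PORT_HI) for _ in range(n)]


def sequential_pat(inner_ports, start=1024):
    """Assumed PAT behaviour: ignore the inner port and hand out translated
    ports in order, which throws away the resolver's randomness."""
    return [start + i for i in range(len(inner_ports))]


def randomizing_pat(inner_ports, rng):
    """PAT that picks its own random translated port, preserving entropy."""
    return [rng.randrange(PORT_LO, PORT_HI) for _ in inner_ports]


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed port distribution. A sequential
    run of distinct ports scores as high as random ports, so this alone
    cannot detect the PAT problem; ordering has to be examined too."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Fraction of consecutive queries whose port is exactly previous + 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess(observed_ports, max_sequential=0.1):
    """Verdict an external tester would give from the ports it sees."""
    return "POOR" if sequential_fraction(observed_ports) > max_sequential else "GOOD"


def run_scenarios(n=200, seed=7):
    """Run the three deployments and return {scenario: verdict}."""
    rng = random.Random(seed)
    inner = resolver_ports(n, rng)
    scenarios = {
        "no PAT": inner,
        "sequential PAT": sequential_pat(inner),
        "randomizing PAT": randomizing_pat(inner, rng),
    }
    return {name: assess(ports) for name, ports in scenarios.items()}


if __name__ == "__main__":
    rng = random.Random(7)
    inner = resolver_ports(200, rng)
    for name, ports in [("no PAT", inner),
                        ("sequential PAT", sequential_pat(inner)),
                        ("randomizing PAT", randomizing_pat(inner, rng))]:
        print(f"{name:16s} entropy={port_entropy_bits(ports):5.2f} bits "
              f"sequential={sequential_fraction(ports):.2f} -> {assess(ports)}")
```

The point worth noticing is that the per-port entropy is identical for the patched resolver and for the sequential PAT, because both produce 200 distinct ports; only the ordering check exposes the translation. When verifying a deployment, the measurement has to be taken from outside the firewall, since the resolver's own logs will still show random ports.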

5 Comments »


  1. Jimmy says

    John
    Thanks for posting this. Not many people understand that this is a big problem. Patches are great but knowing the implementation consequences is important. Nominum has a great solution to this.

    Looking forward to hearing more about how this develops

    on July 29, 2008 @ 6:44 pm

  2. [...] I blogged yesterday that Cisco firewalls were affected and rendered the DNS patch useless. Well that was true BUT it’s not just Cisco - it’s everyone. There is a bigger picture. DNS sucks. There is too much legacy and critical infrastructure that is more important than some sort of url rewrite and a hacking of a 16 bit port translation (or PAT - Port Address Translation). It’s called ‘industrial strength’ software. Companies like Infoblox and Nominum have growing businesses because they took DNS and scaled it with security. Can vendors do more with it or has it reached its peak? Either way this DNS shit is a problem for IT and network operators. It seems like they are chasing too many holes out there. Is it time to rip and replace? I’ll keep my official opinion to myself. [...]

    on July 30, 2008 @ 3:19 pm

  3. [...] the story gets worse. Recent news suggests that firewalls may have been impacted, including those widely deployed to protect servers. Compatibility issues between the DNS vulnerability patch and firewalls have [...]

    on July 31, 2008 @ 12:42 pm

  4. [...] the story gets worse. Recent news suggests that firewalls may have been impacted, including those widely deployed to protect servers. Compatibility issues between the DNS vulnerability patch and firewalls have [...]

    on July 31, 2008 @ 6:41 pm

  5. [...] July 29, 2008 - Breaking News: Now Patch Your Firewalls Because the DNS Patch Won’t Work Wit… [...]

    on August 7, 2008 @ 11:53 am


Broadband Developments - Unified Communications, Virtualization, Security, and Web 2.0 is (c) 2008