WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec
March 15, 2005
Symantec security gateway DNS redirection

Revision History
5/24/2005 -

Updated hotfix release to further harden DNSd against redirection attempts. This additional finding is included in the latest available hotfix, which supersedes previous DNSd hotfixes for the affected products listed below.

Symantec recommends all customers immediately apply this latest hotfix. Product specific hotfixes are available via the Symantec Enterprise Support site http://www.symantec.com/techsupp.

Risk Impact

Symantec released a hotfix addressing a DNS cache poisoning and redirection issue reported on March 4, 2005 that impacts some Symantec security gateways products identified below. Affected Symantec security gateway products configured as a DNS caching server or as a primary DNS server were experiencing problems with name resolution whereby hostnames lookups to common sites were resolving to bogus addresses. In-depth analysis of this incident and the stance of Symantecís security gateway products provided details that allowed Symantec to harden DNSd even further against unknown attack vectors for this class of attack.

Affected Components
Symantec Gateway Security 5400 Series, v2.x
Symantec Gateway Security 5300 Series, v1.0
Symantec Enterprise Firewall, v7.0.x (Windows and Solaris)
Symantec Enterprise Firewall v8.0 (Windows and Solaris)
Symantec VelociRaptor, Model 1100/1200/1300 v1.5

Affected Symantec security gateways include a DNS proxy, called DNSd, which can be configured to function as a DNS caching server (default) or as a primary DNS server. Under specific conditions, DNSd may be susceptible to DNS cache poisoning. DNS cache poisoning occurs when incorrect or false DNS records are inserted into a DNS serverís cache tables, overwriting a valid name server record with its own DNS server address. Subsequent queries for a targeted site would then be redirected to the rogue DNS server, which would respond with its own addresses for those lookups, preventing users from accessing the legitimate site. In this case, reporting on this activity from the Internet Storm Center, SANS, http://www.isc.sans.org, indicated that some users were being redirected to web sites that attempted to download spyware/adware modules to the users browsers. Shortly after the abnormal activity was initially reported, the offending IP addresses were blocked by their ISP until the offending DNS serversí configuration was corrected.

According to information posted on the Internet Storm Center, non-Symantec product users reported similar activity so this malicious action appears not to have been limited to Symantec security gateway products.

Note: DNSd is not required for the operations of the affected Symantec security gateway products. This issue does not affect users whose security policy does not include use of DNSd. However, Symantec recommends even users who do not use DNSd download and apply the appropriate hotfix in the event that DNSd may be enabled at some future date.

Symantec Response
Symantec posted hotfix updates on March 4, 2005 that address the initial issue being reported by ISC and a small number of Symantec customers.

An updated hotfix was released on March 14, 2005 that further hardens the DNSd for protection against an additional potential vector identified by Symantec engineers during our post-analysis of this incident. Symantec recommends customers immediately apply the latest hotfix for their affected product versions to protect against this type of threat. Product specific hotfixes are available via the Symantec Enterprise Support site http://www.symantec.com/techsupp.

On March 7, 2005 Symantec Security Response also released adware detection, http://securityresponse.symantec.com/avcenter/venc/data/adware.abxtoolbar.html, Adware.ABXToolbar, for the attempted browser helper object download. Symantec products that support expanded threats can now detect this version of adware.

A CVE Candidate name has been requested from the Common Vulnerabilities and Exposures (CVE) initiative for this issue. This advisory will be revised accordingly upon receipt of the CVE Candidate name.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

PDF Symantec Vulnerability Response Policy PGP Symantec Product Vulnerability Management PGP Key

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Initial Post on: Tuesday, 15-March-05 14:56:12
Last modified on: Tuesday, 24-May-2005 15:17:49 PDT