CWE for DNS/PTR/etc shenanigans

Kurt Seifried
So Florian Weimer just posted this (Credit to Simo Sorce for the blog posting):

TL;DR: Kerberos, and many applications/etc, do bad things with DNS canonicalization and PTR lookups resulting in situations where an attacker can subvert things like Kerberos (which has mutual authentication, so this is definitely not supposed to happen). I wanted to start a discussion here on what if any specific CWEs might be needed for this; we have a few that sort of broadly cover this, but are too generic to be of much help: CWE-171 and CWE-441. I'm broadly thinking:

CWE related to hijacking DNS lookups via canonicalization and/or PTR lookups for protocols like Kerberos that are explicitly supposed to mutually authenticate (client to server AND server to client).

I would note that the above could also cover things like SSL/TLS in web browsers (e.g. I wanted to go to facebook.com, not facebook.com.example.org). I suspect DNS local search path is more of a problem than we'd like to admit at this point.

--
Kurt Seifried
[hidden email]
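An added illustration of the two failure modes the post names (search-path expansion and trusting PTR data when building a service principal), beside a canonicalization that fails closed. This is example code written for this page, not code from the post, from Kerberos, or from the blog it cites; the resolver tables, addresses, hostnames and the EXAMPLE.ORG realm are constructed stand-ins for a resolver view an attacker influences.

```python
# Constructed DNS view (not real records): one resolver whose search path and
# reverse zone are under someone else's control.
SEARCH_DOMAINS = ["example.org"]          # resolv.conf "search" list
A_RECORDS = {                             # absolute name -> address
    "kdc.example.org.": "192.0.2.10",
    "files.example.org.": "192.0.2.20",
    "facebook.com.example.org.": "192.0.2.66",  # a host inside the search domain
}                                         # "facebook.com." itself gets no answer here
PTR_RECORDS = {                           # address -> name asserted by the reverse zone
    "192.0.2.10": "kdc.example.org.",
    "192.0.2.20": "kdc.example.org.",     # reverse zone lies: .20 claims the KDC's name
    "192.0.2.66": "facebook.com.example.org.",
}
REALM = "EXAMPLE.ORG"                     # constructed realm

def lookup_a(name, use_search_path):
    """Emulate a stub resolver: try the name as absolute, then each search suffix."""
    candidates = [name.rstrip(".") + "."]
    if use_search_path and not name.endswith("."):
        candidates += [f"{name}.{d}." for d in SEARCH_DOMAINS]
    for cand in candidates:
        if cand in A_RECORDS:
            return cand, A_RECORDS[cand]
    return None, None

def principal_trusting_dns(host):
    """Naive canonicalization: search path and PTR data choose the service principal."""
    _, addr = lookup_a(host, use_search_path=True)
    if addr is None:
        return None
    canonical = PTR_RECORDS.get(addr, host).rstrip(".").lower()
    return f"host/{canonical}@{REALM}"

def principal_strict(host):
    """Hardened: absolute name only, no search path, PTR used only as a cross-check.
    Returns (principal, reason); principal is None when the name is rejected."""
    if "." not in host.strip("."):
        return None, "unqualified hostname refused"
    absolute, addr = lookup_a(host, use_search_path=False)
    if addr is None:
        return None, "absolute name does not resolve; not retrying with search path"
    ptr = PTR_RECORDS.get(addr)
    if ptr is not None and lookup_a(ptr, use_search_path=False)[1] != addr:
        return None, f"PTR {ptr} for {addr} is not forward-confirmed"
    return f"host/{absolute.rstrip('.').lower()}@{REALM}", "ok"

if __name__ == "__main__":
    for h in ("facebook.com", "files.example.org", "kdc.example.org"):
        print(h, "->", principal_trusting_dns(h), "| strict:", principal_strict(h))
```

In the naive path the resolver's data, not the caller, decides which principal the client will authenticate to; the strict path keeps the name the caller asked for and rejects anything it cannot confirm. MIT krb5 exposes the equivalent choices as the `dns_canonicalize_hostname` and `rdns` settings in the krb5.conf [libdefaults] section.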