CERT Coordination Center
CERT® Vulnerability Note VN-99-01

The CERT Coordination Center publishes vulnerability notes to provide information about vulnerabilities to the user community. Because our understanding of the scope of a vulnerability may change, information that originally appears in vulnerability notes may later become part of an advisory. Vulnerability notes may also be updated from time to time.

Topic: Potential for false authentication in registry transactions

Monday, June 21, 1999

Description

Internet registries are entities that have authority to delegate specific portions of domain name and/or IP address space to other entities. In some parts of the world, a registry may also be referred to as a registrar or a network information center (NIC).

Registries typically maintain databases of information objects related to their allocation of domain name and IP address resources. Commonly used objects include the following:

  • Point(s) of contact - Point of contact information is used to identify an individual or a role account that holds some level of responsibility for the domain name or IP address allocation. The point of contact information may be used by the registry to identify those who are authorized to modify registry database objects associated with a particular domain name or IP address allocation.

  • Delegated domain name servers - Delegated domain name server information identifies the name servers for a domain that contain authoritative DNS information about the domain. This information may be used by root name servers that are authoritative for domain names allocated by a registry. The root name servers for the domain name IN-ADDR.ARPA, which is used for mapping IP addresses to domain names, may also rely on delegated domain name server information in a registry database.

  • Host objects - Some registry databases use host objects to represent information about each delegated domain name server. These objects may include IP address information for the name server host as well as point of contact information. One host object may be associated with one or multiple domain name or IP address allocation records.

Registries facilitate transactions to create, modify, and remove database objects. The access to modify or remove existing registry database objects is typically controlled by various authentication methods that attempt to verify the person requesting the change is authorized to make the change. Authentication methods vary by registry.

One commonly used method of transaction authentication is used with email-based transaction processing. This method attempts to match the email address of the requester to an email address associated with an existing database object. This authentication method is sometimes called "MAIL-FROM" authentication. Because it is possible to forge an email address when sending email, this authentication scheme is not considered secure, and can leave database objects vulnerable to unauthorized modification or deletion.

Impact

Registry database objects that are protected only by email-address-based transaction authentication may be vulnerable to unauthorized modification or removal through the use of maliciously forged transaction requests.

The integrity of delegated name server information and host objects, if used, is critical to the expected operation of applications that rely on the domain name system. Unauthorized malicious alteration or removal of the registry objects for delegated name servers or hosts can lead to serious results such as denial of service, redirection of service, or compromise of trust relationships between networked systems.

Likewise, unauthorized malicious alteration of the registry objects for point of contact information can lead to resource hijacking and a compromise of trusted information used to authenticate registry transactions.

In the absence of secure transaction authentication, automated and manual registry transaction processes may be vulnerable to forged requests.

Intrusions

The CERT/CC has received reports of registry objects protected by email-address-based transaction authentication being modified by unauthorized sources using forged transaction requests.

Defenses

The CERT/CC encourages the use of more secure mechanisms for authorization of registry transactions. These methods include

  • Cryptographic (e.g., PGP) signing and verification of transaction requests transmitted via e-mail
  • Verification by encrypted password sent over a secure communications channel (e.g., SSL, https, etc.)

The CERT/CC encourages you to review the transaction authentication mechanisms currently available from your registry and ensure that any existing or new database objects under your control are secured from unauthorized modification.
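The following added example (not part of the CERT/CC note) contrasts the MAIL-FROM check described above with signed transaction verification, the first of the defenses listed. It assumes a simplified "key: value" request body, an `X-Signature` header, and an HMAC shared secret standing in for the contact's PGP key so that it runs with the Python standard library alone; the registry database and messages are constructed.

```python
import hashlib
import hmac
from email import message_from_string

# Constructed registry database: one domain object and its authorized contact. The
# shared secret stands in for the contact's registered PGP key (an assumption).
REGISTRY_DB = {"EXAMPLE.NET": {"contact_email": "admin@example.net",
                               "signing_secret": b"secret-shared-out-of-band"}}

def sign_request(secret: bytes, body: str) -> str:
    # Normalise whitespace so signer and verifier hash the same bytes.
    canon = "\n".join(l.strip() for l in body.strip().splitlines()).encode()
    return hmac.new(secret, canon, hashlib.sha256).hexdigest()

def parse_request(raw_msg: str):
    # Return the parsed message and its 'key: value' body fields.
    msg = message_from_string(raw_msg)
    fields = {}
    for line in msg.get_payload().splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return msg, fields

def authenticate_mail_from(raw_msg: str) -> bool:
    # MAIL-FROM: trust the From: header, which any sender can set at will.
    msg, fields = parse_request(raw_msg)
    obj = REGISTRY_DB.get(fields.get("domain", "").upper())
    sender = (msg.get("From") or "").strip().lower()
    return obj is not None and sender == obj["contact_email"]

def authenticate_signed(raw_msg: str) -> bool:
    # Signed transaction: ignore From:, require a valid signature over the body.
    msg, fields = parse_request(raw_msg)
    obj = REGISTRY_DB.get(fields.get("domain", "").upper())
    sig = msg.get("X-Signature")  # header name is an assumption of this example
    if obj is None or not sig:
        return False
    expected = sign_request(obj["signing_secret"], msg.get_payload())
    return hmac.compare_digest(expected, sig.strip())

# Constructed samples: a signed change, and a request with a forged From: header.
LEGIT_BODY = "domain: example.net\nnserver: ns2.example.net\n"
LEGIT_MSG = ("From: admin@example.net\nSubject: MODIFY\nX-Signature: "
             + sign_request(REGISTRY_DB["EXAMPLE.NET"]["signing_secret"], LEGIT_BODY)
             + "\n\n" + LEGIT_BODY)
FORGED_MSG = ("From: admin@example.net\nSubject: MODIFY\n\n"
              "domain: example.net\nnserver: ns1.elsewhere.example\n")
```

The forged request passes the MAIL-FROM check but fails signature verification, as does a signed request whose body was altered in transit.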


This document is available from: http://www.cert.org/vul_notes/VN-99-01.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1999 Carnegie Mellon University