So if you’re even tangentially exposed to news about the internet (or listen to NPR’s All Things Considered!), you might have heard about a major, major weakness that was discovered not too long ago in the security behind the way that hostnames are turned into IP addresses, a weakness that could easily lead to all kinds of hacks, exploitations, and general insecurity on the ‘net. Most of the folks responsible for the DNS servers — the bits of software that are affected by this — were quickly briefed about the flaw and given a chance to respond, and nearly all of them just as quickly released patches to their software to make the hacks much harder to accomplish. Apple was certainly part of the former group (having been briefed on May 5th), but was not part of the latter group; by July 8th, all other operating system vendors had patched the vulnerability, while it took Apple until July 31st to roll the patch out the door. And within a few days, folks were noticing that Apple’s patch only handled half of the issue, remedying Mac servers while ignoring Mac client (i.e., desktop) machines.

Interested in which other Apple platforms were both affected by the DNS flaw and unpatched, I did a little playing with my Airport Extreme wifi router today. I figured it was a good platform to test, since it sits on the server side of this flaw: the machines on my wifi ask it to resolve names, and it in turn sends those queries on to an upstream resolver, so it is the device whose query source ports matter. Additionally, there’s currently a lot of concern that even with all the patches released over the past month, it’s exactly devices like these, home routers that do DNS resolution alongside network address translation, that are going to prove the hardest to secure. Fortunately, after doing a bit of network sniffing, I can report that the Airport Extreme currently does exhibit patched behavior, choosing a random source port for each DNS query it sends upstream. (And thus, that ISS post I linked to isn’t exactly correct when it says that no NAT vendor is performing source port randomization — clearly, Apple is doing the right thing when it comes to the Airport Extreme.)

For those who care about the technical details: my home network is a little more complex than most, with a recursive DNS server on the same network segment as my Airport Extreme, and the Airport forwards its DNS queries to that server. My Airport Extreme is the latest model, an 802.11n one with gigabit ethernet ports, running firmware version 7.3.2. I set up a packet sniffer on a PC on this same network segment, and then from a laptop attached via wifi to the Airport Extreme forced a bunch of DNS lookups; this is what the sniffer saw, with the router’s and server’s addresses replaced by [airport] and [server]:

13:30:13.189925 IP [airport].55519 > [server].53: 699+ A? www.canada.com. (32)
13:30:13.866376 IP [airport].2444 > [server].53: 3410+ A? a123.g.akamai.net. (35)
13:30:15.305895 IP [airport].61097 > [server].53: 27164+ A? amch.questionmarket.com. (41)
13:30:15.807890 IP [airport].56850 > [server].53: 12934+ A? members.canada.com. (36)
13:30:19.695419 IP [airport].47638 > [server].53: 33628+ A? media.canada.com. (34)
13:30:22.155456 IP [airport].63084 > [server].53: 43481+ A? www.msnbc.com. (31)
13:30:22.620355 IP [airport].39089 > [server].53: 16339+ A? www.msnbc.msn.com. (35)
13:30:24.817435 IP [airport].8236 > [server].53: 7999+ A? msnbcmedia4.msn.com. (37)

As you’ll see from that list, the source port is, indeed, randomized: eight queries went out from eight different ports, scattered between 2444 and 63084 rather than from one fixed port or a counter, and the transaction IDs (699, 3410, 27164, and so on) vary as well. Two caveats are worth keeping in mind: a handful of queries shows that the port changes, not how well it is chosen, and randomized ports on the router only help if the recursive server it forwards to has been patched too.
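To run the same check over a capture of your own, here is an added example (written for this page, not code from the original post) that parses tcpdump’s one-line DNS summary format, the layout shown above, and classifies the source ports and transaction IDs as fixed, sequential or varying. The sample lines are constructed: the first set is copied from the capture in the post, the second is a made-up contrast showing what a fixed source port and a counting ID look like. The regex assumes tcpdump’s default summary output; other tcpdump options print a different layout.

```python
"""Check a tcpdump DNS capture for source-port and transaction-ID randomization.

Added example, not code from the original post. It assumes tcpdump's default
one-line summary ("IP host.port > host.53: id+ A? name. (len)"); other
tcpdump options produce other layouts and would need a different regex.
"""
import re
from typing import Dict, List

# Constructed sample: the eight lines from the capture shown in the post.
PATCHED_CAPTURE = """\
13:30:13.189925 IP [airport].55519 > [server].53: 699+ A? www.canada.com. (32)
13:30:13.866376 IP [airport].2444 > [server].53: 3410+ A? a123.g.akamai.net. (35)
13:30:15.305895 IP [airport].61097 > [server].53: 27164+ A? amch.questionmarket.com. (41)
13:30:15.807890 IP [airport].56850 > [server].53: 12934+ A? members.canada.com. (36)
13:30:19.695419 IP [airport].47638 > [server].53: 33628+ A? media.canada.com. (34)
13:30:22.155456 IP [airport].63084 > [server].53: 43481+ A? www.msnbc.com. (31)
13:30:22.620355 IP [airport].39089 > [server].53: 16339+ A? www.msnbc.msn.com. (35)
13:30:24.817435 IP [airport].8236 > [server].53: 7999+ A? msnbcmedia4.msn.com. (37)
"""

# Constructed contrast (not a real device): a forwarder with a fixed source port,
# so only the 16-bit ID stands between an attacker and the cache, and an ID that
# climbs by one per query, which is no barrier at all.
UNPATCHED_CAPTURE = """\
13:40:01.000000 IP [router].32768 > [server].53: 1000+ A? www.example.com. (33)
13:40:01.500000 IP [router].32768 > [server].53: 1001+ A? mail.example.com. (34)
13:40:02.000000 IP [router].32768 > [server].53: 1002+ A? ns1.example.com. (33)
13:40:02.500000 IP [router].32768 > [server].53: 1003+ A? www.example.org. (33)
13:40:03.000000 IP [router].32768 > [server].53: 1004+ A? mail.example.org. (34)
"""

# tcpdump summary line: timestamp, "IP", src.port > dst.port:, id[+], type?, name. (len)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def parse_queries(capture: str) -> List[Dict[str, object]]:
    """Return one dict per query sent to port 53; lines that do not match are skipped."""
    queries = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["dport"] == "53":
            queries.append({"sport": int(m["sport"]),
                            "txid": int(m["txid"]),
                            "qname": m["qname"]})
    return queries


def assess(values: List[int], min_samples: int = 5) -> str:
    """Classify a series of ports or IDs as 'fixed', 'sequential', 'varying' or 'insufficient'.

    A few samples can show that a value changes; they cannot show it comes from a
    good RNG, so 'varying' means 'not obviously broken', nothing stronger.
    """
    if len(values) < min_samples:
        return "insufficient"
    if len(set(values)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(values, values[1:])]
    if all(0 < s <= 4 for s in steps):  # small monotone increments: a counter, not an RNG
        return "sequential"
    return "varying"


def check_capture(capture: str) -> Dict[str, object]:
    """Summarise source-port and transaction-ID behaviour for one capture."""
    queries = parse_queries(capture)
    ports = [q["sport"] for q in queries]
    txids = [q["txid"] for q in queries]
    return {
        "queries": len(queries),
        "port_verdict": assess(ports),
        "distinct_ports": len(set(ports)),
        "port_span": (max(ports) - min(ports)) if ports else 0,
        # a privileged port (e.g. 53) as the source is a classic sign of a fixed port
        "low_ports": sorted(p for p in set(ports) if p < 1024),
        "txid_verdict": assess(txids),
        "distinct_txids": len(set(txids)),
    }


if __name__ == "__main__":
    for name, cap in (("Airport Extreme capture", PATCHED_CAPTURE),
                      ("constructed unpatched capture", UNPATCHED_CAPTURE)):
        print(name, check_capture(cap))
```

To use it on a real device, point tcpdump at the segment between the router and its upstream resolver (`tcpdump -n udp dst port 53`), trigger a dozen or so lookups from a client behind the router, and feed the output to `check_capture`; the verdict you want is `varying` for both ports and IDs, with `low_ports` empty.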

Comments

That makes it a little more difficult to exploit. :)

• Posted by: Partners in Grime on Aug 10, 2008, 1:20 PM

7.3.2 I think came out very recently - in the last couple weeks. And it won’t apply to the older generation of Airports (Extreme-saucer, White-saucer, and the original graphite.) The 7.3.2 version however does apply to the Express Airport and I’ll check on the pre-gigabit n-based router. It should.

I’m not in a position to test those. However, the OS on those devices is not, as far as I know, based on OS X. I don’t know what it’s based on, but whatever patch applies probably still must exist.

• Posted by: Steven on Aug 11, 2008, 11:15 AM