Two more vulnerabilities in widespread open source systems are not as serious as reported
May 6, 2014
Two more vulnerabilities have been discovered in open source systems used worldwide only weeks after the discovery of the Heartbleed bug.
Two students from the Israel Institute of Technology (Technion) have discovered a serious vulnerability in the BIND software. BIND was originally developed at University of Berkeley and is currently maintained by the Internet Systems Consortium. It remains the most widespread software used by DNS (Domain Name System) servers worldwide. When a domain has more than one authoritative name server, the vulnerability allows an attacker to manipulate the Smooth Round Trip Time values and thus determine which server will be chosen to resolve the next DNS request. That makes possible MitM attacks simpler and allows for phishing attacks that are hard to detect if the attacker controls one of the name servers. However, because the attack is complex and the vulnerability by itself is not sufficient for a successful attack, it is believed that it has not yet been abused.
The second vulnerability concerns the OAuth system, the most widespread system used for third-party authentication. It gives a third-party service delegated access to a server on behalf of the user without knowledge of the user’s credentials. It is provided by most major internet companies, including Facebook, Google, PayPal, Amazon, Microsoft and many others. The Covert Redirect vulnerability, discovered by student Wang Jing from Singapore, is supposed to allow an attacker to hijack the authentication token and abuse it. Subsequent analysis, however, showed that a successful attack on either OAuth or OpenID needs some specific interaction from the user (allowing access to the vulnerable application and clicking on the malicious link), and that it is not a vulnerability of the protocol itself but rather of its implementation by certain providers.