Threatpost interviews Wiz CTO about a recently patched vulnerability for Amazon Route53 DNS service and Google Cloud DNS.
LAS VEGAS – Amazon and Google patched a domain name service (DNS) bug that allowed attackers to snoop into companies’ confidential network settings, revealing employee and computer names along with office locations and exposed web resources.
The vulnerability, described in a Black Hat USA 2021 talk last week, is a new class of vulnerabilities affecting major DNS-as-a-service (DNSaaS) providers, according to researchers at cloud security firm Wiz.
Ami Luttwak, co-founder and CTO of Wiz, said the bug allows an adversary to perform unprecedented reconnaissance on a target – that is, any vulnerable corporate network that inadvertently allows such eavesdropping on the network.
Going down the DNS lagoon
“We found a simple loophole that allowed us to intercept some of the world’s dynamic DNS traffic that passes through managed DNS providers like Amazon and Google. We basically ‘wiretapped’ the internal network traffic of 15,000 organizations (including Fortune 500 companies and government agencies) and millions of devices,” Wiz wrote in a technical breakdown of the bug.
Luttwak calls what he found a “loophole” within the process used to handle the now obsolete dynamic DNS within modern DNS server configurations.
“We registered a new domain on the Route 53 platform with the same name as its official DNS server. (Technically, we created a new ‘hosted zone’ within the AWS nameserver ns-1611.awsdns-09.co.uk and named it ‘ns-852.awsdns-42.net’),” the researchers explained.
The researchers then gained control of the hosted zone by registering thousands of domain name servers with the same name as the official DNSaaS server. “Whenever a DNS client queries this nameserver about itself (which thousands of devices do automatically to update their IP address within their managed network, more on that in a minute), that traffic goes directly to our IP address,” Wiz wrote.
What the researchers observed next was a flood of dynamic DNS traffic from Windows machines querying the “hijacked name server” for itself. In total, the researchers profiled 15,000 organizations (some Fortune 500 companies), 45 US government agencies, and 85 international government agencies.
Bad configuration or vulnerability?
The DNSaaS providers Route53 and Google Cloud DNS fixed the problem by no longer allowing customers to create a spoofed record carrying the name of the provider’s own DNS server.
As for Microsoft, the researchers said that the company considered it to be a misconfiguration problem.
“Microsoft could provide a global solution by updating its dynamic DNS algorithm. However, when we reported our discovery to Microsoft, they told us that they did not consider it a vulnerability, but rather a known misconfiguration that occurs when an organization works with external DNS resolvers,” the researchers said.
Luttwak said that companies can prevent this type of DNS exploitation by properly configuring their DNS resolvers so that dynamic DNS updates do not leave the internal network.
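One way for a defender to check that advice is to look at DNS traffic leaving the network and flag any dynamic-update messages (RFC 2136 opcode UPDATE, the message type a Windows client sends to register its name and IP) whose destination is not an internal resolver. The following is an added example written for this article, not code from Wiz or Threatpost; the log format and the sample lines are constructed, and the external addresses are documentation ranges rather than real provider nameservers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log (not real traffic). One record per line:
#   <timestamp> <src-ip> <dst-ip> <opcode> <zone>
# Opcode names follow RFC 2136: UPDATE is the dynamic-update message that
# carries a host's name and address. 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for an external provider nameserver.
SAMPLE_LOG = """\
2021-08-09T10:00:01 10.0.4.17 10.0.0.53 QUERY corp.example.internal
2021-08-09T10:00:02 10.0.4.17 10.0.0.53 UPDATE corp.example.internal
2021-08-09T10:00:03 10.0.4.22 203.0.113.10 UPDATE corp.example.internal
2021-08-09T10:00:04 10.0.4.22 203.0.113.10 QUERY ns-852.awsdns-42.net
malformed line that should be skipped
2021-08-09T10:00:05 10.0.4.31 198.51.100.7 UPDATE corp.example.internal
"""

# Address space we consider "inside the network": RFC 1918, loopback and
# link-local. Listed explicitly rather than via ipaddress.is_private, because
# Python's is_private also covers the documentation ranges used above.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


@dataclass
class Finding:
    """A dynamic DNS update that left the internal address space."""
    timestamp: str
    src: str
    dst: str
    zone: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one log record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, opcode, zone = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return ts, src, dst, opcode, zone


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the networks we treat as internal."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_leaking_updates(log_text: str) -> List[Finding]:
    """Return every UPDATE message whose destination is outside the network.

    Plain queries are ignored: the exposure described in the article comes
    from the update itself, which carries the host's name and address.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, src, dst, opcode, zone = rec
        if opcode != "UPDATE" or is_internal(dst):
            continue
        findings.append(Finding(ts, src, dst, zone))
    return findings


if __name__ == "__main__":
    for f in find_leaking_updates(SAMPLE_LOG):
        print(f"{f.timestamp} dynamic update for {f.zone} from {f.src} "
              f"sent to external nameserver {f.dst}")
```

Against the sample, the two updates addressed to 203.0.113.10 and 198.51.100.7 are reported while the update to the internal resolver 10.0.0.53 and the plain queries are not. In practice the record source would be resolver or firewall logs (or a capture filtered on DNS opcode 5), and the INTERNAL_NETWORKS list should be replaced with the organization's own resolver addresses.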
Author: Tom Spring