April 7, 2016

To illegally infiltrate computer systems and remote networks, attackers often use software vulnerabilities. Yet, incorrect configurations of server applications and other programs may pose a more dangerous threat. Doctor Web specialists discovered some misconfiguration of hardware belonging to a company that supplies DNS and web hosting services.

It is known that DNS (Domain Name System) servers are responsible for Web addressing, providing clients with information on domains. They can be administered by the domain’s owners or by a company to which a website using the domain belongs. However, some other commercial companies can take the responsibility for DNS servers administration. One of them is easyDNS Technologies, Inc. (easydns.com). Among its clients, there are many frequently visited websites, including informer.com and php.net, which are in top ranking according to Alexa.net. The company also rents DNS servers out to its clients. This service is quite popular among those who do not want to handle and maintain their server space by themselves.

Doctor Web security researchers registered that one of DNS servers belonging to easyDNS Technologies, Inc. is configured incorrectly. As a result, it processes incoming AXFR requests for DNS zone transfer from any external sources. AXFR is a type of transaction used to replicate DNS databases. Therefore, clients of easyDNS Technologies, Inc. reveal a list of their registered subdomains—in particular, ones for internal use—to the world. These domains can be used to organize non-public servers, version control systems (VCS), bug trackers, various monitoring services, wiki resources, etc. Having this domain list, attackers can easily examine the network of a potential victim in order to find vulnerabilities.

DNS zone transfer does not pose any financial threat to a company, to which a vulnerable server belongs; yet, a successfully processed AXFR request provides a very detailed information on implemeted software and development tools. For example, cybercriminals can get access to a beta version of a company’s official site, find how many IP addresses are used, and try to crack login credentials to VCS and other internal resources. System administrators primary pay attention to the main website of the company at the expense of non-public resources, to which Internet users do not have any access. However, if these internal resources are in a trusted IP zone, use outdated software with known vulnerabilities, and allow open registration to users, attackers can take advantage of this and gain unauthorized access to confidential data.

Such cases of security misconfiguration are certainly nothing new. Moreover, techniques to search vulnerable DNS servers and find subdomains, involving search engine resources, have long been automated. In particular, all these functions are implemented in the dnsenum utility that comes with the Kali Linux distribution, a penetration testing platform, which proves that this attack vector is rather popular among cybercriminals. Thus, despite the fact that it is convenient to shift responsibility for DNS server administration to third-party organizations, website owners should take care of their information security—better safe than sorry, as the saying goes.

Doctor Web security researchers have already informed easyDNS Technologies, Inc. about the discovered vulnerability. At present, its specialists are taking necessary actions to resolve the problem.