Signature Detail

DNS: Symantec Enterprise Firewall DNSD Proxy Cache Poisoning

This signature detects attempts to exploit a known vulnerability within DNSD Proxy, a component of the Symantec Enterprise firewall which handles DNS responses. The DNSD Proxy can be poisoned by remote attackers pretending to be authoritative over domains for which they are not. An attacker may exploit this vulnerability to carry other types of attacks, such as man-in-the-middle attacks, spoofing attacks, or information gathering attacks.

Extended Description

It is reported that dnsd is prone to a cache poisoning vulnerability. Dnsd does not ensure that the data returned from a remote DNS server contains related information about the requested records. An attacker could exploit this vulnerability to deny service to legitimate users by redirecting traffic to inappropriate hosts. Man-in-the-middle attacks, impersonation of sites, and other attacks may be possible.

Affected Products

• Symantec Enterprise Firewall 7.0.4 NT/2000
• Symantec Enterprise Firewall 7.0.4 Solaris
• Symantec Enterprise Firewall 8.0.0
• Symantec Enterprise Firewall 8.0.0 NT/2000
• Symantec Enterprise Firewall 8.0.0 Solaris
• Symantec Gateway Security 5110 1.0.0
• Symantec Gateway Security 5200 1.0.0
• Symantec Gateway Security 5300 1.0.0
• Symantec Gateway Security 5310 1.0.0
• Symantec Gateway Security 5400 2.0.0
• Symantec Gateway Security 5400 2.0.1

References

• BugTraq: 10557
• CVE: CVE-2004-1754