CyberSecurityBoard
Sponsor Register Login

Attacks abuse Microsoft DHCP to spoof DNS records The Register

A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers.
We're told the attacks - which are usable against servers running the default configuration of Microsoft Dynamic Host Configuration Protocol servers - don't require any credentials.
Akamai says it reported the issues to Redmond, which isn't planning to fix the issue.
Microsoft did not respond to The Register's inquiries.
The good news, according to Akamai, is that it hasn't yet seen a server under this type of attack.
While the current report doesn't provide technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks called DDSpoof - short for DHCP DNS Spoof.
The DHCP attack research builds on earlier work by NETSPI's Kevin Roberton, who detailed ways to exploit flaws in DNS zones.
DHCP is a commonly used network management protocol, and Microsoft's DHCP server is widely used in corporate networks.
Organizations can create DNS record using a DHCP feature called DHCP DNS Dynamic Updates.
When the DHCP server registers or modifies a DNS record on behalf of its clients, it uses DNS Dynamic Updates - and therein lies the problem.
DHCP DNS Dynamic Updates does not require any authentication by the DHCP client, and Microsoft DHCP servers enable DHCP DNS Dynamic Updates by default.
While Roberton's earlier ADIDNS spoofing attacks required valid domain credentials, using the DHCP server doesn't, and thus makes the attacks a lot more accessible to a wider array of miscreants.
This type of DHCP DNS spoofing attack was also covered by Hans Lakhan of TrustedSec.
In addition to creating non-existent DNS records, unauthenticated attackers can also use the DHCP server to overwrite existing data, including DNS records inside the ADI zone in instances where the DHCP server is installed on a domain controller, which David says is the case in 57 percent of the networks Akamai monitors.
In addition to abusing Microsoft's DHCP to create or overwrite DNS records, the team found another feature, DNSUpdateProxy group, that also poses a security risk - and potentially contains a bug.
DNSUpdateProxy is intended to allow clients to update DNS records and is especially useful in the case of upgrading from a legacy client to a newer Windows build.
It also solves the problem of multiple DHCP servers needing to work together.
Akamai also spotted what it says appears to be a bug in the DNSUpdateProxy feature.
Again, we're still waiting to hear from Microsoft about all of these issues and will update this story if and when we do.
In the meantime, we'd suggest following Akamai's advice and disable DHCP DNS Dynamic Updates if you don't already and avoid DNSUpdateProxy altogether.


This Cyber News was published on go.theregister.com. Publication date: Thu, 07 Dec 2023 22:43:04 +0000


Cyber News related to Attacks abuse Microsoft DHCP to spoof DNS records The Register

How to Prevent DNS Attacks: DNS Security Best Practices - To protect against attack, best practices must be applied to protect the DNS protocol, the server on which the DNS protocol runs, and all access to the DNS processes. Implementing these best practices will not only protect DNS but also network ...
10 months ago Esecurityplanet.com
Attacks abuse Microsoft DHCP to spoof DNS records The Register - A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers. We're told the attacks - which are ...
11 months ago Go.theregister.com
What Is Dynamic Host Configuration Protocol (DHCP)? - DHCP, or Dynamic Host Configuration Protocol, is a network protocol that allows devices on a network to be automatically assigned an IP address. DHCP is used extensively in both home and enterprise networks, as it simplifies the process of ...
1 year ago Heimdalsecurity.com
Electronic Frontier Foundation - We're not just talking about the ballot box, but the everyday power we all have to demand government agencies make their records and data available to public scrutiny. At every level of government in the United States, there are laws that empower the ...
7 months ago Eff.org
Researchers Uncovered an Active Directory DNS spoofing exploit - In the intricate web of our interconnected world, the Domain Name System stands as a linchpin, directing users to their online destinations. Even this vital system is not impervious to the dark art of malicious manipulation. In a recent revelation by ...
10 months ago Gbhackers.com
DNS Tunneling Abuse Expands to Tracking & Scanning Victims - Attackers are taking malicious manipulation of DNS traffic to the next level, abusing DNS tunneling to scan a victim's network infrastructure as well as track victims' online behavior. Researchers from Palo Alto Networks' Unit 42 have identified ...
5 months ago Darkreading.com
Understanding DNS Zones: A Comprehensive Guide - DNS stands for Domain Name System, and it is one of the most important components of the Internet. It is a network of servers that coordinates the registration, updating and resolution of domain names, so that users can easily access websites and ...
1 year ago Heimdalsecurity.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
11 months ago Microsoft.com
Microsoft tests Windows 11 encrypted DNS server auto-discovery - Microsoft is testing support for the Discovery of Network-designated Resolvers internet standard, which enables automated client-side discovery of encrypted DNS servers on local area networks. Without DNR support, users must manually enter the info ...
11 months ago Bleepingcomputer.com
Hackers use DNS tunneling for network scanning, tracking victims - Threat actors are using Domain Name System tunneling to track when their targets open phishing emails and click on malicious links, and to scan networks for potential vulnerabilities. DNS tunneling is the encoding of data or commands that are sent ...
5 months ago Bleepingcomputer.com
Data Breaches in US Schools Exposed 37.6M Records - Since 2005, educational institutions in the United States have experienced 3713 data breaches, impacting over 37.6m records. According to new data by Comparitech, 2023 marked a record year, with 954 breaches recorded - a dramatic rise from 139 in ...
5 months ago Infosecurity-magazine.com
47 Years Later: Serious Security – How Deliberate Typos Might Improve DNS Security - The Domain Name System (DNS) is an internet infrastructure that has been around since the early 80s and still plays an integral part in how websites and online services are accessed. Although it has been in use for almost 47 years, security issues of ...
1 year ago Nakedsecurity.sophos.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
10 months ago Techtarget.com
KeyTrap attack: Internet access disrupted with one DNS packet - A serious vulnerability named KeyTrap in the Domain Name System Security Extensions feature could be exploited to deny internet access to applications for an extended period. Tracked as CVE-2023-50387, KeyTrap is a design issue in DNSSEC and impacts ...
8 months ago Bleepingcomputer.com
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago
SANS Internet Storm Center - A DNS suffix is a configuration of the Windows DNS client to have it append suffixes when doing domain lookups. If a DNS suffix local is configured, then Windows' DNS client will not only do a DNS lookup for example.com, but also for example.com. ...
5 months ago Isc.sans.edu
DNSSEC vulnerability puts big chunk of the internet at risk The Register - A 20-plus-year-old security vulnerability in the design of DNSSEC could allow a single DNS packet to exhaust the processing capacity of any server offering the system for domain-name resolution, effectively disabling the machine. Yes, a single DNS ...
8 months ago Go.theregister.com
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
5 months ago Tenable.com
CVE-2024-47716 - In the Linux kernel, the following vulnerability has been resolved: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP ...
2 weeks ago Tenable.com
'KeyTrap' DNS Bug Threatens Widespread Internet Outages - Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System security extension, which under certain circumstances could be exploited to take down wide expanses of the ...
8 months ago Darkreading.com
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
9 months ago Microsoft.com
What's new in the MSRC Report Abuse Portal and API - The Microsoft Security Response Center has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report ...
4 months ago Msrc.microsoft.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)