*CWE-406: Insufficient Control of Network Message Volume (detected by DNS)* or *External Service Interaction - DNS*
Description: Reported by a scanner or audit - the entry of certain data as a parameter triggers the resolution of a hostname.
Detected by a vulnerability scanner (the Burp scanner is one), the issue is described as follows:
External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences.
In cases where DNS-based interactions can be triggered, it is normally possible to trigger interactions using other service types, and these are reported as separate issues. If a payload that specifies a particular service type (e.g. a URL) triggers only a DNS-based interaction, then this strongly indicates that the application attempted to connect using that other service, but was prevented from doing so by egress filters in place at the network layer. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.
In general terms: a value specified as a parameter (such as a value submitted in a form) causes an unexpected action on an external server, and might allow an attacker to attack another system via the values submitted to the server that has the weakness (the server receiving the suspicious parameter).
Analysis: Analysis of the code shows that the DNS name resolution through the “rsa:ClientAddress” parameter described in the report is not a weakness. The DNS name resolution is expected and is not part of a larger action by the Authentication Manager server that references an external service. No attack against the server specified in the parameter can be performed.
Additional Information: The RSA Authentication Manager Appliance is a network infrastructure tool and as such is expected to be configured with, and work with, network information such as hostnames and IP addresses. The application will be configured with network information including the hostnames and IP addresses of external third-party services (such as SMS providers, authentication agents, email servers, etc.) as well as other network systems such as DNS and NTPD time servers. Interaction with these other systems and services is expected.
In this particular case, we attempt to resolve the name provided in ClientAddress (via DNS or the hosts file), but Authentication Manager performs no corresponding action targeting the server referenced by the parameter.
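As an added illustration (not RSA's code), the following shows how a parameter like ClientAddress can be handled so that its only external effect is name resolution: the value is validated as a bare hostname or IP literal, resolved for the audit record, and never handed to anything that opens a connection. The `static_resolver` helper and the host names in it are constructed for offline use and are not from the advisory.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# RFC 1123 label: 1-63 letters/digits/hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class ClientAddressRecord:
    value: str
    resolved: List[str] = field(default_factory=list)
    error: str = ""


def is_valid_hostname(value: str) -> bool:
    """Bare hostname or FQDN only: a scheme, path, port or userinfo is rejected."""
    if not value or len(value) > 253 or any(c in value for c in "/:@"):
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def default_resolver(hostname: str) -> List[str]:
    """Name resolution only (DNS or hosts file); no socket is ever connected."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def static_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline stand-in for default_resolver, built from a constructed table."""
    def resolve(hostname: str) -> List[str]:
        if hostname not in table:
            raise OSError(f"{hostname}: Name or service not known")
        return table[hostname]
    return resolve


def record_client_address(value: str, resolver: Callable[[str], List[str]] = default_resolver) -> ClientAddressRecord:
    """Validate and resolve a client-supplied address for the audit record; never act on the result."""
    rec = ClientAddressRecord(value=value)
    try:
        rec.resolved = [str(ipaddress.ip_address(value))]  # IP literal: nothing to resolve
        return rec
    except ValueError:
        pass
    if not is_valid_hostname(value):
        rec.error = "rejected: not a bare hostname or IP literal"
        return rec
    try:
        rec.resolved = resolver(value)
    except OSError as exc:
        rec.error = f"unresolved: {exc}"
    return rec
```

A scanner payload carrying a scheme or path (for example a URL) is rejected before any lookup, so the record shows the rejection rather than a DNS interaction; a well-formed name is resolved and logged, and nothing in the request path connects to the resolved address.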
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation its ultimate parent company, EMC Corporation, distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.