In the interests of full transparency to the community, I wanted to share the details of a whois security incident that APNIC fully resolved today.
Due to a technical error during the upgrade of APNIC’s whois database in June 2017, hashed authentication details for APNIC whois Maintainer and IRT objects were inadvertently included in downloadable whois data, which is released to certain external parties under an Acceptable Use Policy.
APNIC became aware of the issue on 12 October 2017 after Chris Barcellos from eBay’s Red Team reported that the downloadable whois data was being republished on a third party website.
We fixed the error to prevent further inclusion of the Maintainer and IRT hashes in the whois downloads on 13 October, and as a precaution, worked with resource holders to reset all Maintainer and IRT passwords in the subsequent days.
APNIC apologises for any inconvenience and concern that this error has caused. There are certainly lessons for APNIC after this error and we have now begun a post-incident review to determine how our processes failed and where we can improve to ensure this doesn’t happen again.
What was the issue?
A Maintainer (mntner) is an object in the APNIC Whois Database. Every object in the APNIC Whois Database is protected by a Maintainer via the ‘mnt-by’ attribute. This ensures that only authorized people who have access to this Maintainer can make changes to the other objects that it protects.
An Incident Response Team (IRT) object is an object in the APNIC Whois Database that contains contact information for an organization’s administrators responsible for receiving reports of network abuse activities.
The ‘auth’ attribute in a Maintainer or IRT object specifies the hashing format used and stores the password in its hashed format.
The error caused the ‘auth’ hashes to be included in the downloadable whois data feed (they were not published on APNIC’s whois service itself).
Although password details are hashed, there is a possibility that passwords could have been derived from the hash if a malicious actor had the right tools.
If that occurred, whois data could potentially be corrupted or falsified for misuse. Our investigations to date have found no evidence of this occurring.
It is important to note, however, that any public misrepresentation of registry contents on whois would not result in a permanent transfer of IP resources, as the authoritative registry data is held internally by APNIC.
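The failure described above is a data-export sanitization problem: the bulk feed carried an attribute that the query service already filters. As an added example (not APNIC’s code, and not a description of how APNIC’s export actually works), the script below parses a constructed RPSL-style dump, reports every hashed ‘auth’ value found in mntner and irt objects, and re-emits the dump with those values replaced. It assumes the usual RPSL layout (attribute: value lines, objects separated by blank lines), the MD5-PW and CRYPT-PW scheme names, and a ‘# Filtered’ placeholder convention; PGPKEY- references are kept because they identify a public key rather than a secret.

```python
import re
from typing import List, Tuple

# Constructed sample dump (not real APNIC data): a mntner and an irt object
# that carry password hashes, plus an inetnum that references them.
SAMPLE_DUMP = """\
mntner:         MAINT-EXAMPLE-AP
descr:          Example maintainer (constructed sample)
admin-c:        EX1-AP
upd-to:         noc@example.net
auth:           MD5-PW $1$examplesalt$constructedhashvalue0000
auth:           PGPKEY-0123ABCD
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC

irt:            IRT-EXAMPLE-AP
address:        Example Org
e-mail:         abuse@example.net
abuse-mailbox:  abuse@example.net
auth:           CRYPT-PW aBcDeFgHiJkLm
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
mnt-by:         MAINT-EXAMPLE-AP
mnt-irt:        IRT-EXAMPLE-AP
source:         APNIC
"""

# Object classes whose 'auth' attribute stores credential hashes.
PROTECTED_CLASSES = {"mntner", "irt"}
# Auth schemes whose value is a password hash (PGPKEY-... is a public key id, not a secret).
HASHED_SCHEMES = {"MD5-PW", "CRYPT-PW"}
FILTERED_MARKER = "# Filtered"  # assumed placeholder convention for the public feed


def is_hashed_credential(value: str) -> bool:
    """True when an auth value is '<scheme> <hash>' with a hashed scheme and a real payload."""
    scheme, _, rest = value.partition(" ")
    rest = rest.strip()
    return scheme.upper() in HASHED_SCHEMES and bool(rest) and not rest.startswith("#")


def parse_objects(dump: str) -> List[List[Tuple[str, str]]]:
    """Split an RPSL-style dump into objects, each a list of (attribute, value) pairs.
    Objects are separated by blank lines; lines starting with space, tab or '+'
    continue the previous attribute's value."""
    objects, current = [], []
    for raw in dump.splitlines():
        if not raw.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if raw[0] in " \t+" and current:
            attr, val = current[-1]
            current[-1] = (attr, val + " " + raw[1:].strip())
            continue
        attr, _, val = raw.partition(":")
        current.append((attr.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects


def find_leaked_hashes(dump: str) -> List[Tuple[str, str, str]]:
    """Return (class, primary key, auth value) for every hashed credential in the dump."""
    leaks = []
    for obj in parse_objects(dump):
        cls, key = obj[0]  # first attribute of an object is its class and primary key
        if cls not in PROTECTED_CLASSES:
            continue
        for attr, val in obj:
            if attr == "auth" and is_hashed_credential(val):
                leaks.append((cls, key, val))
    return leaks


def sanitize_dump(dump: str) -> str:
    """Re-emit the dump with hashed auth values replaced by the scheme name and a marker."""
    out = []
    for obj in parse_objects(dump):
        cls = obj[0][0]
        for attr, val in obj:
            if cls in PROTECTED_CLASSES and attr == "auth" and is_hashed_credential(val):
                val = f"{val.split()[0]} {FILTERED_MARKER}"
            out.append(f"{attr + ':':<16}{val}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for cls, key, val in find_leaked_hashes(SAMPLE_DUMP):
        print(f"leaked hash in {cls} {key}: {val.split()[0]} ...")
    print(sanitize_dump(SAMPLE_DUMP))
```

Running find_leaked_hashes over a feed before it is published, and failing the export when it returns anything, is the kind of pre-release check that turns a silent format regression into a build failure rather than a disclosure.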
What action did APNIC take?
Firstly, we corrected the error to prevent the hashes from being included in future whois data downloads.
To eliminate any risk of the exposed hashes being used, APNIC then decided to reset all Maintainer and IRT object passwords.
Most resource holders make updates using these objects very rarely (over 12 months between updates), and many use MyAPNIC to manage the process which means the passwords are invisible to the user when making updates. For these resource holders, APNIC reset all passwords immediately.
A smaller group of resource holders (around 60) very actively submit updates to APNIC via email. APNIC’s risk assessment determined it would be better not to reset these passwords remotely, but instead to guide these active resource holders through the password reset process so as to minimise disruption to their network operations.
This process was completed today, and we are sharing this full report now that there is no further risk to resource holders by doing so.
Do resource holders need to take any action?
APNIC is continuing to analyse its logs to search for any signs of misuse as a result of this error. So far, we have found no evidence of irregularities. However, we would recommend that resource holders check the whois details of their holdings to make sure that all is correct.
All Maintainer and IRT passwords have now been reset, so there is no need to change them again if you are an APNIC resource holder. However, if you wish to change the new passwords to something more memorable, you should not choose the previous password (and if the old password was being used elsewhere on other systems, you should change those passwords).
Please note, this issue is completely unrelated to MyAPNIC login credentials. If you have a MyAPNIC account, there is no need to change your MyAPNIC password.
If you are making updates with your Maintainer via email, APNIC recommends using PGP.
Of course, if you have any questions or concerns, our Helpdesk is happy to assist.
What will APNIC now do?
As I mentioned, APNIC’s post-incident review is now underway to understand how this occurred and to put in place improvements that prevent a recurrence during future whois upgrades.
As part of our review, the availability of the whois data download and the terms and conditions for its use will also be examined.
APNIC thanks resource holders for their patience and support during the resolution of this incident.