
ICANN Cybersecurity Incident Log

This cybersecurity incident log is part of the ICANN organization's commitment to transparency.

Reporting Guidelines

These guidelines describe how the ICANN org handles vulnerabilities that have the potential to exploit or threaten the security, stability, or resiliency of the ICANN org systems and services. These principles apply whether the vulnerabilities are discovered by the ICANN org or are reported by a third party.

  • Cybersecurity Transparency Guidelines [PDF, 17 KB]. In general, we will disclose major security vulnerabilities and resulting incidents that cause significant risk to the security of ICANN's systems, or to the rights and interests of data subjects, or otherwise require disclosure under applicable legal requirements.

Cybersecurity Incident Log

Announcement Date

Issue or Incident

Status

Related Information

7 Nov 2019

Pathable Software Vulnerability

Closed

A vulnerability was discovered in Pathable, Inc. software, which is used in ICANN's meeting application. Pathable, Inc. published a notification explaining the vulnerability and mitigation on their website. Pathable, Inc. and ICANN completed a review of the issue and found no evidence of a data compromise. ICANN has confirmed the mitigation is in place.

16 July 2019

SAP Concur Incident

Closed

An external party reported a misconfiguration in the SAP Concur Travel Application related to the delegation and autocomplete features, which could lead to disclosure of personal information, such as name, title, phone number and email address, in certain limited circumstances. No legal risk was determined. Mitigations were put in place and confirmed effective.

12 April 2019

Community Wiki (community.icann.org) Restored

Closed

On 11 April 2019, at 1642 UTC, ICANN org took the Community Wiki (community.icann.org) offline. This step was taken as a result of the ICANN Engineering & IT team observing performance issues with the service. The team immediately contacted the vendor, Atlassian Systems, which supplies the Community Wiki platform (Confluence). At 1700 UTC, Atlassian informed ICANN org that the performance issue seemed related to a vulnerability in the Confluence software.

The vulnerability was noted by Atlassian on 20 March 2019. ICANN org was not directly notified of this vulnerability; however, on 25 March, public vulnerability records (called CVEs, for Common Vulnerabilities and Exposures) were recorded by Atlassian. The CVEs are: CVE-2019-3395 and CVE-2019-3396. Preliminary analysis by ICANN InfoSec engineers reflects that these vulnerabilities were being exploited by a Crypto-Miner. (Crypto-miner software hijacks vulnerable machines to leverage CPU horsepower for doing crypto-currency “mining” work.) It appears that this was the cause of the slow performance of the system.

In an abundance of caution, the ICANN Engineering & IT team restored a backup from 11 April 2019, taken at 0400 UTC. The restored software’s vulnerability was patched. The Community Wiki has been restored and is available to its users. Also, ICANN org is now on the Atlassian direct-notification list, so we will be immediately alerted to vulnerabilities in the future. The Engineering & IT InfoSec team is continuing to perform forensics on any potential impact on the system. If there are significant findings, we will inform you with updates. We apologize for the disruption of this service and thank you for your patience.

Update 13 April 2019 at 0116 UTC: The Engineering & IT InfoSec team has completed its analysis and has found no impacts on the system.

30 January 2019

Intermittent Network Issue

Closed

ICANN experienced an intermittent network issue on Monday, January 28. This issue delayed the rollout of the new CZDS for several hours. The outage was traced to a network resource constraint. We have expanded our resource to mitigate the issue. No further issues have been reported by CZDS or other services that were impacted.

9 January 2019

IMRS Statistics site (http://stats.dns.icann.org) vulnerability

Closed

An external party reported that a database schema could be discovered (read only) through an SQL injection vulnerability. The issue affected only the public-facing presentation of the gathered DNS Statistics for the ICANN Managed Root Server.

24 October 2018

VoIP Phones Firmware Vulnerability

Closed

An external party reported that he could access and impersonate an ICANN org IP-based telephone. The issue affected two ICANN phones. The vulnerability was corrected by taking the affected phones off-line.

24 October 2018

ICANN Meeting Registration Kiosk System Vulnerability

Closed

An external party reported that the kiosk web form was accessible without authentication. So, by guessing the URL and inputting an attendee's email address, the badge information (name, company, affiliation, and region) and hotel name submitted by the individual could be viewed and edited. A software fix and new registration procedures were put into place to address the issue.

12 October 2018

Reported RADAR System Vulnerability

Closed

An external party reported a security vulnerability in ICANN's Registrar Contact Information Database (RADAR) system, and the system was subsequently taken offline on 2 October 2018. The vulnerability had to do with a unique second-factor authentication "cookie" that RADAR users must enable to access the system. The system was taken down for maintenance shortly after the vulnerability was reported, while the engineering team implemented a software "fix." It was determined by ICANN that the vulnerability was not exploited by third parties. The system was back online on 3 October 2018 at 6:40 PM UTC.

28 August 2018

DDoS on www.icann.org

Closed

One page on the site was identified as receiving unusually high traffic, causing a cascading effect on the site and other ICANN web properties. Corrective action was put in place and the DDoS was mitigated. It is not certain whether this was malicious or the result of an errant configuration external to ICANN.
