SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   BIND Vendors:   ISC (Internet Software Consortium)
(NetBSD Issues Fix) BIND 8 Transaction ID Generation Algorithm Lets Remote Users Conduct DNS Cache Poisoning Attacks
SecurityTracker Alert ID:  1018695
SecurityTracker URL:  http://securitytracker.com/id/1018695
CVE Reference:   CVE-2007-2930   (Links to External Site)
Date:  Sep 14 2007
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8
Description:   A vulnerability was reported in BIND 8. A remote user can conduct DNS cache poisoning attacks.

A remote user can poison the cache of any BIND 8 server conducting caching due to a weakness in the transaction ID generation algorithm. A remote user can observe a few consecutive transaction ID values from the target DNS server to predict the next value.

The exploit method is different from that of the BIND 9 DNS cache poisoning attacks.

The vendor was notified on July 26, 2007.

The original advisory is available at:

http://www.trusteer.com/docs/bind8dns.html

Amit Klein of Trusteer reported this vulnerability.
Impact:   A remote user can poison the cache of the target DNS caching server.
Solution:   NetBSD has released a fix.

The NetBSD advisory is available at:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-007.txt.asc
Vendor URL:  www.isc.org (Links to External Site)
Cause:   Randomization error
Underlying OS:   UNIX (NetBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 28 2007 BIND 8 Transaction ID Generation Algorithm Lets Remote Users Conduct DNS Cache Poisoning Attacks


 Source Message Contents
Date:  Thu, 13 Sep 2007 22:56:46 +0100
Subject:  NetBSD Security Advisory 2007-007: BIND cryptographically weak query


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2007-007
		 =================================

Topic:		BIND cryptographically weak query IDs

Version:	NetBSD-current:	source prior to July 24, 2007
		NetBSD 4.0_BETA2:	affected
		NetBSD 3.1:		affected
		NetBSD 3.0.*:		affected
		NetBSD 3.0:		affected
		NetBSD 2.1:		affected
		NetBSD 2.0.*:		affected
		NetBSD 2.0:		affected

Severity:	Remote DNS cache poisoning

Fixed:		NetBSD-current:		July 24, 2007
		NetBSD-4 branch:	July 31, 2007
			(4.0 will include the fix)
		NetBSD-3-1 branch:	August 14, 2007
			(3.1.1 will include the fix)
		NetBSD-3-0 branch:	August 14, 2007
			(3.0.3 will include the fix)
		NetBSD-3 branch:	August 14, 2007
		NetBSD-2-1 branch:	September 13, 2007
		NetBSD-2-0 branch:	September 13, 2007
		NetBSD-2 branch:	September 13, 2007
		pkgsrc:			bind-9.4.1pl1 corrects the issue
					bind-8.4.7pl1 corrects the issue

Abstract
========

Due to the use of cryptographically weak query IDs an attacker can predict
query IDs and poison the cache by injecting their own responses.

This vulnerability has been assigned CVE references CVE-2007-2926 for BIND 9.x
and CVE-2007-2930 for BIND 8.x.

Technical Details
=================

- From www.isc.org:

BIND 9.x:
"The DNS query id generation is vulnerable to cryptographic analysis which
provides a 1 in 8 chance of guessing the next query id for 50% of the query
ids. This can be used to perform cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."

BIND 8.x:
"This bug only affects outgoing queries, generated by BIND 8 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."

Solutions and Workarounds
=========================

It is recommended that NetBSD users of vulnerable versions update
their binaries.

The following instructions describe how to upgrade your bind
binaries by updating your source tree and rebuilding and
installing a new version of bind.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2007-07-24
	should be upgraded to NetBSD-current dated 2007-07-25 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		dist/bind

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -d -P dist/bind
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2007-08-14 should be upgraded from NetBSD 3.* sources dated
	2007-08-15 or later.

	The following files need to be updated from the
	netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
		dist/bind/bin/named/client.c
		dist/bind/lib/dns/dispatch.c
		dist/bind/lib/dns/include/dns/dispatch.h

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -r <branch_name> dist/bind/bin/named/client.c
		# cvs update -r <branch_name> dist/bind/lib/dns/dispatch.c
		# cvs update -r <branch_name> \
			dist/bind/lib/dns/include/dns/dispatch.h
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2007-09-12 should be upgraded from NetBSD 3.* sources dated
	2007-09-13 or later.

	The following files need to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 branches:
		dist/bind/bin/named/ns_forw.c
		dist/bind/bin/named/ns_func.h
		dist/bind/bin/named/ns_main.c
		dist/bind/bin/named/ns_resp.c

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -r <branch_name> dist/bind/bin/named/ns_forw.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_func.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_main.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_resp.c
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

Thanks To
=========

Amit Klein for discovering and reporting this problem.

Revision History
================

	2007-09-13	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2007, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2007-007.txt,v 1.1 2007/09/12 21:45:39 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRumhsT5Ru2/4N2IFAQLQiwP/aLkPFQuSa56XdfbgYEdtWYmMAOMBvvYf
+U5hSdDK3K/02jQCkcUeHKVDOPEb3Ls21H/mMwk1AgVvI6+YW0ycPLGIMpXxgY15
Zn5WlqQtTtHkvdFHB9d0kGYVSuUxSRq0LCBEfcvk3aOQi57wuwO77O5yT+2yZJwl
ZREyrWwp7Dc=
=Oije
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC