SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   BIND Vendors:   ISC (Internet Software Consortium)
(NetBSD Issues Fix) BIND Generates Predictable Query IDs That May Facilitate Cache Poisoning Attacks
SecurityTracker Alert ID:  1018694
SecurityTracker URL:  http://securitytracker.com/id/1018694
CVE Reference:   CVE-2007-2926   (Links to External Site)
Date:  Sep 14 2007
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.x, 9.1.x, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5
Description:   A vulnerability was reported in BIND. A remote user can conduct cache poisoning attacks.

The system generates query IDs that have a 1 out of 8 chance of being guessed for half of the query IDs. A remote user may be able to exploit this to conduct cache poisoning attacks.

Only outgoing queries are affected.

Amit Klein from Trusteer (www.trusteer.com) discovered this vulnerability.

Impact:   A remote user can conduct cache poisoning attacks.
Solution:   NetBSD has released a fix.

The NetBSD advisory is available at:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-007.txt.asc

Vendor URL:  www.isc.org/ (Links to External Site)
Cause:   Randomization error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  2.0, 2.1, 3.0, 3.1, 4.0

Message History:   This archive entry is a follow-up to the message listed below.
Jul 24 2007 BIND Generates Predictable Query IDs That May Facilitate Cache Poisoning Attacks



 Source Message Contents

Subject:  NetBSD Security Advisory 2007-007: BIND cryptographically weak query


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2007-007
		 =================================

Topic:		BIND cryptographically weak query IDs

Version:	NetBSD-current:	source prior to July 24, 2007
		NetBSD 4.0_BETA2:	affected
		NetBSD 3.1:		affected
		NetBSD 3.0.*:		affected
		NetBSD 3.0:		affected
		NetBSD 2.1:		affected
		NetBSD 2.0.*:		affected
		NetBSD 2.0:		affected

Severity:	Remote DNS cache poisoning

Fixed:		NetBSD-current:		July 24, 2007
		NetBSD-4 branch:	July 31, 2007
			(4.0 will include the fix)
		NetBSD-3-1 branch:	August 14, 2007
			(3.1.1 will include the fix)
		NetBSD-3-0 branch:	August 14, 2007
			(3.0.3 will include the fix)
		NetBSD-3 branch:	August 14, 2007
		NetBSD-2-1 branch:	September 13, 2007
		NetBSD-2-0 branch:	September 13, 2007
		NetBSD-2 branch:	September 13, 2007
		pkgsrc:			bind-9.4.1pl1 corrects the issue
					bind-8.4.7pl1 corrects the issue

Abstract
========

Due to the use of cryptographically weak query IDs an attacker can predict
query IDs and poison the cache by injecting their own responses.

This vulnerability has been assigned CVE references CVE-2007-2926 for BIND 9.x
and CVE-2007-2930 for BIND 8.x.

Technical Details
=================

- From www.isc.org:

BIND 9.x:
"The DNS query id generation is vulnerable to cryptographic analysis which
provides a 1 in 8 chance of guessing the next query id for 50% of the query
ids. This can be used to perform cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."

BIND 8.x:
"This bug only affects outgoing queries, generated by BIND 8 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."

Solutions and Workarounds
=========================

It is recommended that NetBSD users of vulnerable versions update
their binaries.

The following instructions describe how to upgrade your bind
binaries by updating your source tree and rebuilding and
installing a new version of bind.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2007-07-24
	should be upgraded to NetBSD-current dated 2007-07-25 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		dist/bind

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -d -P dist/bind
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2007-08-14 should be upgraded from NetBSD 3.* sources dated
	2007-08-15 or later.

	The following files need to be updated from the
	netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
		dist/bind/bin/named/client.c
		dist/bind/lib/dns/dispatch.c
		dist/bind/lib/dns/include/dns/dispatch.h

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -r <branch_name> dist/bind/bin/named/client.c
		# cvs update -r <branch_name> dist/bind/lib/dns/dispatch.c
		# cvs update -r <branch_name> \
			dist/bind/lib/dns/include/dns/dispatch.h
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2007-09-12 should be upgraded from NetBSD 3.* sources dated
	2007-09-13 or later.

	The following files need to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 branches:
		dist/bind/bin/named/ns_forw.c
		dist/bind/bin/named/ns_func.h
		dist/bind/bin/named/ns_main.c
		dist/bind/bin/named/ns_resp.c

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -r <branch_name> dist/bind/bin/named/ns_forw.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_func.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_main.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_resp.c
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

Thanks To
=========

Amit Klein for discovering and reporting this problem.

Revision History
================

	2007-09-13	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2007, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2007-007.txt,v 1.1 2007/09/12 21:45:39 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRumhsT5Ru2/4N2IFAQLQiwP/aLkPFQuSa56XdfbgYEdtWYmMAOMBvvYf
+U5hSdDK3K/02jQCkcUeHKVDOPEb3Ls21H/mMwk1AgVvI6+YW0ycPLGIMpXxgY15
Zn5WlqQtTtHkvdFHB9d0kGYVSuUxSRq0LCBEfcvk3aOQi57wuwO77O5yT+2yZJwl
ZREyrWwp7Dc=
=Oije
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC