Discussion:
BIND 9 update to fix DNS cache poisoning
Jeremy Begg
2007-07-25 05:18:00 UTC
Hi,

I was wondering if the recent NAMED-020_A052 MultiNet update includes the
fixes described below?

Thanks,

Jeremy Begg

===========================================================================
A U S C E R T A L E R T

AL-2007.0089 -- AUSCERT ALERT
[UNIX/Linux][Win]
New BIND 9 versions released fixing DNS cache poisoning vulnerability
25 July 2007

===========================================================================

AusCERT Alert Summary
---------------------

Product:          BIND 9.4.0 and 9.4.1
                  BIND 9.5.0a1 to 9.5.0a5
                  BIND 9.3.0 to 9.3.4
                  BIND 9.2.0 to 9.2.8
                  BIND 9.1.x (all versions)
                  BIND 9.0.x (all versions)
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact:           Reduced Security
                  Provide Misleading Information
Access:           Remote/Unauthenticated
CVE Names:        CVE-2007-2926 CVE-2007-2925


OVERVIEW:

When BIND 9 is used as a resolver or DNS cache, future DNS query IDs
may be guessed by a remote attacker due to a flaw in the random number
generation.

Two new attack methods have been disclosed, with proof of concept code
publicly released, that make DNS poisoning efficient and feasible
using this weakness.

New versions of BIND 9 have now been released fixing this vulnerability.

In addition to this weakness, versions of BIND 9 prior to this new
release did not set access control lists (ACLs) correctly by default.
The previous default settings allowed anyone to make recursive queries
or query the cache contents.

Note however that the first vulnerability of cache poisoning may still
be exploited even if recursion is restricted to internal hosts, by
enticing an internal user or host to click on a link or resolve an
attacker-controlled domain name in any other way.


IMPACT:

A remote attacker may cause false information to be inserted into the
BIND 9 DNS cache, for domain names of the attacker's choosing.

The BIND server will then serve the false information to internal hosts,
potentially directing all internal users and computers to access
malicious sites when a legitimate domain name is queried.

Attackers may attempt to use this vulnerability to steal users'
login passwords for trusted websites by directing users to a fake
login screen, or alternatively may direct internal computers to a
malicious server in order to attempt installation of malicious software
via separate client software vulnerabilities or social engineering.


MITIGATION:

New versions of BIND 9 have now been released fixing the DNS poisoning
vulnerability. The fixed versions are BIND 9.4.1-P1, BIND 9.5.0a6,
BIND 9.3.4-P1 and BIND 9.2.8-P1 [4].

To address the second issue (weak ACLs set by default) ISC has also
recommended the following configuration changes if not already
implemented: [1]

- Set the allow-query-cache and allow-recursion ACLs to

      { localnets; localhost; };

- If recursion for local clients is required:

      options {
          recursion yes; // default
          allow-recursion { localnets; localhost; };
          allow-query-cache { localnets; localhost; };
          ...
      };

- If recursion is not required:

      options {
          recursion no;
          allow-query-cache { localnets; localhost; };
          ...
      };


DETAILS:

The weak random number generation for DNS query IDs allows a 1 in 8 chance
of guessing the next query ID for 50% of the query IDs.

This issue affects outgoing queries, generated by BIND 9 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers.

Further details of the vulnerability and attacks are provided in
the paper "BIND 9 DNS Cache Poisoning" [2][3].


REFERENCES:

[1] ISC BIND 9 security announcements
http://www.isc.org/index.pl?/ws/bind/bind-security.php

[2] BIND 9 DNS Cache Poisoning paper - Amit Klein
http://www.trusteer.com/docs/bind9dns.html

[3] BIND 9 DNS Cache Poisoning executive summary - Amit Klein
http://www.trusteer.com/docs/bind9dns_s.html

[4] ISC BIND 9.4.1 Release
http://www.isc.org/sw/bind/view/?release=9.4.1
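The MITIGATION section of the alert gives the ACL settings ISC recommended with the P1 releases. The following Python script is an added example, not part of the advisory, of BIND, or of the MultiNet ECO under discussion: it parses the global `options` block of a named.conf fragment and reports whether `allow-recursion` (when recursion is on) and `allow-query-cache` are set and do not open the resolver to everyone. The function names, the sample configurations and the treatment of an absent directive as "open" (following the advisory's statement that the earlier defaults allowed anyone to recurse or read the cache) are assumptions of the example; it only inspects the top-level `options` block, not per-view settings.

```python
"""Audit the global options block of a named.conf for the ACL settings ISC
recommended with the P1 releases (allow-recursion / allow-query-cache).
Added example; hypothetical tool, not part of BIND or MultiNet."""
import re

# Address-list elements that leave recursion or the cache open to everyone.
OPEN_ELEMENTS = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text):
    """Drop the three comment forms named.conf accepts: /* */, // and #.
    (Simplification: a '#' or '//' inside a quoted string is also stripped.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def extract_block(text, name):
    """Return the body of the top-level `name { ... }` block, tracking nesting."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in '%s' block" % name)


def address_list(body, directive):
    """Parse `directive { a; b; };` into its elements; None if absent."""
    m = re.search(r"(?<![\w-])" + re.escape(directive) + r"\s*\{([^}]*)\}\s*;", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def scalar(body, directive):
    """Value of a simple `directive value;` statement; None if absent."""
    m = re.search(r"(?<![\w-])" + re.escape(directive) + r"\s+([^;{]+);", body)
    return m.group(1).strip() if m else None


def audit_options(named_conf):
    """Return findings as strings; an empty list means the options block
    matches the advisory's recommendation."""
    body = extract_block(strip_comments(named_conf), "options")
    if body is None:
        return ["no top-level options block found"]
    findings = []
    # 'recursion' defaults to yes, as the advisory's own fragment notes.
    recursion = (scalar(body, "recursion") or "yes").lower()
    checks = ["allow-query-cache"]
    if recursion != "no":
        checks.insert(0, "allow-recursion")
    for directive in checks:
        acl = address_list(body, directive)
        if acl is None:
            # Assumption: treat an unset ACL as open, per the advisory's
            # description of the pre-P1 defaults.
            findings.append("%s is not set; the advisory says the earlier "
                            "default let anyone use it" % directive)
        elif {e.lower() for e in acl} & OPEN_ELEMENTS:
            findings.append("%s contains an open element: %s" % (directive, acl))
    return findings


# Constructed sample configurations (not from the advisory or any real host).
WEAK_CONF = """
options {
    directory "/var/named";   // recursion on, no recursion/cache ACLs
    recursion yes;
    allow-query { any; };
};
"""

FIXED_CONF = """
options {
    directory "/var/named";
    recursion yes; // default
    allow-recursion { localnets; localhost; };
    allow-query-cache { localnets; localhost; };
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_options(conf) or ["OK"])
```

Run against a real named.conf by reading the file into `audit_options`; configurations that use `view` blocks need the same checks applied to each view's body, which `extract_block` can supply with `"view"` in place of `"options"` after trimming the view name.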
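The DETAILS section quantifies the weakness as a 1 in 8 chance of guessing the next query ID. The following Python script is an added example, not part of the advisory, of the cited paper, or of BIND: it is a defender-side audit that, given a sequence of 16-bit query IDs (for instance extracted from a capture of a resolver's outgoing queries), estimates how many low-order bits of the next ID are already determined by the previous one, using a plug-in conditional-entropy estimate. The weak generator it compares against is a constructed 16-bit truncated LCG, not BIND 9's generator; `weak_ids`, `strong_ids`, `predictable_low_bits` and the rule of requiring about eight observations per (previous, next) cell before trusting the estimate are all assumptions of the example.

```python
"""Estimate how many low-order bits of a resolver's next DNS query ID are
predictable from the previous ID. Added example; the generators below are
constructed stand-ins, not BIND 9 code."""
import math
import secrets
from collections import Counter


def conditional_entropy_bits(ids, k):
    """Plug-in estimate of H(next_k | prev_k) over consecutive ID pairs,
    where *_k keeps only the low k bits. A good generator approaches k bits;
    0 bits means the next value's low k bits are fixed by the previous ID."""
    mask = (1 << k) - 1
    pairs = Counter((a & mask, b & mask) for a, b in zip(ids, ids[1:]))
    prev = Counter()
    for (a, _), n in pairs.items():
        prev[a] += n
    total = sum(pairs.values())
    h = 0.0
    for (a, _), n in pairs.items():
        h -= (n / total) * math.log2(n / prev[a])
    return h


def predictable_low_bits(ids):
    """Largest entropy deficit (k - H) over the bit widths k the sample can
    support. Assumption: a width is only evaluated when there are at least
    8 observations per (prev, next) cell, so the estimate is not an artefact
    of too few samples. Returns 0.0 when nothing is detected."""
    n_pairs = len(ids) - 1
    best = 0.0
    k = 1
    while k <= 16 and n_pairs >= 8 * 4 ** k:
        best = max(best, k - conditional_entropy_bits(ids, k))
        k += 1
    return best


def weak_ids(n, seed=12345):
    """Constructed weak generator: an LCG reduced mod 2^16 (a = 1 mod 4, c odd,
    so it has full period). Its low k bits cycle with period 2^k, which makes
    them exactly predictable from the previous value. Not BIND's generator."""
    x = seed
    out = []
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFF
        out.append(x)
    return out


def strong_ids(n):
    """Reference sequence drawn from the OS CSPRNG, one 16-bit ID per query."""
    return [secrets.randbits(16) for _ in range(n)]


if __name__ == "__main__":
    # 8193 IDs give 8192 consecutive pairs, enough to evaluate widths up to 5.
    print("weak generator  : %.2f predictable low bits" % predictable_low_bits(weak_ids(8193)))
    print("strong generator: %.2f predictable low bits" % predictable_low_bits(strong_ids(8193)))
```

A deficit near zero across all supported widths is what a properly randomised resolver should show; a deficit of several bits means an observer who has seen one ID narrows the next one by that many bits, which is the effect the advisory describes in terms of a 1 in 8 guess.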
Ralph Young
2007-07-25 14:18:30 UTC
Hi Jeremy -

We are currently working on another ECO which will incorporate the recent
security fixes. These were released by ISC after the recent ECO went out.

-Ralph Young
Process Software
