<< Previous Next >>
Berkeley Internet Name Domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: BIND: Denial of Service
Date: August 01, 2009
Bugs: #279508
ID: 200908-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02097674
Version: 1
HPSBUX02519 SSRT100004 rev.1 - HP-UX Running BIND, Remote Compromise of NXDOMAIN Responses
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-04-21
Last Updated: 2010-04-21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:04.bind Security Advisory
The FreeBSD Project
Topic: BIND DNSSEC incorrect checks for malformed signatures
Category: contrib
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01174368
Version: 1
HPSBOV02261 SSRT071449 rev.1 - HP OpenVMS running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-09-19
Last Updated: 2007-09-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: BIND: Weak random number generation
Date: August 18, 2007
Bugs: #186556
ID: 200708-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
In 1997 a practical implementation of a blind remote DNS cache poisoning
attack that relies solely on exploiting the predictability of the ID
field of DNS query packets was described by Arce and Kargieman [3]. This
was followed up by further refinements and advancement of attack
techniques by Vagner Sacramento [4] and Joe Stewart [5] in 2002. Amit
Klein further investigated query Id predictability in BIND version 9[6]
and Windows DNS[7] server implementations in 2007. In 2008 a much
publicized advancement of the DNS cache poisoning technique was
disclosed by Dan Kaminsky [8] in conjunction with the release of
security fixes by several vendors. Microsoft's MS08-037
[http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx]Security
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: BIND: Incorrect signature verification
Date: March 09, 2009
Bugs: #254134, #257949
ID: 200903-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: BIND: Cache poisoning
Date: July 11, 2008
Bugs: #231201
ID: 200807-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mandriva Linux Security Advisory MDVSA-2009:304
http://www.mandriva.com/security/
_______________________________________________________________________
Package : bind
Date : November 26, 2009
Affected: 2009.0, 2009.1, 2010.0, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01527346
Version: 1
HPSBTU02358 SSRT080058 rev.1 - HP Tru64 UNIX running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-08-12
Last Updated: 2008-08-13
ESX Service Console updates for newt, nfs-utils, and glib2 packages.
vMA updates for newt, nfs-util, glib2, kpartx, libvolume-id,
device-mapper-multipath, fipscheck, dbus, dbus-libs, ed, openssl,
bind, expat, openssh, ntp and kernel packages.
2. Relevant releases
VMware ESX 4.0.0 without patch ESX400-201002404-SG, ESX400-201002407-SG,
ESX400-201002406-SG
Mandriva Linux Security Advisory MDVSA-2009:313-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : bind
Date : December 3, 2009
Affected: 2008.0
_______________________________________________________________________
Problem Description:
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01523520
Version: 1
HPSBOV02357 SSRT080058 rev.1 - HP OpenVMS TCP/IP Services running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-08-13
Last Updated: 2008-08-13
> although I would think you'd be better off simply using a larger pool. I haven't
> tested it, but you should be able to set the pool size to 16384 for that magical
> 30 bits of entropy you want (you probably want to set the refresh to a very
> large value in this case).
Does BIND choose those ports in a cryptographically secure way? Can it
be configured not to re-use a socket for multiple queries in a row? Not
sure what the current algorithms are... please pardon my ignorance. If
BIND is reusing bound UDP ports for multiple queries in a row, then that
definitely reduces the entropy.
4) Historical Notes
Predictable DNS transaction IDs are a common and rather well researched
problem.
It was first noticed that BIND 4.9.6 and below use sequential
transaction IDs (http://www.cert.org/advisories/CA-1997-22.html).
Microsoft fixed sequential DNS transaction IDs in a post-SP3 hotfix for
Windows NT 4.0 (http://support.microsoft.com/kb/167629/EN-US/).
After that a birthday attack against BIND was published by Vagner
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01283837
Version: 1
HPSBUX02289 SSRT071461 rev.1 - HP-UX Running BIND 8, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-11-19
Last Updated: 2007-11-19
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01154600
Version: 1
HPSBTU02256 SSRT071449 rev.1 - HP Tru64 UNIX or HP Tru64 Internet Express running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-29
Last Updated: 2007-08-29
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:12.bind Security Advisory
The FreeBSD Project
Topic: BIND named(8) dynamic update message remote DoS
Category: contrib
Mandriva Linux Security Advisory MDVSA-2009:181
http://www.mandriva.com/security/
_______________________________________________________________________
Package : bind
Date : July 29, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________
Rating: Major
Exposure Level Classification:
Remote System User Deterministic Weakness
Updated Versions:
bind=conary.rpath.com@rpl:2/9.4.2_P1-2-0.1
bind-utils=conary.rpath.com@rpl:2/9.4.2_P1-2-0.1
rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2378
https://issues.rpath.com/browse/RPL-2563
Rating: Severe
Exposure Level Classification:
Remote User Deterministic Vulnerability
Updated Versions:
bind=conary.rpath.com@rpl:1/9.4.3_P5-1.1-1
bind=conary.rpath.com@rpl:2/9.4.3_P5-0.1-1
bind-utils=conary.rpath.com@rpl:1/9.4.3_P5-1.1-1
bind-utils=conary.rpath.com@rpl:2/9.4.3_P5-0.1-1
caching-nameserver=conary.rpath.com@rpl:1/9.4.3_P5-1.1-1
===========================================================
Ubuntu Security Notice USN-888-1 January 20, 2010
bind9 vulnerabilities
CVE-2009-4022, CVE-2010-0097, CVE-2010-0290
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01837667
Version: 1
HPSBTU02453 SSRT091037 rev.1 - HP Tru64 UNIX BIND Server, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-08-06
Last Updated: 2009-08-06
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01837667
Version: 1
HPSBTU02453 SSRT091037 rev.1 - HP Tru64 UNIX BIND Server, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-08-06
Last Updated: 2009-08-06
Amit Klein wrote:
> Hello BugTraq
>
> Recently I've been looking at the OpenBSD PRNG implementation for
> DNS transaction ID (OpenBSD ported BIND 9 into their code tree,
> but rolled their own PRNG for the DNS transaction ID field). I
> discovered a serious weakness in OpenBSD's PRNG, which allows an
> attacker to predict the next transaction ID (typically up to 8-10
> guesses) given a series of consecutive 12-15 transaction IDs. As
> you may appreciate, this enables DNS cache poisoning for OpenBSD
Hello BugTraq
Recently I've been looking at the OpenBSD PRNG implementation for
DNS transaction ID (OpenBSD ported BIND 9 into their code tree,
but rolled their own PRNG for the DNS transaction ID field). I
discovered a serious weakness in OpenBSD's PRNG, which allows an
attacker to predict the next transaction ID (typically up to 8-10
guesses) given a series of consecutive 12-15 transaction IDs. As
you may appreciate, this enables DNS cache poisoning for OpenBSD
much like my earlier attacks on BIND 9, BIND 8 and Microsoft
>
> Thanks for your response, it was informative.
>
>> Yes, ISC has finally gotten around to randomizing the source ports, as of
>> 9.5.0a2. It is controlled by the "use-queryport-pool" option in the server
>> section of the BIND configuration file. It defaults to "yes".
>>
>> You can control how big the pool is with the "queryport-pool-ports" option. It
>> defaults to 8 (an extra 3 bits of entropy).
>>
>> This set of ports is refreshed periodically, with a frequency controlled by the
(November 13th, 2007) - six and a half months after being informed
- Microsoft released a fix for this vulnerability. As the fix is
now publicly available, I can finally share my research finding
with you.
For those of you who read my research papers on BIND 8 and 9
(http://www.trusteer.com/docs/research.html) - it is the same
type of attack but a different vulnerability and a different DNS
server. It's interesting that both BIND and Microsoft had
different, and at the same time fundamentally flawed
implementations of DNS (with Microsoft's implementation being
I'm put in an awkward position of having to respond to a message which
wasn't sent to me in the first place. But still...
"This bug was reported over and over again" - I find this statement
confusing. The bug class of "DNS transaction ID not being random enough"
was sure reported for several DNS server, including BIND. My paper
clearly references e.g.
http://www.openbsd.org/advisories/res_random.txt (as reference [7]).
However, I'm not familiar with public reports that outline the
seriousness of the non-randomness of BIND *9*, to the extent my report
did. So the way I see it is that this particular bug, in BIND 9, was not
At this time, it is not possible to implement the recommended
countermeasures in the GNU libc stub resolver. The following
workarounds are available:
1. Install a local BIND 9 resoler on the host, possibly in
forward-only mode. BIND 9 will then use source port randomization
when sending queries over the network. (Other caching resolvers can
be used instead.)
2. Rely on IP address spoofing protection if available. Successful
<<Previous Next>>
|
