DNSSEC
necessary changes.
Details follow:
Michael Sinatra discovered that Bind did not correctly validate certain
records added to its cache. When DNSSEC validation is in use, a remote
attacker could exploit this to spoof DNS entries and poison DNS caches.
Among other things, this could lead to misdirected email and web traffic.
Updated packages for Ubuntu 6.06 LTS:
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1910
It was discovered that BIND, an implementation of the DNS protocol,
does not correctly process certain large RRSIG record sets in DNSSEC
responses. The resulting assertion failure causes the name server
process to crash, making name resolution unavailable. (CVE-2011-1910)
In addition, this update fixes handling of certain signed/unsigned
zone combinations when a DLV service is used. Previously, data from
technologies. Email reputation)
* Fighting phishing and pharming
* Fighting malware
* Internet protocol security
* IPv6 security
* DNSsec
* Security of network infrastructure services (DNS, NTP, etc.)
* Web security
* DoS/DDoS response and mitigation, botnets
* Authentication and access control
* Security in the cloud
replacement will trigger an assertion failure and cause the name
server process to exit.
Workarounds: Install 9.8.0-P1 or higher.
Active exploits: None. However, some DNSSEC validators are known to
send type=RRSIG queries, innocently triggering the failure.
Solution: Use RPZ only for forcing NXDOMAIN responses and not for
RRset replacement.
that we need to fill, so if you are interested in speaking at this
year’s event please submit a paper via our CFP address of ‘cfp <at>
layerone <dot> info’. Our current selection of speakers covers a wide
range of interests. We will have presentations covering such topics as
Web Application Security, GnuRadio, Lockpicking Forensics, Security
Consulting, and DNSSEC. Our speakers come from a wide variety of
backgrounds and are all subject matter experts in their respective
fields.
Pre-Registration has opened for this year’s event. The
pre-registration price is 100.00USD and is available through our
Mapping"[1]:
3.2 Utility and effectiveness of some reverse mapping uses
Especially in the absence of strong anti-spoofing
mechanisms, like the DNS Security Extensions, a check
for matching reverse DNS mapping should be regarded as
an extremely weak form of authentication. Even
moderately skilled attackers have available to them
tools to spoof DNS responses.
[...]
Debian-specific: no
CVE Id(s) : CVE-2009-3602
It was discovered that Unbound, a DNS resolver, does not properly
check cryptographic signatures on NSEC3 records. As a result, zones
signed with the NSEC3 variant of DNSSEC lose their cryptographic
protection. (An attacker would still have to carry out an ordinary
cache poisoning attack to add bad data to the cache.)
The old stable distribution (etch) does not contain an unbound
package.
> odd to have to keep fixing it-- i fixed it in bind4 and bind8 when theo
> de raadt offered me his random number generator to use. bind9 should've
> used that same one but apparently didn't. note that with this fix, the
> difficulty in poisoning someone's cache rises from "a few tens of seconds"
> to "a few minutes". it's a 16-bit field. not a lot of room for
> randomness or unpredictability. only DNSSEC, a protocol change, fixes
> this problem, which is fundamentally a protocol problem. but since folks
> just won't leave it alone and keep on reporting it year after decade, we
> will keep on improving our random number generator for this dinky little
> 16-bit field. i just wish the reporters wouldn't be so smarmy and self
> congratulatory about it. it's not like this hasn't been reported, and
way ISC BIND processed certain DNS query responses.
ISC BIND (Berkeley Internet Name Domain) is an implementation of
the DNS (Domain Name System) protocols. Under some circumstances, a
malicious remote user could launch a Denial-of-Service attack on
ESX Server hosts that had enabled DNSSEC validation.
(CVE-2007-0494)
Note: These issues only affect the service console network, and are
not remote vulnerabilities for ESX Server hosts that have been set
up with the security best practices provided by VMware.
> typically DNS is provided by an ISP or some other agency with a formal
> legal relationship, and there is the possibility of liability on the
> part of the lax DNS provider. Hopefully we will continue to see rapid
> uptake of the DNS fix over the next few weeks.
In general, DNS is not fixable without deploying DNSSEC.
a) The current "fix" just reduces the probability of an attack. If
attacker and victim have sufficient bandwidth, it can still be done in
under a day.
> And because mail server name and email address does not need to be any
> connection also checking of signature of certificate against CA does not
> help much. It does not protect against attack on MX records on DNS.
true - so in an ideal world, we would need DNSSec everywhere and strict
certificate checking to significantly reduce the possibility of MiTM
attacks. In a not so ideal world, every little bit helps, so if we can
get mail servers to routinely use encryption between each other, that's
a nice first step and using valid certificates that can actually be
verified is a second one. Both will help significantly already.