DNS resolver
All UDP protocols that are being inspected by the Cisco ASA UDP
inspection engine may be vulnerable. The following protocols are known
to use the Cisco ASA UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
Summary
=======
The Cisco Application Control Engine Global Site Selector (GSS)
contains a vulnerability when processing specific Domain Name System
(DNS) requests that may lead to a crash of the DNS service on the
GSS.
Cisco has released free software updates that address this
vulnerability.
in the vendor's security bulletin and did not have a unique
vulnerability identifier assigned to them. As a result, the guidance and
the assessment of risk derived from reading the vendor's security
bulletin may overlook or misrepresent actual threat scenarios.
Nicolas found that the Windows SMTP Service does its own DNS resolution
of MX records rather than use the DNS resolver from the operating system
while investigating CVE-2010-0024
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0024].
Furthermore, he found that the patch referenced in MS10-024 fixed two
severe bugs that were not disclosed as such in the bulletin and had no
CVE identifiers assigned to them. Basic analysis of the vulnerabilities
vulnerabilities.
Details
=======
The Domain Name System is an integral part of networks that are based
on TCP/IP such as the Internet. Simply stated, the Domain Name System
is a hierarchical database that contains mappings of hostnames and IP
addresses. The DNS protocol is part of the TCP/IP protocol suite and
allows DNS clients to query the DNS database to resolve hostnames to IP
addresses.
Background
==========
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected packages
=================
-------------------------------------------------------------------
parameters are required for a newly initialized client. A client and
server may negotiate for the transmission of only those parameters
required by the client or specific to a particular subnet. DHCP allows but
does not require the configuration of client parameters not directly
related to the IP protocol. DHCP also does not address registration of
newly configured clients with the Domain Name System (DNS).
The DHCP message definition includes a variable length field called
“options” which are in turn indication of an additional variable length
payload to the base DHCP message. The entire list of official DHCP
options, also known as “vendor extensions” in BOOTP terminology, is
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.4
src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.2
src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.11
src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.3
src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.6
src/contrib/bind9/bin/named/query.c 1.1.1.1.4.7
RELENG_6_4
src/UPDATING 1.416.2.40.2.13
NEXTPAGE = J21_REBOOT,
PASSWORD = 2wire
4. IMPACTS AND ADVISORY
A successful attack is unlikely to be noticed by the end-user with the lack of warning that comes with a CSRF attack, especially when performed through XMLHttpRequest. A likely exploitation would involve the alteration of the victim router’s Domain Name System (DNS) records, enabling a Man-in-the-Middle (MITM) attack vector. This allows for severe Advanced Persistent Threats (APT) to the victim.
Hence, it is advised for SingTel and 2Wire to push the updated firmware to its subscribers as soon as possible.
While the issue is pending resolution, SingTel Internet service customers with firmware major version 5 (and below) are advised to:
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.5
src/contrib/bind9/bin/named/server.c 1.1.1.2.2.4
src/contrib/bind9/lib/dns/api 1.1.1.2.2.5
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.4.4
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.4.3
src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.8
RELENG_6_3
src/UPDATING 1.416.2.37.2.8
src/sys/conf/newvers.sh 1.69.2.15.2.7
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.3.2.1
src/contrib/bind9/bin/named/server.c 1.1.1.2.2.2.2.1
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.c 1.1.1.1.4.1
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.h 1.1.1.1.4.1
src/contrib/bind9/lib/dns/rdata/generic/txt_16.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c 1.1.1.1.4.1
src/contrib/bind9/lib/dns/request.c 1.1.1.1.4.4
src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.10
src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.5
src/contrib/bind9/lib/dns/view.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/xfrin.c 1.1.1.2.2.5
src/contrib/bind9/lib/isc/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/isc/api 1.1.1.2.2.5
advisory is being published. Email will be sent to the freebsd-security
mailing list when the binaries are available via freebsd-update.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
Dynamic update messages may be used to update records in a master zone
on a nameserver.
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A logic error in the BIND code causes the BIND daemon to accept bogus
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
e. Service Console package bind updated to 9.3.6-4.P1.el5_4.2
BIND (Berkeley Internet Name Daemon) is by far the most widely used
Domain Name System (DNS) software on the Internet.
A vulnerability was discovered which could allow a remote attacker to
add the Authenticated Data (AD) flag to a forged NXDOMAIN response
for an existing domain.
b. Updated bind package for the service console fixes a flaw with the
way ISC BIND processed certain DNS query responses.
ISC BIND (Berkeley Internet Name Domain) is an implementation of
the DNS (Domain Name System) protocols. Under some circumstances, a
malicious remote user could launch a Denial-of-Service attack on
ESX Server hosts that had enabled DNSSEC validation.
(CVE-2007-0494)
Note: These issues only affect the service console network, and are
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A remote attacker could cause the BIND resolver to cache an invalid
Background
==========
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected packages
=================
-------------------------------------------------------------------
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.
1. An interface must have IPv6 enabled.
2. One or more of the following IPv4 UDP-based services must be
enabled:
TACACS - port 49
Domain Name System (DNS) server - port 53
Resource Reservation Protocol (RSVP) - port 1698
Layer Two Forwarding (L2F)/Layer Two Tunnel Protocol (L2TP) -
port 1701
IP SLA Responder - port 1967
Media Gateway Control Protocol (MGCP) - port 2427
g. Updated Service Console package bind
Service Console package bind updated to version 9.3.6-4.P1.el5
The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS) protocols. BIND includes a DNS server
(named); a resolver library (routines for applications to use when
interfacing with DNS); and tools for verifying that the DNS server
is operating correctly.
A flaw was found in the way BIND handles dynamic update message
Background
==========
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected packages
=================
-------------------------------------------------------------------
A denial of service condition in Ruby's XML document parsing module
(REXML) could cause a Ruby application using the REXML module to use
an excessive amount of CPU and memory via XML documents with large
XML entity definitions recursion (CVE-2008-3790).
The Ruby DNS resolver library used predictable transaction IDs and
a fixed source port when sending DNS requests. This could be used
by a remote attacker to spoof a malicious reply to a DNS query
(CVE-2008-3905).
The updated packages have been patched to correct these issues.
randomization did still not use difficult-to-predict random numbers.
This is corrected in this security update.
Here is the text of the original advisory:
Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses
a weak random number generator to create DNS transaction IDs and UDP
source port numbers. As a result, cache poisoning attacks were
simplified. (CVE-2008-1637)
In the light of recent DNS-related developments (documented in DSAs
Vulnerability : design flaw
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1637
Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a
weak random number generator to create DNS transaction IDs and UDP
source port numbers. As a result, cache poisoning attacks were
simplified. (CVE-2008-1637)
For the stable distribution (etch), these problems have been fixed in
Debian-specific: no
CVE Id(s) : CVE-2009-0858
Debian Bug : 518169
Matthew Dempsky discovered that Daniel J. Bernstein's djbdns, a Domain
Name System server, does not constrain offsets in the required manner,
which allows remote attackers with control over a third-party subdomain
served by tinydns and axfrdns, to trigger DNS responses containing
arbitrary records via crafted zone data for this subdomain.
The old stable distribution (etch) does not contain djbdns.
module, allowing for a Denial of Service and a cache poisoning attack.
Background
==========
Net::DNS is a Perl implementation of a DNS resolver.
Affected packages
=================
-------------------------------------------------------------------
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-4022
CERT advisory : VU#418861
Michael Sinatra discovered that the DNS resolver component in BIND
does not properly check DNS records contained in additional sections
of DNS responses, leading to a cache poisoning vulnerability. This
vulnerability is only present in resolvers which have been configured
with DNSSEC trust anchors, which is still rare.
or cause a denial of service (system crash) via unspecified
vectors. (CVE-2010-2492)
The DNS resolution functionality in the CIFS implementation in the
Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled,
relies on a user's keyring for the dns_resolver upcall in the
cifs.upcall userspace helper, which allows local users to spoof the
results of DNS queries and perform arbitrary CIFS mounts via vectors
involving an add_key call, related to a cache stuffing issue and
MS-DFS referrals. (CVE-2010-2524)