Domain Name System
Summary
=======
The Cisco Application Control Engine Global Site Selector (GSS)
contains a vulnerability when processing specific Domain Name System
(DNS) requests that may lead to a crash of the DNS service on the
GSS.
Cisco has released free software updates that address this
vulnerability.
vulnerabilities.
Details
=======
The Domain Name System is an integral part of networks that are based
on TCP/IP such as the Internet. Simply stated, the Domain Name System
is a hierarchical database that contains mappings of hostnames and IP
addresses. The DNS protocol is part of the TCP/IP protocol suite and
allows DNS clients to query the DNS database to resolve hostnames to IP
addresses.
Background
==========
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected packages
=================
-------------------------------------------------------------------
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
e. Service Console package bind updated to 9.3.6-4.P1.el5_4.2
BIND (Berkeley Internet Name Daemon) is by far the most widely used
Domain Name System (DNS) software on the Internet.
A vulnerability was discovered which could allow remote attacker to
add the Authenticated Data (AD) flag to a forged NXDOMAIN response
for an existing domain.
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
b. Updated bind package for the service console fixes a flaw with the
way ISC BIND processed certain DNS query responses.
ISC BIND (Berkeley Internet Name Domain) is an implementation of
the DNS (Domain Name System) protocols. Under some circumstances, a
malicious remote user could launch a Denial-of-Service attack on
ESX Server hosts that had enabled DNSSEC validation.
(CVE-2007-0494)
Note: These issues only affect the service console network, and are
g. Updated Service Console package bind
Service Console package bind updated to version 9.3.6-4.P1.el5
The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS) protocols. BIND includes a DNS server
(named); a resolver library (routines for applications to use when
interfacing with DNS); and tools for verifying that the DNS server
is operating correctly.
A flaw was found in the way BIND handles dynamic update message
parameters are required for a newly initialized client. A client and
server may negotiate for the transmission of only those parameters
required by the client or specific to a particular subnet. DHCP allows but
does not require the configuration of client parameters not directly
related to the IP protocol. DHCP also does not address registration of
newly configured clients with the Domain Name System (DNS).
The DCHP message definition includes a variable length field called
“options€? which are in turn indication of an additional variable length
payload to the base DHCP message. The entire list of official DHCP
options, also known as “vendor extensions€? in BOOTP terminology, is
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
Background
==========
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected packages
=================
-------------------------------------------------------------------
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.
NEXTPAGE = J21_REBOOT,
PASSWORD = 2wire
4. IMPACTS AND ADVISORY
A successful attack is unlikely to be noticed by the end-user with the lack of warning that comes with a CSRF attack, especially when performed through XMLHttpRequest. A likely exploitation would involve the alteration of the victim router’s Domain Name System (DNS) records, enabling a Man-in-the-Middle (MITM) attack vector. This allows for severe Advanced Persistent Threats (APT) to the victim.
Hence, it is advised for SingTel and 2Wire to push the updated firmware to its subscribers as soon as possible.
While the issue is pending resolution, SingTel Internet service customers with firmware major version 5 (and below) are advised to:
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.
Background
==========
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected packages
=================
-------------------------------------------------------------------
1. An interface must have IPv6 enabled.
2. One or more of the following IPv4 UDP-based services must be
enabled:
TACACS - port 49
Domain Name System (DNS) server - port 53
Resource Reservation Protocol (RSVP) - port 1698
Layer Two Forwarding (L2F)/Layer Two Tunnel Protocol (L2TP) -
port 1701
IP SLA Responder - port 1967
Media Gateway Control Protocol (MGCP) - port 2427
advisory is being published. Email will be sent to the freebsd-security
mailing list when the binaries are available via freebsd-update.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
Dynamic update messages may be used to update records in a master zone
on a nameserver.
10. *References*
[1] Schuba, Christoph, "Addressing Weaknesses in the Domain Name System
Protocol", 1993.
[http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/schuba-DNS-msthesis.pdf]
[2] Vixie, Paul, "5th USENIX UNIX Security Symposium", 1995.
[http://www.usenix.org/publications/library/proceedings/security95/full_papers/vixie.txt]
[3] Arce, Ivan, Kargieman, Emiliano, "BIND vulnerbailities and
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication as part of responses to DNS queries.
FreeBSD includes software from the OpenSSL Project. The OpenSSL
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A remote attacker could cause the BIND resolver to cache an invalid
Background
==========
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected packages
=================
-------------------------------------------------------------------
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A logic error in the BIND code causes the BIND daemon to accept bogus
Background
==========
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected packages
=================
-------------------------------------------------------------------
Debian-specific: no
CVE Id(s) : CVE-2009-0858
Debian Bug : 518169
Matthew Dempsky discovered that Daniel J. Bernstein's djbdns, a Domain
Name System server, does not constrain offsets in the required manner,
which allows remote attackers with control over a third-party subdomain
served by tinydns and axfrdns, to trigger DNS responses containing
arbitrary records via crafted zone data for this subdomain.
The old stable distribution (etch) does not contain djbdns.
|
