             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                           BIND Version 8 Vulnerable
                    [US-CERT Vulnerability Note VU#927905]

August 28, 2007 16:00 GMT                                         Number R-333
[REVISED 7 Dec 2007]
______________________________________________________________________________
PROBLEM:       ISC BIND version 8 generates cryptographically weak DNS query
               IDs which could allow a remote attacker to poison DNS caches.
PLATFORM:      ISC BIND 8
               HP-UX B.11.11
DAMAGE:        Could allow a remote attacker to poison DNS caches.
SOLUTION:      Upgrade to appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. Could allow a remote attacker to poison DNS
ASSESSMENT:    caches.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-333.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/927905
 ADDITIONAL LINK:    Visit Hewlett-Packard's Subscription Service for:
                     HPSBUX02289 SSRT071461 rev. 1
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2930
______________________________________________________________________________
REVISION HISTORY:
12/07/2007 - revised R-333 to add a link to Hewlett-Packard HPSBUX02289
             SSRT071461 rev. 1 for HP-UX B.11.11 Running Bind 8.

[***** Start US-CERT Vulnerability Note VU#927905 *****]

Vulnerability Note VU#927905

BIND version 8 generates cryptographically weak DNS query identifiers

Overview

ISC BIND version 8 generates cryptographically weak DNS query IDs which
could allow a remote attacker to poison DNS caches.

I. Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System
(DNS) implementation from Internet Systems Consortium (ISC).
Version 8 of the BIND software uses a weak algorithm to generate DNS query
identifiers. This condition allows an attacker to reliably guess the next
query ID, thereby allowing for DNS cache poisoning attacks.

ISC states that this bug only affects outgoing queries, generated by BIND 8
to answer questions as a resolver, or when it is looking up data for
internal uses, such as when sending NOTIFY messages to slave name servers.

Note that although this vulnerability is similar in nature and impact to
VU#252735, it is a distinct issue.

II. Impact

A remote attacker with the ability to predict DNS query IDs and respond
with arbitrary answers could poison DNS caches.

III. Solution

Upgrade or apply a patch

Users should obtain a patch from their operating system vendor when
available. Please see the Systems Affected section of this document for
more information about specific vendors.

Users who compile their own versions of BIND 8 from the original ISC source
code are encouraged to take the following actions described by ISC:

    This issue is addressed in ISC BIND 8.4.7-P1, available as a patch that
    can be applied to BIND 8.4.7.

    The more definitive solution is to upgrade to BIND 9. BIND 8 is being
    declared "end of life" by ISC due to multiple architectural issues.
    See ISC's website at http://www.isc.org for more information and
    assistance.

Systems Affected

Vendor                              Status          Date Updated
Apple Computer, Inc.                Unknown         27-Aug-2007
BlueCat Networks, Inc.              Not Vulnerable  28-Aug-2007
Check Point Software Technologies   Unknown         27-Aug-2007
Conectiva Inc.                      Unknown         27-Aug-2007
Cray Inc.                           Unknown         27-Aug-2007
Debian GNU/Linux                    Unknown         27-Aug-2007
EMC Corporation                     Unknown         27-Aug-2007
Engarde Secure Linux                Unknown         27-Aug-2007
F5 Networks, Inc.                   Unknown         27-Aug-2007
Fedora Project                      Unknown         27-Aug-2007
FreeBSD, Inc.                       Unknown         27-Aug-2007
Fujitsu                             Unknown         27-Aug-2007
Gentoo Linux                        Unknown         27-Aug-2007
Gnu ADNS                            Unknown         27-Aug-2007
GNU glibc                           Unknown         27-Aug-2007
Hewlett-Packard Company             Unknown         27-Aug-2007
Hitachi                             Unknown         27-Aug-2007
IBM Corporation                     Unknown         27-Aug-2007
IBM Corporation (zseries)           Unknown         27-Aug-2007
IBM eServer                         Unknown         27-Aug-2007
Immunix Communications, Inc.        Unknown         27-Aug-2007
Infoblox                            Not Vulnerable  27-Aug-2007
Ingrian Networks, Inc.              Unknown         27-Aug-2007
Internet Software Consortium        Vulnerable      27-Aug-2007
Juniper Networks, Inc.              Unknown         27-Aug-2007
Lucent Technologies                 Unknown         27-Aug-2007
Mandriva, Inc.                      Not Vulnerable  27-Aug-2007
Men & Mice                          Unknown         27-Aug-2007
Metasolv Software, Inc.             Unknown         27-Aug-2007
Microsoft Corporation               Not Vulnerable  28-Aug-2007
MontaVista Software, Inc.           Unknown         27-Aug-2007
NEC Corporation                     Unknown         27-Aug-2007
NetBSD                              Unknown         27-Aug-2007
Nortel Networks, Inc.               Unknown         27-Aug-2007
Novell, Inc.                        Unknown         27-Aug-2007
OpenBSD                             Unknown         27-Aug-2007
Openwall GNU/*/Linux                Unknown         27-Aug-2007
QNX, Software Systems, Inc.         Unknown         27-Aug-2007
Red Hat, Inc.                       Unknown         27-Aug-2007
Shadowsupport                       Unknown         27-Aug-2007
Silicon Graphics, Inc.              Unknown         27-Aug-2007
Slackware Linux Inc.                Unknown         27-Aug-2007
Sony Corporation                    Unknown         27-Aug-2007
Sun Microsystems, Inc.              Unknown         27-Aug-2007
SUSE Linux                          Unknown         27-Aug-2007
The SCO Group                       Unknown         27-Aug-2007
Trustix Secure Linux                Unknown         27-Aug-2007
Turbolinux                          Unknown         27-Aug-2007
Ubuntu                              Unknown         27-Aug-2007
Unisys                              Unknown         27-Aug-2007
Wind River Systems, Inc.            Unknown         27-Aug-2007

References

http://www.isc.org/index.pl?/sw/bind/bind8-eol.php
http://www.trusteer.com/docs/bind8dns.html

Credit

Thanks to the Internet Systems Consortium (ISC) for reporting this
vulnerability. ISC, in turn, credits Amit Klein from Trusteer for reporting
this issue to them.

This document was written by Chad Dougherty.
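
An added example, not part of the CIAC or US-CERT text: a Python triage of
BIND version strings against the fix levels named in the Solution section
(8.4.7-P1 and BIND 9). The hosts, version strings, status labels and function
names are constructed for illustration, and it assumes builds from ISC
source, since vendor packages can carry the patch under an older version
string.

```python
import re

# Fix levels come from the bulletin: 8.4.7-P1 carries the patch and BIND 9 is
# the upgrade ISC recommends. Labels and sample data below are constructed.
FIXED_BIND8 = ((8, 4, 7), 1)  # (release, patch level) of 8.4.7-P1

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-P(\d+))?")


def parse_bind_version(text):
    """Return ((major, minor, micro), patch_level), or None if nothing parses."""
    m = _VERSION.search(text)
    if m is None:
        return None
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return release, int(m.group(4) or 0)


def triage(version_text):
    """Classify one version string against the bulletin's Solution section."""
    parsed = parse_bind_version(version_text)
    if parsed is None:
        return "unknown"
    release, _patch = parsed
    if release[0] >= 9:
        return "bind9"            # the upgrade target the bulletin names
    if release[0] == 8:
        # Assumption: 8.x strings at or above 8.4.7-P1 include the patch.
        # Vendor packages can backport it without changing the string.
        return "patched-eol" if parsed >= FIXED_BIND8 else "vulnerable"
    return "unknown"              # the bulletin only covers BIND 8


def hosts_needing_action(inventory):
    """Map host -> status for every host that is not already on BIND 9."""
    statuses = {host: triage(ver) for host, ver in inventory.items()}
    return {h: s for h, s in statuses.items() if s != "bind9"}


# Constructed inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ns1.example.net": "8.4.7",
    "ns2.example.net": "8.4.7-P1",
    "ns3.example.net": "9.4.1-P1",
    "ns4.example.net": "8.3.4-REL",
    "ns5.example.net": "refused",
}

if __name__ == "__main__":
    for host, status in sorted(hosts_needing_action(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "patched-eol" still run the end-of-life BIND 8 line and
remain candidates for the BIND 9 upgrade the bulletin recommends.
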

Other Information

Date Public            08/27/2007
Date First Published   08/28/2007 09:37:59 AM
Date Last Updated      08/28/2007
CERT Advisory
CVE Name               CVE-2007-2930
Metric                 2.14
Document Revision      13

[***** End US-CERT Vulnerability Note VU#927905 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-323: Vulnerability in Virtual PC and Virtual Server
R-324: Vulnerability in Vector Markup Language
R-325: Information Leakage Using IPv6 Routing Header
R-326: tcpdump
R-327: Cisco IOS Secure Copy Authorization Bypass Vulnerability
R-328: Local Privilege Vulnerabilities in Cisco VPN Client
R-329: Trend Micro ServerProtect Agent Vulnerabilities
R-330: Asterisk Security Vulnerabilities
R-331: HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command
R-332: MSN Messenger and Windows Live Messenger Webcam Vulnerability