|
|
 |
Accueil | Resources | Public Advisories/Alerts
| Security Advisories
DNS vulnerability
| Reference: |
CERT-IST/AV-2008.310 |
| Version: |
4.5 |
| Version date: |
02 September 2008 |
|
Vulnerability Classification
| Risk: |
 |
high |
|
| Impact: |
Integrity
Leverage |
| Confidence: |
Vendor-acknowledged |
| Attack expertise: |
Skilled |
| Attack requirements: |
Remote (no account) over a standard service |
|
System Information
| Affected Platform(s): |
| |
| Affected Software(s): |
| |
Remarks: This vulnerability affects potentially all DNS servers and clients. The following vendors have published security advisories:
- ISC BIND
- Microsoft Windows
- CISCO
- Linux
- Juniper
- SUN
|
|
Description
| Publication context: |
|
[Version 4.0] This advisory has been re-issued (04-Aug-08) following the release of new versions of BIND (9.5.0-P2, 9.4.2-P2 and 9.3.5-P2) that fix the performance issues noticed in the previous P1 releases.
[Version 3.0] This advisory has been re-issued (22-Jul-2008) following the release of the CERT-IST/DG-2008.007 Potential Danger ("Technical information leak regarding the DNS flaw"). The risk has therefore been increased to "High". The impact on the performances of the ICS BIND patch has also been added.
[Version 2.0]:This advisory has been re-issued (10-jul-2008) because multiple vendors have published patches to fix the CVE-2008-1447 vulnerability.
Note: This advisory is about the vulnerability mentioned in the confidential note sent to the Cert-IST member representatives on July 2nd, 2008. |
|
| Problem description: |
|
| A vulnerability has been discovered in the DNS (Domain Name Service) protocol. This vulnerability affects any DNS server (all vendors are potentially affected), but also in a lesser way all DNS clients. This vulnerability could allow a remote attacker to corrupt DNS entries on vulnerable DNS servers and DNS clients. This corruption could allow a malicious person to redirect any network traffic (email, web, ftp, etc..) to a machine of his choice (DNS data of legitimate sites are corrupted). |
|
| Technical information: |
|
Regarding the large scale of machines which could be affected by this vulnerability, the technical details which allow to exploit this vulnerability are still kept secret.
According to the US-CERT, this is due to a combination of several known vulnerabilities. Among them, the US-CERT mentions the following information:
- the "transaction ID" field of DNS requests are weak (16 bits) and not as random as it should,
- certain DNS implementations generate multiple "query" requests about DNS records,
- certain DNS implementations use predictable port source numbers in DNS requests.
This vulnerability concerns DNS servers, but also the "resolvers" used on client systems. The attack of DNS servers affects all clients which use such servers. The DNS client attack only affects the targeted client. It is then mandatory to fix DNS servers first. |
|
Solution
01 - Tools which help to identify vulnerable DNS servers
The Cert-IST recommends the following approach to deploy patches against the DNS vulnerability:
- 1) Identify DNS servers in your organisation.
- 2) Identify the most vulnerable DNS servers.
- 3) Apply patches on the most vulnerable DNS servers, then on less vulnerable ones.
- 4) Apply patches for "DNS clients" on vulnerable systems.
For step "2)" the following tools are available. - PERL script to automate "DNS Checker" tool usage
- "DNS Checker" tool (written by Dan Kaminsky)
02 - Apply the ISC BIND patches regarding the DNS vulnerability
ISC indicates that the following versions of BIND are affected:
ISC released :
- "Patched" versions of BIND : 9.5.0-P1, 9.4.2-P1 et 9.3.5-P1.
- "Beta" versions of BIND :
- BIND 9.5.1b1
- BIND 9.4.3b2
The "patched" versions will have a noticeable impact on the performance of BIND caching resolvers with query rates at or above 10,000 queries per second. The beta releases reduce the impact in performance to non-significant levels.
On August 4th 2008, ISC released new BIND versions 9.5.0-P2, 9.4.2-P2 and 9.3.5-P2 that fix the performance issues present in previous P1 releases.
Refer to the ISC security advisory (listed in "Additional Resources" section below) for more information.
03 - Apply the Microsoft patches regarding the DNS vulnerability
See the CERT-IST/AV-2008.307 advisory to get the details about the patches for Microsoft Windows platforms. - Cert-IST security advisory CERT-IST/AV-2008.307 dated July 9, 2008
04 - Apply the CISCO patches regarding the DNS vulnerability
Cisco indicates that the following products are affected:
- Cisco IOS Software
- Cisco Network Registrar
- Cisco Application and Content Networking System
- Cisco Global Site Selector Used in Combination with Cisco Network Registrar
See the CISCO security advisory (listed in "Additional Resources" section below) to get the appropriate patch.
05 - Apply the Linux Debian patches regarding the DNS vulnerability
Linux Debian released patches for Debian GNU/Linux 4.0 (Etch).
Please refer to the Linux Debian security bulletins (listed in the "Additional Resources" section) to know the package to update depending on the platform.
06 - Apply the Linux Ubuntu patches regarding the DNS vulnerability
Linux Ubuntu released patches for the distributions:
- Linux Ubuntu 6.06 (Dapper Drake),
- Linux Ubuntu 7.04 (Feisty),
- Linux Ubuntu 7.10 (Gutsy),
- Linux Ubuntu 8.04 LTS (Hardy).
Please refer to the Linux Ubuntu security bulletin (listed in the "Additional Resources" section) to know the package to update depending on the platform.
07 - Apply the Sun patches regarding the DNS vulnerability
| Sparc | Intel |
| Solaris 8 | 109326-23 | 109327-23 |
| Solaris 9 | 112837-15 | 114265-14 |
| Solaris 10 | 119783-06 | 119784-06 |
| OpenSolaris | snv_95 | snv_95 |
08 - Apply the Linux Fedora patches regarding the DNS vulnerability
Linux Fedora released patches for the distributions
- Linux Fedora 8,
- Linux Fedora 9.
Refer to the Linux Fedora advisories listed in the "Additional Resources" section to get the details about these fixes. - Use "Yum" to update Fedora
09 - Apply the Linux Red Hat patches regarding the DNS vulnerability
Linux Red Hat released patches for the distributions :
- Red Hat Desktop (v. 3 and 4),
- Red Hat Enterprise Linux AS (v. 2.1, 3 and 4),
- Red Hat Enterprise Linux ES (v. 2.1, 3 and 4),
- Red Hat Enterprise Linux WS (v. 2.1, 3 and 4),
- Red Hat Enterprise Linux (v. 5 server),
- Red Hat Enterprise Linux Desktop (v. 5 client),
- Red Hat Enterprise Linux Desktop Workstation (v. 5 client).
Refer to the Linux Red Hat advisory listed in the "Additional Resources" section to get the details about these fixes. - Patches for Red Hat Enterprise Linux
10 - Apply the Juniper patches regarding the DNS vulnerability
See the Juniper security bulletin PSN-2008-06-040 ("Additional Resources" section) to get the appropriate patch.- Juniper security advisory PSN-2008-06-040 dated July 9, 2008
11 - Apply the Linux Mandriva patches regarding the DNS vulnerability
Linux Mandriva released patches for the distributions Corporate Server 3.0, 4.0, Multi Network Firewall 2, 2007.1 and 2008.0.
Refer to the Linux Mandriva advisory listed in the "Additional Resources" section to get the details about these fixes.
12 - Apply the Linux Slackware patches regarding the DNS vulnerability
Linux Slackware released patches for the distributions 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1 and "current".
Refer to the Linux Slackware advisories listed in the "Additional Resources" section to get the details about these fixes. - Linux Slackware 12.0 patches
- Patches for Linux Slackware 11.0
- Patches for Linux Slackware 10.2
- Patches for Linux Slackware 10.1
- Linux Slackware 10.0 patches
- Linux Slackware "current" patches
- Linux Slackware 9.1 patches
- Linux Slackware 9.0 patches
- Linux Slackware 8.1 patches
13 - Apply the Linux SuSE patches regarding the DNS vulnerability
Linux SuSE released patches for the distributions :
- OpenSUSE versions 10.2, 10.3 and 11.0
- SUSE Linux Enterprise SDK 10 SP1 and SP2
- SUSE Linux Enterprise Server versions 9, 10 SP1 and 10 SP2.
- SUSE Linux Enterprise Desktop 10 SP1 and SP2
- Open Enterprise Server
- Novell Linux Desktop 9
- Novell Linux POS 9
Refer to the Linux SuSE advisories listed in the "Additional Resources" section to get the details about these fixes. - SuSE patch for Opteron (x86_64) platforms
- SuSE patch for Intel platforms
14 - Apply the FreeBSD patches regarding the DNS vulnerability
English translation not available yet
15 - Apply the Novell patches regarding the DNS vulnerability
Novell is currently working on patches.
16 - Apply the HP patches regarding the DNS vulnerability
- HP-UX B.11.11 with BIND 8.1.2: upgrade to BIND 9.2.0 or 9.3.2 then apply one of the patches mentioned below
- HP-UX B.11.11 with BIND 9.2.0: BIND920v11.depot
- HP-UX B.11.11 with BIND 9.3.2: Install revision C.9.3.2.3.0 or subsequent
- HP-UX B.11.23 with BIND 9.2.0: PHNE_37865
- HP-UX B.11.23 with BIND 9.3.2: Install revision C.9.3.2.3.0 or subsequent
- HP-UX B.11.31: Install revision C.9.3.2.3.0 or subsequent
HP provides ERP (Early Release Patch) for HP Tru64 UNIX and OpenVMS:
- HP Tru64 UNIX v 5.1B-4: install patch T64KIT1001520-V51BB27-ES-20080808 (HP Tru64 UNIX v 5.1B-4 PK6 (BL27) is required). The patch will be included in the upcomming mainstream kit HP Tru64 UNIX v 5.1B-5.
- HP Tru64 UNIX v 5.1B-3: install patch T64KIT1001522-V51BB26-ES-20080808 (HP Tru64 UNIX v 5.1B-3 PK5 (BL26) is required). This patch will be included in the mainstream kit HP Tru64 UNIX v 5.1B-5.
- OpenVMS: Patches will be included in the next mainstream kit HP OpenVMS TCP/IP Services v 5.6 ECO 3
- HP Integrity BIND Server Patch for TCP/IP Services for OpenVMS v 5.5 ECO 3, v 5.6 ECO 2
- HP Alpha BIND Server Patch for TCP/IP Services for OpenVMS v 5.4 ECO 7, v 5.5 ECO 3, v 5.6 ECO 2
- HP updates for BIND 9.2.0
- HP patches download center (HP-UX, TRu64, etc...)
17 - Apply the IBM patches regarding the DNS vulnerability
- APAR for AIX 5.2 TL10 : IZ26667
- APAR for AIX 5.3 TL6 : IZ26668
- APAR for AIX 5.3 TL7 : IZ26669
- APAR for AIX 5.3 TL8 : IZ26670
- APAR for AIX 6.1 TL0 : IZ26671
- APAR for AIX 6.1 TL1 : IZ26672
- IBM patches for AIX systems
18 - Apply the F5 patches regarding the DNS vulnerability
The vulnerability affects the following products and versions :
- 3-DNS versions 4.5 - 4.5.14, 4.6 - 4.6.1, and 4.6.2 - 4.6.4
- BIG-IP versions 4.5 - 4.5.14, 4.6 - 4.6.1, and 4.6.2 - 4.6.4
- BIG-IP LTM versions 9.3 - 9.3.1, 9.4 - 9.4.5, and 9.6 - 9.6.1
- BIG-IP GTM versions 9.3 - 9.3.1 and 9.4 - 9.4.5
- BIG-IP ASM versions 9.3 - 9.3.1 and 9.4 - 9.4.5
- BIG-IP Link Controller versions 9.3 - 9.3.1 and 9.4 - 9.4.5
- BIG-IP WebAccelerator versions 9.4 - 9.4.5
- BIG-IP PSM version 9.4.5
- BIG-IP SAM version 8.0
- FirePass versions 5.5 - 5.5.2 and 6.0 - 6.0.2
- Enterprise Manager versions 1.2 - 1.4.1 and 1.6
- WANJet versions 5.0 - 5.0.2
The vulnerability only affects products for which recursion is enabled. Reportedly only the BIG-IP LTM MSM module configured for local bind has recursion enabled by default. F5 recommends to disable the DNS recursion.
See the F5 security advisory (listed in "Additional Resources" section below) to get more details.
19 - Apply the BlueCoat patches regarding the DNS vulnerability
The following BlueCoat products are affected: ProxySG, Director, ProxyAV, ProxyRA, PacketShaper and iShaper.
Regarding the BlueCoat products monitored by the Cert-IST, the editor mentions that:
- ProxySG: The "transaction ID" field and the port source number are predictible. ProxySG versions 4.2.8.7 and 5.2.4.3 will fix this vulnerability.
- ProxyAV: Uses the DNS to resolve names only for updates. Downloading of updates is protected by SSL, which prevents attacks based on spoofed DNS responses.
See the BlueCoat security advisory (listed in "Additional Resources" section below) to get more details.
20 - Apply the OpenBSD patches regarding the DNS vulnerability
English translation not available yet
21 - Apply the NetBSD patches regarding the DNS vulnerability
- NetBSD-current: July 10, 2008
- NetBSD-4-0 branch: July 16, 2008 (4.0.1 will include the fix)
- NetBSD-4 branch: July 16, 2008 (4.1 will include the fix)
- NetBSD-3-1 branch: July 24, 2008 (3.1.2 will include the fix)
- NetBSD-3-0 branch: July 24, 2008 (3.0.4 will include the fix)
- NetBSD-3 branch: July 24, 2008 (3.2 will include the fix)
- pkgsrc: bind-9.4.2pl1 and bind-9.5.0pl1 corrects the issue
22 - Apply the Secure Computing patches for CyberGuard regarding the DNS vulnerability
Refer to the Secure Computing Knowledgebase article 11446.
23 - Apply the Apple patches regarding the DNS vulnerability
The vulnerability is fixed in the 2008-005 security update for the following systems:
- Mac OS X v10.4.11 (Client)
- Mac OS X Server v10.4.11
- Mac OS X v10.5 to v10.5.3 (Client)
- Mac OS X Server v10.5 to v10.5.4
Note: Several sources (SANS, nCircle) mention that, event after applying the patches, client installations remain vulnerable (port randomisation is not implemented on these installations).
24 - Update Arkoon UTM FAST360 with the version 4.2/4 or 4.0/13
English translation not available yet- Arkoon updates (restricted access)
|
|
Standard vulnerability IDs
Additional Resources
- Microsoft security advisory MS08-037 dated July 10, 2008
- Microsoft security advisory 956187 dated July 25, 2008
- Interview of Dan Kaminsky by "Network Security Podcast" - dated July 8, 2008
- US-CERT security advisory TA08-190B dated July 8, 2008
- ISC security advisory dated July 8, 2008
- ISC Release Notes for BIND 9.5.0-P1
- ISC Release Notes for BIND 9.4.2-P1
- ISC Release Notes for BIND 9.3.5-P1
- Nortel security advisory 2008009038 dated August 28, 2008
- Cisco security advisory "cisco-sa-20080708-dns" dated July 8, 2008
- Linux Debian security advisory DSA-1603 dated July 8, 2008
- Linux Debian security advisory DSA-1604 dated July 8, 2008
- Linux Debian security advisory DSA-1605 dated July 8, 2008
- Linux Debian security advisory DSA-1617 dated July 25, 2008
- Linux Debian security advisory DSA-1619 dated July 27, 2008 (python-dns)
- Linux Debian security advisory DSA-1623-1 dated August 1, 2008 (Dnsmasq)
- Linux Red Hat security advisory RHSA-2008:0533-01 dated July 9, 2008
- Linux Red Hat security advisory RHSA-2008-0789 dated August 11, 2008 (dnsmasq)
- Linux Ubuntu security advisory usn-622-1 dated July 8, 2008
- Linux Ubuntu security advisory USN-627-1 dated July 22, 2008 (dnsmasq)
- Linux Fedora security advisory FEDORA-2008-6281 dated July 9, 2008
- Linux Fedora security advisory FEDORA-2008-6256 dated July 9, 2008
- Juniper security advisory PSN-2008-06-040 dated July 9, 2008
- Linux Mandriva security advisory MDVSA-2008:139 dated July 9, 2008
- Linux Slackware security advisory SSA:2008-191-02 dated July 9, 2008
- Linux Slackware security advisory SSA:2008-205 dated July 23, 2008 (dnsmasq)
- Sun security advisory 239392 dated July 8, 2008
- Sun security advisory 240048 dated July 28, 2008
- Linux SuSE security advisory SUSE-SA:2008:033 dated July 11, 2008
- Linux SuSE security advisory SUSE-SR:2008:017 dated August 29, 2008
- FreeBSD security advisory FreeBSD-SA-08:06 dated July 13, 2008
- Novell security advisory 7000912 dated July 14, 2008
- Hewlett-Packard security advisory HPSBUX02351 - SSRT080058 dated July 16, 2008
- IBM information regarding IBM product
- US-CERT information regarding F5 products
- F5 security advisory 8938 dated July 14, 2008 (restricted access)
- Blue Coat Systems security advisory dated July 14, 2008
- OpenBSD security advisory dated July 23, 2008 (OpenBSD 4.2)
- OpenBSD security advisory dated July 23, 2008 (OpenBSD 4.3)
- NetBSD security advisory NetBSD-SA2008-007 dated July 24, 2008
- Apple security advisory HT2647 dated August 1, 2008
- Arkoon security advisory AK-2008-01 dated July 22, 2008 (restricted access)
- Hewlett-Packard security advisory HPSBOV02357-SSRT080058 dated August 13, 2008
- Hewlett-Packard security advisory HPSBTU02358-SSRT080058 dated August 13, 2008
|
|
History
|
|
|
|
|
|
|
|
|
|
Version |
|
|
|
Comment |
|
|
|
Date |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4.5 |
|
|
|
Linux SuSE security advisory SUSE-SR:2008:017 |
|
|
|
02 September 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4.4 |
|
|
|
Hewlett-Packard advisories HPSBOV02357-SSRT080058 and HPSBTU02358-SSRT080058 |
|
|
|
14 August 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4.3 |
|
|
|
Patches for Solaris 8 and 9 |
|
|
|
11 August 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4.2 |
|
|
|
Updated the HP solution for BIND 8.1.2 |
|
|
|
07 August 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4.1 |
|
|
|
Arkoon security advisory (AK-2008-01) and issues on Mac OS X client |
|
|
|
05 August 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4.0 |
|
|
|
New BIND versions that fix performance issues |
|
|
|
04 August 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.8 |
|
|
|
Linux Debian security advisory (DSA-1623-1) for Dnsmasq |
|
|
|
01 August 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.7 |
|
|
|
Apple security advisory (HT2647) |
|
|
|
01 August 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.6 |
|
|
|
Sun alert 240048 (Workarounds for Solaris 8 and 9) and secure Computing patches for CyberGuard |
|
|
|
30 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.5 |
|
|
|
NetBSD security advisory (NetBSD-SA2008-007) |
|
|
|
25 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.4 |
|
|
|
Security advisory for OpenBSD 4.2 and 4.3 |
|
|
|
25 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.3 |
|
|
|
Linux Debian security advisory (DSA-1617) for SELinux |
|
|
|
25 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.2 |
|
|
|
Linux Slackware security advisory (SSA:2008-205) |
|
|
|
24 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.1 |
|
|
|
Linux Ubuntu security advisory (USN-627-1) |
|
|
|
23 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.0 |
|
|
|
CERT-IST/DG-2008.007 Potential Danger; update of the BIND solution (performances impacts) |
|
|
|
22 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2.5 |
|
|
|
HP solution for BIND 9.2.0 |
|
|
|
21 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2.4 |
|
|
|
BlueCoat security advisory |
|
|
|
18 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2.3 |
|
|
|
HP, IBM and F5 advisories |
|
|
|
17 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2.2 |
|
|
|
FreeBSD and Novell security advisories |
|
|
|
15 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2.1 |
|
|
|
Linux SuSE security advisory (SUSE-SA:2008:033) |
|
|
|
11 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2.0 |
|
|
|
Multiple vendor patches released |
|
|
|
10 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1.0 |
|
|
|
Advisory creation |
|
|
|
09 July 2008 |
|
|
|
|
|
|
|
|
|
|
|
|
|
