Computer Emergency Response Team - Industrie Services et Tertiaire
DNS vulnerability

Reference: CERT-IST/AV-2008.310
Version: 4.5
Version date: 02 September 2008

Vulnerability Classification
Risk:
high
Impact: Integrity
Leverage
Confidence: Vendor-acknowledged
Attack expertise: Skilled
Attack requirements: Remote (no account) over a standard service

System Information
Affected Platform(s):
  • Platform independent
Affected Software(s):
  • DNS servers
  • DNS clients
Remarks: This vulnerability affects potentially all DNS servers and clients. The following vendors have published security advisories:
  • ISC BIND
  • Microsoft Windows
  • CISCO
  • Linux
  • Juniper
  • SUN

Description
Publication context:
 [Version 4.0] This advisory has been re-issued (04-Aug-08) following the release of new versions of BIND (9.5.0-P2, 9.4.2-P2 and 9.3.5-P2) that fix the performance issues noticed in the previous P1 releases. 

[Version 3.0] This advisory has been re-issued (22-Jul-2008) following the release of the CERT-IST/DG-2008.007 Potential Danger ("Technical information leak regarding the DNS flaw"). The risk has therefore been increased to "High". The impact on the performances of the ICS BIND patch has also been added.

[Version 2.0]:This advisory has been re-issued (10-jul-2008) because multiple vendors have published patches to fix the CVE-2008-1447 vulnerability.

Note: This advisory is about the vulnerability mentioned in the confidential note sent to the Cert-IST member representatives on July 2nd, 2008.
Problem description:
A vulnerability has been discovered in the DNS (Domain Name Service) protocol. This vulnerability affects any DNS server (all vendors are potentially affected), but also in a lesser way all DNS clients. This vulnerability could allow a remote attacker to corrupt DNS entries on vulnerable DNS servers and DNS clients. This corruption could allow a malicious person to redirect any network traffic (email, web, ftp, etc..) to a machine of his choice (DNS data of legitimate sites are corrupted).
Technical information:
Regarding the large scale of machines which could be affected by this vulnerability, the technical details which allow to exploit this vulnerability are still kept secret.

According to the US-CERT, this is due to a combination of several known vulnerabilities. Among them, the US-CERT mentions the following information:
  • the "transaction ID" field of DNS requests are weak (16 bits) and not as random as it should,
  • certain DNS implementations generate multiple "query" requests about DNS records,
  • certain DNS implementations use predictable port source numbers in DNS requests.
This vulnerability concerns DNS servers, but also the "resolvers" used on client systems. The attack of DNS servers affects all clients which use such servers. The DNS client attack only affects the targeted client. It is then mandatory to fix DNS servers first.

Solution

01 - Tools which help to identify vulnerable DNS servers

    The Cert-IST recommends the following approach to deploy patches against the DNS vulnerability:
    • 1) Identify DNS servers in your organisation.
    • 2) Identify the most vulnerable DNS servers.
    • 3) Apply patches on the most vulnerable DNS servers, then on less vulnerable ones.
    • 4) Apply patches for "DNS clients" on vulnerable systems.

    For step "2)" the following tools are available.

02 - Apply the ISC BIND patches regarding the DNS vulnerability

    ISC indicates that the following versions of BIND are affected:
    • BIND 8
    • BIND 9


    ISC released :
    • "Patched" versions of BIND : 9.5.0-P1, 9.4.2-P1 et 9.3.5-P1.
    • "Beta" versions of BIND :
      • BIND 9.5.1b1
      • BIND 9.4.3b2


    The "patched" versions will have a noticeable impact on the performance of BIND caching resolvers with query rates at or above 10,000 queries per second. The beta releases reduce the impact in performance to non-significant levels.

     On August 4th 2008, ISC released new BIND versions 9.5.0-P2, 9.4.2-P2 and 9.3.5-P2 that fix the performance issues present in previous P1 releases. 

    Refer to the ISC security advisory (listed in "Additional Resources" section below) for more information.

03 - Apply the Microsoft patches regarding the DNS vulnerability

    See the CERT-IST/AV-2008.307 advisory to get the details about the patches for Microsoft Windows platforms.

04 - Apply the CISCO patches regarding the DNS vulnerability

    Cisco indicates that the following products are affected:
    • Cisco IOS Software
    • Cisco Network Registrar
    • Cisco Application and Content Networking System
    • Cisco Global Site Selector Used in Combination with Cisco Network Registrar


    See the CISCO security advisory (listed in "Additional Resources" section below) to get the appropriate patch.

05 - Apply the Linux Debian patches regarding the DNS vulnerability

    Linux Debian released patches for Debian GNU/Linux 4.0 (Etch).

    Please refer to the Linux Debian security bulletins (listed in the "Additional Resources" section) to know the package to update depending on the platform.

06 - Apply the Linux Ubuntu patches regarding the DNS vulnerability

    Linux Ubuntu released patches for the distributions:
    • Linux Ubuntu 6.06 (Dapper Drake),
    • Linux Ubuntu 7.04 (Feisty),
    • Linux Ubuntu 7.10 (Gutsy),
    • Linux Ubuntu 8.04 LTS (Hardy).


    Please refer to the Linux Ubuntu security bulletin (listed in the "Additional Resources" section) to know the package to update depending on the platform.

07 - Apply the Sun patches regarding the DNS vulnerability





SparcIntel
Solaris 8109326-23109327-23
Solaris 9112837-15 114265-14
Solaris 10119783-06119784-06
OpenSolarissnv_95snv_95


08 - Apply the Linux Fedora patches regarding the DNS vulnerability

    Linux Fedora released patches for the distributions
    • Linux Fedora 8,
    • Linux Fedora 9.


    Refer to the Linux Fedora advisories listed in the "Additional Resources" section to get the details about these fixes.

09 - Apply the Linux Red Hat patches regarding the DNS vulnerability

    Linux Red Hat released patches for the distributions :
    • Red Hat Desktop (v. 3 and 4),
    • Red Hat Enterprise Linux AS (v. 2.1, 3 and 4),
    • Red Hat Enterprise Linux ES (v. 2.1, 3 and 4),
    • Red Hat Enterprise Linux WS (v. 2.1, 3 and 4),
    • Red Hat Enterprise Linux (v. 5 server),
    • Red Hat Enterprise Linux Desktop (v. 5 client),
    • Red Hat Enterprise Linux Desktop Workstation (v. 5 client).


    Refer to the Linux Red Hat advisory listed in the "Additional Resources" section to get the details about these fixes.

10 - Apply the Juniper patches regarding the DNS vulnerability

See the Juniper security bulletin PSN-2008-06-040 ("Additional Resources" section) to get the appropriate patch.
11 - Apply the Linux Mandriva patches regarding the DNS vulnerability

    Linux Mandriva released patches for the distributions Corporate Server 3.0, 4.0, Multi Network Firewall 2, 2007.1 and 2008.0.

    Refer to the Linux Mandriva advisory listed in the "Additional Resources" section to get the details about these fixes.

12 - Apply the Linux Slackware patches regarding the DNS vulnerability

    Linux Slackware released patches for the distributions 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1 and "current".

    Refer to the Linux Slackware advisories listed in the "Additional Resources" section to get the details about these fixes.

13 - Apply the Linux SuSE patches regarding the DNS vulnerability

    Linux SuSE released patches for the distributions :
    • OpenSUSE versions 10.2, 10.3 and 11.0
    • SUSE Linux Enterprise SDK 10 SP1 and SP2
    • SUSE Linux Enterprise Server versions 9, 10 SP1 and 10 SP2.
    • SUSE Linux Enterprise Desktop 10 SP1 and SP2
    • Open Enterprise Server
    • Novell Linux Desktop 9
    • Novell Linux POS 9


    Refer to the Linux SuSE advisories listed in the "Additional Resources" section to get the details about these fixes.

14 - Apply the FreeBSD patches regarding the DNS vulnerability

English translation not available yet
15 - Apply the Novell patches regarding the DNS vulnerability

    Novell is currently working on patches.

16 - Apply the HP patches regarding the DNS vulnerability

    • HP-UX B.11.11 with BIND 8.1.2: upgrade to BIND 9.2.0 or 9.3.2 then apply one of the patches mentioned below
    • HP-UX B.11.11 with BIND 9.2.0: BIND920v11.depot
    • HP-UX B.11.11 with BIND 9.3.2: Install revision C.9.3.2.3.0 or subsequent
    • HP-UX B.11.23 with BIND 9.2.0: PHNE_37865
    • HP-UX B.11.23 with BIND 9.3.2: Install revision C.9.3.2.3.0 or subsequent
    • HP-UX B.11.31: Install revision C.9.3.2.3.0 or subsequent


    HP provides ERP (Early Release Patch) for HP Tru64 UNIX and OpenVMS:
    • HP Tru64 UNIX v 5.1B-4: install patch T64KIT1001520-V51BB27-ES-20080808 (HP Tru64 UNIX v 5.1B-4 PK6 (BL27) is required). The patch will be included in the upcomming mainstream kit HP Tru64 UNIX v 5.1B-5.
    • HP Tru64 UNIX v 5.1B-3: install patch T64KIT1001522-V51BB26-ES-20080808 (HP Tru64 UNIX v 5.1B-3 PK5 (BL26) is required). This patch will be included in the mainstream kit HP Tru64 UNIX v 5.1B-5.
    • OpenVMS: Patches will be included in the next mainstream kit HP OpenVMS TCP/IP Services v 5.6 ECO 3
  • HP Alpha BIND Server Patch for TCP/IP Services for OpenVMS v 5.4 ECO 7, v 5.5 ECO 3, v 5.6 ECO 2

17 - Apply the IBM patches regarding the DNS vulnerability

    • APAR for AIX 5.2 TL10 : IZ26667
    • APAR for AIX 5.3 TL6 : IZ26668
    • APAR for AIX 5.3 TL7 : IZ26669
    • APAR for AIX 5.3 TL8 : IZ26670
    • APAR for AIX 6.1 TL0 : IZ26671
    • APAR for AIX 6.1 TL1 : IZ26672

18 - Apply the F5 patches regarding the DNS vulnerability

    The vulnerability affects the following products and versions :
    • 3-DNS versions 4.5 - 4.5.14, 4.6 - 4.6.1, and 4.6.2 - 4.6.4
    • BIG-IP versions 4.5 - 4.5.14, 4.6 - 4.6.1, and 4.6.2 - 4.6.4
    • BIG-IP LTM versions 9.3 - 9.3.1, 9.4 - 9.4.5, and 9.6 - 9.6.1
    • BIG-IP GTM versions 9.3 - 9.3.1 and 9.4 - 9.4.5
    • BIG-IP ASM versions 9.3 - 9.3.1 and 9.4 - 9.4.5
    • BIG-IP Link Controller versions 9.3 - 9.3.1 and 9.4 - 9.4.5
    • BIG-IP WebAccelerator versions 9.4 - 9.4.5
    • BIG-IP PSM version 9.4.5
    • BIG-IP SAM version 8.0
    • FirePass versions 5.5 - 5.5.2 and 6.0 - 6.0.2
    • Enterprise Manager versions 1.2 - 1.4.1 and 1.6
    • WANJet versions 5.0 - 5.0.2


    The vulnerability only affects products for which recursion is enabled. Reportedly only the BIG-IP LTM MSM module configured for local bind has recursion enabled by default. F5 recommends to disable the DNS recursion.

    See the F5 security advisory (listed in "Additional Resources" section below) to get more details.

19 - Apply the BlueCoat patches regarding the DNS vulnerability

    The following BlueCoat products are affected: ProxySG, Director, ProxyAV, ProxyRA, PacketShaper and iShaper.

    Regarding the BlueCoat products monitored by the Cert-IST, the editor mentions that:

    • ProxySG: The "transaction ID" field and the port source number are predictible. ProxySG versions 4.2.8.7 and 5.2.4.3 will fix this vulnerability.

    • ProxyAV: Uses the DNS to resolve names only for updates. Downloading of updates is protected by SSL, which prevents attacks based on spoofed DNS responses.


    See the BlueCoat security advisory (listed in "Additional Resources" section below) to get more details.

20 - Apply the OpenBSD patches regarding the DNS vulnerability

English translation not available yet
21 - Apply the NetBSD patches regarding the DNS vulnerability

  • NetBSD-current: July 10, 2008
  • NetBSD-4-0 branch: July 16, 2008 (4.0.1 will include the fix)
  • NetBSD-4 branch: July 16, 2008 (4.1 will include the fix)
  • NetBSD-3-1 branch: July 24, 2008 (3.1.2 will include the fix)
  • NetBSD-3-0 branch: July 24, 2008 (3.0.4 will include the fix)
  • NetBSD-3 branch: July 24, 2008 (3.2 will include the fix)
  • pkgsrc: bind-9.4.2pl1 and bind-9.5.0pl1 corrects the issue

22 - Apply the Secure Computing patches for CyberGuard regarding the DNS vulnerability

    Refer to the Secure Computing Knowledgebase article 11446.

23 - Apply the Apple patches regarding the DNS vulnerability

    The vulnerability is fixed in the 2008-005 security update for the following systems:
    • Mac OS X v10.4.11 (Client)
    • Mac OS X Server v10.4.11
    • Mac OS X v10.5 to v10.5.3 (Client)
    • Mac OS X Server v10.5 to v10.5.4

     Note: Several sources (SANS, nCircle) mention that, event after applying the patches, client installations remain vulnerable (port randomisation is not implemented on these installations). 

24 - Update Arkoon UTM FAST360 with the version 4.2/4 or 4.0/13

English translation not available yet

Standard vulnerability IDs

Additional Resources

History
Version Comment Date
4.5 Linux SuSE security advisory SUSE-SR:2008:017 02 September 2008
4.4 Hewlett-Packard advisories HPSBOV02357-SSRT080058 and HPSBTU02358-SSRT080058 14 August 2008
4.3 Patches for Solaris 8 and 9 11 August 2008
4.2 Updated the HP solution for BIND 8.1.2 07 August 2008
4.1 Arkoon security advisory (AK-2008-01) and issues on Mac OS X client 05 August 2008
4.0 New BIND versions that fix performance issues 04 August 2008
3.7 Apple security advisory (HT2647) 01 August 2008
3.8 Linux Debian security advisory (DSA-1623-1) for Dnsmasq 01 August 2008
3.6 Sun alert 240048 (Workarounds for Solaris 8 and 9) and secure Computing patches for CyberGuard 30 July 2008
3.3 Linux Debian security advisory (DSA-1617) for SELinux 25 July 2008
3.4 Security advisory for OpenBSD 4.2 and 4.3 25 July 2008
3.5 NetBSD security advisory (NetBSD-SA2008-007) 25 July 2008
3.2 Linux Slackware security advisory (SSA:2008-205) 24 July 2008
3.1 Linux Ubuntu security advisory (USN-627-1) 23 July 2008
3.0 CERT-IST/DG-2008.007 Potential Danger; update of the BIND solution (performances impacts) 22 July 2008
2.5 HP solution for BIND 9.2.0 21 July 2008
2.4 BlueCoat security advisory 18 July 2008
2.3 HP, IBM and F5 advisories 17 July 2008
2.2 FreeBSD and Novell security advisories 15 July 2008
2.1 Linux SuSE security advisory (SUSE-SA:2008:033) 11 July 2008
2.0 Multiple vendor patches released 10 July 2008
1.0 Advisory creation 09 July 2008

Copyright © 1999-2005 Cert-IST. All rights reserved