Date: 25 July 2007
References: ESB-2007.0557 ESB-2007.0559 ESB-2007.0564 ESB-2007.0580 ESB-2007.0590 ESB-2007.0634 ESB-2007.0668 ESB-2007.0702 ESB-2007.0718 ESB-2007.0913
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2007.0089 -- AUSCERT ALERT
[UNIX/Linux][Win]
New BIND 9 versions released fixing DNS cache poisoning vulnerability
25 July 2007
===========================================================================
AusCERT Alert Summary
---------------------
Product:            BIND 9.4.0 and 9.4.1
                    BIND 9.5.0a1 to 9.5.0a5
                    BIND 9.3.0 to 9.3.4
                    BIND 9.2.0 to 9.2.8
                    BIND 9.1.x (all versions)
                    BIND 9.0.x (all versions)
Operating System:   UNIX variants (UNIX, Linux, OSX)
                    Windows
Impact:             Reduced Security
                    Provide Misleading Information
Access:             Remote/Unauthenticated
CVE Names:          CVE-2007-2926 CVE-2007-2925
OVERVIEW:
When BIND 9 is used as a resolver or DNS cache, future DNS query IDs
may be guessed by a remote attacker due to a flaw in the random number
generation.
Two new attack methods have been disclosed, with proof of concept code
publicly released, that make DNS poisoning efficient and feasible
using this weakness.
New versions of BIND 9 have now been released fixing this vulnerability.
In addition to this weakness, versions of BIND 9 prior to this new
release did not set access control lists (ACLs) correctly by default.
The previous default settings allowed any host to make recursive queries
or to query the cache contents.
Note, however, that restricting recursion to internal hosts does not by
itself prevent the cache poisoning attack: the attacker need only cause
an internal user or host to resolve an attacker-controlled domain name,
for example by enticing a user to click on a link, and can then target
the outgoing queries the resolver makes on that host's behalf.
IMPACT:
A remote attacker may cause false information to be inserted into the
BIND 9 DNS cache, for domain names of the attacker's choosing.
The BIND server will then serve the false information to internal hosts,
potentially directing all internal users and computers to access
malicious sites when a legitimate domain name is queried.
Attackers may attempt to use this vulnerability to steal users'
login passwords for trusted websites by directing users to a fake
login screen, or alternatively may direct internal computers to a
malicious server in order to attempt installation of malicious software
via separate client software vulnerabilities or social engineering.
MITIGATION:
New versions of BIND 9 have now been released fixing the DNS poisoning
vulnerability. The fixed versions are BIND 9.4.1-P1, BIND 9.5.0a6,
BIND 9.3.4-P1 and BIND 9.2.8-P1 [4].
To address the second issue (weak ACLs set by default) ISC has also
recommended the following configuration changes if not already
implemented: [1]
- Set the allow-query-cache and allow-recursion ACLs to
  { localnets; localhost; };

- If recursion for local clients is required:

    options {
        recursion yes;                               // default
        allow-recursion { localnets; localhost; };
        allow-query-cache { localnets; localhost; };
        ...
    };

- If recursion is not required:

    options {
        recursion no;
        allow-query-cache { localnets; localhost; };
        ...
    };
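The following script is an added example (not ISC or AusCERT code) that checks a named.conf options block and a reported BIND version against the two points in this alert: whether the version is one of the fixed releases listed above, and whether allow-recursion and allow-query-cache are restricted to { localnets; localhost; } as ISC recommends. The two configuration snippets embedded in it are constructed for illustration; the parser only reads simple statements in the top-level options block and skips nested sub-statements, and any named ACL other than localnets/localhost is flagged for manual review rather than accepted.

```python
"""Audit a BIND 9 options block for the issues in AusCERT AL-2007.0089.

Added example, not ISC or AusCERT code. The sample configurations below are
constructed; the parser handles simple `key value;` and `key { a; b; };`
statements in the top-level options block and ignores nested sub-blocks.
"""
import re

# Fixed releases named in the MITIGATION section of the alert.
FIXED_VERSIONS = {"9.4.1-P1", "9.5.0a6", "9.3.4-P1", "9.2.8-P1"}

# ISC's recommended ACL for recursion and cache access.
SAFE_ACL = {"localnets", "localhost"}

# Constructed sample: the pre-fix situation, where neither ACL is set.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };   // anyone may ask, and recursion is unrestricted
};
"""

# Constructed sample: the configuration ISC recommends for local recursion.
FIXED_CONF = """
options {
    directory "/var/named";
    recursion yes;   // default
    allow-recursion { localnets; localhost; };
    allow-query-cache { localnets; localhost; };
};
"""


def parse_options(conf: str) -> dict:
    """Return {statement: value} for the top-level options { ... } block.

    Values are strings for `key value;` statements and sets of tokens for
    `key { a; b; };` statements. Comments (// and #) are stripped first.
    Raises ValueError if no options block is present.
    """
    text = re.sub(r"(//|#)[^\n]*", "", conf)
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        raise ValueError("no options block found")
    # Walk the braces to find the close of the options block.
    depth, i = 0, start.end() - 1
    while i < len(text):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                break
        i += 1
    body = text[start.end():i]
    opts = {}
    stmt_re = re.compile(r"(?<![\w-])([a-z][\w-]*)\s+(\{[^}]*\}|[^;{]+);")
    for m in stmt_re.finditer(body):
        key, val = m.group(1), m.group(2).strip()
        if val.startswith("{"):
            opts[key] = {t.strip() for t in val.strip("{}").split(";") if t.strip()}
        else:
            opts[key] = val
    return opts


def audit(conf: str, version: str) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if version not in FIXED_VERSIONS:
        findings.append(
            f"BIND {version} is not a fixed release; upgrade to one of "
            + ", ".join(sorted(FIXED_VERSIONS))
        )
    opts = parse_options(conf)
    recursion = opts.get("recursion", "yes")  # BIND's default is recursion yes
    for acl in ("allow-recursion", "allow-query-cache"):
        if acl == "allow-recursion" and recursion == "no":
            continue  # no recursion offered, so no recursion ACL needed
        value = opts.get(acl)
        if value is None:
            findings.append(f"{acl} not set: pre-fix default allowed any host")
        elif not value <= SAFE_ACL:
            # Anything beyond localnets/localhost (including named ACLs) is
            # reported so an operator can confirm it is intentional.
            extra = ", ".join(sorted(value - SAFE_ACL))
            findings.append(f"{acl} allows [{extra}]; restrict to localnets; localhost")
    return findings


if __name__ == "__main__":
    for label, conf, ver in (("weak", WEAK_CONF, "9.4.1"), ("fixed", FIXED_CONF, "9.4.1-P1")):
        print(f"{label}: {audit(conf, ver) or 'no findings'}")
```

Run it against a real named.conf by passing the file contents and the output of `named -v` to audit(); the version check is only as good as the list of fixed releases in the alert, so newer releases must be added to FIXED_VERSIONS.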
DETAILS:
The weak random number generation for DNS query IDs gives an attacker a
1 in 8 chance of guessing the next query ID in roughly half of all cases,
compared with 1 in 65536 for a properly random 16-bit ID.
This issue affects outgoing queries, generated by BIND 9 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers.
Further details of the vulnerability and attacks are provided in
the paper "BIND 9 DNS Cache Poisoning" [2][3].
REFERENCES:
[1] ISC BIND 9 security announcements
http://www.isc.org/index.pl?/ws/bind/bind-security.php
[2] BIND 9 DNS Cache Poisoning paper - Amit Klein
http://www.trusteer.com/docs/bind9dns.html
[3] BIND 9 DNS Cache Poisoning executive summary - Amit Klein
http://www.trusteer.com/docs/bind9dns_s.html
[4] ISC BIND 9.4.1 Release
http://www.isc.org/sw/bind/view/?release=9.4.1
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRqajWSh9+71yA2DNAQJqgQQAh1ercELD7WuAOJLvwZhEcyFhHkDtJt+x
kw20qnRjL7EcKQMqthqi9yS9m36GapkUJzAygkbrmyT6yCC5NXleIEgViuHHaiuO
PLmMDBB8pgCq8bWtPiPumQG4HnzbP5vKw9Ur5aSdwjI6Gz4GMQfo5p8KMKNc1sVy
4BscEzxfZa4=
=XGbQ
-----END PGP SIGNATURE-----