Australia's Leading Computer Emergency Response Team
 
BIND up your DNS - The recent BIND vulnerability

Date: 26 July 2007
References: AL-2007.0089  ESB-2007.0557  ESB-2007.0559  


Yesterday (25th July 2007) we were made aware of a vulnerability in BIND (a very common DNS server) that can allow false information to be added into the DNS cache. The problem is with the random number generation, giving a 1 in 8 chance of an attacker guessing the next query id for 50% of the query ids. Perhaps they need a true random number generator.

If this attack were exploited in an organization such as, say, a major ISP, then the attacker could change the cached IP address in the DNS entry for a popular site like youtube.com to an IP address that the attacker controls. Then when the customers of the ISP log into YouTube they would be directed to the attacker's system. If the attacker had a mock-up of the YouTube web site, it could be used to obtain login details from that ISP's entire customer base, or to attempt to send web browser exploits to all of their computers. This would also be possible with other web sites like banking web sites, or the entire .com domain, as attackers have done with previous poisoning vulnerabilities.

The developers of BIND have already released a fix for this and we recommend upgrading. Further information is available on our alert (AL-2007.0089) and subsequent bulletins for Red Hat and Debian.

Richard
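
A resolver silently drops replies whose query id does not match the one it sent, so guessing attempts are only visible to a sensor watching the resolver's upstream traffic. The following is an added example, not AusCERT's or the BIND developers' code: it flags names that receive replies with wrong query ids, or a second and conflicting answer to an already answered query. The event format, the sample records and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sensor events, not real traffic (documentation address ranges):
# (time_s, kind, query_id, qname, upstream_server, answer)
EVENTS = [
    (0.000, "query",    0x1A2B, "www.example.com",  "192.0.2.53", None),
    (0.004, "response", 0x1A2C, "www.example.com",  "192.0.2.53", "203.0.113.66"),
    (0.005, "response", 0x1A2E, "www.example.com",  "192.0.2.53", "203.0.113.66"),
    (0.006, "response", 0x1A2B, "www.example.com",  "192.0.2.53", "203.0.113.66"),
    (0.031, "response", 0x1A2B, "www.example.com",  "192.0.2.53", "198.51.100.10"),
    (1.000, "query",    0x77F0, "mail.example.org", "192.0.2.54", None),
    (1.020, "response", 0x77F0, "mail.example.org", "192.0.2.54", "198.51.100.25"),
]

def detect(events, mismatch_threshold=2):
    """Return {qname: finding} for names showing signs of query id guessing."""
    outstanding = {}                 # (qname, server) -> query id the resolver sent
    accepted = {}                    # (qname, server) -> first answer with the right id
    mismatches = defaultdict(int)    # qname -> replies seen with a wrong id
    conflicts = {}                   # qname -> (accepted answer, later answer)
    for _t, kind, qid, qname, server, answer in sorted(events, key=lambda e: e[0]):
        key = (qname, server)
        if kind == "query":
            outstanding[key] = qid
            accepted.pop(key, None)
        elif key in outstanding:
            if qid != outstanding[key]:
                mismatches[qname] += 1   # dropped by the resolver, counted by the sensor
            else:
                accepted[key] = answer
                del outstanding[key]
        elif key in accepted and answer != accepted[key]:
            # A second, different answer to an already answered query:
            # one of the two did not come from the real server.
            conflicts[qname] = (accepted[key], answer)
    findings = {}
    for qname in set(mismatches) | set(conflicts):
        if mismatches[qname] >= mismatch_threshold or qname in conflicts:
            findings[qname] = {"id_mismatches": mismatches[qname],
                               "conflict": conflicts.get(qname)}
    return findings

if __name__ == "__main__":
    for name, finding in detect(EVENTS).items():
        print(name, finding)
```

A production sensor would also expire `outstanding` and `accepted` entries after a timeout and include the source port in the key.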