
AL-2007.0089 -- [UNIX/Linux][Win] -- New BIND 9 versions released fixing DNS cache poisoning vulnerability

Date: 25 July 2007
References: ESB-2007.0557  ESB-2007.0559  ESB-2007.0564  ESB-2007.0580  ESB-2007.0590  ESB-2007.0634  ESB-2007.0668  ESB-2007.0702  ESB-2007.0718  ESB-2007.0913  


A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2007.0089 -- AUSCERT ALERT
   New BIND 9 versions released fixing DNS cache poisoning vulnerability
                               25 July 2007


        AusCERT Alert Summary

Product:              BIND 9.4.0 and 9.4.1
                      BIND 9.5.0a1 to 9.5.0a5
                      BIND 9.3.0 to 9.3.4
                      BIND 9.2.0 to 9.2.8
                      BIND 9.1.x (all versions)
                      BIND 9.0.x (all versions)
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Reduced Security
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-2926 CVE-2007-2925


	When BIND 9 is used as a resolver or DNS cache, future DNS query IDs 
	may be guessed by a remote attacker due to a flaw in the random number 
	generation. Two new attack methods have been disclosed, with proof of 
	concept code publicly released, that make DNS poisoning efficient and 
	feasible using this weakness. 

	New versions of BIND 9 have now been released fixing this vulnerability.

	In addition to this weakness, versions of BIND 9 prior to this new 
	release did not set access control lists (ACLs) correctly by default. 
	The previous default settings allowed anyone to make recursive queries 
	or query the cache contents. 

	Note however that the first vulnerability of cache poisoning may still
	be exploited even if recursion is restricted to internal hosts, by 
	enticing an internal user or host to click on a link or resolve an 
	attacker-controlled domain name in any other way.


	A remote attacker may cause false information to be inserted into the
	BIND 9 DNS cache, for domain names of the attacker's choosing.  

	The BIND server will then serve the false information to internal hosts,
	potentially directing all internal users and computers to access 
	malicious sites when a legitimate domain name is queried.

	Attackers may attempt to use this vulnerability to steal users' 
	login passwords for trusted websites by directing users to a fake
	login screen, or alternatively may direct internal computers to a 
	malicious server in order to attempt installation of malicious software 
	via separate client software vulnerabilities or social engineering.


	New versions of BIND 9 have now been released fixing the DNS poisoning
	vulnerability. The fixed versions are BIND 9.4.1-P1, BIND 9.5.0a6, 
	BIND 9.3.4-P1 and BIND 9.2.8-P1 [4].

	To address the second issue (weak ACLs set by default) ISC has also 
	recommended the following configuration changes if not already 
	implemented: [1]

	- Set the allow-query-cache and allow-recursion ACLs to 

	    { localnets; localhost; };

	- If recursion for local clients is required:

	    options {
	        recursion yes; // default
	        allow-recursion { localnets; localhost; };
	        allow-query-cache { localnets; localhost; };
	    };

	- If recursion is not required:

	    options {
	        recursion no;
	        allow-query-cache { localnets; localhost; };
	    };
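	Once the ACLs above are in place, the obvious follow-up is to confirm from
	both a local and a non-local vantage point what the server actually tells
	each client. The following script is an added example, not part of this
	alert, of ISC's advisory or of BIND: it parses the header that `dig`
	prints for a response and compares it with the policy the alert
	recommends, namely that a client permitted recursion gets the RA flag
	and an answer, while any other client gets REFUSED with RA clear (BIND
	clears RA for clients the allow-recursion ACL excludes). The `dig`
	outputs embedded below are constructed samples, not real captures, and
	`resolver.internal` is a placeholder host name. Query a name the server
	is not authoritative for; authoritative answers are returned to everyone
	regardless of these ACLs, so they say nothing about recursion or cache
	exposure.

```python
"""Check, from a client's vantage point, whether a BIND 9 resolver offers
recursion or cache access to that client.

Added example; not part of the AusCERT alert, ISC's advisory or BIND.
"""
import re
from typing import Dict, List

# Matches the dig line ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712"
_STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*?status:\s*([A-Z]+)", re.MULTILINE)
# Matches the dig line ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..."
_FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*?);", re.MULTILINE)


def parse_dig_header(dig_output: str) -> Dict[str, object]:
    """Extract the response status and the set of header flags from dig's text output."""
    status = _STATUS_RE.search(dig_output)
    flags = _FLAGS_RE.search(dig_output)
    if not status or not flags:
        raise ValueError("no dig response header found (server unreachable or output truncated?)")
    return {"status": status.group(1), "flags": set(flags.group(1).split())}


def audit_resolver_exposure(dig_output: str, client_allowed: bool) -> Dict[str, object]:
    """Compare what the server told this client with the recommended ACL policy.

    client_allowed is True for a client inside localnets/localhost on a
    server configured with 'recursion yes'; with 'recursion no' every
    client should be audited with client_allowed=False.
    Returns the parsed header plus a list of policy violations (empty when compliant).
    """
    hdr = parse_dig_header(dig_output)
    violations: List[str] = []
    ra_set = "ra" in hdr["flags"]
    if client_allowed:
        if not ra_set:
            violations.append("allowed client not offered recursion (RA clear)")
        if hdr["status"] == "REFUSED":
            violations.append("allowed client refused; check allow-recursion/allow-query-cache ACLs")
    else:
        if ra_set:
            violations.append("recursion offered to a non-allowed client (RA set)")
        if hdr["status"] != "REFUSED":
            violations.append("non-allowed client received %s instead of REFUSED" % hdr["status"])
    hdr["violations"] = violations
    hdr["compliant"] = not violations
    return hdr


# Constructed sample outputs in the format dig prints; not real captures.
SAMPLE_LOCAL_OK = """\
; <<>> DiG 9.4.1-P1 <<>> www.example.net @resolver.internal
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_EXTERNAL_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_EXTERNAL_OPEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for label, output, allowed in (
        ("local client, recursion permitted", SAMPLE_LOCAL_OK, True),
        ("external client, ACLs applied", SAMPLE_EXTERNAL_REFUSED, False),
        ("external client, old open defaults", SAMPLE_EXTERNAL_OPEN, False),
    ):
        result = audit_resolver_exposure(output, allowed)
        print(label, "->", "compliant" if result["compliant"] else result["violations"])
```

	In practice the inputs come from running `dig` on a host inside the local
	networks and on one outside them and feeding each output to
	`audit_resolver_exposure`; the third sample shows what the pre-P1 default
	ACLs look like to an outside client.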


	The weak random number generation for DNS query ids allows a 1 in 8 chance 
	of guessing the next query id for 50% of the query ids.

	This issue affects outgoing queries, generated by BIND 9 to answer 
	questions as a resolver, or when it is looking up data for internal uses, 
	such as when sending NOTIFYs to slave name servers.
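	A resolver operator can get an early warning that query IDs are not
	behaving like random 16-bit values without reproducing the analysis in
	the referenced paper. The script below is an added example, not part of
	this alert or of BIND, and it does not implement the published attack:
	it applies two generic statistical tests to a captured sequence of
	query IDs (for instance the id field of outgoing queries seen on the
	resolver's wire), the number of distinct values against what a uniform
	16-bit source would give, and the correlation between each ID and its
	successor. The three ID sequences it runs on are constructed here (a
	seeded PRNG, a linear counter, and a 64-value cycle) and are not
	BIND's generator.

```python
"""Defensive sanity check for the unpredictability of DNS query (transaction) IDs.

Added example; not part of the AusCERT alert or of BIND, and not the
attack from the referenced paper. Flags sequences that are obviously
non-random by two generic tests.
"""
import math
import random
from typing import Dict, List

ID_SPACE = 1 << 16  # DNS query IDs are 16-bit values


def expected_distinct(n: int, space: int = ID_SPACE) -> float:
    """Expected number of distinct values when n IDs are drawn uniformly from space."""
    return space * (1.0 - (1.0 - 1.0 / space) ** n)


def serial_correlation(ids: List[int]) -> float:
    """Pearson correlation between each ID and the one that follows it.

    A well-behaved generator gives a value near 0; a counter-like generator
    gives a value near 1 or -1."""
    xs, ys = ids[:-1], ids[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        return 1.0  # constant sequence: perfectly predictable
    return cov / (sx * sy)


def assess_query_ids(ids: List[int], max_abs_corr: float = 0.1,
                     min_distinct_ratio: float = 0.9) -> Dict[str, object]:
    """Return findings for a captured sequence of query IDs.

    distinct_ratio: observed distinct IDs divided by the uniform expectation.
    serial_correlation: see serial_correlation().
    The thresholds are conservative defaults chosen for this example."""
    if len(ids) < 100:
        raise ValueError("need at least 100 observed IDs for a meaningful check")
    ratio = len(set(ids)) / expected_distinct(len(ids))
    corr = serial_correlation(ids)
    reasons = []
    if ratio < min_distinct_ratio:
        reasons.append("too few distinct IDs")
    if abs(corr) > max_abs_corr:
        reasons.append("successive IDs are correlated")
    return {"distinct_ratio": ratio, "serial_correlation": corr,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed ID sequences for demonstration; none of these is BIND's generator.
def sample_random(n: int = 2000, seed: int = 7) -> List[int]:
    """Seeded PRNG standing in for a healthy 16-bit ID source."""
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(n)]


def sample_counter(n: int = 2000, start: int = 1000, step: int = 3) -> List[int]:
    """Linear counter: every value distinct, but each one determined by the last."""
    return [(start + i * step) % ID_SPACE for i in range(n)]


def sample_small_cycle(n: int = 2000, period: int = 64) -> List[int]:
    """Generator that only ever visits 64 of the 65536 possible IDs."""
    return [(i * 17) % period for i in range(n)]


if __name__ == "__main__":
    for name, ids in (("random", sample_random()), ("counter", sample_counter()),
                      ("small cycle", sample_small_cycle())):
        print(name, assess_query_ids(ids))
```

	Passing either test is not proof of a sound generator (the flaw in the
	affected BIND versions is more subtle than a counter), but failing one
	means the resolver should be upgraded or its ID source investigated.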

	Further details of the vulnerability and attacks are provided in 
	the paper "BIND 9 DNS Cache Poisoning" [2][3].


	[1] ISC BIND 9 security announcements

	[2] BIND 9 DNS Cache Poisoning paper - Amit Klein

	[3] BIND 9 DNS Cache Poisoning executive summary - Amit Klein

	[4] ISC BIND 9.4.1 Release

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.