Multiple vendor compressed DNS packet denial of service

cisco-dns-dos (20712). Risk level: Low

Description:

Multiple Cisco products are vulnerable to a denial of service attack caused by improper handling of compressed Domain Name System (DNS) packets. By sending a specially crafted DNS packet containing a label length byte with an incorrect offset, a remote attacker could cause the affected device to crash.

Note: This vulnerability also affects other DNS implementations, including DeleGate, DNRD, and PowerDNS. See References.
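
The CVE entries under References describe the failure as an infinite loop while expanding a compressed name. As an added example (not code from this advisory or from any affected product), here is a bounded decoder for RFC 1035 compressed names; `dns_read_name`, the constructed sample arrays and the backward-only pointer rule are choices made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_MAX_NAME 255  /* RFC 1035 limit on an encoded name */

/* Constructed sample messages: 12-byte zero header, then name data. */
static const uint8_t sample_ok[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* offset 12 */
    3,'w','w','w', 0xC0,0x0C };      /* offset 25: www + pointer to 12 */
static const uint8_t sample_loop[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    1,'a', 0xC0,0x0C };    /* pointer at 14 leads back into its own name */

/* Decode the name at msg[off] into out as dotted text.
 * Returns 0 on success, -1 if the encoding is malformed. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t outlen)
{
    size_t seg_start = off;  /* where the current run of labels began */
    size_t wire = 0, o = 0;  /* encoded bytes consumed, text bytes written */
    for (;;) {
        if (off >= len) return -1;              /* ran off the message */
        uint8_t b = msg[off];
        if ((b & 0xC0) == 0xC0) {               /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(b & 0x3F) << 8) | msg[off + 1];
            /* A jump must land strictly before the current segment, so
             * seg_start only decreases and the walk always terminates. */
            if (target >= seg_start) return -1;
            off = seg_start = target;
            continue;
        }
        if (b & 0xC0) return -1;                /* reserved 01/10 label types */
        if (b == 0) break;                      /* root label: end of name */
        wire += (size_t)b + 1;
        if (wire + 1 > DNS_MAX_NAME) return -1; /* over-long name */
        if (off + 1 + b > len) return -1;       /* label overruns message */
        if (o + b + 2 > outlen) return -1;      /* label + dot + NUL must fit */
        if (o) out[o++] = '.';
        memcpy(out + o, msg + off + 1, b);
        o += b;
        off += (size_t)b + 1;
    }
    if (o + 1 > outlen) return -1;
    out[o] = '\0';
    return 0;
}
```

Checking the pointer only against its own position is not enough: in `sample_loop` the pointer at offset 14 does point backwards, but the labels it lands on run forward into the same pointer again, which is why the target is compared with the start of the current segment.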

Platforms Affected:

  • Cisco, Application and Content Networking Software
  • Cisco, ATA-186
  • Cisco, ATA-188
  • Cisco, IP Phone 7902
  • Cisco, IP Phone 7905
  • Cisco, IP Phone 7912
  • Cisco, Subscriber Edge Services Manager
  • Cisco, Unity Express
  • DeleGate, DeleGate 5.9
  • DeleGate, DeleGate 5.9.3
  • DeleGate, DeleGate 6.0
  • DeleGate, DeleGate 7.7.0
  • DeleGate, DeleGate 7.7.1
  • DeleGate, DeleGate 7.8.0
  • DeleGate, DeleGate 7.8.1
  • DeleGate, DeleGate 7.8.2
  • DeleGate, DeleGate 7.9.11
  • DeleGate, DeleGate 8.10
  • DeleGate, DeleGate 8.10.1
  • DeleGate, DeleGate 8.10.2
  • DeleGate, DeleGate 8.3.3
  • DeleGate, DeleGate 8.3.4
  • DeleGate, DeleGate 8.4.0
  • DeleGate, DeleGate 8.5.0
  • DeleGate, DeleGate 8.9
  • DeleGate, DeleGate 8.9.1
  • DeleGate, DeleGate 8.9.2
  • DeleGate, DeleGate 8.9.3
  • DeleGate, DeleGate 8.9.4
  • DeleGate, DeleGate 8.9.5
  • DeleGate, DeleGate 8.9.6
  • DNRD, DNRD 1.0
  • DNRD, DNRD 1.1
  • DNRD, DNRD 1.2
  • DNRD, DNRD 1.3
  • DNRD, DNRD 1.4
  • DNRD, DNRD 2.0
  • DNRD, DNRD 2.1
  • DNRD, DNRD 2.2
  • DNRD, DNRD 2.3
  • DNRD, DNRD 2.4
  • DNRD, DNRD 2.5
  • DNRD, DNRD 2.6
  • DNRD, DNRD 2.7
  • DNRD, DNRD 2.8
  • DNRD, DNRD 2.9
  • PowerDNS, PowerDNS 2.0 RC1
  • PowerDNS, PowerDNS 2.8
  • PowerDNS, PowerDNS 2.9.0
  • PowerDNS, PowerDNS 2.9.1
  • PowerDNS, PowerDNS 2.9.10
  • PowerDNS, PowerDNS 2.9.11
  • PowerDNS, PowerDNS 2.9.12
  • PowerDNS, PowerDNS 2.9.13
  • PowerDNS, PowerDNS 2.9.14
  • PowerDNS, PowerDNS 2.9.15
  • PowerDNS, PowerDNS 2.9.16
  • PowerDNS, PowerDNS 2.9.2
  • PowerDNS, PowerDNS 2.9.3A
  • PowerDNS, PowerDNS 2.9.4
  • PowerDNS, PowerDNS 2.9.5
  • PowerDNS, PowerDNS 2.9.6
  • PowerDNS, PowerDNS 2.9.7
  • PowerDNS, PowerDNS 2.9.8

Remedy:

Upgrade to the latest fixed version, as listed in Cisco Security Advisory 2005 May 24 1200 UTC (GMT). See References.

Consequences:

Denial of Service

References:

  • Cisco Security Notice 2005 May 24 1200 UTC (GMT), Crafted DNS Packet Can Cause Denial Of Service at http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml.
  • NISCC Vulnerability Advisory 589088/NISCC/DNS, Vulnerability Issue in Implementations of the DNS Protocol at http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html.
  • BID-13729: Multiple Vendor DNS Message Decompression Remote Denial of Service Vulnerability
  • CVE-2005-0036: The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.
  • CVE-2005-0037: The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.
  • CVE-2005-0038: The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.
  • CVE-2005-4794: Cisco IP Phones 7902/7905/7912, ATA 186/188, Unity Express, ACNS, and Subscriber Edge Services Manager (SESM) allows remote attackers to cause a denial of service (crash or instability) via a compressed DNS packet with a label length byte with an incorrect offset.
  • OSVDB ID: 19003: Multiple Vendor Unspecified Compressed DNS Message DoS (1)
  • OSVDB ID: 25291: Multiple Vendor Crafted Compressed DNS Packet DoS
  • SA15472: Cisco Various Products Compressed DNS Messages Denial of Service
  • SECTRACK ID: 1014043: Cisco IP Phones Can Be Crashed With Specially Crafted Compressed DNS Data
  • SECTRACK ID: 1014044: Cisco ATA Can Be Crashed With Specially Crafted Compressed DNS Data
  • SECTRACK ID: 1014045: Cisco Unity Express Can Be Crashed With Specially Crafted Compressed DNS Data
  • SECTRACK ID: 1014046: Cisco ACNS Can Be Crashed With Specially Crafted Compressed DNS Data
  • SECTRACK ID: 1015975: Cisco Subscriber Edge Services Manager Can Be Crashed With Specially Crafted Compressed DNS Data

Reported:

May 24, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
