ISC BIND query ID cache poisoning

isc-bind-queryid-spoofing (35575)

Medium Risk

Description:

ISC BIND could allow a remote attacker to poison the DNS cache, caused by a vulnerability in the DNS query ID generation code where predictable query IDs in only outgoing queries are generated. A remote attacker could exploit this vulnerability to guess the next query ID and perform DNS Cache Poisoning.

Platforms Affected:

• Apple, Mac OS X 10.4
• Apple, Mac OS X 10.4.1
• Apple, Mac OS X 10.4.10
• Apple, Mac OS X 10.4.2
• Apple, Mac OS X 10.4.3
• Apple, Mac OS X 10.4.4
• Apple, Mac OS X 10.4.5
• Apple, Mac OS X 10.4.6
• Apple, Mac OS X 10.4.7
• Apple, Mac OS X 10.4.8
• Apple, Mac OS X 10.4.9
• Apple, Mac OS X Server 10.4
• Apple, Mac OS X Server 10.4.1
• Apple, Mac OS X Server 10.4.10
• Apple, Mac OS X Server 10.4.2
• Apple, Mac OS X Server 10.4.3
• Apple, Mac OS X Server 10.4.4
• Apple, Mac OS X Server 10.4.5
• Apple, Mac OS X Server 10.4.6
• Apple, Mac OS X Server 10.4.7
• Apple, Mac OS X Server 10.4.8
• Apple, Mac OS X Server 10.4.9
• Avaya, Application Enablement Services 3.1.3
• Avaya, Application Enablement Services 4.0.1
• Avaya, Communication Manager 2.0
• Avaya, Communication Manager 2.0.1
• Avaya, Communication Manager 2.1
• Avaya, Communication Manager 2.1.1
• Avaya, Communication Manager 2.2
• Avaya, Communication Manager 2.2.1
• Avaya, Communication Manager 2.2.2
• Avaya, Communication Manager 3.0
• Avaya, Communication Manager 3.0.1
• Avaya, Communication Manager 3.1
• Avaya, Communication Manager 3.1.1
• Avaya, Communication Manager 3.1.2
• Avaya, Communication Manager 3.1.3
• Avaya, Communication Manager 3.1.4
• Avaya, Communication Manager 4.0
• Avaya, Communication Manager 4.0.1
• Avaya, Communication Manager 4.0.3
• Avaya, Communication Manager 5.0
• Avaya, Communication Manager 5.1
• Avaya, Converged Communications Server
• Avaya, Expanded Meet-Me Conferencing 1.017
• Avaya, Expanded Meet-Me Conferencing 1.021
• Avaya, Intuity Audix LX
• Avaya, Message Networking
• Avaya, Message Storage Server
• Avaya, SIP Enablement Services
• Canonical, Ubuntu 6.06 LTS
• Canonical, Ubuntu 6.10
• Canonical, Ubuntu 7.04
• Compaq, Tru64 5.1B-3
• Compaq, Tru64 5.1B-4
• Compaq, Tru64 6.6
• Debian, Debian Linux 3.1
• Debian, Debian Linux 4.0
• FreeBSD, FreeBSD 5.3
• FreeBSD, FreeBSD 5.4
• FreeBSD, FreeBSD 5.5
• FreeBSD, FreeBSD 6.0
• FreeBSD, FreeBSD 6.1
• FreeBSD, FreeBSD 6.2
• Gentoo, Linux
• HP, HP-UX B.11.11
• HP, HP-UX B.11.23
• HP, HP-UX B.11.31
• HP, TCP IP Services OpenVMS Alpha 5.4
• HP, TCP IP Services OpenVMS Alpha 5.5
• HP, TCP IP Services OpenVMS Alpha 5.6
• HP, TCP IP Services OpenVMS I64 5.5
• HP, TCP IP Services OpenVMS I64 5.6
• IBM, AIX 5.2
• IBM, AIX 5.3
• ISC, BIND 9.0
• ISC, BIND 9.1
• ISC, BIND 9.2.0
• ISC, BIND 9.2.1
• ISC, BIND 9.2.2
• ISC, BIND 9.2.3
• ISC, BIND 9.2.4
• ISC, BIND 9.2.5
• ISC, BIND 9.2.6
• ISC, BIND 9.2.7
• ISC, BIND 9.2.8
• ISC, BIND 9.3.0
• ISC, BIND 9.3.1
• ISC, BIND 9.3.2
• ISC, BIND 9.3.3
• ISC, BIND 9.3.4
• ISC, BIND 9.4.0
• ISC, BIND 9.4.1
• ISC, BIND 9.5.0a1
• ISC, BIND 9.5.0a2
• ISC, BIND 9.5.0a3
• ISC, BIND 9.5.0a4
• ISC, BIND 9.5.0a5
• MandrakeSoft, Mandrake Linux 2007
• MandrakeSoft, Mandrake Linux 2007 X86_64
• MandrakeSoft, Mandrake Linux 2007.1
• MandrakeSoft, Mandrake Linux 2007.1 X86_64
• MandrakeSoft, Mandrake Linux 2008.0 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 3.0
• MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 4.0
• MandrakeSoft, Mandrake Multi Network Firewall 2.0
• Novell, Linux Desktop 9
• Novell, Linux POS 9
• Novell, Open Enterprise Server
• Novell, Open Enterprise Server
• Novell, OpenSUSE 10.2
• Novell, SLE SDK 10 SP1
• Novell, SUSE Linux Enterprise Desktop 10 SP1
• Novell, SUSE Linux Enterprise Server 10
• Novell, SUSE Linux Enterprise Server 10 SP1
• Novell, UnitedLinux 1.0
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 4 AS
• RedHat, Enterprise Linux 4 WS
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Enterprise Linux 5 Client Workstation
• RedHat, Enterprise Linux 5
• RedHat, Enterprise Linux 5 Client
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Sun, Solaris 10 SPARC
• Sun, Solaris 10 x86
• SuSE, SLE SDK 10
• SuSE, SuSE Linux 10.0
• SuSE, SuSE Linux 10.1
• SuSE, SuSE Linux Enterprise Server 8.0
• SuSE, SuSE Linux OpenExchange Server 4
• SuSE, SuSE Linux Retail Solution 8
• SuSE, SuSE Linux School Server
• SuSE, SuSE Linux Standard Server 8
• SuSE, SuSE SLES 9
• Turbolinux, Turbolinux 10 Server
• Turbolinux, Turbolinux 10 Server x64 Ed
• Turbolinux, Turbolinux 8 Server
• Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
• Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed
• Turbolinux, Turbolinux Appliance Server 2.0

Remedy:

Upgrade to the latest version of BIND (9.2.8-P1 or later, 9.3.4-P1 or later, 9.4.1-P1 or later, or 9.5.0a6), available from the Internet Software Consortium (ISC) Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

• Apple Web site, About the security content of Mac OS X 10.4.11 and Security Update 2007-008 at http://docs.info.apple.com/article.html?artnum=307041.
• BugTraq Mailing List, Fri Aug 31 2007 - 09:34:17 CDT , HPSBTU02256 SSRT071449 : HP Tru64 UNIX or HP Tru64 Internet Express running BIND, Remote DNS Cache Poisoning at http://archives.neohapsis.com/archives/bugtraq/2007-08/0486.html. (not posted to HP site yet)
• BugTraq Mailing List, Tue Jul 24 2007 - 02:33:51 CDT, "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer) at http://archives.neohapsis.com/archives/bugtraq/2007-07/0265.html.
• FreeBSD-SA-07:07.bind , Predictable query ids in named(8) at http://security.freebsd.org/advisories/FreeBSD-SA-07:07.bind.asc.
• HPSBOV02261 SSRT071449, HP OpenVMS running BIND, Remote DNS Cache Poisoning at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01174368&jumpid=reg_R1002_USEN.
• HPSBTU02256 SSRT071449, BIND Remote Denial of Service, Unauthorized Disclosure of Information, and Unauthorized Modification at http://www8.itrc.hp.com/service/cki/docDisplay.do?docId=c01154600.
• HPSBUX02251 SSRT071449 rev.1, HP-UX Running BIND, Remote DNS Cache Poisoning at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01123426.
• HPSBUX02251 SSRT071449 rev.3, HP-UX Running BIND, Remote DNS Cache Poisoning at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01123426&jumpid=reg_R1002_USEN.
• IBM APAR IZ02218, POTENTIAL SECURITY ISSUE at http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02218.
• IBM APAR IZ02219, POTENTIAL SECURITY ISSUE at http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02219.
• Internet Software Consortium (ISC) Web site, BIND (Berkeley Internet Name Domain) page at http://www.isc.org/products/BIND/.
• milw0rm.com [2007-08-07], BIND 9 DNS Cache Poisoning Exploit (v0.3beta) at http://milw0rm.com/exploits/4266.
• NetBSD-SA2007-007, BIND cryptographically weak query IDs at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2007-007.txt.asc.
• Nortel Response to ISC:DNS, BIND 9 Vulnerabilities in Default ACL and Weak Query IDs at http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=623903#PRODUCTS.
• Sun Alert ID: 103018, Security Vulnerability in Solaris 10 BIND: Susceptible to Cache Poisoning Attack at http://sunsolve.sun.com:80/search/document.do?assetkey=1-26-103018-1.
• ASA-2007-332: Security Vulnerability in Solaris 10 BIND: Susceptible to Cache Poisoning Attack (Sun 103018)
• ASA-2007-344: HP-UX Running BIND Remote DNS Cache Poisoning (HPSBUX02251)
• ASA-2007-389: bind security update (RHSA-2007-0740)
• BID-25037: ISC BIND 9 Remote Cache Poisoning Vulnerability
• BID-26444: Apple Mac OS X v10.4.11 2007-008 Multiple Security Vulnerabilities
• CVE-2007-2926: ISC BIND 9 through 9.5.0a5 uses a weak random number generator during generation of DNS query ids when answering resolver questions or sending NOTIFY messages to slave name servers, which makes it easier for remote attackers to guess the next query id and perform DNS cache poisoning.
• DSA-1341: bind9 -- design error
• FrSIRT/ADV-2007-2627: ISC BIND DNS Query ID Generation Weakness Cache Poisoning Vulnerability
• FrSIRT/ADV-2007-2662: Sun Solaris BIND DNS Query ID Generation Weakness Cache Poisoning Issue
• FrSIRT/ADV-2007-2782: HP-UX Security Update Fixes Bind Query ID Generation DNS Cache Poisoning
• FrSIRT/ADV-2007-2914: Nortel Products Bind Cache Poisoning and Security Bypass Vulnerabilities
• FrSIRT/ADV-2007-2932: IBM AIX Security Update Fixes Bind Query ID Generation DNS Cache Poisoning
• FrSIRT/ADV-2007-3242: HP TCP/IP Services for OpenVMS Bind Query ID Generation Cache Poisoning
• FrSIRT/ADV-2007-3868: Apple Mac OS X Command Execution and Denial of Service Vulnerabilities
• GLSA-200708-13: BIND: Weak random number generation
• MDKSA-2007:149: Updated BIND9 packages fix vulnerabilities
• OpenPKG-SA-2007.022: bind
• RHSA-2007-0740: Moderate: bind security update
• SA26152: BIND Predictable DNS Query IDs Vulnerability
• SA26160: Sun Solaris BIND Predictable DNS Query IDs Vulnerability
• SA26515: Nortel Products BIND Predictable DNS Query IDs Vulnerability
• SA26531: IBM AIX BIND Predictable DNS Query IDs Vulnerability
• SA26605: HP Tru64 UNIX BIND Predictable DNS Query IDs Vulnerability
• SA26847: Avaya Products BIND Predictable DNS Query IDs Vulnerability
• SA26925: HP TCP/IP Services for OpenVMS BIND Vulnerability
• SA27643: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
• SECTRACK ID: 1018442: BIND Generates Predictable Query IDs That May Facilitate Cache Poisoning Attacks
• SUSE-SA:2007:047: bind DNS cache poisoning problem

Reported:

Jul 24, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page