NASLDB: Debian DSA-1603-1 : bind9 - DNS cache poisoning
General
ID: 33450
Name: Debian DSA-1603-1 : bind9 – DNS cache poisoning
Summary: Checks dpkg output for the updated package
Credits: –
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS Temporal Vector: –
Port: 0
Family: Debian Local Security Checks
Type: Local
Description
Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian’s BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
Note that this security update changes BIND network behavior in a
fundamental way, and the following steps are recommended to ensure a
smooth upgrade.
1. Make sure that your network configuration is compatible with source
port randomization. If you guard your resolver with a stateless packet
filter, you may need to make sure that no non-DNS services listen on
the 1024-65535 UDP port range and open it at the packet filter. For
instance, packet filters based on etch’s Linux 2.6.18 kernel only
support stateless filtering of IPv6 packets, and therefore pose this
additional difficulty. (If you use IPv4 with iptables and ESTABLISHED
rules, networking changes are likely not required.)
2. Install the BIND 9 upgrade, using ‘apt-get update’ followed by
‘apt-get install bind9’. Verify that the named process has been
restarted and answers recursive queries. (If all queries result in
timeouts, this indicates that networking changes are necessary; see
the first step.)
3. Verify that source port randomization is active. Check that the
/var/log/daemon.log file does not contain messages of the following
form
named[6106]: /etc/bind/named.conf.options:28: using specific
query-source port suppresses port randomization and can be insecure.
right after the ‘listening on IPv6 interface’ and ‘listening on IPv4
interface’ messages logged by BIND upon startup. If these messages are
present, you should remove the indicated lines from the configuration,
or replace the port numbers contained within them with the ‘*’ sign (e.g.,
replace ‘port 53’ with ‘port *’).
For additional certainty, use tcpdump or some other network monitoring
tool to check for varying UDP source ports. If there is a NAT device
in front of your resolver, make sure that it does not defeat the
effect of source port randomization.
4. If you cannot activate source port randomization, consider
configuring BIND 9 to forward queries to a resolver which can,
possibly over a VPN such as OpenVPN to create the necessary trusted
network link. (Use BIND’s forward-only mode in this case.)
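The verification in step 3, as an added example that is not part of the advisory or of the Nessus plugin: a small Python script that flags query-source directives pinning a numeric port in a named.conf.options fragment, picks out BIND's pinned-port warning from daemon.log lines, and applies a distinct-port heuristic to UDP source ports observed with tcpdump. The configuration fragment, log lines and port observations are constructed sample data.

```python
import re

# Constructed named.conf.options fragment (sample data, not from the advisory).
SAMPLE_CONF = """\
options {
    directory "/var/cache/bind";
    query-source address * port 53;
    query-source-v6 address * port *;
};
"""
# Constructed daemon.log lines modelled on the message quoted in the advisory.
SAMPLE_LOG = [
    "named[6106]: listening on IPv6 interfaces, port 53",
    "named[6106]: listening on IPv4 interface lo, 127.0.0.1#53",
    "named[6106]: /etc/bind/named.conf.options:28: using specific "
    "query-source port suppresses port randomization and can be insecure.",
]
# query-source / query-source-v6 directives and the port token they set.
QUERY_SOURCE_RE = re.compile(
    r"^\s*(query-source(?:-v6)?)\b.*?\bport\s+(\*|\d+)\s*;", re.M)
PINNED_PORT_WARNING = "using specific query-source port suppresses port randomization"

def fixed_query_source_ports(conf_text):
    """(directive, port) pairs that pin a numeric source port; 'port *' is the
    recommended setting and is skipped, a fixed number triggers BIND's warning."""
    return [(d, int(p)) for d, p in QUERY_SOURCE_RE.findall(conf_text) if p != "*"]

def log_warns_pinned_port(log_lines):
    """daemon.log lines carrying BIND's pinned-port startup warning."""
    return [line for line in log_lines if PINNED_PORT_WARNING in line]

def source_ports_look_randomized(ports, min_distinct_ratio=0.5):
    """Heuristic over UDP source ports of outgoing queries (e.g. from tcpdump):
    randomization gives many distinct high ports; a pinned resolver, or a NAT
    device rewriting to one port, shows a single value or privileged ports."""
    if not ports or any(p <= 1023 for p in ports):
        return False
    return len(set(ports)) / len(ports) >= min_distinct_ratio

# Constructed port observations, not captured from a real resolver.
PINNED_OBSERVATION = [53] * 20
RANDOMIZED_OBSERVATION = [34567, 51234, 2048, 60001, 41982, 33333, 57111, 18234]

if __name__ == "__main__":
    for directive, port in fixed_query_source_ports(SAMPLE_CONF):
        print(f"{directive} pins port {port}: replace it with 'port *'")
    print(len(log_warns_pinned_port(SAMPLE_LOG)), "pinned-port warning(s) in log")
    print("pinned randomized?", source_ports_look_randomized(PINNED_OBSERVATION))
    print("varying randomized?", source_ports_look_randomized(RANDOMIZED_OBSERVATION))
```

The port heuristic is deliberately coarse; a short capture from a busy resolver should still show many distinct ports, and a single repeated value points at either a pinned configuration or a NAT device undoing the randomization.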
Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
Unbound) already employ source port randomization, and no updated
packages are needed. BIND 9.5 up to and including version
1:9.5.0.dfsg-4 only implements a weak form of source port
randomization and needs to be updated as well. For information on BIND
8, see DSA-1604-1, and for the status of the libc stub resolver, see
DSA-1605-1.
The updated bind9 packages contain changes originally scheduled for
the next stable point release, including the changed IP address of
L.ROOT-SERVERS.NET (Debian bug #449148).
Exploiting
Exploit Available: True
Exploitability Ease: Exploits are available
Sources
CVE: CVE-2008-1447
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: –
Patch Release: 2008/07/08
Plugin Release: 2008/07/10
Plugin
Version: 1.16
Filename: debian_DSA-1603.nasl
Filesize: 7249 bytes
MD5 Hash: 151a4091aed585edd7f8fe6240aa9035
Identification: Host/local_checks_enabled
Require Keys: "Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"
Dependencies: "ssh_get_info.nasl"
Copyright: This script is © 2008-2012 Tenable Network Security, Inc.