Executive Summary
Summary | |
---|---|
Title | bind security update |
Information | |||
---|---|---|---|
Name | RHSA-2009:0020 | First vendor Publication | 2009-01-08 |
Vendor | RedHat | Last vendor Modification | 2009-01-08 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Problem Description: Updated Bind packages to correct a security issue are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols.

A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks. (CVE-2009-0025)

For users of Red Hat Enterprise Linux 3 this update also addresses a bug which can cause BIND to occasionally exit with an assertion failure.

All BIND users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. After installing the update, BIND daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

461047 - named dies due to assertion failure
478984 - CVE-2009-0025 bind: DSA_do_verify() returns check issue
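
The return-value flaw described above, as an added example (not code from BIND, OpenSSL or the advisory): OpenSSL's DSA_do_verify returns 1 for a valid signature, 0 for an invalid one and -1 on error, so a caller that rejects only on 0 accepts a signature that could not be processed. `mock_verify`, `accept_flawed`, `accept_strict` and the sample bytes are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SIG_LEN 8

/* Constructed sample data: the "correct" signature and a wrong one. */
static const unsigned char GOOD_SIG[SIG_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
static const unsigned char BAD_SIG[SIG_LEN]  = {1, 2, 3, 4, 5, 6, 7, 9};

/* Hypothetical stand-in that follows the DSA_do_verify() return convention:
 *   1 = signature valid, 0 = signature invalid, -1 = error
 * (here: a signature that cannot be parsed because its length is wrong). */
static int mock_verify(const unsigned char *sig, size_t len)
{
    if (sig == NULL || len != SIG_LEN)
        return -1;
    return memcmp(sig, GOOD_SIG, SIG_LEN) == 0 ? 1 : 0;
}

/* Flawed caller: rejects only on 0, so the -1 error result counts as success. */
int accept_flawed(const unsigned char *sig, size_t len)
{
    int status = mock_verify(sig, len);
    if (status == 0)
        return 0;
    return 1;
}

/* Strict caller: anything other than exactly 1 is a verification failure. */
int accept_strict(const unsigned char *sig, size_t len)
{
    return mock_verify(sig, len) == 1;
}

int main(void)
{
    struct { const char *name; const unsigned char *sig; size_t len; } cases[] = {
        {"valid",     GOOD_SIG, SIG_LEN},
        {"invalid",   BAD_SIG,  SIG_LEN},
        {"malformed", BAD_SIG,  3},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-9s flawed=%d strict=%d\n", cases[i].name,
               accept_flawed(cases[i].sig, cases[i].len),
               accept_strict(cases[i].sig, cases[i].len));
    return 0;
}
```

When auditing callers of tri-state verification functions, the pattern to look for is any test of the form `!status` or `status == 0` where `status == 1` (or `status != 1` for the failure path) is required.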
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2009-0020.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-287 | Improper Authentication |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10879 | |||
Oval ID: | oval:org.mitre.oval:def:10879 | ||
Title: | BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | ||
Description: | BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0025 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:13365 | |||
Oval ID: | oval:org.mitre.oval:def:13365 | ||
Title: | DSA-1703-1 bind9 -- interpretation conflict | ||
Description: | It was discovered that BIND, an implementation of the DNS protocol suite, does not properly check the result of an OpenSSL function which is used to verify DSA cryptographic signatures. As a result, incorrect DNS resource records in zones protected by DNSSEC could be accepted as genuine. For the stable distribution, this problem has been fixed in version 1:9.3.4-2etch4. For the unstable distribution and the testing distribution, this problem will be fixed soon. We recommend that you upgrade your BIND packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1703-1 CVE-2009-0025 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | bind9 |
Definition Id: oval:org.mitre.oval:def:21048 | |||
Oval ID: | oval:org.mitre.oval:def:21048 | ||
Title: | Multiple vulnerabilities in AIX BIND | ||
Description: | BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0025 | Version: | 6 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:22671 | |||
Oval ID: | oval:org.mitre.oval:def:22671 | ||
Title: | ELSA-2009:0020: bind security update (Moderate) | ||
Description: | BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:0020-01 CVE-2009-0025 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | bind |
Definition Id: oval:org.mitre.oval:def:28987 | |||
Oval ID: | oval:org.mitre.oval:def:28987 | ||
Title: | RHSA-2009:0020 -- bind security update (Moderate) | ||
Description: | Updated Bind packages to correct a security issue are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks. (CVE-2009-0025) | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:0020 CESA-2009:0020-CentOS 5 CESA-2009:0020-CentOS 2 CESA-2009:0020-CentOS 3 CVE-2009-0025 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 5 CentOS Linux 2 CentOS Linux 3 | Product(s): | bind |
Definition Id: oval:org.mitre.oval:def:5569 | |||
Oval ID: | oval:org.mitre.oval:def:5569 | ||
Title: | Avaya Solaris BIND "EVP_VerifyFinal()" Signature Spoofing Vulnerability | ||
Description: | BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0025 | Version: | 1 |
Platform(s): | VMWare ESX Server 3 VMWare ESX Server 3.5 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:7929 | |||
Oval ID: | oval:org.mitre.oval:def:7929 | ||
Title: | DSA-1703 bind9 -- interpretation conflict | ||
Description: | It was discovered that BIND, an implementation of the DNS protocol suite, does not properly check the result of an OpenSSL function, which is used to verify DSA cryptographic signatures. As a result, incorrect DNS resource records in zones protected by DNSSEC could be accepted as genuine. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1703 CVE-2009-0025 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | bind9 |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for bind CESA-2009:0020-01 centos2 i386 File : nvt/gb_CESA-2009_0020-01_bind_centos2_i386.nasl |
2011-08-09 | Name : CentOS Update for bind CESA-2009:0020 centos3 i386 File : nvt/gb_CESA-2009_0020_bind_centos3_i386.nasl |
2011-08-09 | Name : CentOS Update for bind CESA-2009:0020 centos4 i386 File : nvt/gb_CESA-2009_0020_bind_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for bind CESA-2009:0020 centos5 i386 File : nvt/gb_CESA-2009_0020_bind_centos5_i386.nasl |
2010-05-12 | Name : Mac OS X 10.5.7 Update / Mac OS X Security Update 2009-002 File : nvt/macosx_upd_10_5_7_secupd_2009-002.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-13 | Name : SLES10: Security update for bind File : nvt/sles10_bind.nasl |
2009-10-10 | Name : SLES9: Security update for bind File : nvt/sles9p5041320.nasl |
2009-06-05 | Name : Ubuntu USN-707-1 (cupsys) File : nvt/ubuntu_707_1.nasl |
2009-03-13 | Name : Gentoo Security Advisory GLSA 200903-14 (bind) File : nvt/glsa_200903_14.nasl |
2009-02-18 | Name : Mandrake Security Advisory MDVSA-2009:037 (bind) File : nvt/mdksa_2009_037.nasl |
2009-02-10 | Name : CentOS Security Advisory CESA-2009:0020-01 (bind) File : nvt/ovcesa2009_0020_01.nasl |
2009-01-26 | Name : SuSE Security Advisory SUSE-SA:2009:005 (bind) File : nvt/suse_sa_2009_005.nasl |
2009-01-20 | Name : FreeBSD Security Advisory (FreeBSD-SA-09:04.bind.asc) File : nvt/freebsdsa_bind6.nasl |
2009-01-20 | Name : Fedora Core 10 FEDORA-2009-0451 (bind) File : nvt/fcore_2009_0451.nasl |
2009-01-20 | Name : Fedora Core 9 FEDORA-2009-0350 (bind) File : nvt/fcore_2009_0350.nasl |
2009-01-15 | Name : OpenSSL DSA_verify() Security Bypass Vulnerability in BIND File : nvt/gb_bind_sec_bypass_vuln.nasl |
2009-01-13 | Name : RedHat Security Advisory RHSA-2009:0020 File : nvt/RHSA_2009_0020.nasl |
2009-01-13 | Name : Mandrake Security Advisory MDVSA-2009:002 (bind) File : nvt/mdksa_2009_002.nasl |
2009-01-13 | Name : CentOS Security Advisory CESA-2009:0020 (bind) File : nvt/ovcesa2009_0020.nasl |
2009-01-13 | Name : Ubuntu USN-706-1 (bind9) File : nvt/ubuntu_706_1.nasl |
2009-01-13 | Name : Debian Security Advisory DSA 1703-1 (bind9) File : nvt/deb_1703_1.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2009-014-02 bind File : nvt/esoft_slk_ssa_2009_014_02.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
51368 | OpenSSL DSA_verify Function SSL/TLS Signature Validation Weakness |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-04-21 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2017-0066.nasl - Type : ACT_GATHER_INFO |
2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0004_remote.nasl - Type : ACT_GATHER_INFO |
2014-10-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL9754.nasl - Type : ACT_GATHER_INFO |
2014-10-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL11503.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0020.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV09491.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV11744.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV09978.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV10049.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV11742.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV11743.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090108_bind_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2011-05-28 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2009-014-02.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_bind-5905.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12328.nasl - Type : ACT_GATHER_INFO |
2009-07-27 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2009-0004.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_bind-090126.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_bind-090112.nasl - Type : ACT_GATHER_INFO |
2009-05-13 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2009-002.nasl - Type : ACT_GATHER_INFO |
2009-05-13 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_5_7.nasl - Type : ACT_GATHER_INFO |
2009-05-12 | Name : The remote name server is affected by a signature validation weakness. File : bind_sig_return_checks.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-0451.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-037.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-002.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-706-1.nasl - Type : ACT_GATHER_INFO |
2009-03-10 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200903-14.nasl - Type : ACT_GATHER_INFO |
2009-02-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0020.nasl - Type : ACT_GATHER_INFO |
2009-01-22 | Name : The remote openSUSE host is missing a security update. File : suse_bind-5915.nasl - Type : ACT_GATHER_INFO |
2009-01-16 | Name : The remote Fedora host is missing a security update. File : fedora_2009-0350.nasl - Type : ACT_GATHER_INFO |
2009-01-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1703.nasl - Type : ACT_GATHER_INFO |
2009-01-09 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0020.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote host is missing Sun Security Patch number 114265-23 File : solaris9_x86_114265.nasl - Type : ACT_GATHER_INFO |
2007-09-25 | Name : The remote host is missing Sun Security Patch number 112837-24 File : solaris9_112837.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2016-04-05 00:27:36 | |
2014-02-17 11:52:12 | |