4.3 - VU#927905

Executive Summary

Summary
Title	BIND version 8 generates cryptographically weak DNS query identifiers

Informations
Name	VU#927905	First vendor Publication	2007-08-28
Vendor	VU-CERT	Last vendor Modification	2007-08-28
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score	4.3	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#927905

BIND version 8 generates cryptographically weak DNS query identifiers

Overview

ISC BIND version 8 generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches.

I. Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). Version 8 of the BIND software uses a weak algorithm to generate DNS query identifiers. This condition allows an attacker to reliably guess the next query ID, thereby allowing for DNS cache poisoning attacks.

ISC states that this bug only affects outgoing queries, generated by BIND 8 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFY messages to slave name servers. Note that although this vulnerability is similar in nature and impact to VU#252735, it is a distinct issue.

II. Impact

A remote attacker with the ability to predict DNS query IDs and respond with arbitrary answers, could poison DNS caches.

III. Solution

Upgrade or apply a patch

Users should obtain a patch from their operating system vendor when available. Please see the Systems Affected section of this document for more information about specific vendors.

Users who compile their own versions of BIND 8 from the original ISC source code are encouraged to take the following actions described by ISC:

This issue is addressed in ISC BIND 8.4.7-P1, available as patch that

can be applied to BIND 8.4.7.

The more definitive solution is to upgrade to BIND 9. BIND 8 is being

declared "end of life" by ISC due to multiple architectural issues.

See ISC's website at

http://www.isc.org

for more information and

assistance.

Systems Affected

Vendor	Status	Date Updated
Apple Computer, Inc.	Unknown	27-Aug-2007
BlueCat Networks, Inc.	Not Vulnerable	28-Aug-2007
Check Point Software Technologies	Unknown	27-Aug-2007
Conectiva Inc.	Unknown	27-Aug-2007
Cray Inc.	Unknown	27-Aug-2007
Debian GNU/Linux	Unknown	27-Aug-2007
EMC Corporation	Unknown	27-Aug-2007
Engarde Secure Linux	Unknown	27-Aug-2007
F5 Networks, Inc.	Unknown	27-Aug-2007
Fedora Project	Unknown	27-Aug-2007
FreeBSD, Inc.	Unknown	27-Aug-2007
Fujitsu	Unknown	27-Aug-2007
Gentoo Linux	Unknown	27-Aug-2007
Gnu ADNS	Unknown	27-Aug-2007
GNU glibc	Unknown	27-Aug-2007
Hewlett-Packard Company	Unknown	27-Aug-2007
Hitachi	Unknown	27-Aug-2007
IBM Corporation	Unknown	27-Aug-2007
IBM Corporation (zseries)	Unknown	27-Aug-2007
IBM eServer	Unknown	27-Aug-2007
Immunix Communications, Inc.	Unknown	27-Aug-2007
Infoblox	Not Vulnerable	27-Aug-2007
Ingrian Networks, Inc.	Unknown	27-Aug-2007
Internet Software Consortium	Vulnerable	27-Aug-2007
Juniper Networks, Inc.	Unknown	27-Aug-2007
Lucent Technologies	Unknown	27-Aug-2007
Mandriva, Inc.	Not Vulnerable	27-Aug-2007
Men & Mice	Unknown	27-Aug-2007
Metasolv Software, Inc.	Unknown	27-Aug-2007
Microsoft Corporation	Not Vulnerable	28-Aug-2007
MontaVista Software, Inc.	Unknown	27-Aug-2007
NEC Corporation	Unknown	27-Aug-2007
NetBSD	Unknown	27-Aug-2007
Nortel Networks, Inc.	Unknown	27-Aug-2007
Novell, Inc.	Unknown	27-Aug-2007
OpenBSD	Unknown	27-Aug-2007
Openwall GNU/*/Linux	Unknown	27-Aug-2007
QNX, Software Systems, Inc.	Unknown	27-Aug-2007
Red Hat, Inc.	Unknown	27-Aug-2007
Shadowsupport	Unknown	27-Aug-2007
Silicon Graphics, Inc.	Unknown	27-Aug-2007
Slackware Linux Inc.	Unknown	27-Aug-2007
Sony Corporation	Unknown	27-Aug-2007
Sun Microsystems, Inc.	Unknown	27-Aug-2007
SUSE Linux	Unknown	27-Aug-2007
The SCO Group	Unknown	27-Aug-2007
Trustix Secure Linux	Unknown	27-Aug-2007
Turbolinux	Unknown	27-Aug-2007
Ubuntu	Unknown	27-Aug-2007
Unisys	Unknown	27-Aug-2007
Wind River Systems, Inc.	Unknown	27-Aug-2007

References

http://www.isc.org/index.pl?/sw/bind/bind8-eol.php
http://www.trusteer.com/docs/bind8dns.html
http://secunia.com/advisories/26629/

Credit

Thanks to the Internet Systems Consortium (ISC) for reporting this vulnerability. ISC, in turn, credits Amit Klein from Trusteer for reporting this issue to them.

This document was written by Chad Dougherty.

Other Information

Date Public	08/27/2007
Date First Published	08/28/2007 09:37:59 AM
Date Last Updated	08/28/2007
CERT Advisory
CVE Name	CVE-2007-2930
Metric	2.14
Document Revision	14

Original Source

Url : http://www.kb.cert.org/vuls/id/927905

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:2154

Oval ID:	oval:org.mitre.oval:def:2154
Title:	Security Vulnerability in BIND 8 May Allow Cache Poisoning Attack
Description:	The (1) NSID_SHUFFLE_ONLY and (2) NSID_USE_POOL PRNG algorithms in ISC BIND 8 before 8.4.7-P1 generate predictable DNS query identifiers when sending outgoing queries such as NOTIFY messages when answering questions as a resolver, which allows remote attackers to poison DNS caches via unknown vectors. NOTE: this issue is different from CVE-2007-2926.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-2930	Version:	1
Platform(s):	Sun Solaris 8 Sun Solaris 9	Product(s):
Definition Synopsis:
Software Section Solaris 8 (SPARC) meets Sun Alert 103063 Solaris 8 (SPARC) is installed AND NOT Patch 109326-20 or later installed OR Solaris 8 (x86) meets Sun Alert 103063 Solaris 8 (x86) is installed AND NOT Patch 109327-20 or later installed OR Solaris 9 (SPARC) meets Sun Alert 103063 Solaris 9 (SPARC) is installed AND NOT Patch 112837-14 or later installed OR Solaris 9 (x86) meets Sun Alert 103063 Solaris 9 (x86) is installed AND NOT Patch 114265-13 or later installed AND in.named running

CPE : Common Platform Enumeration

Type	Description	Count
Application	Isc Bind cpe:2.3:a:isc:bind:8.4.7::::-::: cpe:2.3:a:isc:bind:8.4.5::::-::: cpe:2.3:a:isc:bind:8.4.4::::-::: cpe:2.3:a:isc:bind:8.4.1::::-::: cpe:2.3:a:isc:bind:8.4::::-::: cpe:2.3:a:isc:bind:8.3.6::::-::: cpe:2.3:a:isc:bind:8.3.5::::-::: cpe:2.3:a:isc:bind:8.3.4::::-::: cpe:2.3:a:isc:bind:8.3.3::::-::: cpe:2.3:a:isc:bind:8.3.2::::-::: cpe:2.3:a:isc:bind:8.3.1::::-::: cpe:2.3:a:isc:bind:8.3.0::::-::: cpe:2.3:a:isc:bind:8.2.7::::-::: cpe:2.3:a:isc:bind:8.2.6::::-::: cpe:2.3:a:isc:bind:8.2.5::::-::: cpe:2.3:a:isc:bind:8.2.4::::-::: cpe:2.3:a:isc:bind:8.2.3:t9b:::-:::* cpe:2.3:a:isc:bind:8.2.3:t1a:::-:::* cpe:2.3:a:isc:bind:8.2.3::::-::: cpe:2.3:a:isc:bind:8.2.2:p4:::-:::* cpe:2.3:a:isc:bind:8.2.2:p1:::-:::* cpe:2.3:a:isc:bind:8.2.2:p7:::-:::* cpe:2.3:a:isc:bind:8.2.2:p6:::-:::* cpe:2.3:a:isc:bind:8.2.2:-:::-:::* cpe:2.3:a:isc:bind:8.2.2:p2:::-:::* cpe:2.3:a:isc:bind:8.2.2:p3:::-:::* cpe:2.3:a:isc:bind:8.2.2:p5:::-:::* cpe:2.3:a:isc:bind:8.2.1::::-::: cpe:2.3:a:isc:bind:8.2:-:::-:::* cpe:2.3:a:isc:bind:8.2:p1:::-:::* cpe:2.3:a:isc:bind:8.1.2::::-::: cpe:2.3:a:isc:bind:8.1.1::::-::: cpe:2.3:a:isc:bind:8.1::::-::: cpe:2.3:a:isc:bind:8::::-::: cpe:2.3:a:isc:bind:4.9.9::::-::: cpe:2.3:a:isc:bind:4.9.8::::-::: cpe:2.3:a:isc:bind:4.9.7::::-::: cpe:2.3:a:isc:bind:4.9.6::::-::: cpe:2.3:a:isc:bind:4.9.5:p1:::-:::* cpe:2.3:a:isc:bind:4.9.5::::-::: cpe:2.3:a:isc:bind:4.9.4::::-::: cpe:2.3:a:isc:bind:4.9.3::::-::: cpe:2.3:a:isc:bind:4.9.2::::-::: cpe:2.3:a:isc:bind:4.9.10::::-::: cpe:2.3:a:isc:bind:4.9::::-::: cpe:2.3:a:isc:bind:4::::-::: cpe:2.3:a:isc:bind:::::::: cpe:2.3:a:isc:bind:::::-:::* cpe:2.3:a:isc:bind:::::supported_preview:::* cpe:2.3:a:isc:bind:-::::-:::	50

OpenVAS Exploits

Date	Description
2009-05-05	Name : HP-UX Update for BIND 8 HPSBUX02289 File : nvt/gb_hp_ux_HPSBUX02289.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
36796	ISC BIND Outgoing Query Predictable DNS Query ID

Nessus® Vulnerability Scanner

Date	Description
2007-12-04	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHNE_36185.nasl - Type : ACT_GATHER_INFO
2007-10-17	Name : The remote host is missing Sun Security Patch number 114265-23 File : solaris9_x86_114265.nasl - Type : ACT_GATHER_INFO
2007-09-25	Name : The remote host is missing Sun Security Patch number 112837-24 File : solaris9_112837.nasl - Type : ACT_GATHER_INFO
2004-07-12	Name : The remote host is missing Sun Security Patch number 109326-24 File : solaris8_109326.nasl - Type : ACT_GATHER_INFO
2004-07-12	Name : The remote host is missing Sun Security Patch number 109327-24 File : solaris8_x86_109327.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2016-04-26 18:28:25	Multiple Updates
2013-05-11 12:26:46	Multiple Updates

Global Informations

Type	Count
Oval ID(s)	1
CPE ID(s)	50
osvdb(s)	1
Openvas Exploit(s)	1
Nessus® Exploit(s)	5

	Related
5	VU#800113
5	TA08-190B
4.3	VU#252735
4.3	SUN-103063
4.3	CVE-2007-2930
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 5 more Alert(s)