Executive Summary

Title BIND version 8 generates cryptographically weak DNS query identifiers
Name VU#927905 First vendor Publication 2007-08-28
Vendor VU-CERT Last vendor Modification 2007-08-28
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#927905

BIND version 8 generates cryptographically weak DNS query identifiers


ISC BIND version 8 generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches.

I. Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). Version 8 of the BIND software uses a weak algorithm to generate DNS query identifiers. This condition allows an attacker to reliably guess the next query ID, thereby allowing for DNS cache poisoning attacks.

ISC states that this bug only affects outgoing queries, generated by BIND 8 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFY messages to slave name servers. Note that although this vulnerability is similar in nature and impact to VU#252735, it is a distinct issue.

II. Impact

A remote attacker with the ability to predict DNS query IDs and respond with arbitrary answers, could poison DNS caches.

III. Solution

Upgrade or apply a patch

Users should obtain a patch from their operating system vendor when available. Please see the Systems Affected section of this document for more information about specific vendors.

Users who compile their own versions of BIND 8 from the original ISC source code are encouraged to take the following actions described by ISC:

    This issue is addressed in ISC BIND 8.4.7-P1, available as patch that  
    can be applied to BIND 8.4.7.
    The more definitive solution is to upgrade to BIND 9. BIND 8 is being  
    declared "end of life" by ISC due to multiple architectural issues.  
    See ISC's website at http://www.isc.org for more information and  

Systems Affected

VendorStatusDate Updated
Apple Computer, Inc.Unknown27-Aug-2007
BlueCat Networks, Inc.Not Vulnerable28-Aug-2007
Check Point Software TechnologiesUnknown27-Aug-2007
Conectiva Inc.Unknown27-Aug-2007
Cray Inc.Unknown27-Aug-2007
Debian GNU/LinuxUnknown27-Aug-2007
EMC CorporationUnknown27-Aug-2007
Engarde Secure LinuxUnknown27-Aug-2007
F5 Networks, Inc.Unknown27-Aug-2007
Fedora ProjectUnknown27-Aug-2007
FreeBSD, Inc.Unknown27-Aug-2007
Gentoo LinuxUnknown27-Aug-2007
Gnu ADNSUnknown27-Aug-2007
GNU glibcUnknown27-Aug-2007
Hewlett-Packard CompanyUnknown27-Aug-2007
IBM CorporationUnknown27-Aug-2007
IBM Corporation (zseries)Unknown27-Aug-2007
IBM eServerUnknown27-Aug-2007
Immunix Communications, Inc.Unknown27-Aug-2007
InfobloxNot Vulnerable27-Aug-2007
Ingrian Networks, Inc.Unknown27-Aug-2007
Internet Software ConsortiumVulnerable27-Aug-2007
Juniper Networks, Inc.Unknown27-Aug-2007
Lucent TechnologiesUnknown27-Aug-2007
Mandriva, Inc.Not Vulnerable27-Aug-2007
Men & MiceUnknown27-Aug-2007
Metasolv Software, Inc.Unknown27-Aug-2007
Microsoft CorporationNot Vulnerable28-Aug-2007
MontaVista Software, Inc.Unknown27-Aug-2007
NEC CorporationUnknown27-Aug-2007
Nortel Networks, Inc.Unknown27-Aug-2007
Novell, Inc.Unknown27-Aug-2007
Openwall GNU/*/LinuxUnknown27-Aug-2007
QNX, Software Systems, Inc.Unknown27-Aug-2007
Red Hat, Inc.Unknown27-Aug-2007
Silicon Graphics, Inc.Unknown27-Aug-2007
Slackware Linux Inc.Unknown27-Aug-2007
Sony CorporationUnknown27-Aug-2007
Sun Microsystems, Inc.Unknown27-Aug-2007
SUSE LinuxUnknown27-Aug-2007
The SCO GroupUnknown27-Aug-2007
Trustix Secure LinuxUnknown27-Aug-2007
Wind River Systems, Inc.Unknown27-Aug-2007




Thanks to the Internet Systems Consortium (ISC) for reporting this vulnerability. ISC, in turn, credits Amit Klein from Trusteer for reporting this issue to them.

This document was written by Chad Dougherty.

Other Information

Date Public08/27/2007
Date First Published08/28/2007 09:37:59 AM
Date Last Updated08/28/2007
CERT Advisory 
CVE NameCVE-2007-2930
Document Revision14

Original Source

Url : http://www.kb.cert.org/vuls/id/927905

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:2154
Oval ID: oval:org.mitre.oval:def:2154
Title: Security Vulnerability in BIND 8 May Allow Cache Poisoning Attack
Description: The (1) NSID_SHUFFLE_ONLY and (2) NSID_USE_POOL PRNG algorithms in ISC BIND 8 before 8.4.7-P1 generate predictable DNS query identifiers when sending outgoing queries such as NOTIFY messages when answering questions as a resolver, which allows remote attackers to poison DNS caches via unknown vectors. NOTE: this issue is different from CVE-2007-2926.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2930
Version: 1
Platform(s): Sun Solaris 8
Sun Solaris 9
Definition Synopsis:

CPE : Common Platform Enumeration

Application 50

OpenVAS Exploits

Date Description
2009-05-05 Name : HP-UX Update for BIND 8 HPSBUX02289
File : nvt/gb_hp_ux_HPSBUX02289.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
36796 ISC BIND Outgoing Query Predictable DNS Query ID

Nessus® Vulnerability Scanner

Date Description
2007-12-04 Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHNE_36185.nasl - Type : ACT_GATHER_INFO
2007-10-17 Name : The remote host is missing Sun Security Patch number 114265-23
File : solaris9_x86_114265.nasl - Type : ACT_GATHER_INFO
2007-09-25 Name : The remote host is missing Sun Security Patch number 112837-24
File : solaris9_112837.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 109326-24
File : solaris8_109326.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 109327-24
File : solaris8_x86_109327.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
Date Informations
2016-04-26 18:28:25
  • Multiple Updates
2013-05-11 12:26:46
  • Multiple Updates