(IBM Issues Fix) BIND 8 Negative Cache Poisoning May Cause Denial of Service Conditions

SecurityTracker Alert ID: 1008365
CVE Reference: CAN-2003-0914
Date: Dec 3 2003
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 8.4.2 and prior versions

Description: A vulnerability was reported in BIND 8. A remote user can introduce invalid DNS records to cause denial of service conditions.
It is reported that a remote user can conduct a cache poisoning attack by causing the target server to retain invalid negative responses.
A temporary denial of service may occur until the invalid record expires from the cache.
No further details were provided.

Impact: A remote user can cause denial of service conditions.

Solution: IBM has released the following fixes:
APAR number for AIX 4.3.3: IY49899 (available 02/25/2004)
APAR number for AIX 5.1.0: IY49881 (available)
Efixes for AIX 4.3.3 and 5.1.0 are available at:
ftp://aix.software.ibm.com/aix/efixes/security/dns_poison_efix.tar.Z
See the Source Message or the vendor's advisory for instructions on installing the efix:
http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2003.1524.1

Vendor URL: isc.org/products/BIND/
Cause: Input validation error
Underlying OS: UNIX (AIX)
Underlying OS Comments: IBM AIX 4.3.3, 5.1.0 and 5.2.0

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Wed, 03 Dec 2003 15:33:00 -0500
Subject: http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2003.1524.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Mon Dec 1 12:28:51 CST 2003
===========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: BIND8 Negative Cache Poison Attack
PLATFORMS: IBM AIX 4.3.3, 5.1.0 and 5.2.0
SOLUTION: Apply the APARs described below.
THREAT: A remote attacker can poison the DNS cache.
CERT CA Number: None.
CERT VU Number: VU#734644
CVE Candidates: CAN-2003-0914
===========================================================================
DETAILED INFORMATION
I. Description
===============
IP addresses are translated into hostnames and vice-versa via Domain
Name Service (DNS). The most widely used implementation of DNS is
Berkeley Internet Name Domain (BIND). On AIX, BIND/DNS runs as the
"named" process.
A vulnerability has been found where it is possible to poison the
DNS cache by returning invalid negative answers to requests. This
can cause records to appear not to exist, possibly causing a denial
of service condition for the owner of a given record.
Note that this only applies to version 8 of BIND which on AIX would
be the named8 daemon.
To determine if you are running BIND, as a root user enter:

    lssrc -s named

If the subsystem status is "active", BIND is running.
To determine your BIND version, as a root user enter:

    ls -l /usr/sbin/named

/usr/sbin/named is a soft link to the actual daemon. If it is linked
to named8, you are running version 8 and your system is vulnerable.
For more information please see
http://www.kb.cert.org/vuls/id/734644
II. Impact
===========
A remote attacker can cause arbitrary records to appear not to
exist in the DNS cache. This can cause a DoS condition for the
owner of a given record.
III. Solutions
===============
A. Official fix
IBM provides the following fixes:
APAR number for AIX 4.3.3: IY49899 (available 02/25/2004)
APAR number for AIX 5.1.0: IY49881 (available)
APAR number for AIX 5.2.0: IY49883 (available 12/24/2003)
NOTE: Fix will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3 at the latest maintenance level,
or to 5.1.0.
B. E-Fix
Efixes are available for AIX 4.3.3 and 5.1.0. The efixes can be downloaded
via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/dns_poison_efix.tar.Z
The efix is a compressed tarball containing the Advisory and two
emgr efix packages for 4.3.3 and 5.1.0.
Verify you have retrieved this efix intact:
-------------------------------------------
There are 2 fix-files in this package for the 4.3.3 and 5.2.0
releases. The checksums below were generated using the "sum" and
"md5" commands and are as follows:

Filename                  sum         md5
=================================================================
bndpsn433.112003.epkg.Z   33709 328   9a2a5afee17229baab50f5b8cfba833c
bndpsn520.112003.epkg.Z   39513 344   f3e9ba995e430fb0e7f4abbc899738bd

These sums should match exactly; if they do not, double check the
command results and the download site address. If those are OK,
contact IBM AIX Security at security-alert@austin.ibm.com and describe
the discrepancy.
IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.
These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.
Efix Installation Instructions:
-------------------------------
You need to have the following filesets installed:
For AIX 4.3.3:
bos.net.tcp.server.4.3.3.88
For AIX 5.2.0:
bos.net.tcp.server.5.2.0.15
These packages use the new emgr facility to install and manage
efixes. More information about the efix manager can be found at
http://techsupport.services.ibm.com/server/aix.efixmgmt
This web page includes documentation and APARs for installation.
Efix Installation Instructions:
-------------------------------
To preview an epkg efix installation use:

    emgr -e <package-name> -p

To install an epkg efix package use:

    emgr -e <package-name> -X

The "X" option will expand any filesystems, if required.
IV. Obtaining Fixes
===================
AIX Version 4.3.3 and Version 5 APARs can be downloaded from the eServer
pSeries FixCentral web site:
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp
V. Acknowledgements
====================
Thanks to ISC for finding this vulnerability, and to ISC and
CERT for coordinating the release.
This document was written by Kent Stuiber.
VI. Contact Information
========================
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
If you would like to receive AIX Security Advisories via email, please
visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs.
To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (AIX)
iD8DBQE/zLDzcnMXzUg7txIRAmp5AJ9HoJqh1E5sYRSJhbw1+ACHJ3k78gCfdaoQ
LMoMDyw3jGoOa6N1bCrLJqA=
=Zscj
-----END PGP SIGNATURE-----
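
The version check and checksum verification described in the advisory above, as an added POSIX shell example (not part of the IBM advisory or the SecurityTracker entry). The function names are hypothetical, `md5sum`/`openssl` are assumed stand-ins for the AIX "md5" command the advisory names, and the md5 values are copied from the advisory's table.

```shell
#!/bin/sh
# Added example, not IBM's code: the advisory's BIND 8 check and efix
# checksum verification as reusable functions (names are hypothetical).

# Lowercase hex MD5 of a file. md5sum/openssl are assumed stand-ins for
# the AIX "md5" command the advisory names.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 "$1" | awk '{print $NF}'
    else
        return 2
    fi
}

# Expected md5 per package name, copied from the advisory's table.
expected_md5() {
    case "$1" in
        bndpsn433.112003.epkg.Z) echo 9a2a5afee17229baab50f5b8cfba833c ;;
        bndpsn520.112003.epkg.Z) echo f3e9ba995e430fb0e7f4abbc899738bd ;;
        *) return 1 ;;
    esac
}

# verify_efix FILE: 0 match, 1 mismatch, 2 unknown name or unreadable file.
verify_efix() {
    [ -r "$1" ] || return 2
    want=$(expected_md5 "$(basename "$1")") || return 2
    got=$(md5_of "$1") || return 2
    [ "$got" = "$want" ]
}

# named_is_bind8 [PATH]: true if PATH (default /usr/sbin/named) is a soft
# link to named8, i.e. the advisory's "ls -l /usr/sbin/named" check.
named_is_bind8() {
    link=${1:-/usr/sbin/named}
    [ -L "$link" ] || return 1
    target=$(ls -l "$link" | sed 's/.* -> //')
    [ "$(basename "$target")" = named8 ]
}

# Usage: sh check_efix.sh bndpsn433.112003.epkg.Z
if [ $# -gt 0 ]; then
    named_is_bind8 && echo "named -> named8: BIND 8 in use"
    verify_efix "$1" || { echo "$1: md5 check failed, do not install" >&2; exit 1; }
    echo "$1: md5 matches advisory; preview with: emgr -e $1 -p"
fi
```

The "sum" and "md5" values detect a damaged download; they are only as trustworthy as the signed advisory they were read from.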