(IBM Issues Fix) BIND DNS Query Port Entropy Weakness Lets Remote Users Spoof the System
SecurityTracker Alert ID: 1020619
SecurityTracker URL: http://securitytracker.com/id/1020619
CVE Reference: CVE-2008-1447
Date: Aug 4 2008
Impact: Modification of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 9.x
Description:
A vulnerability was reported in BIND. A remote user can spoof the system.
The domain name system (DNS) service does not use sufficiently random UDP sockets to process queries. A remote user can send specially crafted DNS queries and responses to the target service to spoof responses and insert records into the DNS cache. This may cause traffic to be redirected to arbitrary IP addresses specified by the remote user.
The vendor indicates that the vulnerability exists in the DNS protocol itself, rather than in any particular vendor's implementation.
Systems using BIND as a caching resolver are affected.
Some demonstration exploit code is available at:
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
Dan Kaminsky of IOActive reported this vulnerability.
Impact:
A remote user can spoof the DNS service, causing traffic to be redirected to arbitrary hosts.
Solution:
IBM has issued the following APARs.
5.2.0: IZ26667, to be available on 8/27/2008
5.3.0: IZ26668, to be available on 8/20/2008
5.3.7: IZ26669, to be available on 8/20/2008
5.3.8: IZ26670, to be available on 8/20/2008
6.1.0: IZ26671, to be available on 8/20/2008
6.1.1: IZ26672, to be available on 8/20/2008
The IBM advisories are available at:
http://www.ibm.com/support/docview.wss?uid=isg1IZ26667
http://www.ibm.com/support/docview.wss?uid=isg1IZ26668
http://www.ibm.com/support/docview.wss?uid=isg1IZ26669
http://www.ibm.com/support/docview.wss?uid=isg1IZ26670
http://www.ibm.com/support/docview.wss?uid=isg1IZ26671
http://www.ibm.com/support/docview.wss?uid=isg1IZ26672
Vendor URL: www.isc.org/index.pl?/sw/bind/index.php
Cause: Randomization error
Underlying OS: UNIX (AIX)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Sun, 3 Aug 2008 22:15:40 -0400
Subject: IBM AIX
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Fri Aug 1 08:07:10 CDT 2008
===============================================================================
VULNERABILITY SUMMARY
VULNERABILITY: AIX named DNS Cache Poisoning Vulnerability
PLATFORMS: AIX 5.2, 5.3, 6.1
SOLUTION: Apply the fix or workaround as described below.
THREAT: A remote attacker may inject arbitrary DNS entries
into AIX DNS servers running BIND.
CERT VU Number: VU#800113
CVE Number: CVE-2008-1447
Reboot required? NO
Workarounds? NO
Protected by FPM? NO
Protected by SED? NO
===============================================================================
DETAILED INFORMATION
I. OVERVIEW
AIX 'named' is an implementation of BIND (Berkeley Internet Name Domain)
providing server functionality for the Domain Name System (DNS) Protocol.
AIX currently ships and supports three versions of BIND: 4, 8, and 9.
II. DESCRIPTION
DNS cache poisoning vulnerabilities exist in the AIX implementation of
BIND. A remote attacker may inject arbitrary hostnames and/or domain
entries into AIX DNS servers and poison their cache by spoofing
responses from authoritative name servers.
The following commands are vulnerable:
/usr/sbin/named4
/usr/sbin/named8
/usr/sbin/named9
III. IMPACT
The successful exploitation of this vulnerability allows a remote
attacker to inject and poison the DNS cache of a resolver allowing for
open-ended malicious activity such as phishing, man-in-the-middle
attacks, scams, XSS, or worse.
IV. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, execute the following
command:
lslpp -L bos.net.tcp.server
The following fileset levels are vulnerable:
AIX Fileset Lower Level Upper Level
---------------------------------------------------
bos.net.tcp.server 5.2.0.0 5.2.0.109
bos.net.tcp.server 5.3.0.50 5.3.0.53
bos.net.tcp.server 5.3.0.60 5.3.0.68
bos.net.tcp.server 5.3.7.0 5.3.7.4
bos.net.tcp.server 5.3.8.0 5.3.8.2
bos.net.tcp.server 6.1.0.0 6.1.0.4
bos.net.tcp.server 6.1.1.0 6.1.1.1
V. SOLUTIONS
A. APARS
IBM has assigned the following APARs to this problem:
AIX Level APAR number Availability
----------------------------------------------------
5.2.0 IZ26667 8/27/2008
5.3.0 IZ26668 8/20/2008
5.3.7 IZ26669 8/20/2008
5.3.8 IZ26670 8/20/2008
6.1.0 IZ26671 8/20/2008
6.1.1 IZ26672 8/20/2008
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IZ26667
http://www.ibm.com/support/docview.wss?uid=isg1IZ26668
http://www.ibm.com/support/docview.wss?uid=isg1IZ26669
http://www.ibm.com/support/docview.wss?uid=isg1IZ26670
http://www.ibm.com/support/docview.wss?uid=isg1IZ26671
http://www.ibm.com/support/docview.wss?uid=isg1IZ26672
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
B. FIXES
Fixes are now available for BIND versions 8 and 9. The fixes
can be downloaded from:
http://aix.software.ibm.com/aix/efixes/security/bind_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/bind_fix.tar
The links above are to a tar file containing this signed
advisory, fix packages, and PGP signatures for each package.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.
AIX Level Fix
----------------------------------------------------
5.2.0 TL10 IZ26667_10.080731.epkg.Z
5.3.0 TL5 IZ26668_05.080731.epkg.Z
5.3.0 TL6 IZ26668_06.080731.epkg.Z
5.3.7 IZ26669_07.080731.epkg.Z
5.3.8 IZ26670_08.080731.epkg.Z
6.1.0 IZ26671_00.080731.epkg.Z
6.1.1 IZ26672_01.080731.epkg.Z
To extract the fixes from the tar file:
tar xvf bind_fix.tar
cd bind_fix
Verify you have retrieved the fixes intact:
The checksums below were generated using the "sum", "cksum",
"csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
and are as follows:
sum filename
----------------------------------------------
19872 3642 IZ26667_10.080731.epkg.Z
55348 3566 IZ26668_05.080731.epkg.Z
58688 3566 IZ26668_06.080731.epkg.Z
28900 3566 IZ26669_07.080731.epkg.Z
40470 3566 IZ26670_08.080731.epkg.Z
38940 4006 IZ26671_00.080731.epkg.Z
03149 4012 IZ26672_01.080731.epkg.Z
cksum filename
---------------------------------------------------
1515334612 3729161 IZ26667_10.080731.epkg.Z
1522413125 3651121 IZ26668_05.080731.epkg.Z
2997188802 3651191 IZ26668_06.080731.epkg.Z
2390465287 3651247 IZ26669_07.080731.epkg.Z
2146979086 3651223 IZ26670_08.080731.epkg.Z
3489619629 4101449 IZ26671_00.080731.epkg.Z
1414163577 4107632 IZ26672_01.080731.epkg.Z
csum -h MD5 (md5sum) filename
--------------------------------------------------------------------
6ce27513483a322b07833d0938ebefb4 IZ26667_10.080731.epkg.Z
bfe83801fbca1a59f6272a9ebc783958 IZ26668_05.080731.epkg.Z
5f5902ba50364dd0462c49d02523035e IZ26668_06.080731.epkg.Z
1465e8233a7ac32c8e3cfa71b0c22bbb IZ26669_07.080731.epkg.Z
09a5ef9c185d309829e52798c2e4d077 IZ26670_08.080731.epkg.Z
27521f7bcd7a3632488b655d15aba126 IZ26671_00.080731.epkg.Z
a8b31d8dccdf3ca8942b0714278bfa22 IZ26672_01.080731.epkg.Z
csum -h SHA1 (sha1sum) filename
------------------------------------------------------------------
880ca1998f149a1f5a8a664af930c77fd2f98063 IZ26667_10.080731.epkg.Z
20058baa6f94d4e74163a8852c8de2c8718acf65 IZ26668_05.080731.epkg.Z
dae3f18e999d18650c1dda0b755a7614749c23a0 IZ26668_06.080731.epkg.Z
7e24656c522eb03a9edfdccf439dd2502586afe6 IZ26669_07.080731.epkg.Z
4677fb0b9925fdad1647c374bc8d60115d8ccb29 IZ26670_08.080731.epkg.Z
53cb3788468553d18c54bb9631c5bca3cbdec973 IZ26671_00.080731.epkg.Z
418d1ae29ccb96142c58b1ef750f7b181f0b0560 IZ26672_01.080731.epkg.Z
To verify the sums, use the text of this advisory as input to
csum, md5sum, or sha1sum. For example:
csum -h SHA1 -i Advisory.asc
md5sum -c Advisory.asc
sha1sum -c Advisory.asc
These sums should match exactly. The PGP signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security and describe the
discrepancy at the following address:
security-alert@austin.ibm.com
C. INTERIM FIX INSTALLATION
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; thus, IBM does not warrant the fully
correct functionality of an interim fix.
Interim fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an interim fix installation:
emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an interim fix package:
emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
VI. WORKAROUNDS
There are no workarounds available other than disabling the
server.
VII. OBTAINING FIXES
AIX security related fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
AIX fixes can be downloaded from:
http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix
NOTE: Affected customers are urged to upgrade to the latest
applicable Technology Level and Service Pack.
VIII. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
security-alert@austin.ibm.com
B. Download the key from a PGP Public Key Server. The key ID is:
0xADA6EB4D
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
IX. ACKNOWLEDGMENTS
Dan Kaminsky is credited for identifying this common flaw in DNS
implementations. I)ruid and hdm released code that was useful
in hardening the AIX implementation. Andy Hazlewood in AIX
Security developed the BINDv8 fix.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)
iD8DBQFIkxRfP9Qud62m600RAq7/AJ9rXXWrvsxl/Aa8edZ/02+G8SvqQgCfVmZ+
5At4zXeMeVqKscCuL1tf8kk=
=XWWA
-----END PGP SIGNATURE-----
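Section IV of the advisory gives the `lslpp -L bos.net.tcp.server` command and the inclusive fileset level ranges that are vulnerable. The script below is an added example, not part of IBM's advisory, that automates that comparison in POSIX sh; the sample `lslpp` output and the function names are constructed for illustration.

```shell
# Added example, not from the IBM advisory: check an installed
# bos.net.tcp.server level against the vulnerable ranges in section IV.
# Inclusive vulnerable ranges, copied from the advisory's table.
VULN_RANGES="5.2.0.0 5.2.0.109
5.3.0.50 5.3.0.53
5.3.0.60 5.3.0.68
5.3.7.0 5.3.7.4
5.3.8.0 5.3.8.2
6.1.0.0 6.1.0.4
6.1.1.0 6.1.1.1"
# Exit 0 if dotted level a.b.c.d lies inside any listed range. Fields are
# compared numerically, so 5.3.0.109 sorts above 5.3.0.53 as it should.
bind_fileset_vulnerable() {
    printf '%s\n' "$1" | awk -v ranges="$VULN_RANGES" '
        function key(v,  p) {
            split(v, p, ".")
            return p[1] * 1e9 + p[2] * 1e6 + p[3] * 1e3 + p[4]
        }
        {
            n = split(ranges, lines, "\n"); k = key($1); vul = 0
            for (i = 1; i <= n; i++) {
                split(lines[i], r, " ")
                if (k >= key(r[1]) && k <= key(r[2])) vul = 1
            }
            exit !vul
        }'
}

# Pull the bos.net.tcp.server level out of "lslpp -L" output.
installed_level() {
    printf '%s\n' "$1" | awk '$1 == "bos.net.tcp.server" { print $2; exit }'
}

# Status 0 = vulnerable, 1 = outside every listed range, 2 = fileset absent.
assess_lslpp_output() {
    lvl=$(installed_level "$1")
    [ -n "$lvl" ] || { echo "bos.net.tcp.server not installed"; return 2; }
    if bind_fileset_vulnerable "$lvl"; then
        echo "bos.net.tcp.server $lvl: VULNERABLE, apply the APAR for this level"
        return 0
    fi
    echo "bos.net.tcp.server $lvl: not in a listed vulnerable range"
    return 1
}

# Constructed sample shaped like "lslpp -L bos.net.tcp.server" output;
# on a real AIX host pass "$(lslpp -L bos.net.tcp.server)" instead.
SAMPLE_LSLPP='  Fileset               Level  State  Type  Description
  bos.net.tcp.server  5.3.0.65    C     F    TCP/IP Server'
assess_lslpp_output "$SAMPLE_LSLPP"
```

A level such as 5.3.0.70, just past the 5.3.0.60 to 5.3.0.68 range, is reported as not listed, so the script only flags levels IBM named and does not substitute for applying the APAR.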