Subject: NetBSD Security Advisory 2007-007: BIND cryptographically weak query IDs
To: None <netbsd-announce@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: netbsd-announce
Date: 09/13/2007 22:56:46
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2007-007
=================================
Topic: BIND cryptographically weak query IDs
Version: NetBSD-current: source prior to July 24, 2007
NetBSD 4.0_BETA2: affected
NetBSD 3.1: affected
NetBSD 3.0.*: affected
NetBSD 3.0: affected
NetBSD 2.1: affected
NetBSD 2.0.*: affected
NetBSD 2.0: affected
Severity: Remote DNS cache poisoning
Fixed: NetBSD-current: July 24, 2007
NetBSD-4 branch: July 31, 2007
(4.0 will include the fix)
NetBSD-3-1 branch: August 14, 2007
(3.1.1 will include the fix)
NetBSD-3-0 branch: August 14, 2007
(3.0.3 will include the fix)
NetBSD-3 branch: August 14, 2007
NetBSD-2-1 branch: September 13, 2007
NetBSD-2-0 branch: September 13, 2007
NetBSD-2 branch: September 13, 2007
pkgsrc: bind-9.4.1pl1 corrects the issue
bind-8.4.7pl1 corrects the issue
Abstract
========
Due to the use of cryptographically weak query IDs an attacker can predict
query IDs and poison the cache by injecting their own responses.
This vulnerability has been assigned CVE references CVE-2007-2926 for BIND 9.x
and CVE-2007-2930 for BIND 8.x.
Technical Details
=================
- From www.isc.org:
BIND 9.x:
"The DNS query id generation is vulnerable to cryptographic analysis which
provides a 1 in 8 chance of guessing the next query id for 50% of the query
ids. This can be used to perform cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."
BIND 8.x:
"This bug only affects outgoing queries, generated by BIND 8 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."
Solutions and Workarounds
=========================
It is recommended that NetBSD users of vulnerable versions update
their binaries.
The following instructions describe how to upgrade your bind
binaries by updating your source tree and rebuilding and
installing a new version of bind.
* NetBSD-current:
Systems running NetBSD-current dated from before 2007-07-24
should be upgraded to NetBSD-current dated 2007-07-25 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
dist/bind
To update from CVS, re-build, and re-install bind:
# cd src
# cvs update -d -P dist/bind
# cd usr.sbin/bind
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 3.*:
Systems running NetBSD 3.* sources dated from before
2007-08-14 should be upgraded from NetBSD 3.* sources dated
2007-08-15 or later.
The following files need to be updated from the
netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
dist/bind/bin/named/client.c
dist/bind/lib/dns/dispatch.c
dist/bind/lib/dns/include/dns/dispatch.h
To update from CVS, re-build, and re-install bind:
# cd src
# cvs update -r <branch_name> dist/bind/bin/named/client.c
# cvs update -r <branch_name> dist/bind/lib/dns/dispatch.c
# cvs update -r <branch_name> \
dist/bind/lib/dns/include/dns/dispatch.h
# cd usr.sbin/bind
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 2.*:
Systems running NetBSD 2.* sources dated from before
2007-09-12 should be upgraded from NetBSD 3.* sources dated
2007-09-13 or later.
The following files need to be updated from the
netbsd-2, netbsd-2-0 or netbsd-2-1 branches:
dist/bind/bin/named/ns_forw.c
dist/bind/bin/named/ns_func.h
dist/bind/bin/named/ns_main.c
dist/bind/bin/named/ns_resp.c
To update from CVS, re-build, and re-install bind:
# cd src
# cvs update -r <branch_name> dist/bind/bin/named/ns_forw.c
# cvs update -r <branch_name> dist/bind/bin/named/ns_func.c
# cvs update -r <branch_name> dist/bind/bin/named/ns_main.c
# cvs update -r <branch_name> dist/bind/bin/named/ns_resp.c
# cd usr.sbin/bind
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Amit Klein for discovering and reporting this problem.
Revision History
================
2007-09-13 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-007.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2007, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2007-007.txt,v 1.1 2007/09/12 21:45:39 adrianp Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)
iQCVAwUBRumhsT5Ru2/4N2IFAQLQiwP/aLkPFQuSa56XdfbgYEdtWYmMAOMBvvYf
+U5hSdDK3K/02jQCkcUeHKVDOPEb3Ls21H/mMwk1AgVvI6+YW0ycPLGIMpXxgY15
Zn5WlqQtTtHkvdFHB9d0kGYVSuUxSRq0LCBEfcvk3aOQi57wuwO77O5yT+2yZJwl
ZREyrWwp7Dc=
=Oije
-----END PGP SIGNATURE-----