Vulnerability Note VU#734644

ISC BIND 8 vulnerable to cache poisoning via negative responses

Overview

The BIND 8 name server contains a cache poisoning vulnerability that allows attackers to conduct denial-of-service attacks on specific target domains.

I. Description

Several versions of the BIND 8 name server are vulnerable to cache poisoning via negative responses. To exploit this vulnerability, an attacker must configure a name server to return authoritative negative responses for a given target domain. Then, the attacker must convince a victim user to query the attacker's maliciously configured name server. When the attacker's name server receives the query, it will reply with an authoritative negative response containing a large TTL (time-to-live) value. If the victim's site runs a vulnerable version of BIND 8, it will cache the negative response and render the target domain unreachable until the TTL expires.

II. Impact

Attackers may conduct denial-of-service attacks on specific target domains by enticing users to query a malicious name server.

III. Solution

Upgrade BIND

The ISC has prepared BIND 8.3.7 and BIND 8.4.3 to address this vulnerability. Name servers running BIND 4 are not affected. To obtain the latest versions of BIND, please visit

http://www.isc.org/products/BIND/

Apply a patch or updated version from your vendor

Many operating system vendors include BIND with their products and will be preparing new versions to address this vulnerability. For a list of vendors that the CERT/CC has received information from regarding this vulnerability, please see the Systems Affected section of this document.

Systems Affected

Vendor	Status	Date Notified
adns	Not Vulnerable	20-Nov-2003
Apple Computer Inc.	Vulnerable	11-Dec-2003
BlueCat Networks	Unknown	21-Oct-2003
BSDI	Unknown	21-Oct-2003
Check Point	Not Vulnerable	27-Oct-2003
Conectiva	Unknown	21-Oct-2003
Cray Inc.	Not Vulnerable	17-Nov-2003
Debian	Unknown	21-Oct-2003
EMC Corporation	Unknown	17-Nov-2003
FreeBSD	Vulnerable	1-Dec-2003
Fujitsu	Unknown	17-Nov-2003
Guardian Digital Inc.	Vulnerable	2-Dec-2003
Hewlett-Packard Company	Vulnerable	3-Dec-2003
Hitachi	Not Vulnerable	25-Nov-2003
IBM	Vulnerable	3-Dec-2003
IBM eServer	Unknown	17-Nov-2003
Immunix	Vulnerable	1-Dec-2003
Ingrian Networks	Unknown	17-Nov-2003
Internet Software Consortium	Vulnerable	1-Dec-2003
Juniper Networks	Not Vulnerable	3-Dec-2003
Lucent Technologies	Unknown	17-Nov-2003
MandrakeSoft	Not Vulnerable	17-Nov-2003
Men&Mice	Unknown	17-Nov-2003
MetaSolv Software Inc.	Unknown	21-Oct-2003
MontaVista Software	Unknown	21-Oct-2003
NEC Corporation	Unknown	21-Oct-2003
NetBSD	Vulnerable	17-Nov-2003
Nixu	Vulnerable	20-Nov-2003
Nokia	Unknown	21-Oct-2003
Nominum	Not Vulnerable	17-Nov-2003
Nortel Networks	Unknown	17-Nov-2003
Novell	Unknown	17-Nov-2003
Openwall GNU/*/Linux	Unknown	21-Oct-2003
Red Hat Inc.	Not Vulnerable	17-Nov-2003
Sequent	Unknown	21-Oct-2003
SGI	Not Vulnerable	17-Nov-2003
Sony Corporation	Unknown	17-Nov-2003
Sun Microsystems Inc.	Vulnerable	1-Dec-2003
SuSE Inc.	Vulnerable	1-Dec-2003
The SCO Group (SCO Linux)	Unknown	21-Oct-2003
The SCO Group (SCO UnixWare)	Vulnerable	3-Dec-2003
Trustix Secure Linux	Vulnerable	1-Dec-2003
Unisys	Unknown	21-Oct-2003
Wind River Systems Inc.	Unknown	17-Nov-2003
Wirex	Unknown	17-Nov-2003

References

http://www.isc.org/products/BIND/bind8.html
http://marc.theaimsgroup.com/?l=bind-announce&m=106988846219834&w=2
http://marc.theaimsgroup.com/?l=bind-announce&m=106988846919846&w=2
http://secunia.com/advisories/10300/

Credit

The CERT/CC thanks the Internet Software Consortium for bringing this vulnerability to our attention.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public:	2003-11-26
Date First Published:	2003-12-01
Date Last Updated:	2004-01-04
CERT Advisory:
CVE-ID(s):	CAN-2003-0914
NVD-ID(s):	CAN-2003-0914
US-CERT Technical Alerts:
Metric:	1.50
Document Revision:	40

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader