search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ISC BIND does not correctly set default access controls

Vulnerability Note VU#187297

Original Release Date: 2007-07-27 | Last Revised: 2008-06-04

Overview

ISC (Internet Systems Consortiuim) BIND fails to properly set default access control lists. This may allow unauthorized users to make recursive querries and querry the cache.

Description

From the ISC BIND security page:

The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents.

Note that the BIND advisory lists BIND 9.4.0, 9.4.1, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, and 9.5.0a5 as the versions affected.

Impact

A remote, unauthenticated attacker may be able to cause a vulnerable DNS server perform recursion. This could be used to perform denial-of-service attacks. An attacker may also be able to querry the cache.

Solution

Upgrade or Patch
This issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6. Users who obtain BIND from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.


Workarounds for administrators of non-publicly accessisble recursive DNS servers

    • Using firewall rules, limit access to the DNS server to authorized networks.
Workarounds for administrators of publicly accessisble recursive DNS servers
    • Rate limiting the number of external recursion requests may mitigate potential abuse of the DNS server.

Vendor Information

187297
 
Affected   Unknown   Unaffected

Debian GNU/Linux

Notified:  July 27, 2007 Updated:  July 30, 2007

Status

  Vulnerable

Vendor Statement

The Debian project has fixed this vulnerability in its stable distribution Debian GNU/Linux 4.0 in version 9.3.4-2etch1 of bind9 and in its old stable distribution Debian GNU/Linux 3.1 in version 9.2.4-1sarge3 of bind9 via Debian Security Advisory 1341 as in

<http://www.debian.org/security/2007/dsa-1341>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Internet Software Consortium

Updated:  July 27, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://www.isc.org/sw/bind/bind-security.php for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Notified:  July 27, 2007 Updated:  July 30, 2007

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Notified:  July 27, 2007 Updated:  July 30, 2007

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  July 27, 2007 Updated:  August 08, 2007

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc.

Notified:  July 27, 2007 Updated:  July 28, 2007

Status

  Not Vulnerable

Vendor Statement

These issues did not affect the versions of Bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  July 27, 2007 Updated:  August 02, 2007

Status

  Not Vulnerable

Vendor Statement

SUSE is not affected by VU#187297 (CVE-2007-2925). We are not shipping bind 9.4 or later at this time.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  July 27, 2007 Updated:  August 03, 2007

Status

  Not Vulnerable

Vendor Statement

Sun is not impacted by CERT VU#187297 since we don't ship any versions of BIND which are impacted.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  July 27, 2007 Updated:  July 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to ISC for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-2925
Severity Metric: 16.98
Date Public: 2007-07-24
Date First Published: 2007-07-27
Date Last Updated: 2008-06-04 21:39 UTC
Document Revision: 25

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.