search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BIND version 8 generates cryptographically weak DNS query identifiers

Vulnerability Note VU#927905

Original Release Date: 2007-08-28 | Last Revised: 2007-08-28

Overview

ISC BIND version 8 generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches.

Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). Version 8 of the BIND software uses a weak algorithm to generate DNS query identifiers. This condition allows an attacker to reliably guess the next query ID, thereby allowing for DNS cache poisoning attacks.

ISC states that this bug only affects outgoing queries, generated by BIND 8 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFY messages to slave name servers. Note that although this vulnerability is similar in nature and impact to VU#252735, it is a distinct issue.

Impact

A remote attacker with the ability to predict DNS query IDs and respond with arbitrary answers, could poison DNS caches.

Solution

Upgrade or apply a patch

Users should obtain a patch from their operating system vendor when available. Please see the Systems Affected section of this document for more information about specific vendors.

Users who compile their own versions of BIND 8 from the original ISC source code are encouraged to take the following actions described by ISC:

This issue is addressed in ISC BIND 8.4.7-P1, available as patch that  
can be applied to BIND 8.4.7.
The more definitive solution is to upgrade to BIND 9. BIND 8 is being  
declared "end of life" by ISC due to multiple architectural issues.  
See ISC's website at http://www.isc.org for more information and  
assistance.

Vendor Information

927905
 
Affected   Unknown   Unaffected

Internet Software Consortium

Notified:  August 21, 2007 Updated:  August 27, 2007

Status

  Vulnerable

Vendor Statement

This issue is addressed in ISC BIND 8.4.7-P1, available as patch that  
can be applied to BIND 8.4.7.
The more definitive solution is to upgrade to BIND 9. BIND 8 is being  
declared "end of life" by ISC due to multiple architectural issues.  
See ISC's website at http://www.isc.org for more information and  
assistance.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Additional information about the problem and the End-of-life status for BIND version 8 can be found at the following location:

BlueCat Networks, Inc.

Notified:  August 27, 2007 Updated:  August 28, 2007

Status

  Not Vulnerable

Vendor Statement

No product from BlueCat Networks Inc. is affected by vulnerability VU#927905.  Every product that we have issued has contained a version of BIND based on v9.  We have no software that runs v8.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Infoblox

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Not Vulnerable

Vendor Statement

We currently run BIND 9.3.4 and are not vulnerable to VU#927905.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Not Vulnerable

Vendor Statement

Mandriva does not ship BIND8 in any supported products and is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation

Notified:  August 27, 2007 Updated:  August 28, 2007

Status

  Not Vulnerable

Vendor Statement

Thank you for the heads up.  While we do use the BIND protocol, we have our own implementation so these implementation-specific vulnerabilities should not affect us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Check Point Software Technologies

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC Corporation

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

GNU glibc

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gnu ADNS

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lucent Technologies

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Men & Mice

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Metasolv Software, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nortel Networks, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Shadowsupport

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  August 27, 2007 Updated:  August 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to the Internet Systems Consortium (ISC) for reporting this vulnerability. ISC, in turn, credits Amit Klein from Trusteer for reporting this issue to them.

This document was written by Chad Dougherty.

Other Information

CVE IDs: CVE-2007-2930
Severity Metric: 2.14
Date Public: 2007-08-27
Date First Published: 2007-08-28
Date Last Updated: 2007-08-28 21:04 UTC
Document Revision: 14

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.