Openwall GNU/*/Linux Information for VU#955777

Multiple vulnerabilities in DNS implementations



Vendor Statement

Openwall GNU/*/Linux (Owl) 2.0 contains BIND 9 and a DNS resolver as a part of the GNU C Library (glibc), both with our modifications. Owl 1.1 and earlier releases did not include BIND.

Although there's limited information on these vulnerabilities available, we believe that the BIND 9 package in Owl is affected to the same (very limited) extent that is documented in the statement from the ISC found in the PDF version of the NISCC Vulnerability Advisory 144154/NISCC/DNS and that the DNS resolver in glibc is not affected at all.

Assuming that the ISC's description of the issue is correct, we agree with the ISC's assessment of this issue as minor enough to not require updates for current and past releases. Instead, a fix is expected to be included in a future release of BIND - and we are going to similarly include that in a future release of Owl.

The ISC's description of the issue implies that for the attack to work the DNS server must be configured to use TSIG-based authentication of transactions and the attacker must in fact authenticate successfully. Thus, it appears that the attack may only be carried out via a related previously compromised DNS server and only if both servers are configured to use TSIG-based authentication. The impact of a successful attack is limited to denial of the DNS service.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.