Overview
ISC BIND version 8 generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches.
Description
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). Version 8 of the BIND software uses a weak algorithm to generate DNS query identifiers. This condition allows an attacker to reliably guess the next query ID, thereby allowing for DNS cache poisoning attacks. ISC states that this bug only affects outgoing queries, generated by BIND 8 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFY messages to slave name servers. Note that although this vulnerability is similar in nature and impact to VU#252735, it is a distinct issue. |
Impact
A remote attacker with the ability to predict DNS query IDs and respond with arbitrary answers, could poison DNS caches. |
Solution
Upgrade or apply a patch |
Vendor Information
Internet Software Consortium Affected
Notified: August 21, 2007 Updated: August 27, 2007
Status
Affected
Vendor Statement
This issue is addressed in ISC BIND 8.4.7-P1, available as patch that
can be applied to BIND 8.4.7.
The more definitive solution is to upgrade to BIND 9. BIND 8 is being
declared "end of life" by ISC due to multiple architectural issues.
See ISC's website at http://www.isc.org for more information and
assistance.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Additional information about the problem and the End-of-life status for BIND version 8 can be found at the following location:
<http://www.isc.org/sw/bind/bind8-eol.php>
If you have feedback, comments, or additional information about this vulnerability, please send us email.
BlueCat Networks, Inc. Not Affected
Notified: August 27, 2007 Updated: August 28, 2007
Status
Not Affected
Vendor Statement
No product from BlueCat Networks Inc. is affected by vulnerability VU#927905. Every product that we have issued has contained a version of BIND based on v9. We have no software that runs v8.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Infoblox Not Affected
Notified: August 27, 2007 Updated: August 27, 2007
Status
Not Affected
Vendor Statement
We currently run BIND 9.3.4 and are not vulnerable to VU#927905.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mandriva, Inc. Not Affected
Notified: August 27, 2007 Updated: August 27, 2007
Status
Not Affected
Vendor Statement
Mandriva does not ship BIND8 in any supported products and is not vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation Not Affected
Notified: August 27, 2007 Updated: August 28, 2007
Status
Not Affected
Vendor Statement
Thank you for the heads up. While we do use the BIND protocol, we have our own implementation so these implementation-specific vulnerabilities should not affect us.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Computer, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Check Point Software Technologies Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cray Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Debian GNU/Linux Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
EMC Corporation Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
F5 Networks, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fedora Project Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fujitsu Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
GNU glibc Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Gentoo Linux Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Gnu ADNS Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hitachi Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM eServer Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Immunix Communications, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Juniper Networks, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Lucent Technologies Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Men & Mice Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Metasolv Software, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NEC Corporation Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NetBSD Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Nortel Networks, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OpenBSD Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Openwall GNU/*/Linux Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Red Hat, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SUSE Linux Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Shadowsupport Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Slackware Linux Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sony Corporation Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Trustix Secure Linux Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Turbolinux Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ubuntu Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Unisys Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: August 27, 2007 Updated: August 27, 2007
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to the Internet Systems Consortium (ISC) for reporting this vulnerability. ISC, in turn, credits Amit Klein from Trusteer for reporting this issue to them.
This document was written by Chad Dougherty.
Other Information
| CVE IDs: | CVE-2007-2930 |
| Severity Metric: | 2.14 |
| Date Public: | 2007-08-27 |
| Date First Published: | 2007-08-28 |
| Date Last Updated: | 2007-08-28 21:04 UTC |
| Document Revision: | 15 |