adns Not Affected

Notified:  October 29, 2002 Updated: November 15, 2002

Status

Not Affected

Vendor Statement

adns is not vulnerable. It is a stub resolver library, not a full-service resolver, and does not forward queries. If the communication between adns and nameserver can be faked up by the attacker, there can be situations where a similar attack might be made to work. These kind of problems are why the adns documentation tells you that you need to make sure that only packets really from your nameserver can arrive at adns with the nameserver's source address and port.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer Inc. Affected

Notified:  October 29, 2002 Updated: December 03, 2002

Status

Affected

Vendor Statement

Affected Systems: Mac OS X and Mac OS X Server. This is fixed in Security Update 2002-11-21.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- Security Update 2002-11-21 is now available. It contains BIND version 8.3.4 to address multiple potential vulnerabilities. CVE IDs: CAN-2002-1219, CAN-2002-1220, CAN-2002-1221, CAN-2002-0029 Description: Several of these vulnerabilities may allow remote attackers to execute arbitrary code with elevated privileges. The other vulnerabilities could allow remote attackers to disrupt the normal operation of DNS name service running on servers. Further information is available at: http://www.cert.org/advisories/CA-2002-31.html http://www.kb.cert.org/vuls/id/457875 Affected systems: Systems that have enabled BIND and are using BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3. Mitigating Factors: BIND is not enabled by default on Mac OS X or Mac OS X Server System requirements: Mac OS X 10.2.2 If BIND is enabled on Mac OS X systems prior to 10.2.2, the recommendation is to either upgrade to Mac OS X 10.2 Jaguar then apply this Security Update, or to update BIND to version 8.3.4 from the ISC site at: http://www.isc.org/products/BIND/bind8.html Security Update 2002-11-21 may be obtained from: * Software Update pane in System Preferences (for 10.2.2 or later) * Apple's Software Downloads web site: http://www.info.apple.com/kbnum/n120169 To help verify the integrity of Security Update 2002-11-21 from the Software Downloads web site, the download file is titled: SecurityUpd2002-11-21.dmg Its SHA-1 digest is: 9137fc5c1b8922475939ec93ab638494ff6e69be Information will also be posted to the Apple Support website: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/security_pgp.html -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.3 iQEVAwUBPd62ayFlYNdE6F9oAQH3DQf+PJNRB5NlLZim8i7hr0ef/obrjGrQ/PNL mpQ0bdgB7huFpUYw52YJcjIIFeI6XSgyP/QEEFfApy98y5CuEDXnC+raMniokD6D L4A25nhRByyxOC5lziKjQKLDWIEktQGXSHYr9cq7oIuo66gAxdQbZrT/brubu9sI p/4g7sO1CuD5P/31RZUdHizG5lbN8dRGNgeh59FYQhpdYMbflrSolFL0FyxVc6aQ UwYbdnlt+wPiDqqWGL+YKv7GXV/XBk29mty6sLHqExx2bL8CH8ttUpZcFa8H+8VM yBXHJ0pnsCPrX+Q32o93ibm3HASXG+JcOrIC1kzvqlldSUvni1w6Kw== =/AHs -----END PGP SIGNATURE-----

BlueCat Networks Unknown

Notified:  October 29, 2002 Updated: November 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BSDi Unknown

Notified:  October 29, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point Not Affected

Notified:  October 29, 2002 Updated: November 04, 2002

Status

Not Affected

Vendor Statement

Check Point products are Not Vulnerable (we don't employ any caching DNS code).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Unknown

Notified:  October 29, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified:  October 29, 2002 Updated: July 24, 2003

Status

Affected

Vendor Statement

Debian can't say anything about the vulnerability itself, except that since ISC refers to using tools from bind9, our bind8 packages are probably vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Engarde Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Affected

Notified:  October 29, 2002 Updated: December 03, 2002

Status

Affected

Vendor Statement

Fujitsu's UXP/V o.s. is vulnerable. The relevant fix (PUF) will be announced at a later date.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU glibc Not Affected

Notified:  October 29, 2002 Updated: November 18, 2002

Status

Not Affected

Vendor Statement

The GNU C library does not contain a name server; it has only a stub resolver.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Unknown

Notified:  October 29, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Unknown

Notified:  October 29, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

InfoBlox Affected

Notified:  October 29, 2002 Updated: October 18, 2004

Status

Affected

Vendor Statement

The Infoblox DNS One product is vulnerable when deployed in hostile territory with recursion enabled, for example, as a public Internet name server. See http://www.infoblox.com/solutions/whitepapers_external.cfm for details on how to configure the DNS One appliance to avoid this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

ISC Affected

Updated:  November 18, 2002

Status

Affected

Vendor Statement

The correct fix is "deploy dnssec".

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Men&Mice Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MetaSolv Software Inc. Affected

Notified:  October 29, 2002 Updated: November 18, 2002

Status

Affected

Vendor Statement

MetaSolv Response REF:Vulnerability Note #457875 The BIND code embedded in the DNS Server (Based on ISC BIND 8.2.3) on both MetaSolv Policy Services 4.1 and 4.2 (base) are open to Vulnerability Note #457875. This also applies to the BIND 8.2.6 Base in Policy services 4.2 Service Pack 1 efix 1. This issue is being tracked by MetaSolv under Case #28233. The customer base will be advised as to the potential vulnerability, and when ISC publishes sanctioned libraries these will be applied and published as an efix on Policy Services 4.2 Service Pack 1. MetaSolv Policy Services 5.0 is based on BIND 9.2.2 rc-1 and does not demonstrate the same predilection to the vulnerability as outlined in the note.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Affected

Notified:  October 29, 2002 Updated: November 19, 2002

Status

Affected

Vendor Statement

The Microsoft DNS Server implementation closely follows the DNS standard. DNS is an insecure protocol and until such time as the protocol describes a method for securing queries, a determined attacker could poison the cache of a DNS Server. A number of precautions in the Microsoft DNS server make this style of attack more difficult, but not impossible. Microsoft is considering additional improvements to its DNS implementation in future versions of the Microsoft DNS sever to reduce the effectiveness of attacks like this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified:  October 29, 2002 Updated: November 21, 2002

Status

Affected

Vendor Statement

NetBSD is shipped with ISC BIND nameserver (BIND8). See ISC's statement for more details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance Not Affected

Updated:  November 19, 2002

Status

Not Affected

Vendor Statement

NetApp products are not vulnerable to this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nixu Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Notified:  October 29, 2002 Updated: November 18, 2002

Status

Unknown

Vendor Statement

OpenBSD uses non-repeating psuedo-random transaction IDs in all aspects of DNS. I am not sure about the other parts yet. But this is in a highly hacked BIND4.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Affected

Notified:  October 29, 2002 Updated: December 04, 2002

Status

Affected

Vendor Statement

One of the features added with BIND 4.9.x-OW patches has always been the addition of unpredictable query IDs, thus making BIND 4 with these patches applied more resistant against the described attacks. The randomization of source port numbers is, however, currently left up to the operating system kernel (and thus doesn't occur on most systems). Future versions of the patches might add this functionality. Similarly, the glibc resolver code on Openwall GNU/*/Linux (Owl) has been modified to use unpredictable query IDs (including in the very first version of Owl available to the public), but doesn't explicitly randomize source port numbers.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Unknown

Notified:  October 29, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified:  October 29, 2002 Updated: December 05, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- SGI Security Advisory Title : BIND Name Server DNS Spoofing Vulnerability Number : 20021203-01-A Date : December 5, 2002 Reference: CERT Vulnerability Note VU#457875 Reference: SGI BUG 874059 - --- Issue Specifics --- SGI acknowledges the BIND name server vulnerability reported by Vagner Sacramento in CERT VU# 457875 (http://www.kb.cert.org/vuls/id/457875 and http://www.rnp.br/cais/alertas/2002/cais-ALR-19112002a.html) and is currently investigating. No further information is available at this time. For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported Linux and IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list. - --- Acknowledgments ---- SGI wishes to thank Vagner Sacramento, CERT, and the users of the Internet Community at large for their assistance in this matter. - --- Links ---- SGI Security Advisories can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/advisories/ SGI Security Patches can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/patches/ SGI patches for IRIX can be found at the following patch servers: http://support.sgi.com/irix/ and ftp://patches.sgi.com/ SGI freeware updates for IRIX can be found at: http://freeware.sgi.com/ SGI fixes for SGI open sourced code can be found on: http://oss.sgi.com/projects/ SGI patches and RPMs for Linux can be found at: http://support.sgi.com/linux/ or http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/ SGI patches for Windows NT or 2000 can be found at: http://support.sgi.com/nt/ IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/ IRIX 6.5 Maintenance Release Streams can be found at: http://support.sgi.com/colls/patches/tools/relstream/index.html IRIX 6.5 Software Update CDs can be obtained from: http://support.sgi.com/irix/swupdates/ The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/ For security and patch management reasons, ftp.sgi.com (mirrors patches.sgi.com security FTP repository) lags behind and does not do a real-time update. - --- SGI Security Information/Contacts --- If there are questions about this document, email can be sent to security-info@sgi.com. ------oOo------ SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/ The SGI Security Headquarters Web page is accessible at the URL: http://www.sgi.com/support/security/ For issues with the patches on the FTP sites, email can be sent to security-info@sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. ------oOo------ SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/support/security/wiretap.html) or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com subscribe wiretap end ^d In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. ------oOo------ SGI provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/support/security/ . ------oOo------ If there are general security questions on SGI systems, email can be sent to security-info@sgi.com. For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBPe+EALQ4cFApAP75AQEaSQP+OG8GYq1CVDuI+n5Nshn1YOMyiZyLmtId QX9hg1H/kooI5jq0MQdx75iU/9yqRhrtRStrAbjh1IU/Phc5gkXKB9SWBOVHBP1k IaURN2ok6SPCr6yu+/O/bWBlD9c0GHcws70aMrp3NdggaMEOS4Zs4dnJblvTmN7m +DtKIuifJJQ= =AKR/ -----END PGP SIGNATURE-----

ShadowSupport Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc. Unknown

Notified:  October 29, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Linux) Unknown

Notified:  October 29, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO UnixWare) Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Threshold Networks Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wirex Unknown

Notified:  October 29, 2002 Updated: October 29, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Xerox Corporation Not Affected

Updated:  May 30, 2003

Status

Not Affected

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

View all 44 vendors View less vendors