CVE-2008-1447 - Insufficient Entropy vulnerability in ISC Bind 4/8/9.2.9

047910
CVSS 6.8 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Privileges required: NONE
  • Confidentiality impact: NONE
  • Integrity impact: HIGH
  • Availability impact: NONE

Tags: network, high complexity, isc, CWE-331, nessus, exploit available, metasploit

Summary

The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Exploit-Db

  • description: BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (meta). CVE-2008-1447, CVE-2008-4194. Remote exploit for multiple platforms
    file: exploits/multiple/remote/6122.rb
    id: EDB-ID:6122
    last seen: 2016-02-01
    modified: 2008-07-23
    platform: multiple
    port:
    published: 2008-07-23
    reporter: I)ruid
    source: https://www.exploit-db.com/download/6122/
    title: BIND 9.4.1-9.4.2 - Remote DNS Cache Poisoning Flaw Exploit meta
    type: remote
  • description: BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py). CVE-2008-1447, CVE-2008-4194. Remote exploit for multiple platforms
    file: exploits/multiple/remote/6123.py
    id: EDB-ID:6123
    last seen: 2016-02-01
    modified: 2008-07-24
    platform: multiple
    port:
    published: 2008-07-24
    reporter: Julien Desfossez
    source: https://www.exploit-db.com/download/6123/
    title: BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit py
    type: remote
  • description: BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (c). CVE-2008-1447, CVE-2008-4194. Remote exploit for multiple platforms
    file: exploits/multiple/remote/6130.c
    id: EDB-ID:6130
    last seen: 2016-01-31
    modified: 2008-07-25
    platform: multiple
    port:
    published: 2008-07-25
    reporter: Marc Bevand
    source: https://www.exploit-db.com/download/6130/
    title: BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit c
    type: remote

Metasploit

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200812-17.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200812-17 (Ruby: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in the Ruby interpreter and its standard libraries. Drew Yao of Apple Product Security discovered the following flaws: Arbitrary code execution or Denial of Service (memory corruption) in the rb_str_buf_append() function (CVE-2008-2662). Arbitrary code execution or Denial of Service (memory corruption) in the rb_ary_stor() function (CVE-2008-2663). Memory corruption via alloca in the rb_str_format() function (CVE-2008-2664). Memory corruption (
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35188
    published: 2008-12-17
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35188
    title: GLSA-200812-17 : Ruby: Multiple vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-1069.NASL
    description: Update to newer upstream version - 2.45. The version of dnsmasq previously shipped in Fedora 9 did not properly drop privileges, causing it to run as root instead of the intended user nobody. The issue was caused by a bug in kernel-headers used in the build environment of the original packages. (#454415) The new upstream version also adds DNS query source port randomization, mitigating DNS spoofing attacks. (CVE-2008-1447) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35693
    published: 2009-02-17
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35693
    title: Fedora 9 : dnsmasq-2.45-1.fc9 (2009-1069)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-6256.NASL
    description: 9.5.0-P1 release which contains the fix for CVE-2008-1447. This update also fixes a typo in the bind-sdb summary and fixes parsing of inner ACLs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33468
    published: 2008-07-10
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33468
    title: Fedora 9 : bind-9.5.0-33.P1.fc9 (2008-6256)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1619.NASL
    description: Multiple weaknesses have been identified in PyDNS, a DNS client implementation for the Python language. Dan Kaminsky identified a practical vector of DNS response spoofing and cache poisoning, exploiting the limited entropy in a DNS transaction ID and lack of UDP source port randomization in many DNS implementations. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery. The Common Vulnerabilities and Exposures project identifies this class of weakness as CVE-2008-1447 and this specific instance in PyDNS as CVE-2008-4099.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33739
    published: 2008-07-28
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33739
    title: Debian DSA-1619-1 : python-dns - DNS response spoofing
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2008-139.NASL
    description: A weakness was found in the DNS protocol by Dan Kaminsky. A remote attacker could exploit this weakness to spoof DNS entries and poison DNS caches. This could be used to misdirect users and services, e.g. web and email traffic (CVE-2008-1447). This update provides the latest stable BIND releases for all platforms except Corporate Server/Desktop 3.0 and MNF2, which have been patched to correct the issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36526
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36526
    title: Mandriva Linux Security Advisory : bind (MDVSA-2008:139)
  • NASL family: DNS
    NASL id: DNS_NON_RANDOM_SOURCE_PORTS.NASL
    description: The remote DNS resolver does not use random ports when making queries to third-party DNS servers. An unauthenticated, remote attacker can exploit this to poison the remote DNS server, allowing the attacker to divert legitimate traffic to arbitrary sites.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33447
    published: 2008-07-09
    reporter: This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33447
    title: Multiple Vendor DNS Query ID Field Prediction Cache Poisoning
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-8738.NASL
    description: Update to new upstream release fixing multiple security issues detailed in the upstream advisories: http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/ - CVE-2008-3655 - multiple insufficient safe mode restrictions - CVE-2008-3656 - WEBrick DoS vulnerability (CPU consumption) - CVE-2008-3657 - missing
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34380
    published: 2008-10-10
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/34380
    title: Fedora 9 : ruby-1.8.6.287-2.fc9 (2008-8738)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_DNSMASQ-5512.NASL
    description: This update of dnsmasq uses random UDP source ports and a random TRXID now. (CVE-2008-1447)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33895
    published: 2008-08-15
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33895
    title: openSUSE 10 Security Update : dnsmasq (dnsmasq-5512)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2008-005.NASL
    description: The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-005 applied. This update contains security fixes for a number of programs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33790
    published: 2008-08-01
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33790
    title: Mac OS X Multiple Vulnerabilities (Security Update 2008-005)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_36973.NASL
    description: s700_800 11.23 Bind 9.2.0 components : A potential vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to cause DNS cache poisoning.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26139
    published: 2007-09-25
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/26139
    title: HP-UX PHNE_36973 : HP-UX Running BIND, Remote DNS Cache Poisoning (HPSBUX02251 SSRT071449 rev.3)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2008-334-01.NASL
    description: New ruby packages are available for Slackware 11.0, 12.0, and 12.1 to fix bugs and a security issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34972
    published: 2008-12-01
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34972
    title: Slackware 11.0 / 12.0 / 12.1 : ruby (SSA:2008-334-01)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_BIND-080708.NASL
    description: The transaction id and the UDP source port used for DNS queries by the bind nameserver were predictable. Attackers could potentially exploit that weakness to manipulate the DNS cache (
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39920
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39920
    title: openSUSE Security Update : bind (bind-82)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200807-08.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200807-08 (BIND: Cache poisoning) Dan Kaminsky of IOActive has reported a weakness in the DNS protocol related to insufficient randomness of DNS transaction IDs and query source ports. Impact : An attacker could exploit this weakness to poison the cache of a recursive resolver and thus spoof DNS traffic, which could e.g. lead to the redirection of web or mail traffic to malicious sites. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33494
    published: 2008-07-15
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33494
    title: GLSA-200807-08 : BIND: Cache poisoning
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1623.NASL
    description: Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33772
    published: 2008-08-01
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33772
    title: Debian DSA-1623-1 : dnsmasq - DNS cache poisoning
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-622-1.NASL
    description: Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Bind. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33464
    published: 2008-07-10
    reporter: Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33464
    title: Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : bind9 vulnerability (USN-622-1)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2009-0022.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : CVE-2009-2957 Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request. CVE-2009-2958 The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option. - problems with strings when enabling tftp (CVE-2009-2957, CVE-2009-2957) - Resolves: rhbg#519021 - update to new upstream version - fixes for CVE-2008-1447/CERT VU#800113 - Resolves: rhbz#454869
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79464
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79464
    title: OracleVM 2.1 : dnsmasq (OVMSA-2009-0022)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-6281.NASL
    description: 9.5.0-P1 release which contains the fix for CVE-2008-1447. This update also fixes parsing of inner ACLs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33470
    published: 2008-07-10
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33470
    title: Fedora 8 : bind-9.5.0-28.P1.fc8 (2008-6281)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-0789.NASL
    description: An updated dnsmasq package that implements UDP source-port randomization is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Dnsmasq is a lightweight DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. The dnsmasq DNS resolver used a fixed source UDP port. This could have made DNS spoofing attacks easier. dnsmasq has been updated to use random UDP source ports, helping to make DNS spoofing attacks harder. (CVE-2008-1447) All dnsmasq users are advised to upgrade to this updated package, which upgrades dnsmasq to version 2.45 and resolves this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33865
    published: 2008-08-12
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33865
    title: RHEL 5 : dnsmasq (RHSA-2008:0789)
  • NASL family: CISCO
    NASL id: CISCO-SA-20080708-DNSHTTP.NASL
    description: Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches. To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected. Cisco has released free software updates that address these vulnerabilities.
    last seen: 2020-03-17
    modified: 2010-09-01
    plugin id: 49017
    published: 2010-09-01
    reporter: This script is (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/49017
    title: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS8_X86_109327.NASL
    description: SunOS 5.8_x86: libresolv.so.2, in.named an. Date this patch was last updated by Sun : Mar/09/09
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13429
    published: 2004-07-12
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13429
    title: Solaris 8 (x86) : 109327-24
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS9_X86_114265.NASL
    description: SunOS 5.9_x86: in.dhcpd libresolv and BIND. Date this patch was last updated by Sun : Jul/21/11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27094
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27094
    title: Solaris 9 (x86) : 114265-23
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-651-1.NASL
    description: Akira Tagoh discovered a vulnerability in Ruby which led to an integer overflow. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2376) Laurent Gaffie discovered that Ruby did not properly check for memory allocation failures. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service. (CVE-2008-3443) Keita Yamaguchi discovered several safe level vulnerabilities in Ruby. An attacker could use this to bypass intended access restrictions. (CVE-2008-3655) Keita Yamaguchi discovered that WEBrick in Ruby did not properly validate paths ending with
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37068
    published: 2009-04-23
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/37068
    title: Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : ruby1.8 vulnerabilities (USN-651-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_BIND-5410.NASL
    description: The transaction id and the UDP source port used for DNS queries by the bind nameserver were predictable. Attackers could potentially exploit that weakness to manipulate the DNS cache (
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33501
    published: 2008-07-15
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33501
    title: openSUSE 10 Security Update : bind (bind-5410)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1605.NASL
    description: Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS spoofing and cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.
    last seen: 2017-10-29
    modified: 2012-12-28
    plugin id: 33452
    published: 2008-07-10
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=33452
    title: Debian DSA-1605-1 : glibc - DNS cache poisoning
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-627-1.NASL
    description: Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Dnsmasq. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33560
    published: 2008-07-23
    reporter: Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33560
    title: Ubuntu 8.04 LTS : dnsmasq vulnerability (USN-627-1)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_959D384D6B5911DD9D79001FC61C2A55.NASL
    description: The official ruby site reports : resolv.rb allows remote attackers to spoof DNS answers. This risk can be reduced by randomness of DNS transaction IDs and source ports.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33905
    published: 2008-08-17
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33905
    title: FreeBSD : ruby -- DNS spoofing vulnerability (959d384d-6b59-11dd-9d79-001fc61c2a55)
  • NASL family: DNS
    NASL id: MS_DNS_KB951746.NASL
    description: According to its self-reported version number, the Microsoft DNS Server running on the remote host contains issues in the DNS library that could allow an attacker to send malicious DNS responses to DNS requests made by the remote host, thereby spoofing or redirecting internet traffic from legitimate locations.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72834
    published: 2014-03-05
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/72834
    title: MS08-037: Vulnerabilities in DNS Could Allow Spoofing (951746) (uncredentialed check)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS8_109326.NASL
    description: SunOS 5.8: libresolv.so.2, in.named and BI. Date this patch was last updated by Sun : Mar/09/09
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13321
    published: 2004-07-12
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13321
    title: Solaris 8 (sparc) : 109326-24
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS9_112837.NASL
    description: SunOS 5.9: in.dhcpd libresolv and BIND9 pa. Date this patch was last updated by Sun : Jul/21/11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26165
    published: 2007-09-25
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26165
    title: Solaris 9 (sparc) : 112837-24
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1617.NASL
    description: In DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447 ). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipped with Debian Etch, which did not permit a process running in the named_t domain to bind sockets to UDP ports other than the standard
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33737
    published: 2008-07-28
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33737
    title: Debian DSA-1617-1 : refpolicy - incompatible policy
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2008-006.NASL
    description: The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-006 applied. This update contains security fixes for a number of programs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34210
    published: 2008-09-16
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34210
    title: Mac OS X Multiple Vulnerabilities (Security Update 2008-006)
  • NASL family: CISCO
    NASL id: CISCO-SA-20080924-IOSIPSHTTP.NASL
    description: The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition. Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability. Note: This vulnerability is not related in any way to CVE-2008-1447 - Cache poisoning attacks.
    last seen: 2019-10-28
    modified: 2010-09-01
    plugin id: 49019
    published: 2010-09-01
    reporter: This script is (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/49019
    title: Cisco IOS IPS Denial of Service Vulnerability - Cisco Systems
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1603.NASL
    description: Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33450
    published: 2008-07-10
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33450
    title: Debian DSA-1603-1 : bind9 - DNS cache poisoning
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_BIND-5409.NASL
    description: The transaction id and the UDP source port used for DNS queries by the bind nameserver were predictable. Attackers could potentially exploit that weakness to manipulate the DNS cache (
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33500
    published: 2008-07-15
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33500
    title: SuSE 10 Security Update : bind (ZYPP Patch Number 5409)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2020-0021.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0021 for details.
    last seen: 2020-06-10
    modified: 2020-06-05
    plugin id: 137170
    published: 2020-06-05
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/137170
    title: OracleVM 3.3 / 3.4 : bind (OVMSA-2020-0021)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201209-25.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201209-25 (VMware Player, Server, Workstation: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in VMware Player, Server, and Workstation. Please review the CVE identifiers referenced below for details. Impact : Local users may be able to gain escalated privileges, cause a Denial of Service, or gain sensitive information. A remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code, or a Denial of Service. Remote attackers also may be able to spoof DNS traffic, read arbitrary files, or inject arbitrary web script into the VMware Server Console. Furthermore, guest OS users may be able to execute arbitrary code on the host OS, gain escalated privileges on the guest OS, or cause a Denial of Service (crash the host OS). Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62383
    published: 2012-10-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62383
    title: GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHNE_37865.NASL
    description: s700_800 11.23 Bind 9.2.0 components : A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to cause DNS cache poisoning.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33864
    published: 2008-08-12
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33864
    title: HP-UX PHNE_37865 : HP-UX Running BIND, Remote DNS Cache Poisoning (HPSBUX02351 SSRT080058 rev.6)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2008-191-02.NASL
    description: New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to address a security problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54869
    published: 2011-05-28
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/54869
    title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2008-191-02)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-0533.NASL
    description: Updated bind packages that help mitigate DNS spoofing attacks are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 10th July 2008] We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports. ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. The DNS protocol protects against spoofing attacks by requiring an attacker to predict both the DNS transaction ID and UDP source port of a request. In recent years, a number of papers have found problems with DNS implementations which make it easier for an attacker to perform DNS cache-poisoning attacks. Previous versions of BIND did not use randomized UDP source ports. If an attacker was able to predict the random DNS transaction ID, this could make DNS cache-poisoning attacks easier. In order to provide more resilience, BIND has been updated to use a range of random UDP source ports. (CVE-2008-1447) Note: This erratum also updates SELinux policy on Red Hat Enterprise Linux 4 and 5 to allow BIND to use random UDP source ports. Users of BIND are advised to upgrade to these updated packages, which contain a backported patch to add this functionality. Red Hat would like to thank Dan Kaminsky for reporting this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33462
    published: 2008-07-10
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33462
    title: RHEL 2.1 / 3 / 4 / 5 : bind (RHSA-2008:0533)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20080711_BIND_ON_SL_3_0_X.NASL
    description: The DNS protocol protects against spoofing attacks by requiring an attacker to predict both the DNS transaction ID and UDP source port of a request. In recent years, a number of papers have found problems with DNS implementations which make it easier for an attacker to perform DNS cache-poisoning attacks. Previous versions of BIND did not use randomized UDP source ports. If an attacker was able to predict the random DNS transaction ID, this could make DNS cache-poisoning attacks easier. In order to provide more resilience, BIND has been updated to use a range of random UDP source ports. (CVE-2008-1447) Note: This erratum also updates SELinux policy to allow BIND to use random UDP source ports.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60437
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60437
    title: Scientific Linux Security Update : bind on SL 3.0.x , SL 4.x, SL 5.x
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_DNSMASQ-080813.NASL
    description: This update of dnsmasq uses random UDP source ports and a random TRXID now. (CVE-2008-1447)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39951
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39951
    title: openSUSE Security Update : dnsmasq (dnsmasq-147)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200809-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200809-02 (dnsmasq: Denial of Service and DNS spoofing) Dan Kaminsky of IOActive reported that dnsmasq does not randomize UDP source ports when forwarding DNS queries to a recursing DNS server (CVE-2008-1447). Carlos Carvalho reported that dnsmasq in the 2.43 version does not properly handle clients sending inform or renewal queries for unknown DHCP leases, leading to a crash (CVE-2008-3350). Impact : A remote attacker could send spoofed DNS response traffic to dnsmasq, possibly involving generating queries via multiple vectors, and spoof DNS replies, which could e.g. lead to the redirection of web or mail traffic to malicious sites. Furthermore, an attacker could generate invalid DHCP traffic and cause a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id34091
    published2008-09-05
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34091
    titleGLSA-200809-02 : dnsmasq: Denial of Service and DNS spoofing
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS08-037.NASL
    descriptionFlaws in the remote DNS library may let an attacker send malicious DNS responses to DNS requests made by the remote host, thereby spoofing or redirecting internet traffic from legitimate locations.
    last seen2020-06-01
    modified2020-06-02
    plugin id33441
    published2008-07-08
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33441
    titleMS08-037: Vulnerabilities in DNS Could Allow Spoofing (953230)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2008-0014.NASL
    descriptionI Security Issues a. Setting ActiveX kill bit Starting from this release, VMware has set the kill bit on its ActiveX controls. Setting the kill bit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the Microsoft KB article 240797 and the related references on this topic. Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user. Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested. Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions. VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls. b. VMware ISAPI Extension Denial of Service The Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product. One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual. VMware would like to thank the Juniper Networks J-Security Security Research Team for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3697 to this issue. c. OpenProcess Local Privilege Escalation on Host System This release fixes a privilege escalation vulnerability in host systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges. VMware would like to thank Sun Bing from McAfee, Inc. for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3698 to this issue. d. Update to Freetype FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to 2.3.7. The Common Vulnerabilities and Exposures Project (cve.mitre.com) has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6. e. Update to Cairo Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to 1.4.14. The Common Vulnerabilities and Exposures (cve.mitre.com) has assigned the name CVE-2007-5503 to this issue. f. VMware Consolidated Backup (VCB) command-line utilities may expose sensitive information VMware Consolidated Backup command-line utilities accept the user password through the -p command-line option. Users logged into the ESX service console or into the system that runs VCB could gain access to the username and password used by VCB command-line utilities when such commands are running. The ESX patch and the new version of VCB resolve this issue by providing an alternative way of passing the password used by VCB command-line utilities. VCB in ESX ---------- The following options are recommended for passing the password : 1. The password is specified in /etc/backuptools.conf (PASSWORD=xxxxx), and -p is not used in the command line. /etc/backuptools.conf file permissions are read/write only for root. 2. No password is specified in /etc/backuptools.conf and the -p option is not used in the command line. The user will be prompted to enter a password. ESX is not affected unless you use VCB. Stand-alone VCB --------------- The following options are recommended for passing the password : 1. The password is specified in config.js (PASSWORD=xxxxx), and -p is not used in the command line. The file permissions on config.js are read/write only for the administrator. The config.js file is located in folder
    last seen2020-06-01
    modified2020-06-02
    plugin id40382
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/40382
    titleVMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0789.NASL
    descriptionFrom Red Hat Security Advisory 2008:0789 : An updated dnsmasq package that implements UDP source-port randomization is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Dnsmasq is lightweight DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. The dnsmasq DNS resolver used a fixed source UDP port. This could have made DNS spoofing attacks easier. dnsmasq has been updated to use random UDP source ports, helping to make DNS spoofing attacks harder. (CVE-2008-1447) All dnsmasq users are advised to upgrade to this updated package, that upgrades dnsmasq to version 2.45, which resolves this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id67735
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67735
    titleOracle Linux 5 : dnsmasq (ELSA-2008-0789)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0533.NASL
    descriptionUpdated bind packages that help mitigate DNS spoofing attacks are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 10th July 2008] We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports. ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. The DNS protocol protects against spoofing attacks by requiring an attacker to predict both the DNS transaction ID and UDP source port of a request. In recent years, a number of papers have found problems with DNS implementations which make it easier for an attacker to perform DNS cache-poisoning attacks. Previous versions of BIND did not use randomized UDP source ports. If an attacker was able to predict the random DNS transaction ID, this could make DNS cache-poisoning attacks easier. In order to provide more resilience, BIND has been updated to use a range of random UDP source ports. (CVE-2008-1447) Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4 and 5 to allow BIND to use random UDP source ports. Users of BIND are advised to upgrade to these updated packages, which contain a backported patch to add this functionality. Red Hat would like to thank Dan Kaminsky for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id33448
    published2008-07-10
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33448
    titleCentOS 3 / 4 / 5 : bind / selinux-policy (CESA-2008:0533)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200901-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200901-03 (pdnsd: Denial of Service and cache poisoning) Two issues have been reported in pdnsd: The p_exec_query() function in src/dns_query.c does not properly handle many entries in the answer section of a DNS reply, related to a
    last seen2020-06-01
    modified2020-06-02
    plugin id35347
    published2009-01-12
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35347
    titleGLSA-200901-03 : pdnsd: Denial of Service and cache poisoning
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0066.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix CVE-2017-3136 (ISC change 4575) - Fix CVE-2017-3137 (ISC change 4578) - Fix and test caching CNAME before DNAME (ISC change 4558) - Fix CVE-2016-9147 (ISC change 4510) - Fix regression introduced by CVE-2016-8864 (ISC change 4530) - Restore SELinux contexts before named restart - Use /lib or /lib64 only if directory in chroot already exists - Tighten NSS library pattern, escape chroot mount path - Fix (CVE-2016-8864) - Do not change lib permissions in chroot (#1321239) - Support WKS records in chroot (#1297562) - Do not include patch backup in docs (fixes #1325081 patch) - Backported relevant parts of [RT #39567] (#1259923) - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1326283) - Fix multiple realms in nsupdate script like upstream (#1313286) - Fix multiple realm in nsupdate script (#1313286) - Use resolver-query-timeout high enough to recover all forwarders (#1325081) - Fix (CVE-2016-2848) - Fix infinite loop in start_lookup (#1306504) - Fix (CVE-2016-2776)
    last seen2020-06-01
    modified2020-06-02
    plugin id99569
    published2017-04-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99569
    titleOracleVM 3.3 / 3.4 : bind (OVMSA-2017-0066)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL8938.NASL
    descriptionThe remote BIG-IP device is missing a patch required by a security advisory.
    last seen2020-06-01
    modified2020-06-02
    plugin id78224
    published2014-10-10
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78224
    titleF5 Networks BIG-IP : BIND DNS cache poisoning vulnerability (SOL8938)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080811_DNSMASQ_ON_SL5_X.NASL
    descriptionThe dnsmasq DNS resolver used a fixed source UDP port. This could have made DNS spoofing attacks easier. dnsmasq has been updated to use random UDP source ports, helping to make DNS spoofing attacks harder. (CVE-2008-1447)
    last seen2020-06-01
    modified2020-06-02
    plugin id60462
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60462
    titleScientific Linux Security Update : dnsmasq on SL5.x i386/x86_64
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_5_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.5. Mac OS X 10.5.5 contains security fixes for a number of programs.
    last seen2020-06-01
    modified2020-06-02
    plugin id34211
    published2008-09-16
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34211
    titleMac OS X 10.5.x < 10.5.5 Multiple Vulnerabilities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0533.NASL
    descriptionFrom Red Hat Security Advisory 2008:0533 : Updated bind packages that help mitigate DNS spoofing attacks are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 10th July 2008] We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports. ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. The DNS protocol protects against spoofing attacks by requiring an attacker to predict both the DNS transaction ID and UDP source port of a request. In recent years, a number of papers have found problems with DNS implementations which make it easier for an attacker to perform DNS cache-poisoning attacks. Previous versions of BIND did not use randomized UDP source ports. If an attacker was able to predict the random DNS transaction ID, this could make DNS cache-poisoning attacks easier. In order to provide more resilience, BIND has been updated to use a range of random UDP source ports. (CVE-2008-1447) Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4 and 5 to allow BIND to use random UDP source ports. Users of BIND are advised to upgrade to these updated packages, which contain a backported patch to add this functionality. Red Hat would like to thank Dan Kaminsky for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id67709
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67709
    titleOracle Linux 3 / 4 / 5 : bind (ELSA-2008-0533)
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12197.NASL
    descriptionThe transaction id and the udp source port used for DNS queries by the bind nameserver were predictable. Attackers could potentially exploit that weakness to manipulate the DNS cache (
    last seen2020-06-01
    modified2020-06-02
    plugin id41221
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41221
    titleSuSE9 Security Update : bind (YOU Patch Number 12197)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1604.NASL
    descriptionDan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.
    last seen2017-10-29
    modified2013-06-03
    plugin id33451
    published2008-07-10
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=33451
    titleDebian DSA-1604-1 : bind - DNS cache poisoning
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2008-205-01.NASL
    descriptionNew dnsmasq packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to address possible DNS cache poisoning issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33565
    published2008-07-24
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33565
    titleSlackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / current : dnsmasq (SSA:2008-205-01)

Oval

  • accepted2015-04-20T04:00:16.171-04:00
    classvulnerability
    contributors
    • nameK, Balamurugan
      organizationHewlett-Packard
    • nameSushant Kumar Singh
      organizationHewlett-Packard
    • nameSushant Kumar Singh
      organizationHewlett-Packard
    • namePrashant Kumar
      organizationHewlett-Packard
    • nameMike Cokus
      organizationThe MITRE Corporation
    descriptionThe DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."
    familyunix
    idoval:org.mitre.oval:def:12117
    statusaccepted
    submitted2011-02-01T11:17:11.000-05:00
    titleHP-UX Running BIND, Remote DNS Cache Poisoning
    version50
  • accepted2011-11-14T04:00:45.190-05:00
    classvulnerability
    contributors
    • nameJeff Ito
      organizationSecure Elements, Inc.
    • nameChandan S
      organizationSecPod Technologies
    definition_extensions
    • commentMicrosoft Windows 2000 SP4 or later is installed
      ovaloval:org.mitre.oval:def:229
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentMicrosoft Windows XP Professional x64 Edition SP1 is installed
      ovaloval:org.mitre.oval:def:720
    • commentMicrosoft Windows XP x64 Edition SP2 is installed
      ovaloval:org.mitre.oval:def:4193
    • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
      ovaloval:org.mitre.oval:def:565
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentMicrosoft Windows Server 2003 SP1 for Itanium is installed
      ovaloval:org.mitre.oval:def:1205
    • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
      ovaloval:org.mitre.oval:def:1935
    • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
      ovaloval:org.mitre.oval:def:2161
    • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
      ovaloval:org.mitre.oval:def:1442
    descriptionThe DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."
    familywindows
    idoval:org.mitre.oval:def:5725
    statusaccepted
    submitted2008-07-08T14:18:00
    titleDNS Insufficient Socket Entropy Vulnerability
    version71
  • accepted2015-04-20T04:02:27.378-04:00
    classvulnerability
    contributors
    • nameMichael Wood
      organizationHewlett-Packard
    • nameSushant Kumar Singh
      organizationHewlett-Packard
    • nameSushant Kumar Singh
      organizationHewlett-Packard
    • namePrashant Kumar
      organizationHewlett-Packard
    • nameMike Cokus
      organizationThe MITRE Corporation
    descriptionThe DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."
    familyunix
    idoval:org.mitre.oval:def:5761
    statusaccepted
    submitted2008-08-06T17:38:46.000-04:00
    titleHP-UX Running BIND, Remote DNS Cache Poisoning
    version47
  • accepted2009-10-05T04:00:05.186-04:00
    classvulnerability
    contributors
    • namePai Peng
      organizationHewlett-Packard
    definition_extensions
    • commentSolaris 8 (SPARC) is installed
      ovaloval:org.mitre.oval:def:1539
    • commentSolaris 9 (SPARC) is installed
      ovaloval:org.mitre.oval:def:1457
    • commentSolaris 10 (SPARC) is installed
      ovaloval:org.mitre.oval:def:1440
    • commentSolaris 8 (x86) is installed
      ovaloval:org.mitre.oval:def:2059
    • commentSolaris 9 (x86) is installed
      ovaloval:org.mitre.oval:def:1683
    • commentSolaris 10 (x86) is installed
      ovaloval:org.mitre.oval:def:1926
    descriptionThe DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."
    familyunix
    idoval:org.mitre.oval:def:5917
    statusaccepted
    submitted2009-08-25T16:38:09.000-04:00
    titleSecurity Vulnerability in the DNS Protocol May Lead to DNS Cache Poisoning
    version34
  • accepted2013-04-29T04:20:49.236-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    descriptionThe DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."
    familyunix
    idoval:org.mitre.oval:def:9627
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleThe DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."
    version28

Packetstorm

Redhat

advisories
  • bugzilla
    id454852
    titleDefault caching-nameserver configuration blocks fixes for CVE-2008-1447 (rhel-5)
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentbind is earlier than 20:9.2.4-28.0.1.el4
            ovaloval:com.redhat.rhsa:tst:20080533001
          • commentbind is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20070044002
        • AND
          • commentbind-libs is earlier than 20:9.2.4-28.0.1.el4
            ovaloval:com.redhat.rhsa:tst:20080533003
          • commentbind-libs is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20070044006
        • AND
          • commentbind-devel is earlier than 20:9.2.4-28.0.1.el4
            ovaloval:com.redhat.rhsa:tst:20080533005
          • commentbind-devel is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20070044004
        • AND
          • commentbind-chroot is earlier than 20:9.2.4-28.0.1.el4
            ovaloval:com.redhat.rhsa:tst:20080533007
          • commentbind-chroot is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20070044008
        • AND
          • commentbind-utils is earlier than 20:9.2.4-28.0.1.el4
            ovaloval:com.redhat.rhsa:tst:20080533009
          • commentbind-utils is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20070044010
        • AND
          • commentselinux-policy-targeted is earlier than 0:1.17.30-2.150.el4
            ovaloval:com.redhat.rhsa:tst:20080533011
          • commentselinux-policy-targeted is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20080533012
        • AND
          • commentselinux-policy-targeted-sources is earlier than 0:1.17.30-2.150.el4
            ovaloval:com.redhat.rhsa:tst:20080533013
          • commentselinux-policy-targeted-sources is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20080533014
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentselinux-policy-mls is earlier than 0:2.4.6-137.1.el5_2
            ovaloval:com.redhat.rhsa:tst:20080533016
          • commentselinux-policy-mls is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20080533017
        • AND
          • commentselinux-policy-targeted is earlier than 0:2.4.6-137.1.el5_2
            ovaloval:com.redhat.rhsa:tst:20080533018
          • commentselinux-policy-targeted is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20080533019
        • AND
          • commentselinux-policy is earlier than 0:2.4.6-137.1.el5_2
            ovaloval:com.redhat.rhsa:tst:20080533020
          • commentselinux-policy is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20080533021
        • AND
          • commentselinux-policy-strict is earlier than 0:2.4.6-137.1.el5_2
            ovaloval:com.redhat.rhsa:tst:20080533022
          • commentselinux-policy-strict is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20080533023
        • AND
          • commentselinux-policy-devel is earlier than 0:2.4.6-137.1.el5_2
            ovaloval:com.redhat.rhsa:tst:20080533024
          • commentselinux-policy-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20080533025
        • AND
          • comment: bind-devel is earlier than 30:9.3.4-6.0.2.P1.el5_2
            oval: oval:com.redhat.rhsa:tst:20080533026
          • comment: bind-devel is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070057012
        • AND
          • comment: bind-sdb is earlier than 30:9.3.4-6.0.2.P1.el5_2
            oval: oval:com.redhat.rhsa:tst:20080533028
          • comment: bind-sdb is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070057010
        • AND
          • comment: bind-utils is earlier than 30:9.3.4-6.0.2.P1.el5_2
            oval: oval:com.redhat.rhsa:tst:20080533030
          • comment: bind-utils is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070057014
        • AND
          • comment: bind-libs is earlier than 30:9.3.4-6.0.2.P1.el5_2
            oval: oval:com.redhat.rhsa:tst:20080533032
          • comment: bind-libs is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070057002
        • AND
          • comment: bind-chroot is earlier than 30:9.3.4-6.0.2.P1.el5_2
            oval: oval:com.redhat.rhsa:tst:20080533034
          • comment: bind-chroot is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070057008
        • AND
          • comment: bind-libbind-devel is earlier than 30:9.3.4-6.0.2.P1.el5_2
            oval: oval:com.redhat.rhsa:tst:20080533036
          • comment: bind-libbind-devel is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070057006
        • AND
          • comment: bind is earlier than 30:9.3.4-6.0.2.P1.el5_2
            oval: oval:com.redhat.rhsa:tst:20080533038
          • comment: bind is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070057016
        • AND
          • comment: caching-nameserver is earlier than 30:9.3.4-6.0.2.P1.el5_2
            oval: oval:com.redhat.rhsa:tst:20080533040
          • comment: caching-nameserver is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070057004
    rhsa
    id: RHSA-2008:0533
    released: 2008-07-10
    severity: Important
    title: RHSA-2008:0533: bind security update (Important)
  • bugzilla
    id: 449345
    title: CVE-2008-1447 bind: implement source UDP port randomization (CERT VU#800113)
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 5 is installed
        oval: oval:com.redhat.rhba:tst:20070331005
      • comment: dnsmasq is earlier than 0:2.45-1.el5_2.1
        oval: oval:com.redhat.rhsa:tst:20080789001
      • comment: dnsmasq is signed with Red Hat redhatrelease key
        oval: oval:com.redhat.rhsa:tst:20080789002
    rhsa
    id: RHSA-2008:0789
    released: 2008-08-11
    severity: Moderate
    title: RHSA-2008:0789: dnsmasq security update (Moderate)
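The Bugzilla entry above (449345, "implement source UDP port randomization") names the property the update restores: each outgoing query should leave from an unpredictable source port and carry an unpredictable transaction ID, so that a spoofer has to guess both. The following is an added example, not Red Hat's or this page's code, that scores a sample of (source port, transaction ID) pairs read off a resolver's outgoing queries for exactly those two properties. Both samples are constructed inline: one imitates a resolver with a single fixed source port (as BIND used before this update) and, to exercise the second check, a transaction ID that counts up; the other is a seeded random sample standing in for a patched resolver. The thresholds and the "vulnerable"/"ok" verdict are this example's own assumptions.

```python
import math
import random
from collections import Counter

# Added example (not Red Hat's or this page's code). Scores a sample of
# (UDP source port, DNS transaction ID) pairs taken from a resolver's outgoing
# queries for the two properties the fix for this CVE targets: random source
# ports and unpredictable transaction IDs. Thresholds are this example's own.

# Constructed samples, not real captures. An unpatched resolver: one fixed
# source port (as BIND used before the update) and, to exercise the other
# check, a transaction ID that counts up by one per query.
UNPATCHED = [(32768, 0x1A2B + k) for k in range(64)]

# A patched resolver: source port drawn from the ephemeral range and a random
# transaction ID for every query (seeded so the sample is reproducible).
_rng = random.Random(20080708)
PATCHED = [(_rng.randrange(1024, 65536), _rng.randrange(0, 65536)) for _ in range(64)]


def entropy_bits(values):
    """Shannon entropy of the observed distribution, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values, modulus=65536):
    """Share of consecutive samples that differ by exactly +1 (mod modulus)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for x, y in zip(values, values[1:]) if (y - x) % modulus == 1)
    return steps / (len(values) - 1)


def assess(samples):
    """Return the metrics and a verdict for a list of (port, txid) pairs.

    With n samples at most log2(n) bits can be observed, so this detects a
    fixed or tiny port pool and counting IDs; it is not a full entropy
    measurement of the resolver's generator.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    max_bits = math.log2(len(samples))
    report = {
        "max_observable_bits": max_bits,
        "port_bits": entropy_bits(ports),
        "txid_bits": entropy_bits(txids),
        "port_sequential": sequential_fraction(ports),
        "txid_sequential": sequential_fraction(txids),
        "distinct_ports": len(set(ports)),
    }
    findings = []
    # Assumption: under half the observable entropy means a fixed port or a
    # pool so small that the attacker only has to beat the 16-bit transaction ID.
    if report["port_bits"] < 0.5 * max_bits:
        findings.append("source port is fixed or drawn from a tiny pool")
    if report["txid_sequential"] > 0.5 or report["txid_bits"] < 0.5 * max_bits:
        findings.append("transaction IDs are sequential or repeat")
    if report["port_sequential"] > 0.5:
        findings.append("source ports are sequential")
    report["findings"] = findings
    report["verdict"] = "vulnerable" if findings else "ok"
    return report


if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        r = assess(sample)
        print(f"{label}: {r['verdict']} "
              f"(port bits {r['port_bits']:.2f}/{r['max_observable_bits']:.2f}, "
              f"txid sequential {r['txid_sequential']:.2f}) {r['findings']}")
```

Take the sample where the queries leave the network, not only on the resolver host: a NAT device that rewrites source ports in sequence undoes the randomization the update adds, and the resolver will look patched while the traffic on the outside is not.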
rpms
  • bind-0:9.2.1-10.el2
  • bind-20:9.2.4-22.el3
  • bind-20:9.2.4-28.0.1.el4
  • bind-30:9.3.4-6.0.2.P1.el5_2
  • bind-chroot-20:9.2.4-22.el3
  • bind-chroot-20:9.2.4-28.0.1.el4
  • bind-chroot-30:9.3.4-6.0.2.P1.el5_2
  • bind-debuginfo-20:9.2.4-22.el3
  • bind-debuginfo-20:9.2.4-28.0.1.el4
  • bind-debuginfo-30:9.3.4-6.0.2.P1.el5_2
  • bind-devel-0:9.2.1-10.el2
  • bind-devel-20:9.2.4-22.el3
  • bind-devel-20:9.2.4-28.0.1.el4
  • bind-devel-30:9.3.4-6.0.2.P1.el5_2
  • bind-libbind-devel-30:9.3.4-6.0.2.P1.el5_2
  • bind-libs-20:9.2.4-22.el3
  • bind-libs-20:9.2.4-28.0.1.el4
  • bind-libs-30:9.3.4-6.0.2.P1.el5_2
  • bind-sdb-30:9.3.4-6.0.2.P1.el5_2
  • bind-utils-0:9.2.1-10.el2
  • bind-utils-20:9.2.4-22.el3
  • bind-utils-20:9.2.4-28.0.1.el4
  • bind-utils-30:9.3.4-6.0.2.P1.el5_2
  • caching-nameserver-30:9.3.4-6.0.2.P1.el5_2
  • selinux-policy-0:2.4.6-137.1.el5_2
  • selinux-policy-devel-0:2.4.6-137.1.el5_2
  • selinux-policy-mls-0:2.4.6-137.1.el5_2
  • selinux-policy-strict-0:2.4.6-137.1.el5_2
  • selinux-policy-targeted-0:1.17.30-2.150.el4
  • selinux-policy-targeted-0:2.4.6-137.1.el5_2
  • selinux-policy-targeted-sources-0:1.17.30-2.150.el4
  • dnsmasq-0:2.45-1.el5_2.1
  • dnsmasq-debuginfo-0:2.45-1.el5_2.1
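The OVAL criteria above ("bind is earlier than 30:9.3.4-6.0.2.P1.el5_2") and this rpms list only give the right answer if "earlier than" is decided the way RPM itself orders epoch:version-release strings: the epoch wins outright, segments are compared numerically or alphabetically depending on their kind, and 9.3.4-6.el5 sorts below 9.3.4-6.0.2.P1.el5_2. The following is an added example, not Red Hat's or this page's code: a Python reimplementation of that ordering (following the segment rules of rpmvercmp; the '^' operator of newer RPM is not handled) applied to the fixed builds copied from the list above. The installed-package lines are constructed, in the format `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` prints; grouping the fixed builds by their .elN tag is this example's own assumption.

```python
import re

# Added example (not Red Hat's or this page's code): an RPM EVR comparator
# used to decide whether an installed package is "earlier than" the fixed
# build named in the advisory, following the segment rules of rpmvercmp().


def rpmvercmp(a: str, b: str) -> int:
    """Compare two ASCII version or release strings the way rpmvercmp() does.
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # separators (anything not alphanumeric and not '~') are skipped
        while i < la and not (a[i].isalnum() or a[i] == '~'):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] == '~'):
            j += 1
        # '~' sorts before anything, including end of string: 1.0~rc1 < 1.0
        ta = i < la and a[i] == '~'
        tb = j < lb and b[j] == '~'
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        # next segment: a run of digits or a run of letters, the kind chosen by a
        isnum = '0' <= a[i] <= '9'
        pattern = r'[0-9]+' if isnum else r'[A-Za-z]+'
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        sb = mb.group(0) if mb else ''
        i, j = i + len(sa), j + len(sb)
        if not sb:
            # mixed kinds: a numeric segment is newer than an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip('0'), sb.lstrip('0')
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_evr(evr: str):
    """'30:9.3.4-6.0.2.P1.el5_2' -> (30, '9.3.4', '6.0.2.P1.el5_2').
    A missing epoch, or the '(none)' rpm prints for one, counts as 0."""
    epoch, sep, rest = evr.partition(':')
    if not sep:
        epoch, rest = '0', evr
    if epoch == '(none)':
        epoch = '0'
    version, _, release = rest.partition('-')
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Epoch decides first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Fixed builds, copied from the rpms list of RHSA-2008:0533 / RHSA-2008:0789 above.
FIXED_RPMS = """
bind-0:9.2.1-10.el2
bind-20:9.2.4-22.el3
bind-20:9.2.4-28.0.1.el4
bind-30:9.3.4-6.0.2.P1.el5_2
bind-chroot-30:9.3.4-6.0.2.P1.el5_2
bind-devel-30:9.3.4-6.0.2.P1.el5_2
bind-libs-30:9.3.4-6.0.2.P1.el5_2
bind-utils-30:9.3.4-6.0.2.P1.el5_2
caching-nameserver-30:9.3.4-6.0.2.P1.el5_2
dnsmasq-0:2.45-1.el5_2.1
""".split()

# Constructed sample of what
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# prints on a RHEL 5 host; not a real inventory.
SAMPLE_RPM_QA = """
bind 30:9.3.4-6.0.1.el5_2
bind-chroot 30:9.3.6-4.P1.el5
bind-devel 30:9.3.4-6.el5
bind-utils 30:9.3.4-6.0.2.P1.el5_2
dnsmasq 0:2.45-1.el5
openssh-server (none):4.3p2-26.el5
"""


def split_nevr(nevr: str):
    """'bind-chroot-30:9.3.4-6.0.2.P1.el5_2' -> ('bind-chroot', '30:9.3.4-6.0.2.P1.el5_2')"""
    name, ev, r = nevr.rsplit('-', 2)
    return name, f"{ev}-{r}"


def dist_tag(release: str):
    """'6.0.2.P1.el5_2' -> 'el5' (assumption: the .elN tag names the RHEL release)."""
    m = re.search(r'\.el(\d+)', release)
    return f"el{m.group(1)}" if m else None


def fixed_versions(fixed_rpms, dist):
    """Map package name -> fixed EVR for one RHEL release."""
    out = {}
    for nevr in fixed_rpms:
        name, evr = split_nevr(nevr)
        if dist_tag(parse_evr(evr)[2]) == dist:
            out[name] = evr
    return out


def parse_rpm_qa(text):
    return dict(line.split() for line in text.strip().splitlines())


def vulnerable_packages(installed, fixed):
    """Installed packages the advisory covers that sort below the fixed build."""
    return {n: (evr, fixed[n]) for n, evr in installed.items()
            if n in fixed and compare_evr(evr, fixed[n]) < 0}


if __name__ == "__main__":
    fixed = fixed_versions(FIXED_RPMS, "el5")
    found = vulnerable_packages(parse_rpm_qa(SAMPLE_RPM_QA), fixed)
    for name, (have, want) in sorted(found.items()):
        print(f"{name}: installed {have} is earlier than fixed {want}")
```

On the constructed inventory the check flags bind (release 6.0.1 sorts below 6.0.2.P1), bind-devel (6.el5 sorts below 6.0.2.P1.el5_2 because a numeric segment outranks an alphabetic one) and dnsmasq (1.el5 is a prefix of 1.el5_2.1), and leaves bind-chroot alone because its version 9.3.6 is newer than 9.3.4 regardless of release. Note that the epoch is part of the comparison: a string comparison that drops it, or treats "(none)" as anything but 0, will misclassify packages.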

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:9168
    last seen: 2017-11-19
    modified: 2008-07-24
    published: 2008-07-24
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-9168
    title: BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (py)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:17308
    last seen: 2017-11-19
    modified: 2008-07-24
    published: 2008-07-24
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-17308
    title: BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:9165
    last seen: 2017-11-19
    modified: 2008-07-24
    published: 2008-07-24
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-9165
    title: BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (meta)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:9178
    last seen: 2017-11-19
    modified: 2008-07-26
    published: 2008-07-26
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-9178
    title: BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (c)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:65607
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-65607
    title: BIND 9.4.1-9.4.2 - Remote DNS Cache Poisoning Flaw Exploit (meta)

Statements

contributor: Mark J Cox
lastmodified: 2008-07-09
organization: Red Hat
statement: http://rhn.redhat.com/errata/RHSA-2008-0533.html

References