Vulnerabilities > CVE-2009-4022 - Remote Cache Poisoning vulnerability in ISC BIND 9 DNSSEC Query Response Additional Section
Summary
Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled, allows remote attackers to conduct DNS cache poisoning attacks: when the resolver handles a recursive client query that sets the Checking Disabled (CD) bit while also requesting DNSSEC records (DO), an attacker who can answer the resulting upstream query can return a response whose Additional section contains crafted records, and that data is cached without proper DNSSEC validation, aka Bug 20438. Remediation note: the releases named above contain only the first fix, which was incomplete (CVE-2010-0290, CNAME/DNAME caching) and introduced a regression (CVE-2010-0382, out-of-bailiwick data); the checks listed below therefore target 9.4.3-P5, 9.5.2-P2 and 9.6.1-P3 (or the equivalent vendor backports), and those are the versions to upgrade to.
Vulnerable Configurations
Nessus
NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL15787.NASL description ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022. last seen 2020-06-01 modified 2020-06-02 plugin id 78835 published 2014-11-04 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78835 title F5 Networks BIG-IP : BIND vulnerability (SOL15787) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution SOL15787.
#
# The text description of this plugin is (C) F5 Networks.
#
# Local (credentialed) check for F5 SOL15787: the BIND bundled with BIG-IP
# 10.0.0-10.1.0 carries CVE-2010-0382, the regression introduced by the
# CVE-2009-4022 fix. The verdict is derived purely from the BIG-IP
# version / hotfix / module KB entries; the named binary itself is never
# inspected, so this is a version inference, not a configuration test.
include("compat.inc");

if (description)
{
  script_id(78835);
  script_version("1.6");
  script_cvs_date("Date: 2019/01/04 10:03:40");

  # Both CVEs are reported together: F5 ships a single fix (SOL15787) for
  # the original issue and its regression.
  script_cve_id("CVE-2009-4022", "CVE-2010-0382");
  script_bugtraq_id(37118);

  script_name(english:"F5 Networks BIG-IP : BIND vulnerability (SOL15787)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute( attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch." );
  script_set_attribute( attribute:"description", value: "ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022." );
  script_set_attribute( attribute:"see_also", value:"https://support.f5.com/csp/article/K15787" );
  script_set_attribute( attribute:"solution", value: "Upgrade to one of the non-vulnerable versions listed in the F5 Solution SOL15787." );

  # NOTE(review): this rates the issue as full C/I/A compromise, whereas
  # the remote BIND banner check for the same CVE pair (plugin 42983) rates
  # it C:N/I:P/A:N. The higher vector is presumably carried over from the
  # F5 advisory; confirm before using it for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_wan_optimization_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/11/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  # The Host/BIG-IP/* keys are presumably populated by f5_bigip_detect.nbin,
  # hence the dependency; all four keys are re-checked below before use.
  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  exit(0);
}

include("f5_func.inc");

# Audit (no finding) rather than guess when any required KB entry is absent.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
# The hotfix key is tested with isnull() rather than !, so an empty value
# (no hotfix installed) is still accepted as present.
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "SOL15787";

# Per-module affected / unaffected version ranges transcribed from SOL15787.
# The "A-B" strings are presumably inclusive ranges; how they are matched
# against the host version and hotfix is implemented by bigip_is_affected()
# in f5_func.inc (not visible here).
vmatrix = make_array();

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected" ] = make_list("10.1.0");
vmatrix["APM"]["unaffected"] = make_list("11.0.0-11.6.0","10.2.0-10.2.4");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected" ] = make_list("10.0.0-10.1.0");
vmatrix["ASM"]["unaffected"] = make_list("11.0.0-11.6.0","10.2.0-10.2.4");

# GTM
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected" ] = make_list("10.0.0-10.1.0");
vmatrix["GTM"]["unaffected"] = make_list("11.0.0-11.6.0","10.2.0-10.2.4");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected" ] = make_list("10.0.0-10.1.0");
vmatrix["LC"]["unaffected"] = make_list("11.0.0-11.6.0","10.2.0-10.2.4");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected" ] = make_list("10.0.0-10.1.0");
vmatrix["LTM"]["unaffected"] = make_list("11.0.0-11.6.0","10.2.0-10.2.4");

# PSM, WAM and WOM list shorter unaffected ranges (11.4.1 / 11.3.0) --
# presumably the last releases that shipped those modules; confirm against
# SOL15787 before treating a newer build of them as out of scope.
# PSM
vmatrix["PSM"] = make_array();
vmatrix["PSM"]["affected" ] = make_list("10.0.0-10.1.0");
vmatrix["PSM"]["unaffected"] = make_list("11.0.0-11.4.1","10.2.0-10.2.4");

# WAM
vmatrix["WAM"] = make_array();
vmatrix["WAM"]["affected" ] = make_list("10.0.0-10.1.0");
vmatrix["WAM"]["unaffected"] = make_list("11.0.0-11.3.0","10.2.0-10.2.4");

# WOM
vmatrix["WOM"] = make_array();
vmatrix["WOM"]["affected" ] = make_list("10.0.0-10.1.0");
vmatrix["WOM"]["unaffected"] = make_list("11.0.0-11.3.0","10.2.0-10.2.4");

if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  # security_hole() is consistent with the C:C/I:C/A:C vector declared above.
  if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  # Distinguish "an affected module is present but patched" from "no
  # affected module is licensed on this device at all".
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}
NASL family DNS NASL id BIND9_DNSSEC_CACHE_POISONING.NASL description According to its version number, the remote installation of BIND suffers from a cache poisoning vulnerability. This issue affects all versions prior to 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3. Note that only nameservers that allow recursive queries and validate DNSSEC records are affected. Nessus has not attempted to verify if this configuration applies to the remote service, though, so this could be a false positive. last seen 2020-06-01 modified 2020-06-02 plugin id 42983 published 2009-12-02 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42983 title ISC BIND 9 DNSSEC Cache Poisoning code
#
# (C) Tenable Network Security, Inc.
#
# Remote, unauthenticated banner check: decides CVE-2009-4022 /
# CVE-2010-0382 exposure from the version string stored under
# "bind/version" (collected by bind_version.nasl) and nothing else. It
# therefore cannot tell whether the server recurses, validates DNSSEC, or
# runs a vendor build that backports the fix under an older version
# number -- which is why it only runs in paranoid mode and reports with
# security_note().
include("compat.inc");

if (description)
{
  script_id(42983);
  script_version("1.19");
  script_cvs_date("Date: 2018/06/27 18:42:25");

  # CVE-2010-0382 is the regression introduced by the first CVE-2009-4022
  # fix; the version boundaries used below (P5 / P2 / P3) are the releases
  # that close both, not the original P4 / P1 / P2 advisory boundaries.
  script_cve_id("CVE-2009-4022", "CVE-2010-0382");
  script_bugtraq_id(37118);
  script_xref(name:"CERT", value:"418861");

  script_name(english:"ISC BIND 9 DNSSEC Cache Poisoning");
  script_summary(english:"Checks version of BIND");

  script_set_attribute(attribute:"synopsis", value:"The remote name server is affected by a cache poisoning vulnerability.");
  script_set_attribute(attribute:"description", value: "According to its version number, the remote installation of BIND suffers from a cache poisoning vulnerability. This issue affects all versions prior to 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3. Note that only nameservers that allow recursive queries and validate DNSSEC records are affected. Nessus has not attempted to verify if this configuration applies to the remote service, though, so this could be a false positive.");
  script_set_attribute(attribute:"see_also", value:"https://www.isc.org/advisories/CVE2009-4022");
  script_set_attribute(attribute:"see_also", value:"http://www.vupen.com/english/advisories/2010/1352");
  script_set_attribute(attribute:"see_also", value:"http://www.vupen.com/english/advisories/2010/0622");
  script_set_attribute(attribute:"see_also", value:"http://www.vupen.com/english/advisories/2009/3335");
  script_set_attribute(attribute:"solution", value:"Upgrade to BIND 9.4.3-P5 / 9.5.2-P2 / 9.6.1-P3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/02");

  # Flagged as potential because the vulnerable configuration (recursion
  # plus DNSSEC validation) is never verified, see the description text.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  # NOTE(review): dnssec_resolver.nasl is declared as a dependency, but no
  # KB key it produces is required or read below, so its result does not
  # gate the finding. Consuming it would remove the main false-positive
  # source named in the description; the key it sets is not visible here.
  script_dependencies("bind_version.nasl", "dnssec_resolver.nasl");
  script_require_keys("bind/version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");

# Version-only check: run only when the scan policy asks for paranoid
# reporting.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

ver = get_kb_item("bind/version");
if (!ver) exit(1, "BIND version is unknown or DNS is not running.");

# Versions matched by the pattern below, i.e. everything before the fixed
# releases 9.4.3-P5, 9.5.2-P2 and 9.6.1-P3 that also close CVE-2010-0382:
#   9.4-ESVb1, 9.4.0 - 9.4.3-P4, 9.5.0 - 9.5.2-P1, 9.6.0 - 9.6.1-P2,
#   9.6.2b1, 9.7.0 alpha/beta 0-3 and 9.7.0rc1.
# Branches 9.0.x - 9.3.x are handled separately by the test further down.
# Each alternative is anchored on a non-digit / non-hyphen or end of string
# so that e.g. "9.4.3-P5" or "9.4.30" is not accepted as a prefix match of
# an affected version.
pattern = "^(" +
  "9\.4-ESVb1|" +
  "9\.4\.([0-2]([^0-9]|$)|3(-P[1-4]$|[^0-9\-]|$))|"+
  "9\.5\.([01]([^0-9]|$)|2(-P1$|[^0-9\-]|$))|" +
  "9\.6\.(0([^0-9]|$)|1(-P[1-2]$|[^0-9\-]|$)|2b1$)|" +
  "9\.7\.0([ab][0-3]$|rc1$)" +
  ")";

# Branches 9.0 - 9.3 are treated as end-of-life with no upstream fix, so
# any such version is reported with the note below.
# NOTE(review): vendors did backport the fix onto these branches (e.g. the
# bind-9.3.6-4.P1.el5_4.1 package shipped in VMSA-2010-0004) and the
# backport keeps the old upstream version string, so this branch is a
# false-positive source on enterprise distributions; prefer the local
# package checks where credentials are available.
if (ver =~ "^9\.[0-3]\.")
{
  security_note(port:53, proto:"udp", extra: '\nNo fix is available on branches 9.0 to 9.3 (end of life).');
  exit(0);
}

if (ereg(pattern:pattern, string:ver) ) security_note(port:53, proto:"udp");
else exit(0, "BIND version "+ ver + " is running on port 53 and is not vulnerable.");
NASL family SuSE Local Security Checks NASL id SUSE_11_2_BIND-100121.NASL description bind when configured for DNSSEC could incorrectly cache NXDOMAIN responses (CVE-2010-0097). Moreover, the fix for CVE-2009-4022 was incomplete. Despite the previous fix CNAME and DNAME responses could be incorrectly cached (CVE-2010-0290). last seen 2020-06-01 modified 2020-06-02 plugin id 44309 published 2010-01-26 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44309 title openSUSE Security Update : bind (bind-1845) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update bind-1845.
#
# The text description of this plugin is (C) SUSE LLC.
#
# Local RPM check for openSUSE 11.2 update bind-1845, which covers the
# incomplete first fix for CVE-2009-4022 (CVE-2010-0290) and the NXDOMAIN
# caching issue CVE-2010-0097. The reference build 9.6.1P3 corresponds to
# the upstream release that closes all three, so here the installed version
# string lines up with the ISC advisory (unlike the SLES 11 backport).
include("compat.inc");

if (description)
{
  script_id(44309);
  script_version("1.9");
  script_cvs_date("Date: 2019/10/25 13:36:38");

  script_cve_id("CVE-2009-4022", "CVE-2010-0097", "CVE-2010-0290");

  script_name(english:"openSUSE Security Update : bind (bind-1845)");
  script_summary(english:"Check for the bind-1845 patch");

  script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." );
  script_set_attribute( attribute:"description", value: "bind when configured for DNSSEC could incorrectly cache NXDOMAIN responses (CVE-2010-0097). Moreover, the fix for CVE-2009-4022 was incomplete. Despite the previous fix CNAME and DNAME responses could be incorrectly cached (CVE-2010-0290)." );
  script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=570912" );
  script_set_attribute(attribute:"solution", value:"Update the affected bind packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bind-chrootenv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bind-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bind-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bind-libs-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bind-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  # The rpm list and release / cpu keys come from the SSH info gathering.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Scope: openSUSE 11.2 only. SLED/SLES hosts are excluded explicitly (they
# have their own plugin) before the exact release string is tested.
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only the x86 architectures the update was built for are evaluated.
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

# Each rpm_check() counts a package that is installed and older than the
# reference build; any hit is enough to report.
flag = 0;
if ( rpm_check(release:"SUSE11.2", reference:"bind-9.6.1P3-1.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"bind-chrootenv-9.6.1P3-1.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"bind-devel-9.6.1P3-1.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"bind-libs-9.6.1P3-1.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"bind-utils-9.6.1P3-1.1.1") ) flag++;
# The 32-bit compatibility libs exist only on x86_64.
if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"bind-libs-32bit-9.6.1P3-1.1.1") ) flag++;

if (flag)
{
  # security_warning() matches the I:P (medium) vector declared above.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Distinguish "bind installed and current" from "bind not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bind / bind-chrootenv / bind-devel / bind-libs / bind-libs-32bit / etc");
}
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0004.NASL description a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1 Newt is a programming library for color text mode, widget based user interfaces. Newt can be used to add stacked windows, entry widgets, checkboxes, radio buttons, labels, plain text fields, scrollbars, etc., to text mode user interfaces. A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially crafted text dialog box display request (direct or via a custom application), leading to a denial of service (application crash) or, potentially, arbitrary code execution with the privileges of the user running the application using the newt library. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2905 to this issue. b. vMA and Service Console update for vMA package nfs-utils to 1.0.9-42.el5 The nfs-utils package provides a daemon for the kernel NFS server and related tools. It was discovered that nfs-utils did not use tcp_wrappers correctly. Certain hosts access rules defined in last seen 2020-06-01 modified 2020-06-02 plugin id 44993 published 2010-03-05 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44993 title VMSA-2010-0004 : ESX Service Console and vMA third-party updates code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2010-0004.
# The text itself is copyright (C) VMware Inc.
#
# Roll-up patch check for VMSA-2010-0004: one finding covers every
# third-party package the advisory updates on the ESX Service Console and
# vMA (newt, nfs-utils, glib2, openssl, bind, expat, openssh, ntp, kernel
# and others). CVE-2009-4022 is item (e); its fix ships as
# bind-9.3.6-4.P1.el5_4.1, a backport on the 9.3 branch that keeps the
# 9.3.6 version string, so the remote BIND banner check (plugin 42983)
# would still report such a host as an unfixable EOL branch -- on ESX this
# local patch check is the one to trust.
include("compat.inc");

if (description)
{
  script_id(44993);
  script_version("1.31");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id("CVE-2008-3916", "CVE-2008-4316", "CVE-2008-4552", "CVE-2009-0115", "CVE-2009-0590", "CVE-2009-1189", "CVE-2009-1377", "CVE-2009-1378", "CVE-2009-1379", "CVE-2009-1386", "CVE-2009-1387", "CVE-2009-2695", "CVE-2009-2849", "CVE-2009-2904", "CVE-2009-2905", "CVE-2009-2908", "CVE-2009-3228", "CVE-2009-3286", "CVE-2009-3547", "CVE-2009-3560", "CVE-2009-3563", "CVE-2009-3612", "CVE-2009-3613", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3720", "CVE-2009-3726", "CVE-2009-4022");
  script_bugtraq_id(30815, 31602, 31823, 34100, 34256, 35001, 35138, 35174, 36304, 36515, 36552, 36639, 36706, 36723, 36824, 36827, 36901, 36936, 37118, 37203, 37255);
  script_xref(name:"VMSA", value:"2010-0004");

  script_name(english:"VMSA-2010-0004 : ESX Service Console and vMA third-party updates");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute( attribute:"synopsis", value: "The remote VMware ESX host is missing one or more security-related patches." );
  script_set_attribute( attribute:"description", value: "a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1 Newt is a programming library for color text mode, widget based user interfaces. Newt can be used to add stacked windows, entry widgets, checkboxes, radio buttons, labels, plain text fields, scrollbars, etc., to text mode user interfaces. A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially crafted text dialog box display request (direct or via a custom application), leading to a denial of service (application crash) or, potentially, arbitrary code execution with the privileges of the user running the application using the newt library. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2905 to this issue. b. vMA and Service Console update for vMA package nfs-utils to 1.0.9-42.el5 The nfs-utils package provides a daemon for the kernel NFS server and related tools. It was discovered that nfs-utils did not use tcp_wrappers correctly. Certain hosts access rules defined in '/etc/hosts.allow' and '/etc/hosts.deny' may not have been honored, possibly allowing remote attackers to bypass intended access restrictions. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4552 to this issue. c. vMA and Service Console package glib2 updated to 2.12.3-4.el5_3.1 GLib is the low-level core library that forms the basis for projects such as GTK+ and GNOME. It provides data structure handling for C, portability wrappers, and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system. Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either from or to a base64 representation. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4316 to this issue. d. vMA and Service Console update for openssl to 0.9.8e-12.el5 SSL is a toolkit implementing SSL v2/v3 and TLS protocols with full- strength cryptography world-wide. Multiple denial of service flaws were discovered in OpenSSL's DTLS implementation. A remote attacker could use these flaws to cause a DTLS server to use excessive amounts of memory, or crash on an invalid memory access or NULL pointer dereference. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 to these issues. An input validation flaw was found in the handling of the BMPString and UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex() function. An attacker could use this flaw to create a specially crafted X.509 certificate that could cause applications using the affected function to crash when printing certificate contents. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0590 to this issue. e. vMA and Service Console package bind updated to 9.3.6-4.P1.el5_4.1 It was discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-4022 to this issue. f. vMA and Service Console package expat updated to 1.95.8-8.3.el5_4.2. Two buffer over-read flaws were found in the way Expat handled malformed UTF-8 sequences when processing XML files. A specially- crafted XML file could cause applications using Expat to fail while parsing the file. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-3560 and CVE-2009-3720 to these issues. g. vMA and Service Console package openssh update to 4.3p2-36.el5_4.2 A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2904 to this issue. h. vMA and Service Console package ntp updated to ntp-4.2.2p1-9.el5_4.1.i386.rpm A flaw was discovered in the way ntpd handled certain malformed NTP packets. ntpd logged information about all such packets and replied with an NTP packet that was treated as malformed when received by another ntpd. A remote attacker could use this flaw to create an NTP packet reply loop between two ntpd servers through a malformed packet with a spoofed source IP address and port, causing ntpd on those servers to use excessive amounts of CPU time and fill disk space with log messages. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3563 to this issue. i. vMA update for package kernel to 2.6.18-164.9.1.el5 Updated vMA package kernel addresses the security issues listed below. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2849 to the security issue fixed in kernel 2.6.18-128.2.1 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228, CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues fixed in kernel 2.6.18-128.6.1 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621, CVE-2009-3726 to the security issues fixed in kernel 2.6.18-128.9.1 j. vMA 4.0 updates for the packages kpartx, libvolume-id, device-mapper-multipath, fipscheck, dbus, dbus-libs, and ed kpartx updated to 0.4.7-23.el5_3.4, libvolume-id updated to 095-14.20.el5 device-mapper-multipath package updated to 0.4.7-23.el5_3.4, fipscheck updated to 1.0.3-1.el5, dbus updated to 1.1.2-12.el5, dbus-libs updated to 1.1.2-12.el5, and ed package updated to 0.2-39.el5_2. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3916, CVE-2009-1189 and CVE-2009-0115 to these issues." );
  script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2010/000104.html" );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");

  # NOTE(review): the CVSS vector and the exploit flags below describe the
  # worst case across all 28 CVEs in this roll-up (kernel, openssl, newt,
  # ...), not CVE-2009-4022 in particular -- the dedicated BIND plugin
  # (42983) marks that CVE as having no known exploit. Do not read these
  # attributes as evidence about the BIND issue alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(16, 20, 119, 189, 200, 264, 362, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  # Either patch inventory source is acceptable; the check below requires
  # at least one of them.
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}

include("audit.inc");
include("vmware_esx_packages.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING);

# Advisory date handed to the ESX package library (vmware_esx_packages.inc,
# not visible here).
init_esx_check(date:"2010-03-03");

# One esx_check() per advisory patch bulletin; any missing bulletin sets
# the flag. patch_updates presumably lists the cumulative updates that
# already contain the bulletin, so a host on a later Update is not
# reported -- the matching logic lives in vmware_esx_packages.inc.
flag = 0;
if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201006407-SG")) flag++;
if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201008406-SG")) flag++;
if ( esx_check( ver : "ESX 4.0.0", patch : "ESX400-201002404-SG", patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04") ) ) flag++;
if ( esx_check( ver : "ESX 4.0.0", patch : "ESX400-201002406-SG", patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04") ) ) flag++;
if ( esx_check( ver : "ESX 4.0.0", patch : "ESX400-201002407-SG", patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04") ) ) flag++;
if ( esx_check( ver : "ESX 4.0.0", patch : "ESX400-201005403-SG", patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04") ) ) flag++;
if ( esx_check( ver : "ESX 4.0.0", patch : "ESX400-201005404-SG", patch_updates : make_list("ESX400-201404402-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04") ) ) flag++;

if (flag)
{
  # security_hole() matches the roll-up's C:C/I:C/A:C vector.
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id SUSE_11_BIND-100121.NASL description When bind is configured for DNSSEC it could incorrectly cache NXDOMAIN responses (CVE-2010-0097). Moreover, the fix for CVE-2009-4022 was incomplete. Despite the previous fix CNAME and DNAME responses could be incorrectly cached (CVE-2010-0290). All these bugs have been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 44311 published 2010-01-26 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44311 title SuSE 11 Security Update : bind (SAT Patch Number 1844) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SuSE 11 update information. The text itself is
# copyright (C) Novell, Inc.
#
# Local RPM check for SLES/SLED 11 (GA, no service pack) SAT patch 1844,
# covering CVE-2009-4022, its incomplete fix (CVE-2010-0290) and
# CVE-2010-0097. The fixed build is bind-9.5.0P2-20.7.1: a vendor backport
# that keeps the upstream version string 9.5.0-P2, which the remote BIND
# banner check (plugin 42983) still classifies as vulnerable. Where
# credentials are available this package-level check is the authoritative
# one for these hosts.
if (NASL_LEVEL < 3000) exit(0);
include("compat.inc");

if (description)
{
  script_id(44311);
  script_version("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:39");

  script_cve_id("CVE-2009-4022", "CVE-2010-0097", "CVE-2010-0290");

  script_name(english:"SuSE 11 Security Update : bind (SAT Patch Number 1844)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." );
  script_set_attribute( attribute:"description", value: "When bind is configured for DNSSEC it could incorrectly cache NXDOMAIN responses (CVE-2010-0097). Moreover, the fix for CVE-2009-4022 was incomplete. Despite the previous fix CNAME and DNAME responses could be incorrectly cached (CVE-2010-0290). All these bugs have been fixed." );
  script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=570912" );
  script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2009-4022.html" );
  script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-0097.html" );
  script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-0290.html" );
  script_set_attribute(attribute:"solution", value:"Apply SAT patch number 1844.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:bind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:bind-chrootenv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:bind-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:bind-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:bind-libs-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:bind-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Scope: SLED 11 or SLES 11 only.
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architectures the patch was built for: 32/64-bit x86 and s390x
# (">!<" is NASL's "does not contain").
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);

# Only the GA release (no patchlevel recorded) is covered; hosts on a
# service pack are presumably handled by a different plugin and are
# skipped here.
pl = get_kb_item("Host/SuSE/patchlevel");
if (pl) audit(AUDIT_OS_NOT, "SuSE 11.0");

# Each rpm_check() counts a package that is installed and older than the
# reference build. SLED entries are per-architecture; SLES entries are
# arch-independent except for the 32-bit compatibility libs, which exist
# only on s390x and x86_64.
flag = 0;
if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"bind-libs-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"bind-utils-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"bind-libs-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"bind-libs-32bit-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"bind-utils-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"bind-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"bind-chrootenv-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"bind-doc-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"bind-libs-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"bind-utils-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"bind-libs-32bit-9.5.0P2-20.7.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"bind-libs-32bit-9.5.0P2-20.7.1")) flag++;

if (flag)
{
  # security_warning() matches the I:P (medium) vector declared above.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201006-11.NASL description The remote host is affected by the vulnerability described in GLSA-201006-11 (BIND: Multiple vulnerabilities) Multiple cache poisoning vulnerabilities were discovered in BIND. For further information please consult the CVE entries and the ISC Security Bulletin referenced below. Note: CVE-2010-0290 and CVE-2010-0382 exist because of an incomplete fix and a regression for CVE-2009-4022. Impact : An attacker could exploit this weakness to poison the cache of a recursive resolver and thus spoof DNS traffic, which could e.g. lead to the redirection of web or mail traffic to malicious sites. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 46778 published 2010-06-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46778 title GLSA-201006-11 : BIND: Multiple vulnerabilities code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201006-11.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
# Purpose: local (SSH-gathered) version check for GLSA 201006-11. Reports a
# Gentoo host whose installed net-dns/bind is older than 9.4.3_p5, the
# version the GLSA ships as fixed for CVE-2009-4022, CVE-2010-0097,
# CVE-2010-0290 and CVE-2010-0382.
#
# What a hit does NOT prove: the check is purely version-based (qpkg_check
# against /var/db/pkg). The advisory text describes cache poisoning of a
# *recursive* resolver, and the related Debian advisory on this page limits
# exposure to resolvers configured with DNSSEC trust anchors; a finding here
# means "unpatched package installed", not that named runs in that role.
#

include("compat.inc");

if (description)
{
  # Registration block, consumed by the Nessus engine at load time.
  # Call order follows the standard Tenable template; leave it as-is.
  script_id(46778);
  script_version("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:45");

  script_cve_id("CVE-2009-4022", "CVE-2010-0097", "CVE-2010-0290", "CVE-2010-0382");
  script_xref(name:"GLSA", value:"201006-11");

  script_name(english:"GLSA-201006-11 : BIND: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  # Advisory text reproduced verbatim (runtime string shown to the user).
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201006-11 (BIND: Multiple vulnerabilities) Multiple cache poisoning vulnerabilities were discovered in BIND. For further information please consult the CVE entries and the ISC Security Bulletin referenced below. Note: CVE-2010-0290 and CVE-2010-0382 exist because of an incomplete fix and a regression for CVE-2009-4022. Impact : An attacker could exploit this weakness to poison the cache of a recursive resolver and thus spoof DNS traffic, which could e.g. lead to the redirection of web or mail traffic to malicious sites. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.isc.org/advisories/CVE2009-4022"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201006-11"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All BIND users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-dns/bind-9.4.3_p5'"
  );
  # NOTE(review): severity follows the GLSA rating (C:C/I:C/A:C, reported
  # via security_hole below). The SuSE and Scientific Linux plugins on this
  # page score the same CVE as AV:N/AC:M/Au:N/C:N/I:P/A:N and report it as
  # security_warning; the difference is vendor rating, not a different flaw.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:bind");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/06/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  # Depends on the SSH info-gathering plugin having populated the KB keys
  # required below; the engine will not schedule this plugin otherwise.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Gating: audit out (no finding, explicit reason) when the prerequisites for a
# local package check are absent, so "not reported" never silently means
# "not checked".
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# flag counts package checks that matched a vulnerable version.
flag = 0;

# Fixed version per the GLSA: anything below 9.4.3_p5 is vulnerable.
if (qpkg_check(package:"net-dns/bind", unaffected:make_list("ge 9.4.3_p5"), vulnerable:make_list("lt 9.4.3_p5"))) flag++;

if (flag)
{
  # In verbose mode attach the installed-vs-fixed package table to the finding.
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "bind installed and at a fixed version" from "bind not installed".
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "BIND");
}
NASL family Scientific Linux Local Security Checks NASL id SL_20100120_BIND_ON_SL5_X.NASL description CVE-2010-0097 BIND DNSSEC NSEC/NSEC3 validation code could cause bogus NXDOMAIN responses CVE-2010-0290 BIND upstream fix for CVE-2009-4022 is incomplete A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097) The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290) After installing the update, the BIND daemon (named) will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 60726 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60726 title Scientific Linux Security Update : bind on SL5.x i386/x86_64 code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#
# Purpose: local (SSH-gathered) RPM version check for the 2010-01-20
# Scientific Linux 5 bind errata. Reports a host whose bind packages are
# older than 9.3.6-4.P1.el5_4.2, the build that completes the CVE-2009-4022
# fix (CVE-2010-0290) and addresses the NSEC/NSEC3 NXDOMAIN caching issue
# (CVE-2010-0097).
#
# What a hit does NOT prove: only package versions are compared. The errata
# text itself scopes both issues to BIND "running as a DNSSEC-validating
# resolver"; the plugin cannot tell whether named is configured that way.
#

include("compat.inc");

if (description)
{
  # Registration block, consumed by the Nessus engine at load time.
  script_id(60726);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/25 13:36:18");

  # CVE-2009-4022 is listed alongside the two 2010 CVEs because this build
  # supersedes the original (incomplete) fix for it.
  script_cve_id("CVE-2009-4022", "CVE-2010-0097", "CVE-2010-0290");

  script_name(english:"Scientific Linux Security Update : bind on SL5.x i386/x86_64");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Scientific Linux host is missing one or more security updates."
  );
  # Errata text reproduced verbatim (runtime string shown to the user).
  script_set_attribute(
    attribute:"description",
    value:
"CVE-2010-0097 BIND DNSSEC NSEC/NSEC3 validation code could cause bogus NXDOMAIN responses CVE-2010-0290 BIND upstream fix for CVE-2009-4022 is incomplete A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097) The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290) After installing the update, the BIND daemon (named) will be restarted automatically."
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1001&L=scientific-linux-errata&T=0&P=1792
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?137641e1"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  # Integrity-only partial impact; reported via security_warning below.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  # Scientific Linux is detected through the Host/RedHat/* KB keys; see the
  # substring test on the release string below.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Gating: audit out with an explicit reason whenever a prerequisite for a
# local package check is missing.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The release string is read from the RedHat key and must contain
# "Scientific Linux " to distinguish it from other hosts that populate the
# same key.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only i386/x86_64 builds are covered by this errata.
# NOTE(review): operand order here is `cpu >!< "x86_64"` (cpu not a substring
# of the literal), the reverse of the SuSE plugin's `"x86_64" >!< cpu`; the two
# agree when Host/cpu is exactly "x86_64" - confirm if that key can carry
# extra text.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);

# flag counts package checks that matched a vulnerable version.
flag = 0;

# Every bind sub-package from the errata, compared against the fixed build.
if (rpm_check(release:"SL5", reference:"bind-9.3.6-4.P1.el5_4.2")) flag++;
if (rpm_check(release:"SL5", reference:"bind-chroot-9.3.6-4.P1.el5_4.2")) flag++;
if (rpm_check(release:"SL5", reference:"bind-devel-9.3.6-4.P1.el5_4.2")) flag++;
if (rpm_check(release:"SL5", reference:"bind-libbind-devel-9.3.6-4.P1.el5_4.2")) flag++;
if (rpm_check(release:"SL5", reference:"bind-libs-9.3.6-4.P1.el5_4.2")) flag++;
if (rpm_check(release:"SL5", reference:"bind-sdb-9.3.6-4.P1.el5_4.2")) flag++;
if (rpm_check(release:"SL5", reference:"bind-utils-9.3.6-4.P1.el5_4.2")) flag++;
if (rpm_check(release:"SL5", reference:"caching-nameserver-9.3.6-4.P1.el5_4.2")) flag++;

if (flag)
{
  # In verbose mode attach the installed-vs-fixed package table to the finding.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0004_REMOTE.NASL description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - bind - expat - glib2 - Kernel - newt - nfs-utils - NTP - OpenSSH - OpenSSL last seen 2020-06-01 modified 2020-06-02 plugin id 89737 published 2016-03-08 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89737 title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check) code
#
# (C) Tenable Network Security, Inc.
#
# Purpose: *remote* check for VMSA-2010-0004. Compares the ESX/ESXi build
# number reported by vmware_vsphere_detect.nbin against the fixed builds
# for the two covered releases (4.0 -> 236512, 3.5 -> 283373). No SSH
# access or package list is involved.
#
# Caveats for triage:
#  - The finding covers the whole VMSA (28 CVEs across bind, OpenSSL, the
#    kernel, etc.). The exploit/malware flags set below describe that set,
#    not CVE-2009-4022 specifically - the Gentoo, Mandriva and Debian plugins
#    on this page mark that CVE "No known exploits are available".
#  - Releases absent from the fixes table are reported as NOT vulnerable
#    (see the `!fix` branch), i.e. an unlisted version is treated as
#    unaffected rather than unknown.
#

include("compat.inc");

if (description)
{
  # Registration block, consumed by the Nessus engine at load time.
  script_id(89737);
  script_version("1.5");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  # Full CVE set of VMSA-2010-0004; CVE-2009-4022 is the BIND entry.
  script_cve_id(
    "CVE-2008-3916",
    "CVE-2008-4316",
    "CVE-2008-4552",
    "CVE-2009-0115",
    "CVE-2009-0590",
    "CVE-2009-1189",
    "CVE-2009-1377",
    "CVE-2009-1378",
    "CVE-2009-1379",
    "CVE-2009-1386",
    "CVE-2009-1387",
    "CVE-2009-2695",
    "CVE-2009-2849",
    "CVE-2009-2904",
    "CVE-2009-2905",
    "CVE-2009-2908",
    "CVE-2009-3228",
    "CVE-2009-3286",
    "CVE-2009-3547",
    "CVE-2009-3560",
    "CVE-2009-3563",
    "CVE-2009-3612",
    "CVE-2009-3613",
    "CVE-2009-3620",
    "CVE-2009-3621",
    "CVE-2009-3720",
    "CVE-2009-3726",
    "CVE-2009-4022"
  );
  script_bugtraq_id(
    30815,
    31602,
    31823,
    34100,
    34256,
    35001,
    35138,
    35174,
    36304,
    36515,
    36552,
    36639,
    36706,
    36723,
    36824,
    36827,
    36901,
    36936,
    37118,
    37203,
    37255
  );
  script_xref(name:"VMSA", value:"2010-0004");

  script_name(english:"VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check)");
  script_summary(english:"Checks the ESX / ESXi version and build number.");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESX host is missing a security-related patch.");
  script_set_attribute(attribute:"description", value:
"The remote VMware ESX host is missing a security-related
patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - bind - expat - glib2 - Kernel - newt - nfs-utils - NTP - OpenSSH - OpenSSL");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2010-0004");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2010/000104.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory that pertains to ESX version 3.5 / 4.0.");
  # Aggregate rating for the advisory as a whole (highest-impact component).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # Exploit metadata applies to the CVE set above, not to each CVE individually.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(16, 20, 119, 189, 200, 264, 362, 399);

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  # Version/release/build strings come from the remote vSphere detection.
  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");
  script_require_ports("Host/VMware/vsphere");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# All three keys are mandatory; get_kb_item_or_exit audits out if one is absent.
ver = get_kb_item_or_exit("Host/VMware/version");
rel = get_kb_item_or_exit("Host/VMware/release");
port = get_kb_item_or_exit("Host/VMware/vsphere");

esx = '';
if ("ESX" >!< rel) audit(AUDIT_OS_NOT, "VMware ESX/ESXi");

# Split the product token (ESX or ESXi) from the major.minor version;
# only the first two version components are kept for the table lookup.
extract = eregmatch(pattern:"^(ESXi?) (\d\.\d).*$", string:ver);
if (isnull(extract)) audit(AUDIT_UNKNOWN_APP_VER, "VMware ESX/ESXi");
else
{
  esx = extract[1];
  ver = extract[2];
}

# fixed build numbers are the same for ESX and ESXi
fixes = make_array(
  "4.0", "236512",
  "3.5", "283373"
);
fix = FALSE;
fix = fixes[ver];

# get the build before checking the fix for the most complete audit trail
extract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel);
if (isnull(extract)) audit(AUDIT_UNKNOWN_BUILD, "VMware " + esx, ver);
build = int(extract[1]);

# if there is no fix in the array, fix is FALSE
# (any release other than 3.5 / 4.0 therefore audits as not vulnerable)
if (!fix) audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);

# NOTE(review): `fix` is the string from the table and `build` an int; the
# comparison relies on the interpreter's numeric coercion - confirm.
if (build < fix)
{
  report =
    '\n  Version         : ' + esx + " " + ver +
    '\n  Installed build : ' + build +
    '\n  Fixed build     : ' + fix +
    '\n';
  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);
NASL family HP-UX Local Security Checks NASL id HPUX_PHNE_40339.NASL description s700_800 11.23 BIND 9.2.0 Revision 5.0 : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to create a Denial of Service (DoS) and permit unauthorized disclosure of information. (HPSBUX02546 SSRT100159) - A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to create a Denial of Service (DoS). (HPSBUX02451 SSRT090137) last seen 2020-06-01 modified 2020-06-02 plugin id 46813 published 2010-06-07 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46813 title HP-UX PHNE_40339 : s700_800 11.23 BIND 9.2.0 Revision 5.0 code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and patch checks in this plugin were
# extracted from HP patch PHNE_40339. The text itself is
# copyright (C) Hewlett-Packard Development Company, L.P.
#
# Purpose: local (swlist-based) patch check for HP-UX 11.23 BIND 9.2.0.
# Reports a host on which neither PHNE_40339 nor one of the later patches
# listed below is installed and at least one of the InternetSrvcs filesets
# is present at B.11.23.
#
# Caveats for triage:
#  - HP's advisory text (kept verbatim in the description) characterises the
#    impact as DoS / information disclosure; the CVE-2009-4022 entry itself
#    describes DNS cache poisoning. Both readings refer to the same patch set.
#  - The exploit flags below cover all four CVEs listed (including the
#    CVE-2009-0696 DoS); other plugins on this page mark CVE-2009-4022 as
#    having no known exploit.
#

include("compat.inc");

if (description)
{
  # Registration block, consumed by the Nessus engine at load time.
  script_id(46813);
  script_version("1.20");
  script_cvs_date("Date: 2018/07/12 19:01:15");

  script_cve_id("CVE-2009-0696", "CVE-2009-4022", "CVE-2010-0290", "CVE-2010-0382");
  script_bugtraq_id(35848, 37118);
  # Two HP bulletins are folded into this single patch.
  script_xref(name:"HP", value:"emr_na-c01835108");
  script_xref(name:"HP", value:"emr_na-c02263226");
  script_xref(name:"HP", value:"HPSBUX02451");
  script_xref(name:"HP", value:"HPSBUX02546");
  script_xref(name:"HP", value:"SSRT090137");
  script_xref(name:"HP", value:"SSRT100159");

  script_name(english:"HP-UX PHNE_40339 : s700_800 11.23 BIND 9.2.0 Revision 5.0");
  script_summary(english:"Checks for the patch in the swlist output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote HP-UX host is missing a security-related patch."
  );
  # HP bulletin text reproduced verbatim (runtime string shown to the user).
  script_set_attribute(
    attribute:"description",
    value:
"s700_800 11.23 BIND 9.2.0 Revision 5.0 : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to create a Denial of Service (DoS) and permit unauthorized disclosure of information. (HPSBUX02546 SSRT100159) - A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to create a Denial of Service (DoS). (HPSBUX02451 SSRT090137)"
  );
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01835108
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?937b96ed"
  );
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02263226
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?237e5744"
  );
  # "or subsequent": later patches in the same chain count as fixed (see the
  # patches list in the check below).
  script_set_attribute(
    attribute:"solution",
    value:"Install patch PHNE_40339 or subsequent."
  );
  # Aggregate rating for the whole patch; reported via security_hole below.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(16);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/05/28");
  script_set_attribute(attribute:"patch_modification_date", value:"2010/09/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
  script_family(english:"HP-UX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("hpux.inc");

# Gating: audit out with an explicit reason when local checks or the swlist
# inventory are unavailable.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);

# PHNE_40339 is specific to HP-UX 11.23; other releases are out of scope.
if (!hpux_check_ctx(ctx:"11.23"))
{
  exit(0, "The host is not affected since PHNE_40339 applies to a different OS release.");
}

# PHNE_40339 plus the later patches that (per the "or subsequent" wording of
# the solution) presumably supersede it. Any one of them installed ends the
# check as "not affected" before the fileset comparison runs.
patches = make_list("PHNE_40339", "PHNE_41721", "PHNE_42727", "PHNE_43096", "PHNE_43278", "PHNE_43369");
foreach patch (patches)
{
  if (hpux_installed(app:patch))
  {
    exit(0, "The host is not affected because patch "+patch+" is installed.");
  }
}

# flag counts filesets found at the unpatched B.11.23 revision.
flag = 0;
if (hpux_check_patch(app:"InternetSrvcs.INET-ENG-A-MAN", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"InternetSrvcs.INET-JPN-E-MAN", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"InternetSrvcs.INET-JPN-S-MAN", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"InternetSrvcs.INETSVCS-INETD", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"InternetSrvcs.INETSVCS-RUN", version:"B.11.23")) flag++;
if (hpux_check_patch(app:"InternetSrvcs.INETSVCS2-RUN", version:"B.11.23")) flag++;

if (flag)
{
  # In verbose mode attach the fileset/patch table to the finding.
  if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-021.NASL description Some vulnerabilities were discovered and corrected in bind : The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries (CVE-2010-0290). There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set (CVE-2010-0097). ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022 (CVE-2010-0382). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. Additionally BIND has been upgraded to the latest patch release version. last seen 2020-06-01 modified 2020-06-02 plugin id 44102 published 2010-01-21 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44102 title Mandriva Linux Security Advisory : bind (MDVSA-2010:021) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2010:021.
# The text itself is copyright (C) Mandriva S.A.
#
# Purpose: local (SSH-gathered) RPM version check for MDVSA-2010:021.
# Reports a Mandriva 2008.0 / 2009.0 / 2009.1 / 2010.0 host whose bind
# packages are older than the per-release builds listed in the check below.
# The advisory covers the incomplete fix (CVE-2010-0290), the regression
# (CVE-2010-0382) and the NSEC/NSEC3 NXDOMAIN caching issue (CVE-2010-0097)
# that followed the original CVE-2009-4022 fix.
#
# What a hit does NOT prove: only package versions are compared; the
# advisory text scopes the poisoning to a resolver answering recursive
# queries with DNSSEC records requested and checking disabled (CD), which the
# plugin cannot observe.
#
# NOTE(review): the fixed references below carry Mandriva's own release tags
# (e.g. 9.5.2-0.2mdv2009.0). Their mapping to the ISC -P levels named in the
# advisory (9.4.3-P5 / 9.5.2-P2 / 9.6.1-P3) is not visible here; check the
# MDVSA if the exact upstream level matters.
#

include("compat.inc");

if (description)
{
  # Registration block, consumed by the Nessus engine at load time.
  script_id(44102);
  script_version("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:53");

  script_cve_id("CVE-2009-4022", "CVE-2010-0097", "CVE-2010-0290", "CVE-2010-0382");
  script_bugtraq_id(37118, 37865);
  script_xref(name:"MDVSA", value:"2010:021");

  script_name(english:"Mandriva Linux Security Advisory : bind (MDVSA-2010:021)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandriva Linux host is missing one or more security updates."
  );
  # Advisory text reproduced verbatim (runtime string shown to the user).
  script_set_attribute(
    attribute:"description",
    value:
"Some vulnerabilities were discovered and corrected in bind : The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries (CVE-2010-0290). There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set (CVE-2010-0097).
ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022 (CVE-2010-0382). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. Additionally BIND has been upgraded to the latest patch release version."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=557121"
  );
  # https://www.isc.org/advisories/CVE-2009-4022v6
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bind-announce&m=126392310412888"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.isc.org/advisories/CVE-2010-0097"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  # NOTE(review): rated C:C/I:C/A:C here (reported via security_hole below),
  # whereas the SuSE and Scientific Linux plugins on this page use
  # AV:N/AC:M/Au:N/C:N/I:P/A:N for the same CVEs; vendor rating, same flaw.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bind-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bind-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bind-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # Mandriva hosts are keyed under the legacy Host/Mandrake/* KB names.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Gating: audit out with an explicit reason whenever a prerequisite for a
# local package check is missing.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# ("Mandake" is a typo in the shipped audit message; it is a runtime string
# and is left untouched here.)
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 builds are covered by the advisory; the whole-string
# anchored regex rejects anything else.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# flag counts package checks that matched a vulnerable version.
# yank:"mdv" strips the distro tag so the version comparison is done on the
# upstream version-release part.
flag = 0;

# Mandriva 2008.0 (Corporate Desktop 2008.0 packages per the advisory).
if (rpm_check(release:"MDK2008.0", reference:"bind-9.4.3-0.2mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"bind-devel-9.4.3-0.2mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"bind-utils-9.4.3-0.2mdv2008.0", yank:"mdv")) flag++;

# Mandriva 2009.0
if (rpm_check(release:"MDK2009.0", reference:"bind-9.5.2-0.2mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"bind-devel-9.5.2-0.2mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"bind-doc-9.5.2-0.2mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"bind-utils-9.5.2-0.2mdv2009.0", yank:"mdv")) flag++;

# Mandriva 2009.1
if (rpm_check(release:"MDK2009.1", reference:"bind-9.6.1-0.2mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"bind-devel-9.6.1-0.2mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"bind-doc-9.6.1-0.2mdv2009.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"bind-utils-9.6.1-0.2mdv2009.1", yank:"mdv")) flag++;

# Mandriva 2010.0
if (rpm_check(release:"MDK2010.0", reference:"bind-9.6.1-4.2mdv2010.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"bind-devel-9.6.1-4.2mdv2010.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"bind-doc-9.6.1-4.2mdv2010.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"bind-utils-9.6.1-4.2mdv2010.0", yank:"mdv")) flag++;

if (flag)
{
  # In verbose mode attach the installed-vs-fixed package table to the finding.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1961.NASL description Michael Sinatra discovered that the DNS resolver component in BIND does not properly check DNS records contained in additional sections of DNS responses, leading to a cache poisoning vulnerability. This vulnerability is only present in resolvers which have been configured with DNSSEC trust anchors, which is still rare. Note that this update contains an internal ABI change, which means that all BIND-related packages (bind9, dnsutils and the library packages) must be updated at the same time (preferably using last seen 2020-06-01 modified 2020-06-02 plugin id 44826 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44826 title Debian DSA-1961-1 : bind9 - DNS cache poisoning code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1961. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local check for DSA-1961 (CVE-2009-4022): compares the installed
# BIND-related packages on Debian 4.0 (etch) and 5.0 (lenny) against
# the fixed versions named in the advisory and reports when any one
# of them is older than the fix.
#

include("compat.inc");

if (description)
{
  script_id(44826);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:22");

  script_cve_id("CVE-2009-4022");
  script_bugtraq_id(37118);
  script_xref(name:"CERT", value:"418861");
  script_xref(name:"DSA", value:"1961");

  script_name(english:"Debian DSA-1961-1 : bind9 - DNS cache poisoning");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Michael Sinatra discovered that the DNS resolver component in BIND does not properly check DNS records contained in additional sections of DNS responses, leading to a cache poisoning vulnerability. 
This vulnerability is only present in resolvers which have been configured with DNSSEC trust anchors, which is still rare. Note that this update contains an internal ABI change, which means that all BIND-related packages (bind9, dnsutils and the library packages) must be updated at the same time (preferably using 'apt-get update' and 'apt-get upgrade'). In the unlikely event that you have compiled your own software against libdns, you must recompile this programs, too."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2009/dsa-1961"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the bind9 packages. For the old stable distribution (etch), this problem has been fixed in version 9.3.4-2etch6. For the stable distribution (lenny), this problem has been fixed in version 9.5.1.dfsg.P3-1+lenny1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind9");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Without local checks, a Debian release string and a dpkg inventory
# there is nothing to compare against, so audit out early.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Fixed versions per release, as given in the DSA-1961 solution text.
fixed_etch  = "9.3.4-2etch6";
fixed_lenny = "9.5.1.dfsg.P3-1+lenny1";

# Every binary package built from the bind9 source on each release; the
# ABI change noted in the advisory is why the library packages are
# checked alongside the daemon and tools.
etch_pkgs = make_list(
  "bind9", "bind9-doc", "bind9-host", "dnsutils", "libbind-dev",
  "libbind9-0", "libdns22", "libisc11", "libisccc0", "libisccfg1",
  "liblwres9", "lwresd"
);
lenny_pkgs = make_list(
  "bind9", "bind9-doc", "bind9-host", "bind9utils", "dnsutils",
  "libbind-dev", "libbind9-40", "libdns45", "libisc45", "libisccc40",
  "libisccfg40", "liblwres40", "lwresd"
);

# Count packages that deb_check() reports as older than the fixed version.
vuln_count = 0;
foreach pkg (etch_pkgs)
{
  if (deb_check(release:"4.0", prefix:pkg, reference:fixed_etch)) vuln_count++;
}
foreach pkg (lenny_pkgs)
{
  if (deb_check(release:"5.0", prefix:pkg, reference:fixed_lenny)) vuln_count++;
}

if (vuln_count)
{
  # Verbose reports include the per-package comparison collected by deb_check().
  if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL15748.NASL description Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022. (CVE-2010-0290) last seen 2020-06-01 modified 2020-06-02 plugin id 78697 published 2014-10-28 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78697 title F5 Networks BIG-IP : BIND vulnerability (SOL15748) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution SOL15748.
#
# The text description of this plugin is (C) F5 Networks.
#
# Local check for F5 SOL15748 (CVE-2009-4022 / CVE-2010-0290): builds a
# per-module table of affected and unaffected BIG-IP version ranges and
# lets f5_func.inc decide whether the detected version/hotfix falls in
# an affected range for any module that is present.
#

include("compat.inc");

if (description)
{
  script_id(78697);
  script_version("1.4");
  script_cvs_date("Date: 2019/01/04 10:03:40");

  script_cve_id("CVE-2009-4022", "CVE-2010-0290");
  script_bugtraq_id(37118);

  script_name(english:"F5 Networks BIG-IP : BIND vulnerability (SOL15748)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022. (CVE-2010-0290)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K15748"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5 Solution SOL15748."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_wan_optimization_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/10/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  exit(0);
}

include("f5_func.inc");

# The version, hotfix and module list are all needed by the range
# check below; a missing hotfix key is distinguished from an empty one.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "SOL15748";

# Builds one module entry for the version matrix.
# affected   : list of vulnerable version ranges for the module
# unaffected : list of fixed version ranges for the module
function module_ranges(affected, unaffected)
{
  local_var ranges;
  ranges = make_array();
  ranges["affected"]   = affected;
  ranges["unaffected"] = unaffected;
  return ranges;
}

# Ranges per module as published in SOL15748. APM lists only 10.1.0 as
# affected; PSM, WAM and WOM stop their fixed 11.x range earlier than
# the other modules.
matrix = make_array();
matrix["APM"] = module_ranges(affected:make_list("10.1.0"),
                              unaffected:make_list("11.0.0-11.6.0","10.2.0-10.2.4"));
matrix["ASM"] = module_ranges(affected:make_list("10.0.0-10.1.0"),
                              unaffected:make_list("11.0.0-11.6.0","10.2.0-10.2.4"));
matrix["GTM"] = module_ranges(affected:make_list("10.0.0-10.1.0"),
                              unaffected:make_list("11.0.0-11.6.0","10.2.0-10.2.4"));
matrix["LC"]  = module_ranges(affected:make_list("10.0.0-10.1.0"),
                              unaffected:make_list("11.0.0-11.6.0","10.2.0-10.2.4"));
matrix["LTM"] = module_ranges(affected:make_list("10.0.0-10.1.0"),
                              unaffected:make_list("11.0.0-11.6.0","10.2.0-10.2.4"));
matrix["PSM"] = module_ranges(affected:make_list("10.0.0-10.1.0"),
                              unaffected:make_list("11.0.0-11.4.1","10.2.0-10.2.4"));
matrix["WAM"] = module_ranges(affected:make_list("10.0.0-10.1.0"),
                              unaffected:make_list("11.0.0-11.3.0","10.2.0-10.2.4"));
matrix["WOM"] = module_ranges(affected:make_list("10.0.0-10.1.0"),
                              unaffected:make_list("11.0.0-11.3.0","10.2.0-10.2.4"));

if (bigip_is_affected(vmatrix:matrix, sol:sol))
{
  # Verbose reports carry the per-module comparison collected by f5_func.inc.
  if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Distinguish "modules present but patched" from "no listed module installed".
  checked_modules = bigip_get_tested_modules();
  prefix_msg = "For BIG-IP module(s) " + checked_modules + ",";
  if (checked_modules) audit(AUDIT_INST_VER_NOT_VULN, prefix_msg, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}
NASL family SuSE Local Security Checks NASL id SUSE_11_BIND-091127.NASL description The bind DNS server was updated to close a possible cache poisoning vulnerability which allowed DNSSEC to be bypassed. CVE-2009-4022: CVSS v2 Base Score: 2.6 last seen 2020-06-01 modified 2020-06-02 plugin id 42956 published 2009-12-01 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42956 title SuSE 11 Security Update : bind (SAT Patch Number 1617) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0062.NASL description From Red Hat Security Advisory 2010:0062 : Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097) The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. 
A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 67991 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67991 title Oracle Linux 5 : bind (ELSA-2010-0062) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0062.NASL description Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097) The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. 
CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 44099 published 2010-01-21 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44099 title CentOS 5 : bind (CESA-2010:0062) NASL family SuSE Local Security Checks NASL id SUSE_11_0_BIND-091127.NASL description The bind DNS server was updated to close a possible cache poisoning vulnerability which allowed to bypass DNSSEC. CVE-2009-4022: CVSS v2 Base Score: 2.6 last seen 2020-06-01 modified 2020-06-02 plugin id 42949 published 2009-12-01 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42949 title openSUSE Security Update : bind (bind-1615) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-304.NASL description Some vulnerabilities were discovered and corrected in php : PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive (CVE-2009-4017). 
The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 42918 published 2009-11-30 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42918 title Mandriva Linux Security Advisory : php (MDVSA-2009:304) NASL family Fedora Local Security Checks NASL id FEDORA_2009-12218.NASL description Update to 9.6.1-P2 release which contains following fix: * Additional section of response could be cached without successful DNSSEC validation even if DNSSEC validation is enabled Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 42910 published 2009-11-30 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42910 title Fedora 11 : bind-9.6.1-7.P2.fc11 (2009-12218) NASL family Fedora Local Security Checks NASL id FEDORA_2009-12233.NASL description Update to 9.6.1-P2 release which contains following fix: * Additional section of response could be cached without successful DNSSEC validation even if DNSSEC validation is enabled Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 42911 published 2009-11-30 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42911 title Fedora 12 : bind-9.6.1-13.P2.fc12 (2009-12233) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-888-1.NASL description It was discovered that Bind would incorrectly cache bogus NXDOMAIN responses. When DNSSEC validation is in use, a remote attacker could exploit this to cause a denial of service, and possibly poison DNS caches. (CVE-2010-0097) USN-865-1 provided updated Bind packages to fix a security vulnerability. The upstream security patch to fix CVE-2009-4022 was incomplete and CVE-2010-0290 was assigned to the issue. This update corrects the problem. Michael Sinatra discovered that Bind did not correctly validate certain records added to its cache. When DNSSEC validation is in use, a remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 44106 published 2010-01-21 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/44106 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : bind9 vulnerabilities (USN-888-1) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2010-176-01.NASL description New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues when DNSSEC is enabled (which is not the default setting). last seen 2020-06-01 modified 2020-06-02 plugin id 54879 published 2011-05-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54879 title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2010-176-01) NASL family SuSE Local Security Checks NASL id SUSE_11_1_BIND-100121.NASL description bind when configured for DNSSEC could incorrectly cache NXDOMAIN responses (CVE-2010-0097). Moreover, the fix for CVE-2009-4022 was incomplete. Despite the previous fix CNAME and DNAME responses could be incorrectly cached (CVE-2010-0290). last seen 2020-06-01 modified 2020-06-02 plugin id 44307 published 2010-01-26 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44307 title openSUSE Security Update : bind (bind-1845) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1620.NASL description Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. 
Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2009-4022) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 42946 published 2009-12-01 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42946 title RHEL 5 : bind (RHSA-2009:1620) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1620.NASL description Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. 
(CVE-2009-4022) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 43809 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43809 title CentOS 5 : bind (CESA-2009:1620) NASL family SuSE Local Security Checks NASL id SUSE_11_1_BIND-091127.NASL description The bind DNS server was updated to close a possible cache poisoning vulnerability which allowed to bypass DNSSEC. CVE-2009-4022: CVSS v2 Base Score: 2.6 last seen 2020-06-01 modified 2020-06-02 plugin id 42951 published 2009-12-01 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42951 title openSUSE Security Update : bind (bind-1615) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1620.NASL description From Red Hat Security Advisory 2009:1620 : Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. 
A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2009-4022) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 67965 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67965 title Oracle Linux 5 : bind (ELSA-2009-1620) NASL family SuSE Local Security Checks NASL id SUSE_11_0_BIND-100121.NASL description bind when configured for DNSSEC could incorrectly cache NXDOMAIN responses (CVE-2010-0097). Moreover, the fix for CVE-2009-4022 was incomplete. Despite the previous fix CNAME and DNAME responses could be incorrectly cached (CVE-2010-0290). bind was updated to version 9.4.3-P5 in order to fix those issues. last seen 2020-06-01 modified 2020-06-02 plugin id 44305 published 2010-01-26 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44305 title openSUSE Security Update : bind (bind-1843) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2011-006.NASL description The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2011-006 applied. 
This update contains numerous security-related fixes for the following components : - Apache - Application Firewall - ATS - BIND - Certificate Trust Policy - CFNetwork - CoreFoundation - CoreMedia - File Systems - IOGraphics - iChat Server - Mailman - MediaKit - PHP - postfix - python - QuickTime - Tomcat - User Documentation - Web Server - X11 last seen 2020-06-01 modified 2020-06-02 plugin id 56481 published 2011-10-13 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56481 title Mac OS X Multiple Vulnerabilities (Security Update 2011-006) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0062.NASL description Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097) The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. 
CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 44105 published 2010-01-21 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44105 title RHEL 5 : bind (RHSA-2010:0062) NASL family Scientific Linux Local Security Checks NASL id SL_20091130_BIND_ON_SL5_X.NASL description CVE-2009-4022 bind: cache poisoning using not validated DNSSEC responses Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2009-4022) After installing the update, the BIND daemon (named) will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 60697 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/60697 title Scientific Linux Security Update : bind on SL5.x i386/x86_64 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-865-1.NASL description Michael Sinatra discovered that Bind did not correctly validate certain records added to its cache. When DNSSEC validation is in use, a remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 43058 published 2009-12-08 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43058 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : bind9 vulnerability (USN-865-1) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL10898.NASL description Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x through 9.3.x with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks via additional sections in a response sent for resolution of a recursive client query, which is not properly handled when the response is processed at the same time as requesting DNSSEC records (DO). last seen 2020-06-01 modified 2020-06-02 plugin id 78124 published 2014-10-10 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/78124 title F5 Networks BIG-IP : DNSSEC BIND vulnerability (SOL10898) NASL family SuSE Local Security Checks NASL id SUSE_11_2_BIND-091127.NASL description The bind DNS server was updated to close a possible cache poisoning vulnerability which allowed to bypass DNSSEC. CVE-2009-4022: CVSS v2 Base Score: 2.6 last seen 2020-06-01 modified 2020-06-02 plugin id 42954 published 2009-12-01 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42954 title openSUSE Security Update : bind (bind-1615) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2009-336-01.NASL description New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 54874 published 2011-05-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54874 title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2009-336-01) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-313.NASL description Some vulnerabilities were discovered and corrected in bind : Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x through 9.3.x with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks via additional sections in a response sent for resolution of a recursive client query, which is not properly handled when the response is processed at the same time as requesting DNSSEC records (DO). (CVE-2009-4022). Additionally BIND has been upgraded to the latest point release or closest supported version by ISC. 
Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers last seen 2020-06-01 modified 2020-06-02 plugin id 42999 published 2009-12-04 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42999 title Mandriva Linux Security Advisory : bind (MDVSA-2009:313-1)
Oval
accepted 2013-04-29T04:09:04.652-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 5 oval oval:org.mitre.oval:def:11414 comment The operating system installed on the system is CentOS Linux 5.x oval oval:org.mitre.oval:def:15802 comment Oracle Linux 5.x oval oval:org.mitre.oval:def:15459
description Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. family unix id oval:org.mitre.oval:def:10821 status accepted submitted 2010-07-09T03:56:16-04:00 title Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. version 18 accepted 2011-01-10T04:00:06.579-05:00 class vulnerability contributors name Varun Narula organization Hewlett-Packard definition_extensions comment IBM AIX 6100-02 is installed oval oval:org.mitre.oval:def:5685 comment IBM AIX 6100-03 is installed oval oval:org.mitre.oval:def:6736 comment IBM AIX 6100-04 is installed oval oval:org.mitre.oval:def:7373
description Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. family unix id oval:org.mitre.oval:def:11745 status accepted submitted 2010-11-25T10:44:46.000-05:00 title Vulnerability with DNSSEC validation enabled in BIND. version 45 accepted 2014-03-24T04:01:54.737-04:00 class vulnerability contributors name Chandan M C organization Hewlett-Packard name Sushant Kumar Singh organization Hewlett-Packard name Sushant Kumar Singh organization Hewlett-Packard
description Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. family unix id oval:org.mitre.oval:def:7261 status accepted submitted 2010-10-25T11:04:56.000-05:00 title HP-UX Running BIND, Remote Denial of Service (DoS), Unauthorized Disclosure of Information version 41 accepted 2010-06-14T04:00:54.759-04:00 class vulnerability contributors name Pai Peng organization Hewlett-Packard definition_extensions comment Solaris 9 (SPARC) is installed oval oval:org.mitre.oval:def:1457 comment Solaris 10 (SPARC) is installed oval oval:org.mitre.oval:def:1440 comment Solaris 9 (x86) is installed oval oval:org.mitre.oval:def:1683 comment Solaris 10 (x86) is installed oval oval:org.mitre.oval:def:1926
description Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. family unix id oval:org.mitre.oval:def:7459 status accepted submitted 2010-05-03T13:51:32.000-04:00 title Security Vulnerability in BIND DNS Software Shipped With Solaris May Allow DNS Cache Poisoning version 36
Redhat
advisories |
rpms |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 37118 CVE(CAN) ID: CVE-2009-4022 BIND是一个应用非常广泛的DNS协议的实现,由ISC负责维护,具体的开发由Nominum公司完成。 启用了DNSSEC验证的名称服务器在解析递归客户端查询期间可能错误地从所接收到的响应的附加部分向其缓存添加记录,这是一种缓存中毒的情况。 DNS缓存中毒指的是更改了DNS服务器的DNS缓存中某项,这样缓存中与主机名相关的IP地址就不再指向正确的位置。例如,如果www.example.com映射到IP地址192.168.0.1且DNS服务器的缓存中存在这个映射,则成功向这个服务器的DNS缓存投毒的攻击者就可以将www.example.com映射到10.0.0.1。在这种情况下,试图访问www.example.com的用户就可能与错误的Web服务器联络。 仅在处理禁用了检查(CD)的客户端查询同时请求DNSSEC记录(DO)的情况下才会出现上述行为。 ISC BIND 9.6.x ISC BIND 9.5.x ISC BIND 9.4.x ISC BIND 9.3.x ISC BIND 9.2.x ISC BIND 9.1.x ISC BIND 9.0.x 临时解决方法: * 在named.conf中通过allow-recursion选项限制递归。 * 禁用DNSSEC验证。 厂商补丁: ISC --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: ftp://ftp.isc.org/isc/bind9/9.5.2-P1/bind-9.5.2-P1.tar.gz ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz ftp://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz |
id | SSV:14986 |
last seen | 2017-11-19 |
modified | 2009-11-27 |
published | 2009-11-27 |
reporter | Root |
title | ISC BIND 9 DNSSEC查询响应远程缓存中毒漏洞 |
References
- ftp://ftp.sco.com/pub/unixware7/714/security/p535243_uw7/p535243b.txt
- http://aix.software.ibm.com/aix/efixes/security/bind9_advisory.asc
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- http://lists.vmware.com/pipermail/security-announce/2010/000082.html
- http://osvdb.org/60493
- http://secunia.com/advisories/37426
- http://secunia.com/advisories/37491
- http://secunia.com/advisories/38219
- http://secunia.com/advisories/38240
- http://secunia.com/advisories/38794
- http://secunia.com/advisories/38834
- http://secunia.com/advisories/39334
- http://secunia.com/advisories/40730
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021660.1-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021798.1-1
- http://support.apple.com/kb/HT5002
- http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0018
- http://www.ibm.com/support/docview.wss?uid=isg1IZ68597
- http://www.ibm.com/support/docview.wss?uid=isg1IZ71667
- http://www.ibm.com/support/docview.wss?uid=isg1IZ71774
- http://www.kb.cert.org/vuls/id/418861
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:304
- http://www.openwall.com/lists/oss-security/2009/11/24/1
- http://www.openwall.com/lists/oss-security/2009/11/24/2
- http://www.openwall.com/lists/oss-security/2009/11/24/8
- http://www.redhat.com/support/errata/RHSA-2009-1620.html
- http://www.securityfocus.com/bid/37118
- http://www.ubuntu.com/usn/USN-888-1
- http://www.vupen.com/english/advisories/2009/3335
- http://www.vupen.com/english/advisories/2010/0176
- http://www.vupen.com/english/advisories/2010/0528
- http://www.vupen.com/english/advisories/2010/0622
- https://bugzilla.redhat.com/show_bug.cgi?id=538744
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54416
- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952488
- https://issues.rpath.com/browse/RPL-3152
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10821
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11745
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7261
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7459
- https://www.isc.org/advisories/CVE2009-4022
- https://www.isc.org/advisories/CVE-2009-4022v6
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01172.html
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01188.html