≡ Menu

vulnerability

Security Alert: BIND9 DNS Cache Poisoning Bug

An unpatched security hole in BIND 9 package could be used by attackers to poison your DNS cache. Attacker to take control of all hosted domains and can can lead to misdirected web traffic and email rerouting.

This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult.

Details

  • Package : bind9
  • Vulnerability : DNS cache poisoning
  • Problem type : remote
  • Debian-specific: no
  • CVE Id(s) : CVE-2008-1447
  • CERT advisory : VU#800113

How do I fix BIND9 bug under Debian Linux?

Install the BIND 9 upgrade, using following commands, enter:
# apt-get update
# apt-get install bind9

Sample output:

Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libdns22 libisc11 libisccc0 libisccfg1
Suggested packages:
  bind9-doc
The following packages will be upgraded:
  bind9 libdns22 libisc11 libisccc0 libisccfg1
5 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 1267kB of archives.
After unpacking 4096B disk space will be freed.
Do you want to continue [Y/n]? y
Get:1 http://security.debian.org stable/updates/main bind9 1:9.3.4-2etch3 [319kB]
Get:2 http://security.debian.org stable/updates/main libisc11 1:9.3.4-2etch3 [188kB]
Get:3 http://security.debian.org stable/updates/main libisccc0 1:9.3.4-2etch3 [96.7kB]
Get:4 http://security.debian.org stable/updates/main libisccfg1 1:9.3.4-2etch3 [111kB]
Get:5 http://security.debian.org stable/updates/main libdns22 1:9.3.4-2etch3 [552kB]
Fetched 1267kB in 1s (724kB/s)
Reading changelogs... Done
(Reading database ... 27244 files and directories currently installed.)
Preparing to replace bind9 1:9.3.4-2etch1 (using .../bind9_1%3a9.3.4-2etch3_amd64.deb) ...
Stopping domain name service...: bind.
Unpacking replacement bind9 ...
Preparing to replace libisc11 1:9.3.4-2etch1 (using .../libisc11_1%3a9.3.4-2etch3_amd64.deb) ...
Unpacking replacement libisc11 ...
Preparing to replace libisccc0 1:9.3.4-2etch1 (using .../libisccc0_1%3a9.3.4-2etch3_amd64.deb) ...
Unpacking replacement libisccc0 ...
Preparing to replace libisccfg1 1:9.3.4-2etch1 (using .../libisccfg1_1%3a9.3.4-2etch3_amd64.deb) ...
Unpacking replacement libisccfg1 ...
Preparing to replace libdns22 1:9.3.4-2etch1 (using .../libdns22_1%3a9.3.4-2etch3_amd64.deb) ...
Unpacking replacement libdns22 ...
Setting up libisc11 (9.3.4-2etch3) ...
Setting up libdns22 (9.3.4-2etch3) ...
Setting up libisccc0 (9.3.4-2etch3) ...
Setting up libisccfg1 (9.3.4-2etch3) ...
Setting up bind9 (9.3.4-2etch3) ...
Configuration file `/etc/bind/db.root'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** db.root (Y/I/N/O/D/Z) [default=N] ? y
Installing new version of config file /etc/bind/db.root ...
Starting domain name service...: bind.

Also, verify that source port randomization is active. Check that the /var/log/daemon.log file does not contain messages of the following form:

 named[6106]: /etc/bind/named.conf.options:28: using specific
    query-source port suppresses port randomization and can be insecure.

If you see message replace replace the port numbers contained within them with "*" sign (e.g.,
replace "port 53" with "port *") in /etc/bind/named.conf.option file.

How do I fix this issue under Red Hat Linux / RHEL ?

Simply type the command, enter:
# yum update

RIP: BIND 8 under Debian 4.x

Debian team also posted BIND 8 deprecation notice. From the announcement:

The BIND 8 legacy code base could not be updated to include the recommended countermeasure (source port randomization, see DSA-1603-1 for details). There are two ways to deal with this situation:

1. Upgrade to BIND 9 (or another implementation with source port randomization). The documentation included with BIND 9 contains a migration guide.

2. Configure the BIND 8 resolver to forward queries to a BIND 9 resolver. Provided that the network between both resolvers is trusted, this protects the BIND 8 resolver from cache poisoning attacks (to the same degree that the BIND 9 resolver is protected).

This problem does not apply to BIND 8 when used exclusively as an authoritative DNS server. It is theoretically possible to safely use BIND 8 in this way, but updating to BIND 9 is strongly recommended.
BIND 8 (that is, the bind package) will be removed from the etch distribution in a future point release.

An unpatched security hole in Ubuntu Linux 8.04 LTS operating system could be used by attackers to send a crafted packet and cause a denial of service via application crash in applications linked against OpenSSL to take control of vulnerable servers. Also ruby package can be used to run a malicious script - an attacker could cause a denial of service or execute arbitrary code with the privileges of the user invoking the program. It is recommended that you immediately update your system. Affected systems:
OpenSSL Vulnerability - Ubuntu Linux LTS 8.04 and corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
Ruby Vulnerability - Ubuntu 6.06 LTS Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 LTS and corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

How do I fix this issue

Simply type the following two commands:
$ sudo apt-get update
$ sudo apt-get upgrade

After a standard system upgrade you need to reboot your computer to effect the necessary change:
$ sudo reboot

Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause applications linked against pcre3 to crash, leading to a denial of service.

A security issue affects the following Ubuntu releases for CVE-2008-2371:

=> Ubuntu 6.06 LTS
=> Ubuntu 7.04
=> Ubuntu 7.10
=> Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

How do I fix this issue?

Type the following two commands, enter:
$ sudo apt-get update
$ sudo apt-get upgrade

Cacti is an open source, web-based graphing tool designed as a frontend to RRDtool's data storage and graphing functionality. Cacti allows a user to poll services at predetermined intervals and graph the resulting data. It is generally used to graph time-series data like CPU load and bandwidth use. A common usage is to query network switch or router interfaces via SNMP to monitor network traffic.

It was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible.

Since the previous security update, the cacti package could no longer be rebuilt from the source package. This update corrects that problem. Note that this problem does not affect regular use of the provided binary packages (.deb).

Details:
=> Package : cacti
=> Vulnerability : insufficient input sanitising
=> Problem type : remote
=> Debian-specific: no
=> CVE Id(s) : CVE-2008-0783 CVE-2008-0785

How do I fix Cacti packages fix regression issues?

Simply type the following two commands as root user:
# apt-get update
# apt-get upgrade

FreeBSD has issued updated version of its Apache package. This release considered as important and encourage users of all prior versions to upgrade.

Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unpsecified vectors.

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.

How do I upgrade Apache under FreeBSD?

Simply run the following two commands:
# portsnap fetch extract
# portupgrade -a
# portversion

Debian Linux has issued a security update for its dbus package which is simple interprocess messaging system for X11 and other software parts under Linux. There is privilege escalation bug i.e. it performs insufficient validation of security policies, which might allow local privilege escalation:
=> Package : dbus
=> Vulnerability : programming error
=> Problem type : local
=> Debian-specific: no
=> CVE Id(s) : CVE-2008-0595

How do I fix this bug

Type the following two commands to update the internal database, followed by actual installation of corrected package:
# apt-get update
# apt-get upgrade

There is a serious security flaw in Debian openssl - the random number generator in Debian's openssl package is predictable. As a result, cryptographic key material may be guessable.

=> Package : openssl
=> Vulnerability : predictable random number generator
=> Problem type : remote
=> Debian-specific: yes
=> CVE Id(s) : CVE-2008-0166
=> Checkout description and recommended fix at the following url:

[SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator