
[Full-disclosure] [SECURITY] [DSA 1603-1] New bind9 packages fix cache poisoning

From: Florian Weimer <fw_at_nospam>
Date: Tue Jul 08 2008 - 17:03:12 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package        : bind9
Vulnerability  : DNS cache poisoning
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1447
CERT advisory  : VU#800113

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This backwards-compatible change enlarges the space of values an attacker has to guess and makes successful attacks significantly more difficult.

Note that this security update changes BIND network behavior in a fundamental way, and the following steps are recommended to ensure a smooth upgrade.

  1. Make sure that your network configuration is compatible with source port randomization. If you guard your resolver with a stateless packet filter, you may need to make sure that no non-DNS services listen on the 1024--65535 UDP port range and open that range at the packet filter. For instance, packet filters based on etch's Linux 2.6.18 kernel only support stateless filtering of IPv6 packets, and therefore pose this additional difficulty. (If you use IPv4 with iptables and ESTABLISHED rules, networking changes are likely not required.)
  2. Install the BIND 9 upgrade, using "apt-get update" followed by "apt-get install bind9". Verify that the named process has been restarted and answers recursive queries. (If all queries result in timeouts, this indicates that networking changes are necessary; see the first step.)
  3. Verify that source port randomization is active. Check that the /var/log/daemon.log file does not contain messages of the following form

  named[6106]: /etc/bind/named.conf.options:28: using specific query-source port suppresses port randomization and can be insecure.

right after the "listening on IPv6 interface" and "listening on IPv4 interface" messages logged by BIND upon startup. If these messages are present, you should remove the indicated lines from the configuration, or replace the port numbers contained within them with the "*" sign (e.g., replace "port 53" with "port *").

For additional certainty, use tcpdump or some other network monitoring tool to check for varying UDP source ports. If there is a NAT device in front of your resolver, make sure that it does not defeat the effect of source port randomization.

  4. If you cannot activate source port randomization, consider configuring BIND 9 to forward queries to a resolver which can, possibly over a VPN such as OpenVPN to create the necessary trusted network link. (Use BIND's forward-only mode in this case.)

Other caching resolvers distributed by Debian (PowerDNS, MaraDNS, Unbound) already employ source port randomization, and no updated packages are needed. BIND 9.5 up to and including version 1:9.5.0.dfsg-4 only implements a weak form of source port randomization and needs to be updated as well. For information on BIND 8, see DSA-1604-1, and for the status of the libc stub resolver, see DSA-1605-1.

The updated bind9 packages contain changes originally scheduled for the next stable point release, including the changed IP address of L.ROOT-SERVERS.NET (Debian bug #449148).

For the stable distribution (etch), this problem has been fixed in version 9.3.4-2etch3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your bind9 package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:
  Size/MD5 checksum:     897 aeb15f8babb1e6e38367b9f19fea87da
  Size/MD5 checksum: 4043577 198181d47c58a0a9c0265862cd5557b0
  Size/MD5 checksum:  302126 521abea46b1104f2251cc398f30af303

Architecture independent packages:
  Size/MD5 checksum:  189560 46ff778db82d2e171d292ecac93ea9b6

alpha architecture (DEC Alpha)
  Size/MD5 checksum:   98154 bbdbcd3d0840f5ffcf4eaddf5a8c253f
  Size/MD5 checksum: 1407380 ca8995875e76a25de6f32a47f62ea876
  Size/MD5 checksum:  226088 93100774ae6da891caf9fa27a2134cdf
  Size/MD5 checksum:  112616 bca5dcca8abff15f4f9cc911f9f94818
  Size/MD5 checksum:  322286 677fdcf8e9a8c272a08ed47a79e09209
  Size/MD5 checksum:  190084 87d64554a1cdde9f58cc850f7d5961a1
  Size/MD5 checksum:   96508 48ba9fc0e884f093e95988bd4e088b9c
  Size/MD5 checksum:  564862 7b23948d7c741d4f287698d28385ce71
  Size/MD5 checksum:  188742 5dd8024a9864137f4529785fcc9c9231
  Size/MD5 checksum:  116534 2e7dc9ea95bae40dc396ff504abb03bb
  Size/MD5 checksum:  115784 b961fd6c797a2d1422ae588bfc25ed9d

amd64 architecture (AMD x86_64 (AMD64))
  Size/MD5 checksum:  224294 4d33744bb92300b061cad41dd8de7ea5
  Size/MD5 checksum: 1111932 e43ced7eae496d7835247a068bef4a66
  Size/MD5 checksum:  190742 9e39ced5d3464594b9dda6ce683fc653
  Size/MD5 checksum:  319008 e36a35983ebc5061e8669ef7f004a851
  Size/MD5 checksum:  552414 c93c2863bddd5661010ae3472e210aa8
  Size/MD5 checksum:   95922 f114eb76add0d7dabad1d082d38ccf08
  Size/MD5 checksum:  117072 a70d1d96ea01aa24fb9642e09133824f
  Size/MD5 checksum:  187646 70372cec3522356dcd00901ea64714d4
  Size/MD5 checksum:  111270 6dc6edfcca9fecb28c7e66d31ab14a74
  Size/MD5 checksum:  114722 905d0f9b7b5ebc0308c54158e71d03cc
  Size/MD5 checksum:   96704 09d3c850f12a6c1f6eab4e800a118c87

arm architecture (ARM)
  Size/MD5 checksum:  107888 b2ea4933e233a1af8dd1e5ee641999a2
  Size/MD5 checksum:  112714 27b1fde9b144cacb1ae06a441d7c5787
  Size/MD5 checksum:  116076 cafc3294083de02518ab5fe0f0488c3b
  Size/MD5 checksum:  532206 a005bdff779fed950e4750231d0184b2
  Size/MD5 checksum:  187364 72fdca60a20876be71b678028cefc316
  Size/MD5 checksum:   95752 bce98b259a2821d59f6e6b441b491d77
  Size/MD5 checksum:  182950 26a15d51a4e6f1ea1dda99ab4d3ea34c
  Size/MD5 checksum:  217686 97f538e27ab7c765b514a9ce59869a41
  Size/MD5 checksum:   95168 374d7f18915fc8eb6b775d272cf28f2e
  Size/MD5 checksum: 1074498 fdada51888027e9c3e89961b31a48ded
  Size/MD5 checksum:  311078 43d1c044b0cc81b072b8962ad3b8f019

hppa architecture (HP PA RISC)
  Size/MD5 checksum:   96986 bba6d0a611b7088e284564b430f91405
  Size/MD5 checksum:   97140 14f3dacd102208700660873637dea18b
  Size/MD5 checksum:  185570 012eb78b091c0991988a95160df7d65d
  Size/MD5 checksum:  115822 d717418b7ec770e5419e0941670eab19
  Size/MD5 checksum:  543342 201331119c074430d503b68dc210e187
  Size/MD5 checksum: 1258146 2f092d0708338d0a3ac8924218fee0d7
  Size/MD5 checksum:  315070 bc8d94bec7b1c8cf80f64fb72d1f38e5
  Size/MD5 checksum:  187942 1cd85afac13850d1807a5b50b9d3262f
  Size/MD5 checksum:  114612 912dc2007ca7cb6097a3e6a4e98897e3
  Size/MD5 checksum:  217378 49276452262a155ba17db2ad8c66e3e2
  Size/MD5 checksum:  113466 428d268ce8ad5386c1af758ca4cff2ce

i386 architecture (Intel ia32)
  Size/MD5 checksum:  106034 ce4d4a024472317185d4c6492b7d30df
  Size/MD5 checksum:  180292 1fd02a86a31b68a8db2407904495a0db
  Size/MD5 checksum:   94838 9dbc2734dd8b8bb7c3e7684faabea64e
  Size/MD5 checksum:  206330 a22fb6cb47d6e449007d665b9e6d8c52
  Size/MD5 checksum:  113162 b9bc5fa7f96313235a53ab6fd819b58b
  Size/MD5 checksum:  472708 9edfb07c186a93aea1a2e602e0ee6335
  Size/MD5 checksum:   94822 d2fc00416dc090a535b280f48eee7f46
  Size/MD5 checksum:  169930 47c43c9738afb7ed72618930dc702ed3
  Size/MD5 checksum:  296722 dd1979969210386fc36d119e19e12cc2
  Size/MD5 checksum:  996528 56db22ee21e053443e72ccd11a25181b
  Size/MD5 checksum:  110134 5491e4e33e43f1300840b62947690b7a

ia64 architecture (Intel ia64)
  Size/MD5 checksum:  232052 eb9215cb2ba71ded815b4ca6f0ac0744
  Size/MD5 checksum:   99978 ceee4c1dc16fdf2d7fefe1aee6d8dd85
  Size/MD5 checksum:  393324 553b67ca638482db8e1586d231f03abe
  Size/MD5 checksum:  740264 a30c98b25296a147d47d7f44c8418883
  Size/MD5 checksum:  127606 33d62368c2ce437e660708eb6b0ffe2b
  Size/MD5 checksum:  216344 0a0b33f34dbeb744bd8af8ad8388048f
  Size/MD5 checksum:  125806 3aafce71b9e4ecaf01602c409a355b54
  Size/MD5 checksum: 1584302 d982b4443c38056cdeb80b327ee36f3a
  Size/MD5 checksum:  117782 ae8ae735a8054ff473d305b06c90c68a
  Size/MD5 checksum:  102432 4443f6e43cc1e4c7448965a0501bfe54
  Size/MD5 checksum:  280866 c20244c3a06177b934ac804b382b85c7

mips architecture (MIPS (Big Endian))
  Size/MD5 checksum:  174012 cf61e15aa7c79b40ae94a3c1d08ba496
  Size/MD5 checksum:  301476 4094fd919da162322ea07d62378cc664
  Size/MD5 checksum:  110326 be73e626902012ca986d4192804017e7
  Size/MD5 checksum:  180490 dde7f37a0a2456190461f5f26bf30ab6
  Size/MD5 checksum: 1229398 37af92bf5074d9a260fd4ff5346dc4b8
  Size/MD5 checksum:  211386 8083484e19ebc9099022954350c6baf7
  Size/MD5 checksum:   94992 46f858e2ed33a864539476d25bd9b44f
  Size/MD5 checksum:   94230 6bfa6b8d78c46567a341f6174f9aa874
  Size/MD5 checksum:  491862 fc2d747a29c0116da5936b4964ef8146
  Size/MD5 checksum:  113268 58fb17d2ee0415e13fdad4727534b6cc
  Size/MD5 checksum:  107912 5834642a56bb9548510f8cd0a3ae766f

mipsel architecture (MIPS (Little Endian))
  Size/MD5 checksum:  299514 0b5de102f7ddf83d497498b320613556
  Size/MD5 checksum:  488260 7b85b99ea5c24f74e531bbd9056672e9
  Size/MD5 checksum: 1205384 a3211957988d4aaae40776ff41cf6a01
  Size/MD5 checksum:  113016 dddd0a37c778cd68696318a7adc1abcd
  Size/MD5 checksum:  110254 6754bc57fcac807b5569531f7e821802
  Size/MD5 checksum:  174148 23e91bbb42a44ca80535079660813277
  Size/MD5 checksum:  179630 fa26c51aa248cb502ac54544bdd6ced0
  Size/MD5 checksum:  210904 21784fc7019a384e78ecc94a10f4e315
  Size/MD5 checksum:   94936 2068abe2f2e78675ad94ea28579efc87
  Size/MD5 checksum:  107166 2cfce41a4fc41aa9986cdef01e09705d
  Size/MD5 checksum:   94098 c95a157cfa3feef62450afdef3fe65a8

powerpc architecture (PowerPC)
  Size/MD5 checksum:  173606 9618a781d59f94f751e18db86cf6b948
  Size/MD5 checksum:  112276 e786724068250eb53c475a3e51035d51
  Size/MD5 checksum:  113842 4961da1e75c17f3f00621acfc06d10fe
  Size/MD5 checksum:  488428 b777fc3fe13b319817f955f116b40e83
  Size/MD5 checksum: 1167832 75f402f7bf328da5deee364f4266558d
  Size/MD5 checksum:   96204 57ec688c7f24161e347054dc93fbd757
  Size/MD5 checksum:   96170 77d5b9189a05f2b3dca7901bff6e56df
  Size/MD5 checksum:  301276 dddf71278c1f4afbbc49019248f4328e
  Size/MD5 checksum:  109288 8fd2b3005fcf95e3616ec8a77b3ad322
  Size/MD5 checksum:  183310 b9eb85b58aaf29a3106d16410c0d379a
  Size/MD5 checksum:  206830 b286690dde8d1412c2de3fa99f7d3c5b

s390 architecture (IBM S/390)
  Size/MD5 checksum:  114234 23a30b0e26db0210a1be48c4d44b6d7f
  Size/MD5 checksum:  331864 7c3fab929f1e29873ecfc7c7c4b52ddc
  Size/MD5 checksum:  116656 8abeeeb22e800f63e4b30e0c2dd974e0
  Size/MD5 checksum: 1137342 820a17acdc24ef1dd0c1db7b8e6fc470
  Size/MD5 checksum:  233948 635487d4e6ea4d15704bb14b8cf9236c
  Size/MD5 checksum:  196598 2198086ee8c358aa3ed5046708a31f45
  Size/MD5 checksum:  194704 c897d956b11161ae8e31e4bffb489883
  Size/MD5 checksum:  118140 e5e11d59852a32dcd1b78b4aabd22fff
  Size/MD5 checksum:   95664 050d558c3d06e520fb4e6c6cebd520c3
  Size/MD5 checksum:  579484 6fc80f5cde0c2d01b49ae53f027eeecc
  Size/MD5 checksum:   97786 5dda64259aa80e1c2e085e7fc2430299

sparc architecture (Sun SPARC/UltraSPARC)
  Size/MD5 checksum:  300090 21095a9477d8db8bdbca300235ddc296
  Size/MD5 checksum:  210606 8bd074b427b5f732c5584ca265bb2c28
  Size/MD5 checksum: 1121664 2750abf3a8e3ffa54d1b15f6a5b6738e
  Size/MD5 checksum:   94822 4e2634cf2561a237174a6863377b24cd
  Size/MD5 checksum:  175248 4231a2791083fc82977535613d38ef2a
  Size/MD5 checksum:  184036 aea98952994fb97c74df02ae4ed2f28d
  Size/MD5 checksum:  107574 b6a3a3204c134d54dce2d8d79f77f647
  Size/MD5 checksum:  493628 b5c5a9638091fd0d6543a405bfdefd53
  Size/MD5 checksum:   94828 4657a6a42f7f2fac5ef96d273e9de4df
  Size/MD5 checksum:  114258 32f88744a6e6e648377dda42ff910cbb
  Size/MD5 checksum:  111158 a59dbf1edb5518b09b2993049922c01a

  These files will probably be moved into the stable distribution on its next update.

-----BEGIN PGP SIGNATURE-----

iQEVAwUBSHOID797/wQC1SS+AQLt/ggAjgiVFP8JkM02lokQLFu0LG7DwPfZUINz
3cn771JAPpFqeyW1UjuArHQlfhiiQ6Baxv2iCsF/TBabhqLggCRYjc+92d/0oQkh
qoqCqk475kC8Y3I0lrG+9l2hRqxrW4XRpY/O45rgxQ569ZrAm5i5zZFbx9cNpfrP
HP3KQ+hnQeLD9ci9kemgwFCI9w7PCCx3ns8ZqfNigEt6iiEqO5vrHOStfQNs96K0
wmmkyfKRGBuJIIXv+8vhxAcsqOmgyHpN0C+soUlsVSXmje2kpEljATvCBj/LRYXs
WueLQPQvx1kH/4mbJyXvAFNpAjF6HN5iW66nkXT96udtI1YbjTP4Tg==
=AJo4
-----END PGP SIGNATURE-----
