Check Point Reference: | CPAI-2007-096 |
Date Published: | 16 Aug 2007 |
Severity: | Critical |
Last Updated: | Monday 01 January, 2007 |
Source: | Secunia Advisory: SA26152 |
Industry Reference: | CVE-2007-2926 |
Protection Provided by: | |
Who is Vulnerable? | Internet Systems Consortium (ISC) BIND 9.0.x; Internet Systems Consortium (ISC) BIND 9.1.x; Internet Systems Consortium (ISC) BIND 9.2.0 to 9.2.8; Internet Systems Consortium (ISC) BIND 9.3.0 to 9.3.4; Internet Systems Consortium (ISC) BIND 9.4.0 to 9.4.1; Internet Systems Consortium (ISC) BIND 9.5.0a1 to 9.5.0a5 |
Vulnerability Description | A DNS cache poisoning vulnerability has been reported in the ISC BIND DNS server. DNS cache poisoning occurs when false DNS records are injected into a DNS server's cache tables. Once the cache tables have been altered, a remote attacker may inspect, capture or corrupt any information exchanged between hosts on the network. By poisoning a DNS server, a remote attacker could, for example, direct users to malicious sites or prevent them from accessing web sites of their choice. |
Update/Patch Available | Upgrade to BIND version 9.2.8-P1, 9.3.4-P1, 9.4.1-P1 or 9.5.0a6: http://www.isc.org/index.pl?/sw/bind/ |
Vulnerability Details | The vulnerability in ISC BIND is due to predictable transaction ID values in outgoing DNS queries. Cache poisoning occurs when malicious or false data received from a remote Domain Name System (DNS) server is cached by another name server. The cached data can then be requested by other programs through the client interface. As a result, the mapping between host names and IP addresses may be changed, which means that any information exchanged between hosts on a network may be inspected or corrupted by attackers. A remote attacker can exploit this issue to poison the DNS cache by guessing the DNS transaction ID. SmartDefense offers the following cache poisoning protection: Scrambling - A host that initiates a DNS query assigns a Query ID number to each request. Given the ID number and source port, an attacker can send a spoofed reply that contains false information on behalf of the name server to which the request was initially sent. This enables the redirection of hosts to fake web sites that can be used to collect private user information. By enabling this protection, SmartDefense will scramble the source port and query ID number of each DNS request. The protection can be applied either to all traffic or to specific servers. |
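
An added example, not part of the Check Point advisory and not SmartDefense code: a defender-side check that counts replies whose transaction ID does not match the resolver's outstanding query, the observable side effect of the ID guessing described above. The event tuple layout, the threshold and window values, and the sample records are assumptions constructed for illustration.

```python
def build_sample():
    """Constructed events: (time_s, kind, server_ip, resolver_port, txid, qname).
    kind "Q" = query sent by the resolver, "R" = reply claiming to be from server_ip."""
    name = "www.example.test"
    events = [(0.000, "Q", "192.0.2.53", 32768, 0x1A2B, name)]
    # Burst of replies for the same flow, each carrying a different wrong ID.
    events += [(0.001 + i * 0.0001, "R", "192.0.2.53", 32768, i, name)
               for i in range(40)]
    events.append((0.020, "R", "192.0.2.53", 32768, 0x1A2B, name))
    # A normal exchange: one query, one reply with the matching ID.
    events.append((1.000, "Q", "198.51.100.7", 32768, 0x0042, "mail.example.test"))
    events.append((1.030, "R", "198.51.100.7", 32768, 0x0042, "mail.example.test"))
    return events


def find_txid_guessing(events, threshold=10, window_s=2.0):
    """Return one alert per query that drew >= threshold wrong-ID replies
    within window_s seconds of being sent."""
    pending = {}   # (server, port, qname) -> [txid, sent_time, mismatches]
    alerts = []

    def close(key):
        txid, sent, bad = pending.pop(key)
        if bad >= threshold:
            alerts.append({"server": key[0], "port": key[1], "qname": key[2],
                           "sent": sent, "mismatched_replies": bad})

    for t, kind, server, port, txid, qname in sorted(events):
        key = (server, port, qname.lower())   # DNS names are case-insensitive
        if kind == "Q":
            if key in pending:                # a new query replaces the old one
                close(key)
            pending[key] = [txid, t, 0]
        elif key in pending:
            want, sent, _ = pending[key]
            if t - sent <= window_s and txid != want:
                pending[key][2] += 1
    for key in list(pending):
        close(key)
    return alerts


if __name__ == "__main__":
    for alert in find_txid_guessing(build_sample()):
        print(alert)
```

A legitimate server rarely sends more than one or two replies per query, so a run of mismatched IDs against a single outstanding query is worth alerting on even when none of the guesses succeeds.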