[SECURITY] [DSA 1603-1] New bind9 packages fix cache poisoning (1/4)

    From Florian Weimer@1:229/2 to All on Tue Jul 8 19:10:15 2008
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1603-1                  [email protected]
    http://www.debian.org/security/                           Florian Weimer
    July 08, 2008                          http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : bind9
    Vulnerability : DNS cache poisoning
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447
    CERT advisory : VU#800113


    Dan Kaminsky discovered that properties inherent to the DNS protocol
    lead to practical DNS cache poisoning attacks. Among other things,
    successful attacks can lead to misdirected web traffic and email
    rerouting.

    This update changes Debian's BIND 9 packages to implement the
    recommended countermeasure: UDP query source port randomization. This
    change increases the size of the space from which an attacker has to
    guess values in a backwards-compatible fashion and makes successful
    attacks significantly more difficult.

    Note that this security update changes BIND network behavior in a
    fundamental way, and the following steps are recommended to ensure a
    smooth upgrade.


    1. Make sure that your network configuration is compatible with source
    port randomization. If you guard your resolver with a stateless packet
    filter, you may need to make sure that no non-DNS services listen on
    the 1024--65535 UDP port range and open it at the packet filter. For
    instance, packet filters based on etch's Linux 2.6.18 kernel only
    support stateless filtering of IPv6 packets, and therefore pose this
    additional difficulty. (If you use IPv4 with iptables and ESTABLISHED
    rules, networking changes are likely not required.)

    2. Install the BIND 9 upgrade, using "apt-get update" followed by
    "apt-get install bind9". Verify that the named process has been
    restarted and answers recursive queries. (If all queries result in
    timeouts, this indicates that networking changes are necessary; see the
    first step.)

    3. Verify that source port randomization is active. Check that the
    /var/log/daemon.log file does not contain messages of the following
    form

    named[6106]: /etc/bind/named.conf.options:28: using specific
    query-source port suppresses port randomization and can be insecure.

    right after the "listening on IPv6 interface" and "listening on IPv4
    interface" messages logged by BIND upon startup. If these messages are
    present, you should remove the indicated lines from the configuration,
    or replace the port numbers contained within them with the "*" sign
    (e.g., replace "port 53" with "port *").

    For additional certainty, use tcpdump or some other network monitoring
    tool to check for varying UDP source ports. If there is a NAT device
    in front of your resolver, make sure that it does not defeat the
    effect of source port randomization.

    4. If you cannot activate source port randomization, consider
    configuring BIND 9 to forward queries to a resolver which can, possibly
    over a VPN such as OpenVPN to create the necessary trusted network link.
    (Use BIND's forward-only mode in this case.)
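    As an added example (not part of the advisory or of the BIND packages), the following Python script automates the two checks from step 3: it finds query-source lines in named.conf.options that pin a port and rewrites them to "port *", and it counts the distinct UDP source ports in the default text output of tcpdump (e.g. "tcpdump -n udp dst port 53") to judge whether randomization is in effect. The configuration fragment and both captures are constructed sample data; the tcpdump line layout and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed named.conf.options fragment; "port 53" is what triggers BIND's
# "suppresses port randomization" startup message.
SAMPLE_CONF = """\
options {
    query-source address * port 53;
    query-source-v6 address * port *;
};
"""
# Constructed tcpdump output for queries to an upstream at 192.0.2.1 (assumed
# default text layout): one capture with a pinned source port, one randomized.
PINNED_CAPTURE = """\
19:10:15.000001 IP 192.0.2.10.53 > 192.0.2.1.53: 1001+ A? example.org. (29)
19:10:15.100002 IP 192.0.2.10.53 > 192.0.2.1.53: 1002+ A? example.net. (29)
"""
RANDOM_CAPTURE = """\
19:10:15.000001 IP 192.0.2.10.39112 > 192.0.2.1.53: 1001+ A? example.org. (29)
19:10:15.100002 IP 192.0.2.10.54371 > 192.0.2.1.53: 1002+ A? example.net. (29)
"""
# query-source / query-source-v6 ... port <value>;
QUERY_SOURCE_RE = re.compile(r'^(\s*query-source(?:-v6)?\b.*?\bport\s+)(\S+?)(\s*;)')

def pinned_query_source_lines(conf_text):
    """Return (line_no, port) for every query-source directive that pins a port."""
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = QUERY_SOURCE_RE.match(line)
        if m and m.group(2) != '*':
            hits.append((line_no, m.group(2)))
    return hits

def unpin_query_source(conf_text):
    """Replace a pinned port with '*' so named picks a random source port (step 3)."""
    lines = (QUERY_SOURCE_RE.sub(r'\1*\3', l) for l in conf_text.splitlines())
    return '\n'.join(lines) + '\n'

# "src.host.PORT > dst.host.53: " as printed by tcpdump for IPv4 and IPv6.
QUERY_RE = re.compile(r' IP6? \S+\.(\d+) > \S+\.53: ')

def source_port_counts(capture_text):
    """Count how often each UDP source port was used for queries to port 53."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts

def randomization_looks_active(capture_text, min_distinct=2):
    """True when at least min_distinct source ports appear; raise it for real captures."""
    return len(source_port_counts(capture_text)) >= min_distinct
```

    Run it against a capture taken on the interface facing the resolver's upstreams; a capture taken behind a NAT device reflects the NAT's port choice, not named's, which is exactly the case the advisory warns about.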


    Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
    Unbound) already employ source port randomization, and no updated
    packages are needed. BIND 9.5 up to and including version
    1:9.5.0.dfsg-4 only implements a weak form of source port
    randomization and needs to be updated as well. For information on
    BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
    see DSA-1605-1.

    The updated bind9 packages contain changes originally scheduled for
    the next stable point release, including the changed IP address of L.ROOT-SERVERS.NET (Debian bug #449148).

    For the stable distribution (etch), this problem has been fixed in
    version 9.3.4-2etch3.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your bind9 package.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    Debian (stable)
    - ---------------

    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.


    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)