[FUG-BR] [INFOSEG] FreeBSD Security Advisory FreeBSD-SA-08:06.bind

Welkson Renny de Medeiros welkson em focusautomacao.com.br
Segunda Julho 14 08:55:50 BRT 2008 

Para informação...

Welkson

----- Original Message ----- 
From: "Alexander Pereira Girald" <girald em etcom.ufrgs.br>
To: <infoseg em pop-rs.rnp.br>
Sent: Sunday, July 13, 2008 7:24 PM
Subject: [INFOSEG] FreeBSD Security Advisory FreeBSD-SA-08:06.bind


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-08:06.bind                                       Security 
> Advisory
>                                                           The FreeBSD 
> Project
>
> Topic:          DNS cache poisoning
>
> Category:       contrib
> Module:         bind
> Announced:      2008-07-13
> Credits:        Dan Kaminsky
> Affects:        All supported FreeBSD versions.
> Corrected:      2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
>                 2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
>                 2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
>                 2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
> CVE Name:       CVE-2008-1447
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.  DNS requests
> contain a query id which is used to match a DNS request with the response
> and to make it harder for anybody but the DNS server which received the
> request to send a valid response.
>
> II.  Problem Description
>
> The BIND DNS implementation does not randomize the UDP source port when
> doing remote queries, and the query id alone does not provide adequate
> randomization.
>
> III. Impact
>
> The lack of source port randomization reduces the amount of data the
> attacker needs to guess in order to successfully execute a DNS cache
> poisoning attack.  This allows the attacker to influence or control
> the results of DNS queries being returned to users from target systems.
>
> IV.  Workaround
>
> Limiting the group of machines that can do recursive queries on the DNS
> server will make it more difficult, but not impossible, for this
> vulnerability to be exploited.
>
> To limit the machines able to perform recursive queries, add an ACL in
> named.conf and limit recursion like the following:
>
> acl example-acl {
>    192.0.2.0/24;
> };
>
> options {
> recursion yes;
> allow-recursion { example-acl; };
> };
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
> RELENG_7_0 or RELENG_6_3 security branch dated after the correction
> date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3 and
> 7.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.3]
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch.asc
>
> [FreeBSD 7.0]
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/bind
> # make obj && make depend && make && make install
> # cd /usr/src/usr.sbin/named
> # make obj && make depend && make && make install
>
> NOTE WELL: This update causes BIND to choose a new, random UDP port for
> each new query; this may cause problems for some network configurations,
> particularly if firewall(s) block incoming UDP packets on particular
> ports.  The avoid-v4-udp-ports and avoid-v6-udp-ports options should be
> used to avoid selecting random port numbers within a blocked range.
>
> NOTE WELL: If a port number is specified via the query-source or
> query-source-v6 options to BIND, randomized port selection will not be
> used.  Consequently it is strongly recommended that these options not
> be used to specify fixed port numbers.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/contrib/bind9/bin/named/client.c                        1.1.1.2.2.5
>   src/contrib/bind9/bin/named/server.c                        1.1.1.2.2.4
>   src/contrib/bind9/lib/dns/api                               1.1.1.2.2.5
>   src/contrib/bind9/lib/dns/dispatch.c                        1.1.1.1.4.4
>   src/contrib/bind9/lib/dns/include/dns/dispatch.h            1.1.1.1.4.3
>   src/contrib/bind9/lib/dns/resolver.c                        1.1.1.2.2.8
> RELENG_6_3
>   src/UPDATING                                             1.416.2.37.2.8
>   src/sys/conf/newvers.sh                                   1.69.2.15.2.7
>   src/contrib/bind9/bin/named/client.c                    1.1.1.2.2.3.2.1
>   src/contrib/bind9/bin/named/server.c                    1.1.1.2.2.2.2.1
>   src/contrib/bind9/lib/dns/api                           1.1.1.2.2.3.2.1
>   src/contrib/bind9/lib/dns/dispatch.c                    1.1.1.1.4.2.2.1
>   src/contrib/bind9/lib/dns/include/dns/dispatch.h        1.1.1.1.4.1.2.1
>   src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.6.2.1
> RELENG_7
>   src/contrib/bind9/bin/named/client.c                        1.1.1.6.2.2
>   src/contrib/bind9/bin/named/server.c                        1.1.1.6.2.2
>   src/contrib/bind9/lib/dns/api                               1.1.1.6.2.2
>   src/contrib/bind9/lib/dns/dispatch.c                        1.1.1.4.2.2
>   src/contrib/bind9/lib/dns/include/dns/dispatch.h            1.1.1.3.2.2
>   src/contrib/bind9/lib/dns/resolver.c                        1.1.1.9.2.2
> RELENG_7_0
>   src/UPDATING                                              1.507.2.3.2.7
>   src/sys/conf/newvers.sh                                    1.72.2.5.2.7
>   src/contrib/bind9/bin/named/client.c                    1.1.1.6.2.1.2.1
>   src/contrib/bind9/bin/named/server.c                    1.1.1.6.2.1.2.1
>   src/contrib/bind9/lib/dns/api                           1.1.1.6.2.1.2.1
>   src/contrib/bind9/lib/dns/dispatch.c                    1.1.1.4.2.1.2.1
>   src/contrib/bind9/lib/dns/include/dns/dispatch.h        1.1.1.3.2.1.2.1
>   src/contrib/bind9/lib/dns/resolver.c                    1.1.1.9.2.1.2.1
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
> http://www.kb.cert.org/vuls/id/800113
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-08:06.bind.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iEYEARECAAYFAkh6UiMACgkQFdaIBMps37IE5ACfYzpWMhEXgWNdjwVlzd7JTwBS
> Eu0AnRIogMIJ3fjQF4hcymtdwR6buRNc
> =shnR
> -----END PGP SIGNATURE-----
> _______________________________________________
> Lista infoseg em pop-rs.rnp.br
> Para mudar opgues pessoais: 
> http://virgo.pop-rs.rnp.br/mailman/listinfo/infoseg
> Para ver mensagens ja postadas: 
> http://virgo.pop-rs.rnp.br/pipermail/infoseg
> Para se descadastrar da lista: 
> http://virgo.pop-rs.rnp.br/mailman/listinfo/infoseg
>

Mais detalhes sobre a lista de discussão freebsd