Cache poisoning vulnerability found in BIND

Domain Name System (DNS) cache poisoning has been a problem, on and off, for years. There has been a kind of an arms race with security researchers periodically finding problems in DNS server implementations and the vendors racing to fix them. Amit Klein of Trusteer recently released a vulnerability report for the Berkeley Internet Name Daemon (BIND) showing a rather reliable means to poison the cache of a nameserver that runs it. The consequences of this poisoning can be quite severe, invisibly rerouting traffic bound for a given host to one under an attacker's control.

We will dispense with the usual overview of DNS; it was briefly described in an April LWN article, and the vulnerability executive summary and the Wikipedia article have useful descriptions as well.

There are essentially two types of DNS servers: those that directly reply to queries about a particular zone (zone servers) and those that cache query results (caching servers). An internet service provider or company will typically set up a few caching DNS servers that actually talk to the zone servers, and configure all client machines to make their DNS requests to the caching servers. Once an entry has been entered into the cache of those servers, it will not be requested again until the time-to-live (TTL) of the entry expires. If an attacker can get an incorrect entry put into the cache, especially one with a very long TTL, he can redirect traffic to servers under his control. This is the "poison" in the cache.

DNS uses User Datagram Protocol (UDP), which is stateless rather than connection-oriented. This allows attackers to send "answers" to DNS queries that they never received. They can forge the IP address of the nameserver that would be queried; if the bogus response is received before the real response, it will be used and the real one dropped. Several steps are taken to make it more difficult for an attacker to forge a response, but one of those countermeasures was not correctly implemented in BIND, leading to this most recent vulnerability.

The DNS protocol contains a 16-bit transaction ID field that must match between the query and the response in order for the response to be considered valid. Early DNS implementations just incremented those transaction IDs for each new query, making it trivial for an attacker's program to predict which was coming next. The obvious fix is to randomize the transaction IDs, which is exactly what BIND did; unfortunately, not quite as randomly as they might have hoped.

Random number generation (RNG) is one of those things that seems like it should be blindingly simple, but turns out to be incredibly difficult to do correctly. For things like games or simulations, it is relatively straightforward to create an RNG with reasonable properties, but for security and cryptography, it is much more difficult. One of the key properties that a crypto-strength RNG must have is unpredictability. One way to look at that is to determine how much RNG output an attacker must see before they can make informed guesses about the next "random" number. This is where the BIND algorithm was found to be lacking.

By studying the code used to generate the transaction IDs, Klein noticed that if the transaction ID was even (least significant bit was zero), there were only ten possible values that could be generated as the next transaction ID. Other techniques had been able to reduce the search space to around 5000 possibilities, but forging and sending that many bogus DNS responses before the real reply reaches the recipient is not a very reliable poisoning technique. With only ten responses to send, it is quite possible to get the bogus response there first, especially if the real DNS server is busy and responds a little slowly.

If an attacker (at wanted to poison the cache entry of for the users at, they would need to lure a user of's caching DNS server to visit When the DNS server at queries the DNS server, that server looks at the transaction ID; if it is odd, it sends back a redirection to itself (using a DNS feature called CNAME chaining). If the transaction ID is even, it quickly calculates the ten possible values for the next transaction ID and starts sending responses for using those IDs. In addition, it redirects the query to If that site is not in the cache, or its cache entry has expired,'s DNS server will make a query, probably using one of the ten transaction IDs (unless an intervening query has gone out), to It is very likely that one of the bogus responses will be picked up and the attacker now controls the mapping of to an IP address, for all users of

Normally, the invitation to visit would go out as spam or by some other means that tricks users into going places that they probably should not. No particular ISP is targeted, the poisoning is used as part of a pharming attack. Pharming is typically used to get credentials, usernames and passwords, for financial and other sites by spoofing a well-known website on an attacker's server. Because of the cache poisoning, the user could use a bookmark or even type in the address, but still end up at the attacker's site. The website graphics and login process are duplicated there which causes the user (or his browser's password manager) to type in the credentials and hit submit.

The full report makes for quite an interesting read. Klein describes several other means of attack and weaknesses in the BIND RNG, including ways to completely recover the internal state of the RNG. Internet Systems Consortium (ISC), the maintainers of BIND, have released an updated version with a new RNG, though there was very little description of the problem or the fix in their advisory. The problem has been assigned CVE-2007-2926 but, as of this writing, that is just a placeholder.

This is quite a serious vulnerability and should be rather embarrassing to the folks at ISC. The problems with transaction IDs and the need for their unpredictability have been known for many years. It is not at all beyond the realm of possibility that the analysis done by Klein was done by the attacker community some time ago and has been used already. Widespread usage would likely have been detected, but if used judiciously, it could have been exploited for quite some time.

Another technique that could help avoid these kinds of attacks would be to randomize (crypto-strength RNG, of course) the source UDP port on each query. BIND currently chooses a single random UDP source port at startup time and uses that throughout its life. If an attacker could not predict the port to send a bogus response to, it almost would not matter that they could predict what response to send.
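The two points made above, that a guessable transaction ID collapses the forger's search space and that a per-query random source port multiplies it back up, can be turned into a simple defender-side check. The following is an added example, not code from the article or from BIND/ISC: it parses the 16-bit transaction ID out of captured DNS query headers (RFC 1035 layout), flags sequential IDs and a fixed source port, and computes how many queries an off-path forger would expect to race before one forged response matches. The packet bytes and port lists are constructed for the example, and the 64512-port ephemeral range is an assumption, not a BIND figure.

```python
"""Check captured DNS queries for predictable transaction IDs and a fixed
source port, and estimate the forger's expected work (added example)."""
import math
import struct
from collections import Counter

# Assumed size of a randomized ephemeral source-port range (1024..65535).
EPHEMERAL_PORTS = 64512


def build_query(txid, name="example.com"):
    """Construct a minimal DNS A query with the given transaction ID (sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def txid_from_query(payload):
    """Return the 16-bit transaction ID from the first two bytes of a DNS message."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes")
    (txid,) = struct.unpack("!H", payload[:2])
    return txid


def sequential_fraction(ids):
    """Fraction of consecutive IDs that differ by exactly 1 (mod 2^16)."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) % 65536 == 1)
    return steps / (len(ids) - 1)


def shannon_entropy_bits(values):
    """Empirical entropy of the observed values; low values mean repeated IDs."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def expected_forgeries(id_space, port_space, guesses_per_query):
    """Expected number of queries the forger must race before a hit, if each
    forged response has a guesses/(ids*ports) chance of matching."""
    candidates = id_space * port_space
    if guesses_per_query >= candidates:
        return 1.0
    return candidates / guesses_per_query


def assess(queries, src_ports):
    """Summarize the predictability signals for a batch of captured queries."""
    ids = [txid_from_query(q) for q in queries]
    return {
        "sequential_fraction": sequential_fraction(ids),
        "txid_entropy_bits": shannon_entropy_bits(ids),
        "fixed_source_port": len(set(src_ports)) == 1,
        "distinct_ports": len(set(src_ports)),
    }


# Constructed sample: a resolver that increments IDs and reuses one port.
SEQ_QUERIES = [build_query(1000 + i) for i in range(20)]
SEQ_PORTS = [53] * 20

# Constructed sample: randomized IDs and a fresh source port per query.
RANDOM_IDS = [0x3F2A, 0x91C4, 0x0B77, 0xE5D0, 0x4A19, 0xC8E3, 0x2D6F, 0x7B02]
RANDOM_QUERIES = [build_query(i) for i in RANDOM_IDS]
RANDOM_PORTS = [54123, 33811, 60277, 41002, 52319, 38850, 49766, 57104]

if __name__ == "__main__":
    print("sequential resolver:", assess(SEQ_QUERIES, SEQ_PORTS))
    print("randomized resolver:", assess(RANDOM_QUERIES, RANDOM_PORTS))
    # Ten forged responses per query, as in the article's even-ID case.
    print("full 16-bit ID, fixed port:", expected_forgeries(65536, 1, 10))
    print("ten candidate IDs, fixed port:", expected_forgeries(10, 1, 10))
    print("ten candidate IDs, random port:", expected_forgeries(10, EPHEMERAL_PORTS, 10))
```

With ten candidate IDs and a fixed port the forger expects to win on the first query; adding a random source port per query pushes the expected work back into the tens of thousands even though the ID itself is still predictable, which is the point of the recommendation above. Feed `assess` the UDP payloads and source ports from a capture of your resolver's outbound queries to check both properties.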

Comments (14 posted)

Brief items

Samsung fixes its printer drivers

One week ago we reported that Samsung's printer driver installation script compromised the security of the systems it was run on by turning a few small applications (like into setuid root executables. We have just heard from Samsung that this problem has been fixed. A quick look at the new installer confirms that the calls making those applications setuid have been commented out, though the structure to do that work remains in place.

Comments (1 posted)

Wesabe's automatic banking Firefox extension

Wesabe has announced the availability of an open source Firefox extension to help with online banking. "Setting up Wesabe accounts for banks that provide automatic data downloads, including American Express, Chase and USAA, only takes seconds -- members simply need to enter their username and password. The extension auto-records a login and download, and then plays it back as frequently as the member wants updated data. The extension works equally as well for banks that don't provide automatic downloads -- members use the extension to 'record' an actual download session from their bank Web site, a process that typically takes between one and two minutes." One can only hope that this source gets audited well; it would be an optimal trojan horse platform, and is sure to be a cracker target as well.

Comments (1 posted)

New vulnerabilities

bind: DNS cache poisoning

Package(s): bind  CVE #(s): CVE-2007-2926
Created: July 24, 2007  Updated: August 20, 2007
Description: A flaw was found in the way BIND generates outbound DNS query ids. If an attacker is able to acquire a finite set of query IDs, it becomes possible to accurately predict future query IDs. Future query ID prediction may allow an attacker to conduct a DNS cache poisoning attack, which can result in the DNS server returning incorrect client query data.
Gentoo 200708-13 bind 2007-08-18
SuSE SUSE-SA:2007:047 bind, 2007-08-01
Trustix TSLSA-2007-0023 bind, clamav, curl, mod_perl, perl-net-dns, tcpdump 2007-07-28
Slackware SSA:2007-207-01 bind 2007-07-27
rPath rPSA-2007-0149-1 bind 2007-07-27
Fedora FEDORA-2007-647 bind 2007-07-26
Debian DSA-1341-2 bind9 2007-07-25
Mandriva MDKSA-2007:149 bind 2007-12-31
Debian DSA-1341-1 bind9 2007-07-25
Ubuntu USN-491-1 bind9 2007-07-25
OpenPKG OpenPKG-SA-2007.022 bind-9 2007-07-25
Fedora FEDORA-2007-1247 bind 2007-07-24
Red Hat RHSA-2007:0740-01 bind 2007-07-24

Comments (none posted)

bochs: buffer overflow

Package(s): bochs  CVE #(s): CVE-2007-2893
Created: July 20, 2007  Updated: November 19, 2007
Description: A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
Gentoo 200711-21 bochs 2007-11-17
Fedora FEDORA-2007-1778 bochs 2007-08-23
Debian DSA-1351-1 bochs 2007-08-07
Fedora FEDORA-2007-1153 bochs 2007-07-19

Comments (none posted)

centericq: buffer overflows

Package(s): centericq  CVE #(s): CVE-2007-3713
Created: July 20, 2007  Updated: December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Debian DSA-1433-1 centericq 2007-12-16
Debian-Testing DTSA-55-1 centerim 2007-09-03
Fedora FEDORA-2007-1160 centericq 2007-07-19

Comments (none posted)

clamav: denial of service

Package(s): clamav  CVE #(s): CVE-2007-3725
Created: July 24, 2007  Updated: February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via specially crafted RAR archives.
SuSE SUSE-SR:2007:015 PHP, moodle, tomcat5, lighttpd, asterisk, libarchive, xpdf, evolution, kvirc, wireshark, gd, opera, clamav, gimp 2007-08-03
Gentoo 200708-04 clamav 2007-08-09
Mandriva MDKSA-2007:150 clamav 2007-07-25
Debian DSA-1340-1 clamav 2007-07-24

Comments (none posted)

kernel: denial of service

Package(s): kernel  CVE #(s): CVE-2007-3642
Created: July 23, 2007  Updated: November 14, 2007
Description: The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c in the Linux kernel before 2.6.22 allows remote attackers to cause a denial of service (crash) via an encoded, out-of-range index value for a choice field, which triggers a NULL pointer dereference.
Ubuntu USN-510-1 linux-source-2.6.20 2007-08-31
Debian DSA-1356-1 linux-2.6 2007-08-15
Fedora FEDORA-2007-655 kernel 2007-08-09
Fedora FEDORA-2007-1130 kernel 2007-07-20

Comments (none posted)

lighttpd: denial of service

Package(s): lighttpd  CVE #(s): CVE-2007-3946 CVE-2007-3947 CVE-2007-3948 CVE-2007-3949 CVE-2007-3950
Created: July 19, 2007  Updated: July 15, 2008
Description: The lighttpd web server has multiple vulnerabilities, including remote circumvention of access-control settings by sending malformed requests. These can be used to crash the server and cause a denial of service.
Debian DSA-1609-1 lighttpd 2008-07-15
SuSE SUSE-SR:2007:015 PHP, moodle, tomcat5, lighttpd, asterisk, libarchive, xpdf, evolution, kvirc, wireshark, gd, opera, clamav, gimp 2007-08-03
Debian DSA-1362 lighttpd 2007-08-29
Gentoo 200708-11 lighttpd 2007-08-16
Fedora FEDORA-2007-1299 lighttpd 2007-07-26
Foresight FLEA-2007-0034-1 lighttpd 2007-07-26
rPath rPSA-2007-0145-1 lighttpd 2007-07-19

Comments (none posted)

nginx: cross site scripting

Package(s): nginx  CVE #(s):
Created: July 20, 2007  Updated: September 14, 2009
Description: Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server written by Igor Sysoev. The "msie_refresh" directive could allow cross site scripting.
Fedora FEDORA-2007-1158 nginx 2007-07-19

Comments (none posted)

nvclock: insecure tmp file usage

Package(s): nvclock  CVE #(s): CVE-2007-3531
Created: July 25, 2007  Updated: July 25, 2007
Description: A local attacker could create a specially crafted temporary file in /tmp to execute arbitrary code with the privileges of the user running NVClock.
Gentoo 200707-08 nvclock 2007-07-24

Comments (1 posted)

redhat-cluster-suite: denial of service

Package(s): redhat-cluster-suite  CVE #(s): CVE-2007-3380
Created: July 19, 2007  Updated: November 14, 2007
Description: The Red Hat Cluster Suite's cluster manager is vulnerable to a remote attack. Attackers can connect to the DLM port and block subsequent DLM operations, resulting in a denial of service.
Ubuntu USN-489-1 linux-source-2.6.15 2007-07-19
Red Hat RHSA-2007:0940-01 kernel 2007-10-22
Ubuntu USN-489-2 redhat-cluster-suite 2007-07-19

Comments (1 posted)

tcpdump: integer overflow

Package(s): tcpdump  CVE #(s): CVE-2007-3798
Created: July 20, 2007  Updated: November 15, 2007
Description: An integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
Red Hat RHSA-2007:0387-02 tcpdump 2007-11-15
Red Hat RHSA-2007:0368-03 tcpdump 2007-11-07
Slackware SSA:2007-230-01 tcpdump 2007-08-20
Debian DSA-1353-1 tcpdump 2007-08-11
Fedora FEDORA-2007-654 tcpdump 2007-08-01
Fedora FEDORA-2007-1361 tcpdump 2007-07-31
Ubuntu USN-492-1 tcpdump 2007-07-30
Gentoo 200707-14 tcpdump 2007-07-28
Mandriva MDKSA-2007:148 tcpdump 2007-07-25
rPath rPSA-2007-0147-1 tcpdump 2007-07-20

Comments (none posted)

Page editor: Jake Edge

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds