Para informação... Welkson
----- Original Message ----- From: "Alexander Pereira Girald" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, July 13, 2008 7:24 PM Subject: [INFOSEG] FreeBSD Security Advisory FreeBSD-SA-08:06.bind > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================= > FreeBSD-SA-08:06.bind Security > Advisory > The FreeBSD > Project > > Topic: DNS cache poisoning > > Category: contrib > Module: bind > Announced: 2008-07-13 > Credits: Dan Kaminsky > Affects: All supported FreeBSD versions. > Corrected: 2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE) > 2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3) > 2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE) > 2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3) > CVE Name: CVE-2008-1447 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:http://security.FreeBSD.org/>. > > I. Background > > BIND 9 is an implementation of the Domain Name System (DNS) protocols. > The named(8) daemon is an Internet Domain Name Server. DNS requests > contain a query id which is used to match a DNS request with the response > and to make it harder for anybody but the DNS server which received the > request to send a valid response. > > II. Problem Description > > The BIND DNS implementation does not randomize the UDP source port when > doing remote queries, and the query id alone does not provide adequate > randomization. > > III. Impact > > The lack of source port randomization reduces the amount of data the > attacker needs to guess in order to successfully execute a DNS cache > poisoning attack. This allows the attacker to influence or control > the results of DNS queries being returned to users from target systems. > > IV. Workaround > > Limiting the group of machines that can do recursive queries on the DNS > server will make it more difficult, but not impossible, for this > vulnerability to be exploited. > > To limit the machines able to perform recursive queries, add an ACL in > named.conf and limit recursion like the following: > > acl example-acl { > 192.0.2.0/24; > }; > > options { > recursion yes; > allow-recursion { example-acl; }; > }; > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the > RELENG_7_0 or RELENG_6_3 security branch dated after the correction > date. > > 2) To patch your present system: > > The following patches have been verified to apply to FreeBSD 6.3 and > 7.0 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 6.3] > # fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch > # fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch.asc > > [FreeBSD 7.0] > # fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch > # fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/lib/bind > # make obj && make depend && make && make install > # cd /usr/src/usr.sbin/named > # make obj && make depend && make && make install > > NOTE WELL: This update causes BIND to choose a new, random UDP port for > each new query; this may cause problems for some network configurations, > particularly if firewall(s) block incoming UDP packets on particular > ports. The avoid-v4-udp-ports and avoid-v6-udp-ports options should be > used to avoid selecting random port numbers within a blocked range. > > NOTE WELL: If a port number is specified via the query-source or > query-source-v6 options to BIND, randomized port selection will not be > used. Consequently it is strongly recommended that these options not > be used to specify fixed port numbers. > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Branch Revision > Path > - ------------------------------------------------------------------------- > RELENG_6 > src/contrib/bind9/bin/named/client.c 1.1.1.2.2.5 > src/contrib/bind9/bin/named/server.c 1.1.1.2.2.4 > src/contrib/bind9/lib/dns/api 1.1.1.2.2.5 > src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.4.4 > src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.4.3 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.8 > RELENG_6_3 > src/UPDATING 1.416.2.37.2.8 > src/sys/conf/newvers.sh 1.69.2.15.2.7 > src/contrib/bind9/bin/named/client.c 1.1.1.2.2.3.2.1 > src/contrib/bind9/bin/named/server.c 1.1.1.2.2.2.2.1 > src/contrib/bind9/lib/dns/api 1.1.1.2.2.3.2.1 > src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.4.2.2.1 > src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.4.1.2.1 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.6.2.1 > RELENG_7 > src/contrib/bind9/bin/named/client.c 1.1.1.6.2.2 > src/contrib/bind9/bin/named/server.c 1.1.1.6.2.2 > src/contrib/bind9/lib/dns/api 1.1.1.6.2.2 > src/contrib/bind9/lib/dns/dispatch.c 1.1.1.4.2.2 > src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.3.2.2 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.2 > RELENG_7_0 > src/UPDATING 1.507.2.3.2.7 > src/sys/conf/newvers.sh 1.72.2.5.2.7 > src/contrib/bind9/bin/named/client.c 1.1.1.6.2.1.2.1 > src/contrib/bind9/bin/named/server.c 1.1.1.6.2.1.2.1 > src/contrib/bind9/lib/dns/api 1.1.1.6.2.1.2.1 > src/contrib/bind9/lib/dns/dispatch.c 1.1.1.4.2.1.2.1 > src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.3.2.1.2.1 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.1.2.1 > - ------------------------------------------------------------------------- > > VII. References > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 > http://www.kb.cert.org/vuls/id/800113 > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-08:06.bind.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (FreeBSD) > > iEYEARECAAYFAkh6UiMACgkQFdaIBMps37IE5ACfYzpWMhEXgWNdjwVlzd7JTwBS > Eu0AnRIogMIJ3fjQF4hcymtdwR6buRNc > =shnR > -----END PGP SIGNATURE----- > _______________________________________________ > Lista [EMAIL PROTECTED] > Para mudar opgues pessoais: > http://virgo.pop-rs.rnp.br/mailman/listinfo/infoseg > Para ver mensagens ja postadas: > http://virgo.pop-rs.rnp.br/pipermail/infoseg > Para se descadastrar da lista: > http://virgo.pop-rs.rnp.br/mailman/listinfo/infoseg > ------------------------- Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
