Para informação...
Welkson
- Original Message -
From: "Alexander Pereira Girald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 13, 2008 7:24 PM
Subject: [INFOSEG] FreeBSD Security Advisory FreeBSD-SA-08:06.bind
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> =
> FreeBSD-SA-08:06.bind Security
> Advisory
> The FreeBSD
> Project
>
> Topic: DNS cache poisoning
>
> Category: contrib
> Module: bind
> Announced: 2008-07-13
> Credits:Dan Kaminsky
> Affects:All supported FreeBSD versions.
> Corrected: 2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
> 2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
> 2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
> 2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
> CVE Name: CVE-2008-1447
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit http://security.FreeBSD.org/>.
>
> I. Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server. DNS requests
> contain a query id which is used to match a DNS request with the response
> and to make it harder for anybody but the DNS server which received the
> request to send a valid response.
>
> II. Problem Description
>
> The BIND DNS implementation does not randomize the UDP source port when
> doing remote queries, and the query id alone does not provide adequate
> randomization.
>
> III. Impact
>
> The lack of source port randomization reduces the amount of data the
> attacker needs to guess in order to successfully execute a DNS cache
> poisoning attack. This allows the attacker to influence or control
> the results of DNS queries being returned to users from target systems.
>
> IV. Workaround
>
> Limiting the group of machines that can do recursive queries on the DNS
> server will make it more difficult, but not impossible, for this
> vulnerability to be exploited.
>
> To limit the machines able to perform recursive queries, add an ACL in
> named.conf and limit recursion like the following:
>
> acl example-acl {
>192.0.2.0/24;
> };
>
> options {
> recursion yes;
> allow-recursion { example-acl; };
> };
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
> RELENG_7_0 or RELENG_6_3 security branch dated after the correction
> date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3 and
> 7.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.3]
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch.asc
>
> [FreeBSD 7.0]
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/bind
> # make obj && make depend && make && make install
> # cd /usr/src/usr.sbin/named
> # make obj && make depend && make && make install
>
> NOTE WELL: This update causes BIND to choose a new, random UDP port for
> each new query; this may cause problems for some network configurations,
> particularly if firewall(s) block incoming UDP packets on particular
> ports. The avoid-v4-udp-ports and avoid-v6-udp-ports options should be
> used to avoid selecting random port numbers within a blocked range.
>
> NOTE WELL: If a port number is specified via the query-source or
> query-source-v6 options to BIND, randomized port selection will not be
> used. Consequently it is strongly recommended that these options not
> be used to specify fixed port numbers.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch Revision
> Path
> - -
> RELENG_6
> src/contrib/bind9/bin/named/client.c1.1.1.2.2.5
> src/contrib/bind9/bin/named/server.c1.1.1.2.2.4
> src/contrib/bind9/lib/dns/api 1.1.1.2.2.5
> src/contrib/bind9/lib/dns/dispatch.c1.1.1.1.4.4
> src/contrib/bind9/lib/dns/include/dns/dispatch.h1.1.1.1.4.3
> src/contrib/bind9/lib/dns/resolver.c1.1.1.2.2.8
> RELENG_6_3
> src/UPDATING