[CVE-2008-1447] Randomize DNS query source ports to prevent cache poisoning

Bug #246702 reported by Till Ulen on 2008-07-08
Affects: bind9 (Ubuntu) | Importance: High | Assigned to: LaMont Jones
Affects: glibc (Ubuntu) | Importance: Low | Assigned to: Unassigned

Bug Description

Binary package hint: bind9

Debian issued three security advisories related to the possibility of DNS cache poisoning in Bind 9 (DSA-1603), Bind 8 (DSA-1604) and the libc stub resolver (DSA-1605).

Here is the description of the problem with Bind 9 from DSA-1603-1:

"Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.

This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult."

[...]

"Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
Unbound) already employ source port randomization, and no updated
packages are needed. BIND 9.5 up to and including version
1:9.5.0.dfsg-4 only implements a weak form of source port
randomization and needs to be updated as well. For information on
BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
see DSA-1605-1."

As described in DSA-1605-1, the glibc stub resolver hasn't been updated yet and is still vulnerable. The advisory suggests installing a local Bind 9 resolver, possibly in forward-only mode, as a work-around. So this bug in package glibc is a request to make the stub resolver randomize source ports as well, because non-technical Ubuntu users can't be expected to configure Bind 9 on their own.

References

DSA-1603-1:
http://lists.debian.org/debian-security-announce/2008/msg00184.html
http://www.debian.org/security/2008/dsa-1603

DSA-1604-1:
http://lists.debian.org/debian-security-announce/2008/msg00185.html
http://www.debian.org/security/2008/dsa-1604

DSA-1605-1:
http://lists.debian.org/debian-security-announce/2008/msg00186.html
http://www.debian.org/security/2008/dsa-1605
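
The countermeasure quoted from DSA-1603-1 can be verified from the outside by looking at the UDP source ports a resolver actually uses. The following is an added example, not part of the bug report or the Debian advisories: it classifies a series of observed ports and estimates how many bits a forged reply would have to match. The sample ports, the `MIN_STDEV` cut-off and the function name `assess` are assumptions made for illustration.

```python
import math
from statistics import pstdev

TXID_BITS = 16      # width of the DNS transaction ID
MIN_STDEV = 3000    # assumed cut-off below which the port spread is called weak

# Constructed samples: source ports of consecutive queries from one resolver,
# as seen by an authoritative server or in a capture at the network edge.
SAMPLES = {
    "fixed": [53] * 12,
    "sequential": list(range(32768, 32780)),
    "narrow pool": [1024 + (i * 37) % 8 for i in range(12)],
    "randomized": [50312, 1944, 33871, 61002, 12077, 45630,
                   8841, 27519, 58264, 19403, 39956, 3310],
}

def assess(ports):
    """Classify a resolver's source-port behaviour and estimate guess space."""
    if len(ports) < 3:
        raise ValueError("need at least 3 observed queries")
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(set(ports)) == 1:
        verdict = "fixed"
    elif len(deltas) == 1:
        verdict = "sequential"
    elif pstdev(ports) < MIN_STDEV:
        verdict = "weak"
    else:
        verdict = "randomized"
    # A fixed or predictable port adds nothing to the 16-bit transaction ID.
    # Otherwise the observed port range gives a rough estimate of the pool
    # a forged reply would have to match.
    if verdict in ("fixed", "sequential"):
        port_bits = 0.0
    else:
        port_bits = math.log2(max(ports) - min(ports) + 1)
    return {"verdict": verdict, "guess_bits": TXID_BITS + port_bits}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        r = assess(ports)
        print(f"{name:12} {r['verdict']:11} ~{r['guess_bits']:.1f} bits")
```

A resolver behind a NAT device can still show up as fixed or sequential here even after patching, because the device may rewrite the source ports.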

Kees Cook (kees) wrote :

Thanks for the report. Ubuntu is already in the process of publishing fixes for these issues. They should be visible in the archive shortly.

Changed in glibc:
assignee: nobody → kees
importance: Undecided → Medium
status: New → Confirmed
Changed in bind9:
assignee: nobody → lamont
importance: Undecided → High
status: New → Fix Committed

LaMont Jones (lamont) wrote :

fixed in 1:9.3.2-2ubuntu1.5, 1:9.3.4-2ubuntu2.3, 1:9.4.1-P1-3ubuntu2, 1:9.4.2-10ubuntu0.1, and 1:9.5.0.dfsg.P1-1

Changed in bind9:
status: Fix Committed → Fix Released

Kees Cook (kees) on 2008-09-09
Changed in glibc:
assignee: kees → nobody
importance: Medium → Low

Marc Deslauriers (mdeslaur) wrote :

This is fixed in all currently-supported versions of Ubuntu.

Changed in glibc (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.