Subject: NetBSD Security Advisory 2007-007: BIND cryptographically weak query IDs
To: None <tech-security@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: tech-security
Date: 09/13/2007 22:55:54 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2007-007
		 =================================

Topic:		BIND cryptographically weak query IDs

Version:	NetBSD-current:	source prior to July 24, 2007
		NetBSD 4.0_BETA2:	affected
		NetBSD 3.1:		affected
		NetBSD 3.0.*:		affected
		NetBSD 3.0:		affected
		NetBSD 2.1:		affected
		NetBSD 2.0.*:		affected
		NetBSD 2.0:		affected

Severity:	Remote DNS cache poisoning

Fixed:		NetBSD-current:		July 24, 2007
		NetBSD-4 branch:	July 31, 2007
			(4.0 will include the fix)
		NetBSD-3-1 branch:	August 14, 2007
			(3.1.1 will include the fix)
		NetBSD-3-0 branch:	August 14, 2007
			(3.0.3 will include the fix)
		NetBSD-3 branch:	August 14, 2007
		NetBSD-2-1 branch:	September 13, 2007
		NetBSD-2-0 branch:	September 13, 2007
		NetBSD-2 branch:	September 13, 2007
		pkgsrc:			bind-9.4.1pl1 corrects the issue
					bind-8.4.7pl1 corrects the issue

Abstract
========

Due to the use of cryptographically weak query IDs an attacker can predict
query IDs and poison the cache by injecting their own responses.

This vulnerability has been assigned CVE references CVE-2007-2926 for BIND 9.x
and CVE-2007-2930 for BIND 8.x.

Technical Details
=================

- From www.isc.org:

BIND 9.x:
"The DNS query id generation is vulnerable to cryptographic analysis which
provides a 1 in 8 chance of guessing the next query id for 50% of the query
ids. This can be used to perform cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."

BIND 8.x:
"This bug only affects outgoing queries, generated by BIND 8 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."

Solutions and Workarounds
=========================

It is recommended that NetBSD users of vulnerable versions update
their binaries.

The following instructions describe how to upgrade your bind
binaries by updating your source tree and rebuilding and
installing a new version of bind.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2007-07-24
	should be upgraded to NetBSD-current dated 2007-07-25 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		dist/bind

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -d -P dist/bind
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2007-08-14 should be upgraded from NetBSD 3.* sources dated
	2007-08-15 or later.

	The following files need to be updated from the
	netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
		dist/bind/bin/named/client.c
		dist/bind/lib/dns/dispatch.c
		dist/bind/lib/dns/include/dns/dispatch.h

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -r <branch_name> dist/bind/bin/named/client.c
		# cvs update -r <branch_name> dist/bind/lib/dns/dispatch.c
		# cvs update -r <branch_name> \
			dist/bind/lib/dns/include/dns/dispatch.h
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2007-09-12 should be upgraded from NetBSD 3.* sources dated
	2007-09-13 or later.

	The following files need to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 branches:
		dist/bind/bin/named/ns_forw.c
		dist/bind/bin/named/ns_func.h
		dist/bind/bin/named/ns_main.c
		dist/bind/bin/named/ns_resp.c

	To update from CVS, re-build, and re-install bind:

		# cd src
		# cvs update -r <branch_name> dist/bind/bin/named/ns_forw.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_func.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_main.c
		# cvs update -r <branch_name> dist/bind/bin/named/ns_resp.c
		# cd usr.sbin/bind
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

Thanks To
=========

Amit Klein for discovering and reporting this problem.

Revision History
================

	2007-09-13	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2007, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2007-007.txt,v 1.1 2007/09/12 21:45:39 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRumhsT5Ru2/4N2IFAQLQiwP/aLkPFQuSa56XdfbgYEdtWYmMAOMBvvYf
+U5hSdDK3K/02jQCkcUeHKVDOPEb3Ls21H/mMwk1AgVvI6+YW0ycPLGIMpXxgY15
Zn5WlqQtTtHkvdFHB9d0kGYVSuUxSRq0LCBEfcvk3aOQi57wuwO77O5yT+2yZJwl
ZREyrWwp7Dc=
=Oije
-----END PGP SIGNATURE-----