-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2008-009
                 =================================

Topic:          BIND cache poisoning

Version:        NetBSD-current:         affected
                NetBSD 4.0:             affected
                NetBSD 3.1.*:           affected
                NetBSD 3.1:             affected
                NetBSD 3.0.*:           affected
                NetBSD 3.0:             affected
                bind 8.x packages
                bind 9.4.x packages prior to 9.4.2pl1
                bind 9.5.x packages prior to 9.5.0pl1

Severity:       Remote DNS cache poisoning

Fixed:          NetBSD-current:         July 10, 2008
                NetBSD-4-0 branch:      July 16, 2008 (4.0.1 will include the fix)
                NetBSD-4 branch:        July 16, 2008 (4.1 will include the fix)
                NetBSD-3-1 branch:      July 24, 2008 (3.1.2 will include the fix)
                NetBSD-3-0 branch:      July 24, 2008 (3.0.4 will include the fix)
                NetBSD-3 branch:        July 24, 2008 (3.2 will include the fix)
                pkgsrc:                 bind-9.4.2pl1 corrects the issue
                                        bind-9.5.0pl1 corrects the issue


Abstract
========

Deficiencies in the DNS protocol can allow attackers to inject poisoned
responses into a caching nameserver.

This vulnerability has been assigned CVE reference CVE-2008-1447 and
CERT Vulnerability Note VU#800113.


Technical Details
=================

New cache poisoning techniques have been discovered by Dan Kaminsky which
allow an attacker to poison a cache.  This vulnerability can be exploited
by an attacker in a short amount of time.

For further information see:

http://www.kb.cert.org/vuls/id/800113
http://www.isc.org/sw/bind/forgery-resilience.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.isc.org/sw/bind/docs/FAQ-about-random-query-issue.php


Solutions and Workarounds
=========================

It is recommended that NetBSD users of vulnerable versions update their
binaries.  If you are unable to update BIND in the base operating system
there are fixed versions in pkgsrc that can be used.
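The first point under the considerations below asks you to check named.conf(5) for a hard-coded query source port. The script that follows is an added example, not part of the NetBSD advisory or of BIND: it scans a named.conf for query-source / query-source-v6 statements pinned to a numeric port, and the function name find_fixed_query_port and the sample configuration it runs on are constructed for the illustration.

```sh
#!/bin/sh
# Added example, not part of the NetBSD advisory.  Reports query-source /
# query-source-v6 statements in a named.conf that pin the query source
# port to a fixed number; "port *" or no port clause lets named choose a
# random port and is not reported.  Only // and # line comments are
# stripped; /* */ block comments are not handled here.

find_fixed_query_port() {
    # $1: path to a named.conf.  Join the file into one line so a
    # statement split over several lines is still seen as one unit, then
    # pull out each query-source statement up to its terminating ';'.
    sed -e 's|//.*||' -e 's|#.*||' "$1" |
        tr '\n' ' ' |
        grep -oE 'query-source(-v6)?[^;]*' |
        grep -E 'port[[:space:]]+[0-9]+' |
        sed 's/[[:space:]]*$//'
}

# Constructed sample named.conf for demonstration (not a real host's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/etc/namedb";
    query-source address * port 53;     // pinned port: remove this
    query-source-v6 address * port *;   // random port: fine
    # query-source address * port 1053;    commented out, ignored
};
EOF

if find_fixed_query_port "$SAMPLE_CONF" | grep -q .; then
    echo "WARNING: hard-coded query source port in $SAMPLE_CONF:"
    find_fixed_query_port "$SAMPLE_CONF"
else
    echo "OK: no hard-coded query source port in $SAMPLE_CONF"
fi
rm -f "$SAMPLE_CONF"
```

Point the function at the real file (for example /etc/namedb/named.conf) to check a host; any line it prints is a statement the advisory says to remove.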
The listed source changes will update to the following versions of BIND:

        Branch:                                 Updated to:
        HEAD                                    9.5.0-P1
        netbsd-4, netbsd-4-0                    9.4.2-P1
        netbsd-3, netbsd-3-0, netbsd-3-1        9.3.5-P1

To check the version of BIND you are currently running, examine the
output of "/usr/sbin/named -v".

The following points should be taken into consideration when assessing
this issue:

* Do not hard code a query source port using the 'query-source' and/or
  'query-source-v6' options.  This option was set by default in the
  netbsd-4, netbsd-4-0 and HEAD branches.  Please check your named.conf(5)
  to ensure that this option is not used.  This option has already been
  removed from the default configuration in HEAD as of July 23, 2008 and
  in netbsd-4 and netbsd-4-0 as of July 24, 2008.

* You are only impacted by this issue if you are running BIND as a
  caching resolver.

* For the fixed versions of BIND (9.5.0-P1, 9.4.2-P1 and 9.3.5-P1) ISC
  have stated that there is a noticeable impact on the performance of
  BIND caching resolvers with high query rates.  See
  http://www.isc.org/index.pl?/sw/bind/bind-security.php for more
  information.

  NetBSD has taken the additional step of further updates to BIND in the
  base operating system.  The following table lists the dates on which
  later versions of BIND addressing these performance issues were
  imported.  If you require these later releases, ensure that you have
  built BIND from sources dated on or after the dates listed below:

        Branch:                                 Date:             Updated to:
        HEAD                                    August 16, 2008   9.5.0-P2
        netbsd-4, netbsd-4-0                    August 30, 2008   9.4.2-P2
        netbsd-3, netbsd-3-0, netbsd-3-1        August 30, 2008   9.3.5-P2

* Devices performing Network Address Translation (NAT), more specifically
  Port Address Translation (PAT), can either decrease or increase the
  randomness of source ports used for DNS queries.  ipfilter(8) currently,
  by design, assigns ports in sequence when doing port mapping.  The
  workaround for this is to not do port translation on DNS traffic if
  that traffic has already been randomised, e.g.
  If you have:

        map foo0 a/b -> c/d portmap tcp/udp 10000:20000

  then you need to do this:

        map foo0 from a/b to any port = 53 -> c/d tcp/udp
        map foo0 a/b -> c/d portmap tcp/udp 10000:20000

  A patch has been committed to the HEAD, netbsd-4 and netbsd-4-0 branches
  that makes ipfilter(8) use random port numbers by default.  Updates are
  also being created for the netbsd-3, netbsd-3-0 and netbsd-3-1 branches.
  This advisory will be updated with further details when patches for the
  netbsd-3* branches become available.

The following instructions describe how to upgrade your bind binaries by
updating your source tree and rebuilding and installing a new version of
bind.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-07-10
        should be upgraded to NetBSD-current dated 2008-07-11 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                dist/bind
                usr.sbin/bind
                lib/libbind9
                lib/libdns
                lib/libisc
                lib/libisccc
                lib/libisccfg
                lib/liblwres

        To update from CVS, re-build, and re-install bind:

                # cd src
                # cvs update -d -P dist/bind usr.sbin/bind lib/libbind9 \
                        lib/libdns lib/libisc lib/libisccc lib/libisccfg \
                        lib/liblwres
                # cd lib/libpthread
                # make USETOOLS=no cleandir dependall
                # cd ../libcrypt
                # make USETOOLS=no cleandir dependall
                # cd ../libcrypto
                # make USETOOLS=no cleandir dependall
                # cd ../libbind9
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libdns
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libisc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libisccc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libisccfg
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../liblwres
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../usr.sbin/bind
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from
        before 2008-07-16 should be upgraded from NetBSD 4.* sources dated
        2008-07-17 or later.

        The following directories need to be updated from the netbsd-4 or
        netbsd-4-0 branches:
                dist/bind
                usr.sbin/bind

        To update from CVS, re-build, and re-install bind (replace BRANCH
        with netbsd-4 or netbsd-4-0):

                # cd src
                # cvs update -r BRANCH -d -P dist/bind
                # cvs update -r BRANCH -d -P usr.sbin/bind
                # cd usr.sbin/bind
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 3.*:

        Systems running NetBSD 3.* sources dated from before 2008-07-24
        should be upgraded from NetBSD 3.* sources dated 2008-07-25 or
        later.

        The following directories need to be updated from the netbsd-3,
        netbsd-3-0 or netbsd-3-1 branches:
                dist/bind
                usr.sbin/bind

        To update from CVS, re-build, and re-install bind (replace BRANCH
        with netbsd-3, netbsd-3-0 or netbsd-3-1):

                # cd src
                # cvs update -r BRANCH -d -P dist/bind
                # cvs update -r BRANCH -d -P usr.sbin/bind
                # cd usr.sbin/bind
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

The following instructions describe how to upgrade your ipfilter binaries
by updating your source tree and rebuilding and installing a new version
of ipfilter.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-07-24 should
        be upgraded to NetBSD-current dated 2008-07-25 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                dist/ipf
                regress/sys/kern/ipf/regress
                sys/dist/ipf/netinet

        To update from CVS, re-build, and re-install ipfilter:

                # cd src
                # cvs update -d -P dist/ipf regress/sys/kern/ipf/regress \
                        sys/dist/ipf/netinet
                # cd usr.sbin/ipf
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before 2008-09-18
        should be upgraded from NetBSD 4.* sources dated 2008-09-19 or
        later.
        The following directories need to be updated from the netbsd-4 or
        netbsd-4-0 branches:
                dist/ipf
                regress/sys/kern/ipf/regress
                sys/dist/ipf/netinet

        To update from CVS, re-build, and re-install ipfilter:

                # cd src
                # cvs update -d -P dist/ipf regress/sys/kern/ipf/regress \
                        sys/dist/ipf/netinet
                # cd usr.sbin/ipf
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

The following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Christos Zoulas, Greg Troxel, Jeremy C. Reed, Havard Eidnes and Manuel
Bouyer for initial patches and testing on various releases.

Dan Kaminsky is credited with discovering this issue.


Revision History
================

2008-07-25      Initial release
2008-08-30      Updated with BIND versions and additional updates
2008-10-18      Updated with ipfilter(8) port randomisation details


More Information
================

Advisories may be updated as new information becomes available.  The most
recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-009.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2008-009.txt,v 1.4 2008/10/18 14:30:34 adrianp Exp $