Malaysian Computer Emergency Response Team

Services

Advisories Cyber999 Help Centre Malware Research Centre Incident Statistics

MyCERT Statistic

Reported Incidents based on General Incident Classification Statistics 2012

Help Centre

Reporting Channels

Definitions of Incidents

Cyber999 - Service Level Agreement

MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2008

MA-135.072008 : MyCERT Special Alert - Multiple Vendor DNS vulnerabilities

Original Issue Date: 25th July 2008

1.0 Affected Products

Apart from Microsoft DNS that is affected by vulnerability (MA-134.072008), there are other DNS services from other developers that are experiencing this vulnerability. In addition to the Microsoft DNS, this will sum up to affect a greater number of Internet users.

Other DNS services/products that are affected by Man in the Middle attacks are:

Cisco
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml
ISC-BIND
http://www.isc.org/index.pl?/sw/bind/bind-security.php

ISC-BIND based DNS services are in service in multiple products. Thus, various products are affected by this vulnerability. Full list are available at US-CERT website, http://www.kb.cert.org/vuls/id/800113

Listed below are among commonly used distribution that uses ISC-BIND.

RedHat
https://rhn.redhat.com/errata/RHSA-2008-0533.html
Sun
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239392-1
Debian
http://www.debian.org/security/2008/
Ubuntu
http://www.ubuntu.com/usn/usn-622-1

2.0 Impact

The vulnerabilities could enable attacker to send spoof response of a DNS query and inject false information to the DNS request. This may allow the attacker to trick unsuspecting users to fraudulent or malicious websites. This vulnerability lies in the guessable DNS transaction ID that enables attacker to guess and implement the exploit. Please be aware that there is EXPLOIT AVAILABLE that could be obtained from the Internet for this vulnerability

3.0 Fixes

Administrators are advised to implement the remedial action based on their version of BIND and/or Operating System respectively. Please also ensure that DNS responses are allowed back and forth between authorized networks and machines only. Set the firewall to allow DNS requests and response to port 53 between known machines only.

4.0 References

http://www.kb.cert.org/vuls/id/800113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://osvdb.org/search/advsearch?search%5Bvuln_title%5D=&vuln_title_search_type=and&search%5Bs_date%5D=&search%5Be_date%5D=&search%5Brefid%5D=2008-1447&search%5Breferencetypes%5D=CVEID&search%5Bgeneral%5D=&search%5Bvendors%5D=&kthx=search

Produced in 25th July 2008 by MyCERT, CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:

Initial Release: 25th July 2008