Another BIND vulnerability (cache poisoning)

Jan-Erik Söderholm wrote:
> Jeffrey H. Coffield wrote:
>> I contacted HP support for one of my customers and got the following
>> response:
>>
>>> There are 2 part to DNS.
>>> 1) Server
>>> - The vulnerability only affects the servers and may render it
>>> "compromised", and there is a fix for this.
>>>
>>> 2) Resolver/client
>>> - The vulnerability will not affect the clients directly and there is
>>> no fix for it.
>>>
>
> I take it for granted that the above was regarding VMS, right ?
>

Yes

On Mon, 28 Jul 2008 08:12:34 -0700, wrote:

> In article , "Tom Linden"
> writes:
>> On Mon, 28 Jul 2008 06:42:43 -0700, wrote:
>>
>>> No - unpatched internal DNS servers which are setup to do recursive
>>> queries are
>>> vulnerable to attack from compromised internal windows systems.
>>
>> How do you check if it is set up that way?
>>
>
> Look in TCPIP$BIND.CONF
>
> If recursion is restricted to internal systems you will have something
> like
>
> acl "internal" {
> xxx.xxx.xxxx/24 ; 10/8 ;
> };
>
> options {
> directory "SYS$SPECIFIC:[TCPIP$BIND]";
> allow-recursion { "internal"; };
> max-cache-size 10M;
> };
>
> If there is no allow-recursion option specified then recursion is allowed
> from all hosts.
>
Don't have an acl statement, and only

options {
directory "TCPIP$BIND_COMMON:[TCPIP$BIND]";
recursion yes;

> see
>
> http://www.openvms.compaq.com/doc/83...nd9_access_tab
>
> and for the acl statement
>
> http://www.openvms.compaq.com/doc/83...#bind9_acl_sec
>
>
> David Webb
> Security team leader
> CCSS
> Middlesex University
>
>> --
>> PL/I for OpenVMS
>> www.kednos.com

--
PL/I for OpenVMS
www.kednos.com

On 28 Jul, 14:12, davi...@alpha1.mdx.ac.uk wrote:
> In article , koeh...@eisner.nospam..encompasserve.org (Bob Koehler) writes:
>
> >In article <488a10c0$0$14356$c3e8...@news.astraweb.com>, JF Mezei writes:
>
> >> If VMS is not affected, then HP should post this info on the CERT web
> >> site to indicate that VMS has been tested and while the public tests
> >> show it as vulnerable, it is not vulnerable to actual "attacks".
>
> > * How does HP define whether VMS is affected, when HP doesn't own all
> > * the BIND implementations being run on VMS? * The best HP can do is
> > * tell us whether UCX (clear throat, "HP TCP/IP Services for OpenVMS")
> > * is affected.
>
> That is ALL that is being asked of them.
>
> > * What has Process got to say about theirs?
>
> They have already released patches for the vulnerability
>
> see
>
> http://www.multinet.process.com/scri...NAMED-050_A052
>
> released 16th July
>
> and for TCPWARE
>
> http://vms.process.com/scripts/eco/e...NAMED_V582P010
>
> released 18th July
>
> David Webb
> Security team leader
> CCSS
> Middlesex University

Note those are for the current versions. Patches for earlier versions
(e.g. TCPWARE V5.7-2) will be along sometime.

On 28 Jul, 14:12, Jan-Erik Söderholm
wrote:
> IanMiller wrote:
> > On Jul 25, 9:37 pm, Jan-Erik Söderholm
> > wrote:
>
> >> I'm failing to see how this is a major problem for
> >> my VMS systems, at least...
>
> >> Jan-Erik.
>
> > As far as I can see you only have a problem if you have BIND resolver
> > that does recursive searches *using DNS servers you don't control.
> > So if you use local host file then not a problem. If you use internal
> > corporate DNS servers only then not a problem either.
> > I suspect few VMS systems are vulnerable in practice.
>
> OK, as I thought.
>
> So probably the only affected VMS systems are a few hobbyist
> systems with direct Internet connections here and there.
> Hardly something to care *that* much about.
>
> And I'd guess that the only case when a VMS systems has to
> resolve a lot of external domains, is if you use your
> VMS systems for "surfing", and I can't realy see why
> you'd want to do that. There are much better and cheaper
> "surf-platforms" available...
>
> So, again, where *is* the problem ?? Besides of the
> possible perception that HP don't care, of course...
>
> Jan-Erik.
>
> > As usual, the problem is perception not reality. HP have not yet
> > produced a patch therefore they don't care rather than actually
> > looking at how many VMS systems that you manage have problem and doing
> > something about it (if necessary).

The reaction here is as expected. The usual arguments rehashed. :-(
I expect those few people that have had a potential problem on their
VMS systems have done something about it - changed configuration or
contacted the vendor of their TCPIP product.

In article <488e0fbb$0$1845$c3e8da3@news.astraweb.com>, JF Mezei writes:
>david20@alpha1.mdx.ac.uk wrote:
>> Look in TCPIP$BIND.CONF
>>
>> If recursion is restricted to internal systems you will have something like
>>
>> acl "internal" {
>> xxx.xxx.xxxx/24 ; 10/8 ;
>> };
>>
>> options {
>> directory "SYS$SPECIFIC:[TCPIP$BIND]";
>> allow-recursion { "internal"; };
>> max-cache-size 10M;
>> };
>>
>> If there is no allow-recursion option specified then recursion is allowed
>> from all hosts.
>
>
>Pardon my ignorance, but this latest issue happens when a local client
>tries to resolve a list of foreign hosts and uses his designated DNS
>server to do this. So the requests come from the internal lan and are
>thus validated in the above rule, aren't they ?

Yes the above just shows the the DNS being set up so that only internal hosts
can send requests for recursive replies. This is a fairly common setup since
providing recursion for external hosts has long been frowned upon.

(
note. If you turn off recursion totally then the DNS server will then send
back a referral to your client which will then have to contact a more
authorative server itself. This would mean that your DNS server would do no
caching but would also slow down DNS lookups. It would also mean that your
internal DNS clients would need to have the ability to make direct calls to
external DNS servers over udp 53 (and possibly tcp 53 depending upon the
client) through your firewall.
)

The issue is the DNS cache being poisoned by someone managing to get a record
for say google.com into your DNS' cache pointing at their site.
To do this they send requests for domain1.google.com, domain2.google.com ...
to your DNS and at the same time forge lots of responses which contain as
additional information that the DNS server should goto google.com
(with their address) for an authorative answer. The address they provide for
google.com is then cached by your server. Without the patch getting this to
work ie getting the false google record cached is a low probability event but
is feasible in a reasonable amount of time by just keeping repeating this
attack. With the patch the amount of time required becomes pretty much
totally infeasible.
This can all theoretically be carried out from an owned internal system
ie virus infected system, system which has downloaded something from the
web etc etc

David Webb
Security team leader
CCSS
Middlesex University

In article , "Tom Linden" writes:
>On Mon, 28 Jul 2008 08:12:34 -0700, wrote:
>
>> In article , "Tom Linden"
>> writes:
>>> On Mon, 28 Jul 2008 06:42:43 -0700, wrote:
>>>
>>>> No - unpatched internal DNS servers which are setup to do recursive
>>>> queries are
>>>> vulnerable to attack from compromised internal windows systems.
>>>
>>> How do you check if it is set up that way?
>>>
>>
>> Look in TCPIP$BIND.CONF
>>
>> If recursion is restricted to internal systems you will have something
>> like
>>
>> acl "internal" {
>> xxx.xxx.xxxx/24 ; 10/8 ;
>> };
>>
>> options {
>> directory "SYS$SPECIFIC:[TCPIP$BIND]";
>> allow-recursion { "internal"; };
>> max-cache-size 10M;
>> };
>>
>> If there is no allow-recursion option specified then recursion is allowed
>> from all hosts.
>>
>Don't have an acl statement, and only
>
>options {
> directory "TCPIP$BIND_COMMON:[TCPIP$BIND]";
> recursion yes;
>

In that case it looks like anyone, internal or external, who can send a
DNS query on udp or tcp 53 to your server can send a recursive query.
(Of course you may have firewalls in place protecting the DNS server from
external access).

David Webb
Security team leader
CCSS
Middlesex University

>> see
>>
>> http://www.openvms.compaq.com/doc/83...nd9_access_tab
>>
>> and for the acl statement
>>
>> http://www.openvms.compaq.com/doc/83...#bind9_acl_sec
>>
>>
>> David Webb
>> Security team leader
>> CCSS
>> Middlesex University
>>
>>> --
>>> PL/I for OpenVMS
>>> www.kednos.com
>
>
>
>--
>PL/I for OpenVMS
>www.kednos.com

In article <090544ea-822b-4c3c-99f3-2325bc826c1a@c65g2000hsa.googlegroups.com>, IanMiller writes:
>On 28 Jul, 14:12, davi...@alpha1.mdx.ac.uk wrote:
>> In article , koeh...@eisner.nospam=
>..encompasserve.org (Bob Koehler) writes:
>>
>> >In article <488a10c0$0$14356$c3e8...@news.astraweb.com>, JF Mezei
>ei.spam...@vaxination.ca> writes:
>>
>> >> If VMS is not affected, then HP should post this info on the CERT web
>> >> site to indicate that VMS has been tested and while the public tests
>> >> show it as vulnerable, it is not vulnerable to actual "attacks".
>>
>> > =A0 How does HP define whether VMS is affected, when HP doesn't own all
>> > =A0 the BIND implementations being run on VMS? =A0 The best HP can do i=
>s
>> > =A0 tell us whether UCX (clear throat, "HP TCP/IP Services for OpenVMS"=
>)
>> > =A0 is affected.
>>
>> That is ALL that is being asked of them.
>>
>> > =A0 What has Process got to say about theirs?
>>
>> They have already released patches for the vulnerability
>>
>> see
>>
>> http://www.multinet.process.com/scri...NAMED-050_A052
>>
>> released 16th July
>>
>> and for TCPWARE
>>
>> http://vms.process.com/scripts/eco/e...NAMED_V582P010
>>
>> released 18th July
>>
>> David Webb
>> Security team leader
>> CCSS
>> Middlesex University
>
>
>Note those are for the current versions. Patches for earlier versions
>(e.g. TCPWARE V5.7-2) will be along sometime.

Though that is slightly less of an issue since the latest versions of
TCPWARE and Multinet will run on versions of VMS back to VMS 5.5-2.
Hence it is much more likely users will either already be running the latest
version or will be able to upgrade without too much difficulty.
With UCX it is more of an issue since recent versions have been much more tied
to the OS version hence upgrading to the latest DEC TCPIP service version may
also mean upgrading to a new OS version.

David Webb
Security team leader
CCSS
Middlesex University

Note that Apple is behind on this patch too:

http://db.tidbits.com/article/9706

In article , "Richard Whalen" writes:
> Note that Apple is behind on this patch too:
>
> http://db.tidbits.com/article/9706

How many folks are using thier Macs as DNS servers? Suns are much
more popular for that purpose, although I no longer know what is
being used "around here".

On 29 Jul, 13:37, "Richard Whalen" wrote:
> Note that Apple is behind on this patch too:
>
> http://db.tidbits.com/article/9706

and are the apple mac newsgroups filled with people shouting that this
is the end of the mac? I guess not.

On Tue, 29 Jul 2008 04:04:03 -0700, wrote:

> In article , "Tom Linden"
> writes:
>> On Mon, 28 Jul 2008 08:12:34 -0700, wrote:
>>
>>> In article , "Tom
>>> Linden"
>>> writes:
>>>> On Mon, 28 Jul 2008 06:42:43 -0700, wrote:
>>>>
>>>>> No - unpatched internal DNS servers which are setup to do recursive
>>>>> queries are
>>>>> vulnerable to attack from compromised internal windows systems.
>>>>
>>>> How do you check if it is set up that way?
>>>>
>>>
>>> Look in TCPIP$BIND.CONF
>>>
>>> If recursion is restricted to internal systems you will have something
>>> like
>>>
>>> acl "internal" {
>>> xxx.xxx.xxxx/24 ; 10/8 ;
>>> };
>>>
>>> options {
>>> directory "SYS$SPECIFIC:[TCPIP$BIND]";
>>> allow-recursion { "internal"; };
>>> max-cache-size 10M;
>>> };
>>>
>>> If there is no allow-recursion option specified then recursion is
>>> allowed
>>> from all hosts.
>>>
>> Don't have an acl statement, and only
>>
>> options {
>> directory "TCPIP$BIND_COMMON:[TCPIP$BIND]";
>> recursion yes;
>>
>
>
> In that case it looks like anyone, internal or external, who can send a
> DNS query on udp or tcp 53 to your server can send a recursive query.
> (Of course you may have firewalls in place protecting the DNS server from
> external access).
>

So how should it be configured to obviate this flaw?

> David Webb
> Security team leader
> CCSS
> Middlesex University
>
>
>
>
>
>
>>> see
>>>
>>> http://www.openvms.compaq.com/doc/83...nd9_access_tab
>>>
>>> and for the acl statement
>>>
>>> http://www.openvms.compaq.com/doc/83...#bind9_acl_sec
>>>
>>>
>>> David Webb
>>> Security team leader
>>> CCSS
>>> Middlesex University
>>>
>>>> --
>>>> PL/I for OpenVMS
>>>> www.kednos.com
>>
>>
>>
>> --
>> PL/I for OpenVMS
>> www.kednos.com

--
PL/I for OpenVMS
www.kednos.com

In article , "Tom Linden" writes:
>On Tue, 29 Jul 2008 04:04:03 -0700, wrote:
>
>> In article , "Tom Linden"
>> writes:
>>> On Mon, 28 Jul 2008 08:12:34 -0700, wrote:
>>>
>>>> In article , "Tom
>>>> Linden"
>>>> writes:
>>>>> On Mon, 28 Jul 2008 06:42:43 -0700, wrote:
>>>>>
>>>>>> No - unpatched internal DNS servers which are setup to do recursive
>>>>>> queries are
>>>>>> vulnerable to attack from compromised internal windows systems.
>>>>>
>>>>> How do you check if it is set up that way?
>>>>>
>>>>
>>>> Look in TCPIP$BIND.CONF
>>>>
>>>> If recursion is restricted to internal systems you will have something
>>>> like
>>>>
>>>> acl "internal" {
>>>> xxx.xxx.xxxx/24 ; 10/8 ;
>>>> };
>>>>
>>>> options {
>>>> directory "SYS$SPECIFIC:[TCPIP$BIND]";
>>>> allow-recursion { "internal"; };
>>>> max-cache-size 10M;
>>>> };
>>>>
>>>> If there is no allow-recursion option specified then recursion is
>>>> allowed
>>>> from all hosts.
>>>>
>>> Don't have an acl statement, and only
>>>
>>> options {
>>> directory "TCPIP$BIND_COMMON:[TCPIP$BIND]";
>>> recursion yes;
>>>
>>
>>
>> In that case it looks like anyone, internal or external, who can send a
>> DNS query on udp or tcp 53 to your server can send a recursive query.
>> (Of course you may have firewalls in place protecting the DNS server from
>> external access).
>>
>
>So how should it be configured to obviate this flaw?
>

Set it up with an ACL to restrict recursion to your internal systems which will
stop external attacks and then patch this vulnerability when a patch is
released.

David Webb
Security team leader
CCSS
Middlesex University

>> David Webb
>> Security team leader
>> CCSS
>> Middlesex University
>>
>>
>>
>>
>>
>>
>>>> see
>>>>
>>>> http://www.openvms.compaq.com/doc/83...nd9_access_tab
>>>>
>>>> and for the acl statement
>>>>
>>>> http://www.openvms.compaq.com/doc/83...#bind9_acl_sec
>>>>
>>>>
>>>> David Webb
>>>> Security team leader
>>>> CCSS
>>>> Middlesex University
>>>>
>>>>> --
>>>>> PL/I for OpenVMS
>>>>> www.kednos.com
>>>
>>>
>>>
>>> --
>>> PL/I for OpenVMS
>>> www.kednos.com
>
>
>
>--
>PL/I for OpenVMS
>www.kednos.com

On Jul 29, 8:30*am, IanMiller wrote:
> On 29 Jul, 13:37, "Richard Whalen" wrote:
>
> > Note that Apple is behind on this patch too:
>
> >http://db.tidbits.com/article/9706
>
> and are the apple mac newsgroups filled with people shouting that this
> is the end of the mac? I guess not.

No, but there are a lot of very unhappy and heated posts about it; I
imagine Apple is catching flak more directly too. We'll see how they
respond (since they already missed the boat on a proactive one)
compared to HP.

Richard Whalen wrote:
> Note that Apple is behind on this patch too:
>
> http://db.tidbits.com/article/9706
>

This is bad for Apple that is trying to make it into offices. And it is
made even worse because tidbits picked up on it and that will give
OS-X/Apple a bad image.

VMS is lucky in the sense that the media won't mention the fact that HP
isn't publically releasing a patch or making any mention of VMS in this
issue.

BTW, Ricky Branson unveiled a new aircraft yesterday, the one that will
get his space capsule high enough to be launched. Its name uses 2
formerly copywrited terms in the VMS community:

VMS eve !!!!!!

(I lost a lot of respect for him when his ISP business in the UK
publically announced that net neutrality was bull**** and that it woudl
fight efforts to preserve net neutrality).

Hi Richard

"Richard Whalen" wrote in message
news:g6n2uh$25k$1@news.process.com...
> Note that Apple is behind on this patch too:
>
> http://db.tidbits.com/article/9706
>
>

Apparently it's because Steve Jobs is coding the changes himself, and is
feeling (certainly looking) a bit off-colour at the moment.

Should be along shortly; just after Java 6 :-)

Cheers Richard Maher

koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes in article dated 29 Jul 2008 07:59:57 -0500:
>In article , "Richard Whalen" writes:
>> Note that Apple is behind on this patch too:
>>
>> http://db.tidbits.com/article/9706
>
> How many folks are using thier Macs as DNS servers? Suns are much
> more popular for that purpose, although I no longer know what is
> being used "around here".

Only a hobbyist would use a boutique OS like VMS or MACOS for a service as
mundane as DNS in the first place. But this threat was enough to make me
migrate to Linux. All it took was some minor editing of the .conf file;
the .db files just worked.

Next migrations: HTTP and the dreaded mail services (SMTP and IMAP).

--Spud Demon

On Thu, 31 Jul 2008 20:53:24 -0700, Spud Demon
wrote:

> koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes in article
> dated 29 Jul 2008 07:59:57 -0500:
>> In article , "Richard Whalen"
>> writes:
>>> Note that Apple is behind on this patch too:
>>>
>>> http://db.tidbits.com/article/9706
>>
>> How many folks are using thier Macs as DNS servers? Suns are much
>> more popular for that purpose, although I no longer know what is
>> being used "around here".
>
> Only a hobbyist would use a boutique OS like VMS or MACOS for a service
> as
> mundane as DNS in the first place. But this threat was enough to make me
> migrate to Linux. All it took was some minor editing of the .conf file;
> the .db files just worked.
>
> Next migrations: HTTP and the dreaded mail services (SMTP and IMAP).

What don't you like about WASD or MX?

>
> --Spud Demon

--
PL/I for OpenVMS
www.kednos.com

In article , "Tom Linden" writes:
>On Thu, 31 Jul 2008 20:53:24 -0700, Spud Demon
> wrote:
>
>> koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes in article
>> dated 29 Jul 2008 07:59:57 -0500:
>>> In article , "Richard Whalen"
>>> writes:
>>>> Note that Apple is behind on this patch too:
>>>>
>>>> http://db.tidbits.com/article/9706
>>>
>>> How many folks are using thier Macs as DNS servers? Suns are much
>>> more popular for that purpose, although I no longer know what is
>>> being used "around here".
>>
>> Only a hobbyist would use a boutique OS like VMS or MACOS for a service
>> as
>> mundane as DNS in the first place. But this threat was enough to make me
>> migrate to Linux. All it took was some minor editing of the .conf file;
>> the .db files just worked.
>>
>> Next migrations: HTTP and the dreaded mail services (SMTP and IMAP).
>
>What don't you like about WASD or MX?
>
Or PMDF

or even Communigate PRO

David Webb
Security team leader
CCSS
Middlesex

>>
>> --Spud Demon
>
>
>
>--
>PL/I for OpenVMS
>www.kednos.com

On Jul 29, 7:37*am, "Richard Whalen" wrote:
> Note that Apple is behind on this patch too:
>
> http://db.tidbits.com/article/9706

Apple has released a fix for OS-X 10.4 and 10.5

http://support.apple.com/kb/HT2647

So I guess now we're just waiting on HP for a fix or at least a
statement.

In article , Rich Jordan writes:
>On Jul 29, 7:37=A0am, "Richard Whalen" wrote:
>> Note that Apple is behind on this patch too:
>>
>> http://db.tidbits.com/article/9706
>
>Apple has released a fix for OS-X 10.4 and 10.5
>
>http://support.apple.com/kb/HT2647
>
>So I guess now we're just waiting on HP for a fix or at least a
>statement.

It seems they do have a fix available but for some reason don't seem to be
publicising that fact

"
As I mentioned before, we do have the updated images in hand -- just need to
confirm that you need them and for which platform and version (Alpha or
Integrity; V5.6, V5.5, or V5.4). I guess another option would be to go ahead
and distribute a saveset containing images for all those versions; we have
such a saveset built also.
I am pleased to hear that you are using the BIND server on OpenVMS, and I
wish more customers would choose such a configuration.
"

Maybe VMS engineering should for security patches think of following the HP-UX
teams lead by notifying comp.os.vms. They regularly publish security patch
notifications to

comp.sys.hp.hpux,
comp.security.unix
and
comp.security.misc

David Webb
Security team leader
CCSS
Middlesex University

Another BIND vulnerability (cache poisoning) - VMS

Thread: Another BIND vulnerability (cache poisoning)

LinkBack

Tools

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)

Re: Another BIND vulnerability (cache poisoning)