CVSS2: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.111 Low (Percentile: 95.1%)
ISC (Internet Systems Consortium) BIND generates cryptographically weak DNS query IDs, which could allow a remote attacker to poison DNS caches.
From the ISC BIND security page:
_The DNS query id generation is vulnerable to cryptographic analysis which provides a 1 in 8 chance of guessing the next query id for 50% of the query ids. This can be used to perform cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers.
All users are encouraged to upgrade._
A remote attacker could predict DNS query IDs and respond with arbitrary answers, thus poisoning DNS caches.
Upgrade or Patch
This issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6. Users who obtain BIND from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.
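To triage an inventory against the fixed releases listed above, the following added example (not part of the CERT/CC note or ISC's code) classifies a BIND version string per branch. The function name `classify` and the status labels are hypothetical, and it assumes upstream-style strings such as the one `named -v` prints; strings with a distribution revision suffix are flagged separately because vendors backport the fix without changing the upstream version.

```python
import re

# Fixed upstream releases per branch, copied from the advisory text above.
FIXED = {"9.2": "9.2.8-P1", "9.3": "9.3.4-P1", "9.4": "9.4.1-P1", "9.5": "9.5.0a6"}

# major.minor.patch, optional pre-release tag (a/b/rc + number), optional -P patch level.
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?")
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}  # pre-releases sort before the final release


def _key(m):
    """Turn a version match into a tuple that sorts in release order."""
    major, minor, patch, stage, stage_n, plevel = m.groups()
    return (int(major), int(minor), int(patch),
            _STAGE[stage], int(stage_n or 0), int(plevel or 0))


def classify(raw):
    """Return a triage label for one version string (labels are hypothetical)."""
    text = raw.strip()
    if text.upper().startswith("BIND "):
        text = text[5:].strip()
    m = _VER.match(text)
    if m is None:
        return "unparseable"
    fixed = FIXED.get(f"{m.group(1)}.{m.group(2)}")
    if fixed is None:
        return "unlisted-branch"   # the advisory names no fixed release for this branch
    if m.end() != len(text):
        return "vendor-build"      # distro suffix: consult the vendor advisory instead
    return "has-fix" if _key(m) >= _key(_VER.match(fixed)) else "predates-fix"


if __name__ == "__main__":
    # Constructed sample inventory, not real host data.
    for sample in ["BIND 9.3.4", "BIND 9.3.4-P1", "9.5.0a5", "9.3.4-2etch1", "9.6.0"]:
        print(f"{sample:16} {classify(sample)}")
```

A `vendor-build` result such as Debian's `9.3.4-2etch1` must be checked against the vendor's own advisory, since comparing it to the upstream release numbers would wrongly report it as unpatched.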
252735
Notified: July 26, 2007 Updated: July 30, 2007
Affected
The Debian project has fixed this vulnerability in its stable distribution Debian GNU/Linux 4.0 in version 9.3.4-2etch1 of bind9 and in its old stable distribution Debian GNU/Linux 3.1 in version 9.2.4-1sarge3 of bind9 via Debian Security Advisory 1341 as in <http://www.debian.org/security/2007/dsa-1341>
The vendor has not provided us with any further information regarding this vulnerability.
See <http://www.debian.org/security/2007/dsa-1341> for more details.
Notified: July 26, 2007 Updated: October 01, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Updated: July 27, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
See <http://www.isc.org/sw/bind/bind-security.php> for more details.
Notified: July 26, 2007 Updated: August 08, 2007
Affected
This weakness has been corrected for Openwall GNU/*/Linux (Owl) 2.0-stable and Owl-current as of 2007/07/30 by updating the BIND package to version 9.3.4-P1.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 26, 2007 Updated: July 28, 2007
Affected
This issue affected the Bind package as shipped with Red Hat Enterprise Linux 2.1, 4, 4, and 5. Updated packages to correct this issue are available along with our advisories at the URLs below and via Red Hat Network.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 26, 2007 Updated: August 03, 2007
Affected
SUSE is affected by VU#252735 (CVE-2007-2926) and has released updates for it. Our advisory is at:
<http://www.novell.com/linux/security/advisories/2007_47_bind.html>
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 26, 2007 Updated: August 03, 2007
Affected
Solaris 10 is affected by this issue. Sun has published Sun Alert 103018 for this issue which is available here:
<http://sunsolve.sun.com/search/document.do?assetkey=1-26-103018-1>
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 26, 2007 Updated: August 06, 2008
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
See <http://www.ubuntu.com/usn/usn-491-1> for more details.
Notified: July 26, 2007 Updated: July 30, 2007
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 26, 2007 Updated: July 30, 2007
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: July 26, 2007 Updated: July 26, 2007
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
This vulnerability was reported by ISC who credit Amit Klein from Trusteer.
This document was written by Ryan Giobbi.
CVE IDs: | CVE-2007-2926 |
---|---|
Severity Metric: | 3.83 |
Date Public: | |