CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

EPSS: 0.039 Low (Percentile: 91.9%)
ISC BIND version 8 generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches.
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). Version 8 of the BIND software uses a weak algorithm to generate DNS query identifiers. This condition allows an attacker to reliably guess the next query ID, thereby allowing for DNS cache poisoning attacks.
ISC states that this bug only affects outgoing queries, generated by BIND 8 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFY messages to slave name servers. Note that although this vulnerability is similar in nature and impact to VU#252735, it is a distinct issue.
A remote attacker with the ability to predict DNS query IDs and respond with arbitrary answers could poison DNS caches.
Upgrade or apply a patch
Users should obtain a patch from their operating system vendor when available. Please see the Systems Affected section of this document for more information about specific vendors.
Users who compile their own versions of BIND 8 from the original ISC source code are encouraged to take the following actions described by ISC:
This issue is addressed in ISC BIND 8.4.7-P1, available as a patch that
can be applied to BIND 8.4.7.
The more definitive solution is to upgrade to BIND 9. BIND 8 is being
declared "end of life" by ISC due to multiple architectural issues.
See ISC's website at <http://www.isc.org> for more information and
assistance.
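To apply the remediation guidance above across a fleet, the following added example (not code from CERT/CC or ISC) triages name-server version banners against the fixed release 8.4.7-P1. It assumes the banners have already been collected into an inventory; the function names, verdict labels, and sample inventory are constructed for illustration.

```python
import re

# Matches "8.4.7", "8.4.7-P1", "9.3.4" inside a longer banner string.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-?(P|rc|b|a)(\d+))?", re.I)
FIXED = (8, 4, 7, 1)  # 8.4.7-P1, the fixed release named in the advisory


def parse_bind_version(banner):
    """Return (major, minor, patch, p_level), or None if no version is found.

    "-P<n>" patch releases get p_level n; pre-release tags (a/b/rc) sort
    below the plain release and get p_level -1; anything else gets 0.
    """
    m = _VERSION.search(banner)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    tag, num = m.group(4), m.group(5)
    if tag is None:
        level = 0
    elif tag.upper() == "P":
        level = int(num)
    else:
        level = -1
    return (major, minor, patch, level)


def triage(banner):
    """Classify one banner against the advisory's fix and upgrade guidance."""
    version = parse_bind_version(banner)
    if version is None:
        return "unknown"          # banner hidden or unparseable: check by hand
    if version[0] != 8:
        return "not-bind8"        # outside the scope of this advisory
    if version < FIXED:
        return "affected"         # BIND 8 older than 8.4.7-P1
    return "patched-eol"          # fixed, but BIND 8 is end of life: plan BIND 9


# Constructed inventory: documentation addresses and made-up banners.
SAMPLE_INVENTORY = {
    "192.0.2.10": "8.4.7-REL",
    "192.0.2.11": "BIND 8.4.7-P1",
    "192.0.2.12": "8.2.2-P5",
    "192.0.2.13": "9.3.4",
    "192.0.2.14": "refused",
}


def triage_inventory(inventory):
    return {host: triage(banner) for host, banner in inventory.items()}
```

Hosts reported as `unknown` hide or rewrite their banner and need a package-level check instead; `patched-eol` hosts still fall under the advisory's recommendation to move to BIND 9.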
927905
Notified: August 21, 2007 Updated: August 27, 2007
Affected
This issue is addressed in ISC BIND 8.4.7-P1, available as a patch that
can be applied to BIND 8.4.7.
The more definitive solution is to upgrade to BIND 9. BIND 8 is being
declared "end of life" by ISC due to multiple architectural issues.
See ISC's website at <http://www.isc.org> for more information and
assistance.
The vendor has not provided us with any further information regarding this vulnerability.
Additional information about the problem and the End-of-life status for BIND version 8 can be found at the following location:
<http://www.isc.org/sw/bind/bind8-eol.php>
Notified: August 27, 2007 Updated: August 28, 2007
Not Affected
No product from BlueCat Networks Inc. is affected by vulnerability VU#927905. Every product that we have issued has contained a version of BIND based on v9. We have no software that runs v8.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 27, 2007 Updated: August 27, 2007
Not Affected
We currently run BIND 9.3.4 and are not vulnerable to VU#927905.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 27, 2007 Updated: August 27, 2007
Not Affected
Mandriva does not ship BIND8 in any supported products and is not vulnerable to this issue.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 27, 2007 Updated: August 28, 2007
Not Affected
Thank you for the heads up. While we do use the BIND protocol, we have our own implementation so these implementation-specific vulnerabilities should not affect us.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: August 27, 2007 Updated: August 27, 2007
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Thanks to the Internet Systems Consortium (ISC) for reporting this vulnerability. ISC, in turn, credits Amit Klein from Trusteer for reporting this issue to them.
This document was written by Chad Dougherty.
CVE IDs: | CVE-2007-2930 |
---|---|
Severity Metric: | 2.14 |
Date Public: | |