BIND Vulnerability with Current Version

Orbixx

Hi,

The current BIND version supplied with Directadmin is vulnerable to man-in-the-middle attacks. Can a new version be supplied with Custombuild? As soon as possible, please.

The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka DNS Insufficient Socket Entropy Vulnerability or the Kaminsky bug.

http://www.milw0rm.com/exploits/6122
http://www.milw0rm.com/exploits/6123
http://www.milw0rm.com/exploits/6130
 
Just grab the patched version from your OS distributor: yum or apt-get. I don't know what FreeBSD uses, but I know they have something.

Keep in mind that RedHat does not update the version numbers so it will still say bind-9.3 .... even though it is patched.
 
This is a few-months-old vulnerability, which is quite hard to exploit, requires that the DNS server permits open forwarding resolution, and has a relatively small impact on security.
DA anyway doesn't have bind in its distribution, it just configures it; you will have to update your system just like DA wasn't there, like floyd said.
 
If you are using yum, make sure that your exclude list does not include bind* but does include bind-chroot*. I may be confused, but I swear that my yum.conf had a bind* exclusion that predated the DA install......
 
You are absolutely right. Mine had the bind* exclusion. I took it out and was able to update from bind-9.3.3-9.0.1.el5 to bind-9.3.4-6.0.3.P1.el5_2.
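The yum.conf check the two posts above describe, written up as an added example (not code from this thread or from DirectAdmin): it reads the exclude= line and tells you whether a bind* glob would block the update while a bind-chroot* glob is still in place. The two configs are constructed samples, and matching uses the shell's own glob rules, which is assumed to be close enough to yum's.

```shell
# Added example, not from the thread: check whether a yum.conf exclude list
# would block the bind update discussed above. Both configs below are
# constructed samples, not real DirectAdmin files.
BAD_CONF=$(cat <<'EOF'
[main]
cachedir=/var/cache/yum
exclude=bind* kernel*
EOF
)
GOOD_CONF=$(cat <<'EOF'
[main]
cachedir=/var/cache/yum
exclude=bind-chroot*, kernel*
EOF
)

# Emit the exclude patterns of a yum.conf (read from stdin), one per line.
# yum accepts space- or comma-separated globs on the exclude= line.
yum_excludes() {
  sed -n 's/^[[:space:]]*exclude[[:space:]]*=[[:space:]]*//p' | tr ', ' '\n\n' | sed '/^$/d'
}

# pkg_excluded NAME CONF_TEXT: return 0 if NAME matches any exclude glob,
# 1 otherwise. Shell pattern matching is assumed to mirror yum's globbing.
pkg_excluded() {
  pkg="$1"; conf="$2"
  set -f   # keep "bind*" literal: no pathname expansion in the for loop
  for pat in $(printf '%s\n' "$conf" | yum_excludes); do
    case "$pkg" in
      $pat) set +f; return 0 ;;
    esac
  done
  set +f
  return 1
}

# report CONF_TEXT: the check to run before "yum update bind*".
report() {
  if pkg_excluded bind "$1"; then
    echo "WARN: exclude list blocks bind updates; remove bind* from exclude="
  else
    echo "OK: bind packages are updatable"
  fi
  if pkg_excluded bind-chroot "$1"; then
    echo "OK: bind-chroot is excluded, as the thread recommends"
  else
    echo "NOTE: bind-chroot is not excluded"
  fi
}

report "$BAD_CONF"
report "$GOOD_CONF"
```

To check a live system, replace the sample text with `"$(cat /etc/yum.conf)"` and confirm the installed version afterwards with `rpm -q bind`, remembering that Red Hat keeps the 9.3 base version and only bumps the release suffix.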
 