Security: BIND9 exploit is out. please check your DNS!

Emanuele Gentili | Security | Thursday, July 24th, 2008

I am pleased (?) to annunce that BIND9 exploit is out (CVE-2008-1447).

This exploit targets a fairly ubiquitous flaw in DNS implementations which allow the insertion of malicious DNS records into the cache of the target nameserver.
This exploit caches a single malicious host entry into the target nameserver.
By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.

This issue was fixed in ubuntu via USN-622-1 but more ISP are now vulnerable.

What to do?
First of all check your DNS on www.doxpara.com (right menu)
If your DNS are vulnerable I suggest to switch on Open DNS for fix this security issue.

emgent@amnistia:~$ sudo su root
[sudo] password for emgent:
root@amnistia:/home/emgent# echo “nameserver 208.67.222.222” > /etc/resolv.conf
root@amnistia:/home/emgent# echo “nameserver 208.67.220.220” >> /etc/resolv.conf
root@amnistia:/home/emgent# exit
exit
emgent@amnistia:~$

Background on #ubuntu-quality:
[SNIP]
(04:36) ( emgent) hello
(04:37) ( LaserJock) hi emgent
(04:37) ( emgent) I’m plased to annunce that BIND9 exploit is now pubblic.
(04:37) ( emgent) s/plased/pleased/
(04:38) ( persia) It the solution also public, and distributed?
(04:38) ( emgent) sure. fixed some week ago in ubuntu.
(04:38)  * LaserJock wonders if he should clap or not
(04:39) ( emgent) but more ISP are vulnerale now..
(04:40) ( emgent) persia: you can check your dns on http://www.doxpara.com/ (right menu)
(04:42) ( emgent) s/vulnerale/vulnerable/
(04:44) ( Hobbsee) oh good!  telstra isn’t.
(04:45) ( emgent) nice, Telecom Italia now is vuln.
(04:45) ( persia) NTT is vulnerable, but that is bot unsurprising and unlikely to cause issues.
(04:45) ( emgent) I use Open DNS
(04:47) ( LaserJock) mine is vulnerable it says
(04:47) ( emgent) switch to open dns
(04:49) ( emgent) exploit was pubblished some hours ago.. and there is a big problem.. now all people can hack vuln DNS and redirect google.com to sarcazzo.com for example.
(04:50) ( emgent) i go to write a post in planet.
(04:50) ( LaserJock) interesting
[SNIP]

happy defending! :-)

Perchè questo sito usa Freesoftware? | contatti: emgent @ ubuntu.com | Skype My status

website counter