Debian Security Advisory

DSA-1603-1 bind9 -- DNS cache poisoning

Date Reported:
08 Jul 2008
Affected Packages:
bind9
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2008-1447.
CERT's vulnerabilities, advisories and incident notes: VU#800113.
More information:

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult.

Note that this security update changes BIND's network behaviour in a fundamental way, and the following steps are recommended to ensure a smooth upgrade.

1. Make sure that your network configuration is compatible with source port randomization. If you guard your resolver with a stateless packet filter, you may need to make sure that no non-DNS services are listening on the UDP port range 1024 to 65535, and open that range at the packet filter. For instance, packet filters based on etch's Linux 2.6.18 kernel only support stateless filtering of IPv6 packets, and are therefore affected by this additional issue. (If you use IPv4 with iptables and ESTABLISHED rules, network changes will probably not be necessary.)

2. Install the BIND 9 upgrade using apt-get update followed by apt-get install bind9. Check that the named process has been restarted and answers recursive queries. (If all queries time out, this is an indication that network changes are required; see step one.)

3. Check that source port randomization is enabled. Make sure that the file /var/log/daemon.log does not contain messages of the following form

named[6106]: /etc/bind/named.conf.options:28: using specific query-source port suppresses port randomization and can be insecure.

right after the listening on IPv6 interface and listening on IPv4 interface messages logged by BIND at program startup. If these messages are present, you should remove the indicated line from the configuration or replace the port numbers in it with the * character (for instance, replace port 53 with port *).

For additional certainty, use tcpdump or another network monitoring tool to check for varying UDP source ports. If there is a NAT device in front of your resolver, make sure that it does not undo the effect of source port randomization.

4. If you cannot enable source port randomization, consider configuring BIND 9 to forward queries to a resolver which can, possibly over a VPN such as OpenVPN to create the necessary trusted network link. (Use BIND's forward-only mode in this case.)

Other caching resolvers distributed by Debian (PowerDNS, MaraDNS, Unbound) already use source port randomization, and no updated packages are needed. BIND 9.5 up to and including version 1:9.5.0.dfsg-4 only implements a weak form of source port randomization and needs to be updated as well. For information about BIND 8, see DSA-1604-1, and for the status of the libc stub resolver, see DSA-1605-1.

The updated bind9 packages contain changes originally scheduled for the next stable point release, including the changed IP address of L.ROOT-SERVERS.NET (Debian bug number 449148).

For the stable distribution (etch), this problem has been fixed in version 9.3.4-2etch3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your bind9 package.

Fixed in:
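The verification in step 3 can be scripted. The following is an added example, not code from the Debian advisory or from BIND: it scans constructed daemon.log lines for the pinned-port warning, rewrites a pinned query-source port to *, and checks whether the source ports in constructed tcpdump -n output actually vary. The resolver address 192.0.2.10, the sample lines and the sample-count and distinct-ratio thresholds are assumptions made for the example.

```python
import re

# Constructed sample of /var/log/daemon.log lines after a BIND restart (not from the advisory).
SAMPLE_DAEMON_LOG = """\
Jul  8 10:00:01 ns1 named[6106]: listening on IPv6 interface lo, ::1#53
Jul  8 10:00:01 ns1 named[6106]: listening on IPv4 interface eth0, 192.0.2.10#53
Jul  8 10:00:01 ns1 named[6106]: /etc/bind/named.conf.options:28: using specific query-source port suppresses port randomization and can be insecure.
"""

# Constructed tcpdump-style lines of outgoing queries (resolver 192.0.2.10 -> upstream 198.51.100.1).
SAMPLE_PINNED = "\n".join(
    f"10:00:0{i} IP 192.0.2.10.53 > 198.51.100.1.53: {1000+i}+ A? host{i}.example. (30)" for i in range(8))
SAMPLE_RANDOM = "\n".join(
    f"10:00:0{i} IP 192.0.2.10.{p} > 198.51.100.1.53: {1000+i}+ A? host{i}.example. (30)"
    for i, p in enumerate([34811, 51202, 9731, 60044, 27510, 44397, 16185, 58921]))

SUPPRESSION_RE = re.compile(
    r"named\[\d+\]: (?P<file>\S+):(?P<line>\d+): using specific query-source port "
    r"suppresses port randomization")
TCPDUMP_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > [\d.]+\.53: ")
QUERY_SOURCE_RE = re.compile(r"(query-source(?:-v6)?\b[^;]*?\bport\s+)\d+(\s*;)")

def find_port_suppression(log_text):
    """(config file, line) for each BIND startup warning about a pinned query-source port."""
    return [(m.group("file"), int(m.group("line"))) for m in SUPPRESSION_RE.finditer(log_text)]

def unpin_query_source_port(conf_text):
    """Rewrite 'query-source ... port N;' to 'port *' so named picks random source ports."""
    return QUERY_SOURCE_RE.sub(r"\g<1>*\2", conf_text)

def outbound_source_ports(tcpdump_text, resolver_ip):
    """Source ports of UDP/53 queries sent by resolver_ip, parsed from tcpdump -n output."""
    return [int(m.group("sport")) for m in TCPDUMP_RE.finditer(tcpdump_text)
            if m.group("src") == resolver_ip]

def ports_look_randomized(ports, min_samples=8, min_distinct_ratio=0.9):
    """Heuristic: nearly all observed source ports should differ and none should be fixed at 53.
    Capture on the outside of any NAT device, since NAT can rewrite the ports named chose."""
    if len(ports) < min_samples:
        raise ValueError(f"need at least {min_samples} observed queries, got {len(ports)}")
    return 53 not in ports and len(set(ports)) / len(ports) >= min_distinct_ratio

if __name__ == "__main__":
    print("pinned-port warnings:", find_port_suppression(SAMPLE_DAEMON_LOG))
    print("pinned capture randomized?", ports_look_randomized(outbound_source_ports(SAMPLE_PINNED, "192.0.2.10")))
    print("random capture randomized?", ports_look_randomized(outbound_source_ports(SAMPLE_RANDOM, "192.0.2.10")))
```

On a real host, feed the script the output of tcpdump -n -i <iface> udp dst port 53 captured over a few dozen queries rather than the eight constructed lines.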

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3.dsc
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4.orig.tar.gz
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.3.4-2etch3_all.deb
Alpha:
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_sparc.deb

MD5 checksums of the listed files are available in the original advisory.