Multiple Vendor DNS Spoofing Vulnerability (MS08-037)

Text Box: Terms and Conditions Copyright® 2008 SecPod, All rights reserved. info@secpod.com

SecPod ID: 10109

Multiple Vendor DNS Spoofing Vulnerability

Status: Public Report

Release Date: 07-09-2008

Updated: 07-10-2008

Severity: High

CVSS Base Score: 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)

CVSS Temporal Score = 6.2

Affected Software/OS/Device:

Implementation of all DNS Client and DNS Server modules including Microsoft Windows, ISC BIND.

Impact Level: System

Snort Signature ID:

Vulnerability Insight:

Overview:

The hosts installed with DNS server or client is prone to DNS Cache Poisoning Vulnerability due to inefficient

randomization of Transaction ID and Source Port entries.

Description:

The vulnerabilities are due to,
- DNS client and DNS server does not provide enough randomization for Transaction ID and Source Port

parameters.
- Under certain conditions the DNS server accepts records from a response that is outside the remote

server’s authority.

Impact :

An attacker could poison the cache directing the traffic to a different location than intended.

CVSS Score Report:

    ACCESS_VECTOR = NETWORK
    ACCESS_COMPLEXITY = LOW
    AUTHENTICATION = NOT_REQUIRED
    CONFIDENTIALITY_IMPACT = PARTIAL
    INTEGRITY_IMPACT = PARTIAL
    AVAILABILITY_IMPACT = PARTIAL
    EXPLOITABILITY = FUNCTIONAL
    REMEDIATION_LEVEL = OFFICIAL_FIX
    REPORT_CONFIDENCE = CONFIRMED

CVSS Base Score = 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score = 6.2

Fix:

Apply the patch released by vendors,
MS08-037 - http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
ISC BIND - http://www.isc.org/index.pl?/sw/bind/index.php
Cisco IOS - http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
Sun DNS - http://sunsolve.sun.com/search/document.do?assetkey=1-21-119783-05-1

RedHat - http://rhn.redhat.com/errata/RHSA-2008-0533.html

Ubuntu - http://www.ubuntu.com/usn/usn-622-1

Debian - http://lists.debian.org/debian-security-announce/2008/msg00185.html

Issues Found:

Loss of Internet connection for ZoneAlarm users after applying MS08-037 patch from Microsoft

http://news.cnet.com/8301-10789_3-9986625-57.html?part=rss&subj=news&tag=2547-1009_3-0-10

References:
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://xforce.iss.net/xforce/xfdb/43334
http://www.us-cert.gov/cas/techalerts/TA08-190B.html
http://securitytracker.com/alerts/2008/Jul/1020440.html
http://securitytracker.com/alerts/2008/Jul/1020438.html

Home Corporate Resources Report Security Bug Diary