The BlueCat Customer Care team is your single point of contact for technical expertise and best-in-class 24/7/365 product support. We listen. We understand. We care.
The ISC (Internet Systems Consortium), developers of the BIND DNS server, has announced a vulnerability which affects the version of BIND running in versions 6.x of Adonis.
This is a potential security risk that only affects customers that allow recursive DNS queries and are performing DNSSEC validation.
BlueCat has a patch available for Adonis that upgrades the underlying instance of ISC BIND to the relevant patched version of the software, now released by ISC, to mitigate this issue. The patch incorporates the ISC BIND fix for CERT VU#418861.
For Adonis versions 6.x, click the link below to access the patch and installation instructions.
A vulnerability has been announced by the US-CERT (US Computer Emergency Readiness Team) (http://www.kb.cert.org/vuls/id/725188) which affects the version of BIND running in versions 4.x, 5.x, and 6.x of Adonis.
US-CERT provides the following description:
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (http://www.isc.org/) (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136 (http://tools.ietf.org/html/rfc2136). BIND 9 can crash when processing a specially-crafted dynamic update packet. ISC notes that this vulnerability affects all servers and is not limited to those that are configured to allow dynamic updates.
BlueCat is working diligently to release an update to Adonis that will upgrade the underlying instance of ISC BIND to the relevant patched version of the software, now released by ISC, which will mitigate this issue. An announcement will be made as soon as this is available.
Note: If you have xHA (Crossover High Availability) enabled, the cluster will failover if attacked. This should somewhat prevent service interruption until a patch is made available.
Once this announcement is received, customers are strongly encouraged to patch their servers immediately, as there is no viable workaround for this issue.
On January 18, 2009, the SANS Internet Storm Center reported the first instances of what is now being described as a DNS DDOS (distributed denial of service) attack (see http://isc.sans.org/diary.html?storyid=5713).
The attack is simple: the attacker spoofs the victim's source address in a DNS query for '.' (dot) to a DNS server, which then generates a much larger response that is sent to the victim. This is also known as an amplification attack, whereby the attacker's traffic is amplified roughly 10-fold by the natural DNS response. The purpose of the attack is to generate as much traffic as possible towards the victim's system (the spoofed address used) or network.
It is also quite likely that the owner or administrators of the participating DNS server are completely unaware that their system is being used in this way. In fact, if the queries are successfully answered, then most logging levels will not report this activity at all.
The attack takes advantage of certain configurations on the part of the participating DNS server. This includes all BIND and Microsoft DNS servers.
For Adonis, the results are as follows:

v5.5.0 and v5.5.1
With recursion enabled:
Check that "allow-query-cache" is not set to allow more sources than "allow-recursion". If allow-query-cache is no wider than allow-recursion, the server will deny the request and defeat the attack.
With recursion not enabled:
Set additional-from-cache no; the server will deny the request and defeat the attack.

v5.1
With recursion enabled:
The system will respond to these requests regardless of any other settings. We recommend disabling recursion on external facing Adonis systems.
With recursion disabled:
Set additional-from-cache no, set additional-from-auth no; the server will deny the request and defeat the attack.
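The settings above, shown as BIND 9 named.conf fragments. This is an added example and not configuration shipped by BlueCat; the ACL name "internal" and the address ranges in it are assumptions, and each options block is an alternative for a separate server, since named.conf allows only one options block per file.

```conf
# Added example, not from the BlueCat advisory. "internal" and its
# address ranges are assumed; adjust to the networks that may recurse.
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

# Weak (recursive resolver): recursion is limited to internal clients,
# but the cache is queryable by anyone, so a spoofed query for "." from
# outside is still answered from cache and amplified.
options {
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { any; };    # wider than allow-recursion
};

# Corrected (recursive resolver, Adonis v5.5.0/v5.5.1): cache access is
# no wider than recursion, so the spoofed external query is denied.
options {
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };
};

# Corrected (external-facing server with recursion disabled, v5.5.x):
# do not add records from cache to responses.
options {
    recursion no;
    additional-from-cache no;
};

# Corrected (external-facing server with recursion disabled, v5.1):
# v5.1 also needs additional-from-auth switched off.
options {
    recursion no;
    additional-from-cache no;
    additional-from-auth  no;
};
```

After changing the configuration, run named-checkconf and reload the service, then confirm from an external address that a query for '.' is refused rather than answered.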
You can also see various other mechanisms to detect and protect against this attack on the SANS site (see http://isc.sans.org/diary.html?storyid=5713).
Neither ISC nor CERT has issued any advisories, vulnerability notes or other notices, indicating that this is not considered a major problem. Reports on the incidence of attacks have been low in number.