The BlueCat Customer Care team is your single point of contact for technical expertise and best-in-class 24/7/365 product support. We listen. We understand. We care.

Security & Vulnerability Updates

BlueCat Networks understands the critical nature of DNS, DHCP and IPAM services and the impact of a security risk to these services. As part of BlueCat's initiative to provide customers with up-to-date information on potential security issues, we publicly track all known security issues related to our products. A description of each published security issue is listed below outlining the impact of each issue and how to mitigate against the attack.

2014   |   2013   |   2012   |   2011   |   2010   |   2009   |   2008

April 2014

SSL contains a vulnerability that could disclose private information to an attacker
CERT NUMBER: CVE-2014-0160

A vulnerability has been announced - CVE-2014-0160 which affects the version of SSL used by BlueCat.

Affected Versions:
All Address Manager (Proteus) 4.x and DNS/DHCP Server (Adonis) 7.x versions.

Short Description:
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

OpenSSL contains a flaw in its implementation of the TLS/DTLS heartbeat functionality (RFC6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

• Primary key material (secret keys)
• Secondary key material (user names and passwords used by vulnerable services)
• Protected content (sensitive data used by vulnerable services)
• Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Please visit Care and review KB-6745 to download the patch and associated release notes.

January 2014

A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
CERT NUMBER: CVE-2014-0591

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2014-0591 which affects ISC BIND.

Affected Versions:
Authoritative name servers using DNSSEC with at least one NSEC3-signed zone.

Short Description:
A specially crafted query against an NSEC3-signed zone can crash DNS.

Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. By exploiting this defect an attacker deliberately constructing a query with the right properties could achieve denial of service against an authoritative nameserver serving NSEC3-signed zones.

Affected Adonis Versions:
BlueCat's assessment of CVE-2014-0591 has determined that all supported versions of Adonis are affected. A patch has been released to address the issue for these affected versions.

Please visit Care and review KB-6419 to download the patch and associated release notes.

IP Address Management, DNS and DHCP Solutions