The BlueCat Customer Care team is your single point of contact for technical expertise and best-in-class 24/7/365 product support. We listen. We understand. We care.

Security & Vulnerability Updates

BlueCat Networks understands the critical nature of DNS, DHCP and IPAM services and the impact of a security risk to these services. As part of BlueCat's initiative to provide customers with up-to-date information on potential security issues, we publicly track all known security issues related to our products. A description of each published security issue is listed below outlining the impact of each issue and how to mitigate against the attack.

2014   |   2013   |   2012   |   2011   |   2010   |   2009   |   2008

November 2014

Shellshock: Bash command shell contains a vulnerability that allows remote attackers to execute arbitrary code
CERT NUMBER: CVE-2014-6271 and CVE-2014-7169

Two vulnerabilities have been announced – CVE-2014-6271 and CVE-2014-7169 which affect the version of bash command shell used by both Address Manager (Proteus) and DNS/DHCP Server (Adonis)

Affected Versions:
All Address Manager (Proteus) and DNS/DHCP Server (Adonis) versions.

Short Description:
A vulnerability was discovered in the bash shell related to how bash processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment.

NOTE: Although both systems use a vulnerable version of the bash command shell, no remote exploits could be found. Although the systems are not exploitable remotely, BlueCat does recognize the visibility and attention associated with this security vulnerability and has released a patch to update all supported systems to a non-vulnerable version of the bash shell.

Please visit Care and review KB-7446 to download the patch and associated release notes.

April 2014

SSL contains a vulnerability that could disclose private information to an attacker
CERT NUMBER: CVE-2014-0160

A vulnerability has been announced - CVE-2014-0160 which affects the version of SSL used by BlueCat.

Affected Versions:
All Address Manager (Proteus) 4.x and DNS/DHCP Server (Adonis) 7.x versions.

Short Description:
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

OpenSSL contains a flaw in its implementation of the TLS/DTLS heartbeat functionality (RFC6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

• Primary key material (secret keys)
• Secondary key material (user names and passwords used by vulnerable services)
• Protected content (sensitive data used by vulnerable services)
• Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Please visit Care and review KB-6745 to download the patch and associated release notes.

January 2014

A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
CERT NUMBER: CVE-2014-0591

A vulnerability has been announced by the ISC (Internet Systems Consortium) - CVE-2014-0591 which affects ISC BIND.

Affected Versions:
Authoritative name servers using DNSSEC with at least one NSEC3-signed zone.

Short Description:
A specially crafted query against an NSEC3-signed zone can crash DNS.

Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. By exploiting this defect an attacker deliberately constructing a query with the right properties could achieve denial of service against an authoritative nameserver serving NSEC3-signed zones.

Affected Adonis Versions:
BlueCat's assessment of CVE-2014-0591 has determined that all supported versions of Adonis are affected. A patch has been released to address the issue for these affected versions.

Please visit Care and review KB-6419 to download the patch and associated release notes.

IP Address Management, DNS and DHCP Solutions