Serious vulnerability ratifies end of BIND8 DNS server
The discovery of a significant vulnerability in its random number generator has prompted the vendor, ISC, to announce that support for Version 8 of the popular BIND nameserver will be finally discontinued. As described by security specialist Amit Klein in a paper, the transaction IDs in BIND8 can be so exactly predicted, that attackers can "poison" the cache of a vulnerable DNS server with manipulated IP addresses with almost complete success. Such "cache poisioning" is primarily exploited by phishers and pharmers to lure flocks of Internet users to manipulated websites.
Although the ISC provides a patch to Version 8.4.7-P1 that supposedly eliminates the immediate problems with the random number generator, developers have acknowledged that BIND8 is struggling with fundamental architectural problems. The upgrade recommendation to all server operators is quite clear: The workarounds available are 'turn off DNS service' or 'upgrade to BIND 9'."
In the meantime, a US-CERT advisory has also issued a warning about the vulnerability. In all probability, since the majority of nameserver operators already rely on BIND9, the effect of the vulnerabilities on the DNS system and therefore on Internet users, will be marginal.
Only a month or so ago, Klein created some turmoil when he published a paper about a similar vulnerability in the random number generator of BIND9. This, however, functioned completely differently: it could only be exploited with ten per cent probability and with greater technical effort than the bug in version 8.
- BIND8 DNS Cache Poisoning, paper from Amit Klein with details on BIND8 vulnerability
- Vulnerability Note VU#927905: BIND version 8 generates cryptographically weak DNS query identifiers, security advisory from US-CERT
- Statement and recommendations by BIND vendor ISC
- Hole in Bind name server might affect whole Internet, report by heise Security
- Exploit released for vulnerability in BIND9 nameserver, report by heise Security