In association with heise online

31 August 2007, 14:35

Serious vulnerability ratifies end of BIND8 DNS server


The discovery of a significant vulnerability in its random number generator has prompted the vendor, ISC, to announce that support for Version 8 of the popular BIND nameserver will finally be discontinued. As described by security specialist Amit Klein in a paper, the transaction IDs in BIND8 can be predicted so exactly that attackers can "poison" the cache of a vulnerable DNS server with manipulated IP addresses with almost complete success. Such "cache poisoning" is primarily exploited by phishers and pharmers to lure flocks of Internet users to manipulated websites.

Although the ISC provides a patch to Version 8.4.7-P1 that supposedly eliminates the immediate problems with the random number generator, the developers have acknowledged that BIND8 is struggling with fundamental architectural problems. The upgrade recommendation to all server operators is quite clear: "The workarounds available are 'turn off DNS service' or 'upgrade to BIND 9'."
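As an added example (not from the article, from ISC, or from Klein's paper), a small audit script an operator could run over a captured sample of their own resolver's outgoing query IDs, for instance to confirm that the IDs no longer look like this after patching or upgrading: it pulls the 16-bit ID out of a DNS header and scores how often a trivial next-ID guess would hit, with constructed samples standing in for a weak and a sound generator.

```python
"""Audit a resolver's DNS transaction IDs for predictability (added example).

Assumes the operator has captured the outgoing queries of a resolver they
administer; the two sample generators below are constructed stand-ins.
"""
import hashlib
import math
import struct
from collections import Counter


def txid_from_dns_message(msg: bytes) -> int:
    """The transaction ID is the first big-endian 16-bit field of the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", msg[:2])[0]


def delta_predictability(ids):
    """Fraction of IDs hit by the naive guess 'previous ID plus the last observed step'.

    1.0 means a strictly incrementing or constant-step generator; a well-seeded
    16-bit generator should score close to 1/65536 per sample.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    hits = 0
    for i in range(2, len(ids)):
        step = (ids[i - 1] - ids[i - 2]) % 65536
        if (ids[i - 1] + step) % 65536 == ids[i]:
            hits += 1
    return hits / (len(ids) - 2)


def entropy_bits(ids):
    """Empirical Shannon entropy of the sample in bits (at most 16 for 16-bit IDs).

    Bounded above by log2(len(ids)), so it only serves as a lower-bound sanity check.
    """
    n = len(ids)
    return -sum(c / n * math.log2(c / n) for c in Counter(ids).values())


def sequential_ids(start, n, step=1):
    """Constructed sample of a weak generator: constant-step IDs."""
    return [(start + i * step) % 65536 for i in range(n)]


def hashed_ids(n, seed=b"constructed-sample"):
    """Constructed stand-in for a sound generator: 16 bits of SHA-256 per query."""
    return [int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:2], "big")
            for i in range(n)]


def verdict(ids, threshold=0.5):
    """Flag a resolver whose IDs are guessable more often than the threshold."""
    return "PREDICTABLE" if delta_predictability(ids) > threshold else "ok"
```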

In the meantime, a US-CERT advisory has also issued a warning about the vulnerability. Since the majority of nameserver operators already rely on BIND9, the effect of the vulnerability on the DNS system, and therefore on Internet users, will in all probability be marginal.

Only a month or so ago, Klein created some turmoil when he published a paper about a similar vulnerability in the random number generator of BIND9. This, however, functioned completely differently: it could only be exploited with ten per cent probability and with greater technical effort than the bug in version 8.
