Hi all,

there is an updated Bind9 RPM on the CentOS + BlueQuartz YUM repository.

Anyone who is running a DNS server on his BlueQuartz should urgently run "yum
update" and install the updated Bind 9 RPM - if your server hasn't already
fetched it automatically last night.

The updated and therefore fixed Bind 9 RPMs have the following version
numbers:

  bind-utils-9.2.4-27.0.1.el4
  bind-libs-9.2.4-27.0.1.el4
  bind-9.2.4-27.0.1.el4
  bind-chroot-9.2.4-27.0.1.el4

More information on the problem:

  http://isc.sans.org/diary.html?storyid=3181

The problem with the vulnerable Bind 9 is quite severe. Basically an attacker
can poison your DNS cache quite easily and can therefore redirect traffic to
other hosts than the ones you (or your users) intended to go to. Turning off
DNS caching prevents this, but for many users this isn't an option.

Poisoning should usually be very difficult, because it should be next to
impossible to guess or interpolate the correct 16-bit transaction ID, as
there are more than 65000 different combinations possible.

However, the Bind programmers screwed up and an attacker just has to do one
query, check the transaction ID and interpolate three of the 16 bits to guess
the next valid transaction ID. Three bits boils down to 10 possible
combinations, so it can be brute-forced easily.

--
With best regards,
Michael Stauber
http://www.solarspeed.net
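
The following is an added example, not part of the original post: a small audit that reads `rpm -q` style name-version-release lines and reports whether each Bind package is at or above the fixed build 9.2.4-27.0.1.el4 named above. The comparison is a simplified version of rpm's segment-wise ordering (no epoch, `~` or `^` handling), and the sample inventory lines are constructed for illustration.

```python
import re

# Fixed build from the announcement: (version, release), same for all four packages.
FIXED_VR = ("9.2.4", "27.0.1.el4")
BIND_PKGS = {"bind", "bind-libs", "bind-utils", "bind-chroot"}

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does.

    Simplified: ignores epoch and the '~' / '^' modifiers.
    Returns 1 if a is newer, -1 if older, 0 if equal.
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # numeric compare, not string compare
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(rpm_q_lines):
    """Return {package: (installed_nvr, is_fixed)} for the Bind packages found."""
    result = {}
    for line in rpm_q_lines:
        nvr = line.strip()
        parts = nvr.rsplit("-", 2)            # name may itself contain '-'
        if len(parts) != 3 or parts[0] not in BIND_PKGS:
            continue                          # other packages, "not installed" lines
        name, version, release = parts
        order = rpmvercmp(version, FIXED_VR[0]) or rpmvercmp(release, FIXED_VR[1])
        result[name] = (nvr, order >= 0)
    return result

# Constructed sample, shaped like the output of `rpm -q` on the four packages.
SAMPLE = [
    "bind-9.2.4-27.0.1.el4",             # exactly the fixed build
    "bind-libs-9.2.4-24.EL4",            # older release
    "bind-utils-9.2.4-27.el4",           # 27 < 27.0.1 under rpm ordering
    "bind-chroot-9.2.4-28.el4",          # newer release
    "openssh-3.9p1-8.RHEL4.20",          # unrelated package, ignored
    "package bind-devel is not installed",
]

if __name__ == "__main__":
    for pkg, (nvr, fixed) in sorted(audit(SAMPLE).items()):
        print("%-12s %-32s %s" % (pkg, nvr, "OK" if fixed else "NEEDS UPDATE"))
```

On a live server, feed `audit()` the lines printed by `rpm -q bind bind-libs bind-utils bind-chroot` instead of `SAMPLE`.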