oss-sec mailing list archives
Major DNS vulnerability announced [CVE Question]
From: security curmudgeon <jericho () attrition org>
Date: Tue, 8 Jul 2008 22:09:23 +0000 (UTC)
Since this is about to make VDB life complicated.. Microsoft has: DNS Insufficient Socket Entropy Vulnerability - CVE-2008-1447 DNS Cache Poisoning Vulnerability - CVE-2008-1454 Cisco has: CVE-2008-1447Question: Is CVE going to keep those two identifiers for the fundamental issues, and load them up with affected vendors?
---------- Forwarded message ---------- http://www.kb.cert.org/vuls/id/800113 Vulnerability Note VU#800113 Multiple DNS implementations vulnerable to cache poisoning OverviewDeficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks.
I. DescriptionThe Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. DNS cache poisoning is not a new concept; in fact, there are published articles that describe a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning. The following are examples of these deficiencies and defects:
< - > II. ImpactAn attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control.
< - >
Current thread:
- Major DNS vulnerability announced [CVE Question] security curmudgeon (Jul 08)
- Re: Major DNS vulnerability announced [CVE Question] Steven M. Christey (Jul 08)
- Re: Major DNS vulnerability announced [CVE Question] Jonathan Smith (Jul 08)
- Re: Major DNS vulnerability announced [CVE Question] The Fungi (Jul 08)
- Re: Major DNS vulnerability announced [CVE Question] Matthias Andree (Jul 09)
- Re: Major DNS vulnerability announced [CVE Question] Florian Weimer (Jul 09)
- Re: Major DNS vulnerability announced [CVE Question] Jonathan Smith (Jul 08)
- Re: Major DNS vulnerability announced [CVE Question] Steven M. Christey (Jul 08)