Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0814 -- [Win][UNIX/Linux] BIND 9: OpenSSL Vulnerabilities 8 November 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Bind 9 Publisher: Internet Systems Consortium Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2006-2940 CVE-2006-2937 CAN-2006-4339 Ref: AL-2006.0074 AL-2006.0084 - --------------------------BEGIN INCLUDED TEXT-------------------- Internet Systems Consortium Security Advisory. BIND 9: OpenSSL Vulnerabilities. 31 October 2006 Versions affected: BIND 9.0.x (all versions of BIND 9.0) BIND 9.1.x (all versions of BIND 9.1) BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.6-P1, 9.2.7b1, 9.2.7rc1 and 9.2.7rc2 BIND 9.3.0, 9.3.1, 9.3.2, 9.3.2-P1, 9.3.3b1, 9.3.3rc1 and 9.3.3rc2 BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1 and 9.4.0b2 Severity: Moderate (see below) Exploitable: Remotely Description: Because of OpenSSL's recently announced vulnerabilities (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named, we are announcing this workaround and releasing patches. A proof of concept attack on OpenSSL has been demonstrated for CAN-2006-4339. OpenSSL is required to use DNSSEC with BIND. ISC had included the OpenSSL library in the BIND distribution, and in more recent versions, the OpenSSL library was required, but no longer a part of the distribution. Workaround: Recompile named with a known good version of OpenSSL. OpenSSL 0.9.8d and 0.9.7l or greater are known to be good versions. For both KEY and DNSKEY resource record types, Generate RSASHA1 and RSAMD5 keys using the -e option to dnssec-keygen if the current keys were generated using the default exponent of 3. You can determine if a key is vulnerable by looking at the algorithm (1 or 5) and the first three characters of the base64 encoded RSA key. RSASHA1 (5) and RSAMD5 (1) keys that start with AQM, AQN, AQO or AQP are vulnerable. For example, this RSASHA1 (5) key is vulnerable and needs to be replaced as the base64 encoded RSA key starts with AQP. DNSKEY 256 3 5 ( AQPGP80zt8pQS5xVaaaD054XBet8sCKaYZ9WrnYyuznqNX kS91j6qqHuw7Y9kKAVsFoWfNw0CpahdIJIhUPFM1JRJtXh Ny1cg9Ok3kBnN+fwCe2LY3qOtweFbL9bSjgolQWr42AlFO jZnJVW1cECgVBfinKHBIEIIwIdHGGuLyIQaQ== ) Note: the use of RSAMD5 (1) is no longer recommended. Once you have generated new keys, use the key rollover process of your choice to put them into production. We expect your normal (non-emergency) processes to be adequate, however, you should do your own risk analysis against the costs of exploitation of weak keys and proceed accordingly. Fix: Upgrade to BIND 9.2.6-P2, BIND 9.3.2-P2, BIND 9.2.7rc3, BIND 9.3.3rc3 or BIND 9.4.0b3 then generate new RSASHA1 and RSAMD5 keys for all old keys using the old default exponent and perform a key rollover to these new keys. See above for how to determine if you are using the old default exponent. These new versions of named check that the OpenSSL version meet the mininum revision levels at configure time -- for Windows, compile time. These versions also change the default RSA exponent to be 65537 which is not vulnerable to the attacks described in CAN-2006-4339. Revision History: 20061102: Corrected fixed version number from BIND 9.2.3-P2 to BIND 9.3.2-P2. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRVFkXyh9+71yA2DNAQLP6AP/Z4hP7F+kuinZP7WF1Opgtre1Ybsr/cYj 35s24snqr09/g6PqwGX0iyf9Cace/zh9tHzPOz6fH12Jfi3g739niYOz/G+35cuL mSNHsAvjAI9dAxs/tw9/YeEVFZImBVwdzU7Ho92XTuzhD567Ceb8vY5AEdlYvKGT RR/TZJTbEqA= =6Vny -----END PGP SIGNATURE-----