Bug 248851 (CVE-2007-2926)

Summary: CVE-2007-2926 bind cryptographically weak query ids
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: atkac, jhutar, kreilly, kvolny, mkoci, osoukup, rbiba
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-01-14 16:24:56 UTC
Bug Depends On: 248866, 248867, 248868, 248869, 248870, 248871, 248872, 248873, 248874

Description Mark J. Cox 2007-07-19 08:09:44 UTC
Internet Systems Consortium Security Advisory.

                BIND 9: cryptographically weak query ids.

                              17 July 2007

Versions affected:

    BIND 9.0 (all versions)
    BIND 9.1 (all versions)
    BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8
    BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
    BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Severity: Medium.

Description:

    The DNS query id generation is vulnerable to cryptographic
    analysis which provides a 1 in 8 chance of guessing the next
    query id for 50% of the query ids.  This can be used to perform
    cache poisoning by an attacker.

    This bug only affects outgoing queries, generated by BIND 9 to
    answer questions as a resolver, or when it is looking up data
    for internal uses, such as when sending NOTIFYs to slave name
    servers.

    All users are encouraged to upgrade.

Workaround:

    None.

Fix:

    Upgrade to BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or
    BIND 9.5.0a6.

    Questions should be addressed to bind9-bugs.

CVE:    CVE-2007-2926   (CERT-US VU#553201)

*** Embargo set to 23 July 2007 ***
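
An added example, not part of the original advisory or bug report: a Python check that classifies an upstream BIND version string against the affected and fixed releases listed in the advisory above, including alpha and -P patch-level ordering. The function names and the result labels (`affected`, `fixed`, `below-fix`, `not-listed`) are assumptions of this example.

```python
import re

# Data transcribed from the advisory text on this page.
AFFECTED_ALL = {(9, 0), (9, 1)}                       # "all versions"
AFFECTED = ({f"9.2.{p}" for p in range(9)} |          # 9.2.0 .. 9.2.8
            {f"9.3.{p}" for p in range(5)} |          # 9.3.0 .. 9.3.4
            {f"9.5.0a{n}" for n in range(1, 6)})      # 9.5.0a1 .. 9.5.0a5
FIXED = {(9, 2): "9.2.8-P1", (9, 3): "9.3.4-P1",
         (9, 4): "9.4.1-P1", (9, 5): "9.5.0a6"}

_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?(?:-P(\d+))?$")
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}           # a final release sorts last


def parse(version):
    """Return a sortable key for an upstream BIND version string."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, stage, snum, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE[stage], int(snum or 0), int(plevel or 0))


def assess(version):
    """Classify a version against the advisory's affected/fixed lists."""
    key = parse(version)
    branch = key[:2]
    if branch in AFFECTED_ALL:
        return "affected"          # 9.0 and 9.1: every release is listed
    if branch not in FIXED:
        return "not-listed"        # branch does not appear in the advisory
    if key >= parse(FIXED[branch]):
        return "fixed"             # at or past the fixed release for the branch
    # Older than the branch's fixed release: either enumerated as affected,
    # or not enumerated (e.g. 9.4.x, which the affected list omits).
    return "affected" if version.strip() in AFFECTED else "below-fix"


if __name__ == "__main__":
    # Constructed sample inputs.
    for v in ("9.1.3", "9.3.4", "9.3.4-P1", "9.4.1", "9.5.0a5", "9.5.0a6", "8.4.7"):
        print(v, assess(v))
```

Distribution packages such as Red Hat's backport fixes without changing the upstream version number, so for those rely on the errata linked in Comment 5 rather than this check.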

Comment 1 Mark J. Cox 2007-07-19 11:07:32 UTC
patch is http://bugzilla.redhat.com/bugzilla/attachment.cgi?id=159581

Comment 4 Josh Bressers 2007-07-24 11:21:18 UTC
This flaw is now public according to the ISC web site:
http://www.isc.org/index.pl?/sw/bind/

Current Release
  BIND 9.4.1-P1

Maintenance Releases
  BIND 9.3.4-P1
  BIND 9.2.8-P1 (end of life August 2007)
  BIND 8.4.7 

Comment 5 Red Hat Product Security 2008-01-14 16:24:56 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0740.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-1247