Bug 462751 (CVE-2008-4100)

Summary: CVE-2008-4100 adns: DNS spoofing flaw
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: atkac
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4100
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 23:45:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 462752, 462753, 462754    
Bug Blocks:    

Description Josh Bressers 2008-09-18 18:40:17 UTC 
GNU adns 1.4 and earlier uses a fixed source port and sequential
transaction IDs for DNS requests, which makes it easier for remote
attackers to spoof DNS responses, a different vulnerability than
CVE-2008-1447. NOTE: the vendor reports that this is intended behavior
and is compatible with the product's intended role in a trusted
environment.

Reference: URL:http://www.milw0rm.com/exploits/6197
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/11/1
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/16/4
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492698
Comment 2 Vincent Danen 2010-12-23 23:45:59 UTC 
The upstream INSTALL document states:

SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

  adns is not a `full-service resolver': it does no caching of responses
  at all, and has no defence against bad nameservers or fake packets
  which appear to come from your real nameservers.  It relies on the
  full-service resolvers listed in resolv.conf to handle these tasks.

  For secure and reasonable operation you MUST run a full-service
  nameserver on the same system as your adns applications, or on the
  same local, fully trusted network.  You MUST only list such
  nameservers in the adns configuration (eg resolv.conf).

  You MUST use a firewall or other means to block packets which appear
  to come from these nameservers, but which were actually sent by other,
  untrusted, entities.

  Furthermore, adns is not DNSSEC-aware in this version; it doesn't
  understand even how to ask a DNSSEC-aware nameserver to perform the
  DNSSEC cryptographic signature checking.

Therefore this is intended behaviour and not a security issue in and of itself.