Date: Tue, 8 Jul 2008 22:09:23 +0000 (UTC) From: security curmudgeon <jericho@...rition.org> To: oss-security@...ts.openwall.com Subject: Major DNS vulnerability announced [CVE Question] Since this is about to make VDB life complicated.. Microsoft has: DNS Insufficient Socket Entropy Vulnerability - CVE-2008-1447 DNS Cache Poisoning Vulnerability - CVE-2008-1454 Cisco has: CVE-2008-1447 Question: Is CVE going to keep those two identifiers for the fundamental issues, and load them up with affected vendors? ---------- Forwarded message ---------- http://www.kb.cert.org/vuls/id/800113 Vulnerability Note VU#800113 Multiple DNS implementations vulnerable to cache poisoning Overview Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. I. Description The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. DNS cache poisoning is not a new concept; in fact, there are published articles that describe a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning. The following are examples of these deficiencies and defects: < - > II. Impact An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control. < - >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.