<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.3790.4237" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
color=#0000ff size=2>It looks like this vulnerability is rather
serious:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
color=#0000ff size=2><A
href="http://securosis.com/2008/07/09/more-on-the-dns-vulnerability/"><U><FONT
color=#0000ff
size=2>http://securosis.com/2008/07/09/more-on-the-dns-vulnerability/</U></FONT></A></DIV>
<DIV> </DIV>
<DIV dir=ltr align=left>RedHat has released updated packages for RedHat
5.x:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
color=#0000ff size=2><A
href="http://rhn.redhat.com/errata/RHSA-2008-0533.html">http://rhn.redhat.com/errata/RHSA-2008-0533.html</A></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
size=2>"[Updated 10th July 2008]<BR>We have updated the Enterprise Linux 5
packages in this advisory. The<BR>default and sample caching-nameserver
configuration files have been updated<BR>so that they do not specify a fixed
query-source port. Administrators<BR>wishing to take advantage of randomized UDP
source ports should check their<BR>configuration file to ensure they have not
specified fixed query-source ports."</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
color=#0000ff size=2>Hooray!</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=138343822-10072008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=138343822-10072008>I've posted comments on Dan Kaminsky's blog and
elsewhere drawing people's attention to the need to check BIND config
files.</SPAN></FONT></FONT></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=138343822-10072008></SPAN></FONT></FONT></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=138343822-10072008>Cheers,</SPAN></FONT></FONT></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=138343822-10072008></SPAN></FONT></FONT></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=138343822-10072008>Phil</SPAN></FONT></FONT></FONT></DIV><FONT face=Arial
color=#0000ff size=2></FONT><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of </B>Randal,
Phil<BR><B>Sent:</B> 10 July 2008 13:21<BR><B>To:</B> MailScanner
discussion<BR><B>Subject:</B> RE: Watch it: Multiple DNS
implementationsvulnerableto cachepoisoning<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=095351712-10072008><FONT color=#0000ff><FONT
face=Arial><FONT size=2>query-source <FONT color=#000000><FONT
color=#0000ff>defines the IP address (IPv4 or IPv6) and optional port to be used
as the source for <STRONG>outgoing</STRONG> queries from the
server</FONT>.</FONT></FONT></FONT></FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff size=2>The
default is a random unprivileged port.</FONT></SPAN></DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff size=2>There
may, of course, be over-zealous firewall rules (or SELinux policies) which
mistakenly insist that the source and destination ports are both 53, but that's
plain wrong.</FONT></SPAN></DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff size=2>And
dangerous.</FONT></SPAN></DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff
size=2>Cheers,</FONT></SPAN></DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=095351712-10072008><FONT face=Arial color=#0000ff
size=2>Phil</FONT></SPAN></DIV><!-- Converted from text/rtf format -->
<P><SPAN lang=en-gb><FONT face=Arial size=2>--</FONT></SPAN> <BR><SPAN
lang=en-gb><FONT face=Arial size=2>Phil Randal</FONT></SPAN> <BR><SPAN
lang=en-gb><FONT face=Arial size=2>Networks Engineer</FONT></SPAN> <BR><SPAN
lang=en-gb><FONT face=Arial size=2>Herefordshire Council</FONT></SPAN> <BR><SPAN
lang=en-gb><FONT face=Arial size=2>Hereford, UK</FONT></SPAN> </P>
<DIV> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of </B>Peter
Farrow<BR><B>Sent:</B> 10 July 2008 13:07<BR><B>To:</B> MailScanner
discussion<BR><B>Subject:</B> Re: Watch it: Multiple DNS implementations
vulnerableto cachepoisoning<BR></FONT><BR></DIV>
<DIV></DIV>If you're running a public DNS server or a DNS server for your LAN
clients then these lines are an extremely good
idea...<BR><BR>P.<BR><BR><BR>Randal, Phil wrote:
<BLOCKQUOTE
cite=mid:7EF0EE5CB3B263488C8C18823239BEBA0430DC31@HC-MBX02.herefordshire.gov.uk
type="cite"><PRE wrap="">Have you made sure that in named.conf there are no
query-source port 53;
query-source-v6 port 53;
lines?
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
-----Original Message-----
From: <A class=moz-txt-link-abbreviated href="mailto:mailscanner-bounces@lists.mailscanner.info">mailscanner-bounces@lists.mailscanner.info</A>
[<A class=moz-txt-link-freetext href="mailto:mailscanner-bounces@lists.mailscanner.info">mailto:mailscanner-bounces@lists.mailscanner.info</A>] On Behalf Of Jason
Ede
Sent: 10 July 2008 11:15
To: MailScanner discussion
Subject: RE: Watch it: Multiple DNS implementations vulnerable to
cachepoisoning
I've patched some servers and they're showing good, but on one behind a
firewall its still showing as poor despite the update being run... Its
running Centos5.1
Jason
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">-----Original Message-----
From: <A class=moz-txt-link-abbreviated href="mailto:mailscanner-bounces@lists.mailscanner.info">mailscanner-bounces@lists.mailscanner.info</A> [<A class=moz-txt-link-freetext href="mailto:mailscanner">mailto:mailscanner</A>-
<A class=moz-txt-link-abbreviated href="mailto:bounces@lists.mailscanner.info">bounces@lists.mailscanner.info</A>] On Behalf Of shuttlebox
Sent: 10 July 2008 09:42
To: MailScanner discussion
Subject: Re: Watch it: Multiple DNS implementations vulnerable to
cache poisoning
On Thu, Jul 10, 2008 at 3:54 AM, Ken A <A class=moz-txt-link-rfc2396E href="mailto:ka@pacific.net"><ka@pacific.net></A> wrote:
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">They are probably not random enough. You can look at them with
</PRE></BLOCKQUOTE><PRE wrap="">netstat or
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">lsof -i
</PRE></BLOCKQUOTE><PRE wrap="">OK, it's the standard deviation that is key to the result. Unique
ports but all in a row for example is of course not good.
I have now patched one server and it shows GOOD with a high std dev.
/peter
--
Robert Benchley - "Drawing on my fine command of the English
language, I said nothing."
--
MailScanner mailing list
<A class=moz-txt-link-abbreviated href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</A>
<A class=moz-txt-link-freetext href="http://lists.mailscanner.info/mailman/listinfo/mailscanner">http://lists.mailscanner.info/mailman/listinfo/mailscanner</A>
Before posting, read <A class=moz-txt-link-freetext href="http://wiki.mailscanner.info/posting">http://wiki.mailscanner.info/posting</A>
Support MailScanner development - buy the book off the website!
</PRE></BLOCKQUOTE><PRE wrap=""><!---->--
MailScanner mailing list
<A class=moz-txt-link-abbreviated href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</A>
<A class=moz-txt-link-freetext href="http://lists.mailscanner.info/mailman/listinfo/mailscanner">http://lists.mailscanner.info/mailman/listinfo/mailscanner</A>
Before posting, read <A class=moz-txt-link-freetext href="http://wiki.mailscanner.info/posting">http://wiki.mailscanner.info/posting</A>
Support MailScanner development - buy the book off the website!
--
MailScanner mailing list
<A class=moz-txt-link-abbreviated href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</A>
<A class=moz-txt-link-freetext href="http://lists.mailscanner.info/mailman/listinfo/mailscanner">http://lists.mailscanner.info/mailman/listinfo/mailscanner</A>
Before posting, read <A class=moz-txt-link-freetext href="http://wiki.mailscanner.info/posting">http://wiki.mailscanner.info/posting</A>
Support MailScanner development - buy the book off the website!
</PRE></BLOCKQUOTE><BR>-- <BR>This message has been scanned for viruses and
<BR>dangerous content by the <A
href="http://www.inexcom.co.uk/"><B>Inexcom</B></A> system scanner, <BR>and is
believed to be clean. <BR>Advanced heuristic mail scanning server [-].
</BODY></HTML>