Thread: PCI Compliance Vulnerability Found (BIND 9.3.4)

  1. #1
    Member
    Join Date
    Oct 2007
    Posts
    43

    PCI Compliance Vulnerability Found (BIND 9.3.4)

    Hello Guys,

    I'm currently using PCI compliance on one of my sites.
    I have received one mail today from them saying that they found a vulnerability on my DNS server.

    This is what it says,
    --------------------------
    Description:
    Multiple Dns Implementations Vulnerable To Cache Poisoning

    The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; and other implementations allow remote attackers to spoof DNS traffic via certain cache poisoning techniques against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability."

    General Solution:

    upgrade to latest bind version.
    --------------------------

    The thing is I have tried a 'yum upgrade bind' but it seems my system is using the latest available release (9.3.4). I have tried using the dag repositories to see if I could find any other update, no luck on this either.

    Is there any way I can fix this or some place where I can find an up-to-date bind RPM?
    I'm currently using CentOS 5.2 i686.

    Any suggestion will be really appreciated!

    Best Regards.

    Jose.

  2. #2
    cPanel Partner NOC
    Join Date
    Nov 2001
    Posts
    213
    cPanel/WHM Access Level

    DataCenter Provider

    You'll have to read through the notes for the latest bind update but you are "prob." OK (don't take my word for it however). Red Hat generally backports the latest patches but does not necessarily change the version number.

  3. #3
    Member
    Join Date
    Oct 2007
    Posts
    43

    Ok, thank you for your reply.
    I have told them to re-issue a scan to see if my server got updated but it did not.
    Is there any way I can upgrade the mentioned BIND DNS Server to the one they are requesting?

    Any help will be appreciated.

    Thank you.

  4. #4
    Registered User
    Join Date
    Nov 2007
    Posts
    3

    Download the source tarball: http://www.isc.org/sw/dl?pkg=bind9/9....0-P1%20Source and follow these instructions: http://www.isc.org/sw/bind/view/?rel....0-P1#BUILDING . The issue you were warned about is a critical one and it is recommended that you do not wait for a binary to be deposited in your repo and that you instead proceed with a compilation of the latest sources which resolves this critical exploit.
    Last edited by John Musbach; 07-15-2008 at 01:56 AM.

  5. #5
    cPanel Development cPanelKenneth
    Join Date
    Apr 2006
    Posts
    4,143
    cPanel/WHM Access Level

    Root Administrator

    Quote Originally Posted by josesan311
    Ok, thank you for your reply.
    I have told them to re-issue a scan to see if my server got updated but it did not.
    Is there any way I can upgrade the mentioned BIND DNS Server to the one they are requesting?

    Any help will be appreciated.

    Thank you.
    Since you use CentOS, you should subscribe to their Announcement mailing list, that way you can keep abreast of fixes such as for this BIND issue. For example:

    http://lists.centos.org/pipermail/ce...ly/015077.html

  6. #6
    Member
    Join Date
    Oct 2007
    Posts
    43

    Thank you guys for the suggestions on how to fix this, I really appreciate it.

  7. #7
    Member
    Join Date
    Oct 2007
    Posts
    43

    Quote Originally Posted by cpanelkenneth
    Since you use CentOS, you should subscribe to their Announcement mailing list, that way you can keep abreast of fixes such as for this BIND issue. For example:

    http://lists.centos.org/pipermail/ce...ly/015077.html

    Thank you for the link Kenneth.
    I'm a bit confused right now. I checked the mailing list and, according to what it says, it looks like the latest (and patched) bind releases are:

    bind-9.3.4-6.0.1.P1.el5_2.i386.rpm
    bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
    bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
    bind-utils-9.3.4-6.0.1.P1.el5_2.i386.rpm

    I just issued an rpm -qa | grep bind and I got:

    # rpm -qa | grep -i bind
    bind-9.3.4-6.0.2.P1.el5_2
    ypbind-1.19-8.el5
    bind-libs-9.3.4-6.0.2.P1.el5_2
    bind-devel-9.3.4-6.0.2.P1.el5_2
    bind-utils-9.3.4-6.0.2.P1.el5_2


    So, am I running the updated/patched bind right now? (I have not upgraded or done anything yet, hence my confusion.)


    Thank you for all the help guys.

  8. #8
    Member handsonhosting
    Join Date
    Feb 2002
    Location
    Omaha, NE
    Posts
    151
    cPanel/WHM Access Level

    Root Administrator

    I wasn't able to get the yum to update bind at all past the 9.2.4 version.

    I even ran a "yum remove bind" and then "yum install bind" but it still wants the same version.

    I checked the yum.repos.d/CentOS-Base.repo file and made sure the UPDATE area was set right (from what I could tell):

    Code:
    #released updates
    [update]
    name=CentOS-$releasever - Updates
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
    priority=1
    protect=1


    Anyone have any suggestions on what I'm doing wrong on this one?

  9. #9
    cPanel Development cPanelKenneth
    Join Date
    Apr 2006
    Posts
    4,143
    cPanel/WHM Access Level

    Root Administrator

    Quote Originally Posted by handsonhosting
    I wasn't able to get the yum to update bind at all past the 9.2.4 version.

    I even ran a "yum remove bind" and then "yum install bind" but it still wants the same version.

    I checked the yum.repos.d/CentOS-Base.repo file and made sure the UPDATE area was set right (from what I could tell):

    Code:
    #released updates
    [update]
    name=CentOS-$releasever - Updates
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
    priority=1
    protect=1


    Anyone have any suggestions on what I'm doing wrong on this one?
    Red Hat backports patches. Hence, on RHEL/CentOS 4 you will have these RPMs for bind:

    Code:
    root@mundane [~]# rpm -qa | grep bind
    bind-libs-9.2.4-28.0.1.el4
    bind-utils-9.2.4-28.0.1.el4
    bind-devel-9.2.4-28.0.1.el4
    bind-9.2.4-28.0.1.el4
    It doesn't matter that the bind version is only 9.2.4 as the security fixes were back-ported and applied to that version.

    For RHEL/CentOS 5, the proper RPMs are:

    Code:
    dtest ~ # rpm -qa | grep bind
    bind-libbind-devel-9.3.4-6.0.2.P1.el5_2
    bind-utils-9.3.4-6.0.2.P1.el5_2
    bind-devel-9.3.4-6.0.2.P1.el5_2
    bind-libs-9.3.4-6.0.2.P1.el5_2
    bind-9.3.4-6.0.2.P1.el5_2
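    Added example (not from this thread or from cPanel): a Python check that applies the point above by comparing the installed bind packages' version and release tags against the minimum fixed release from the CentOS announcement quoted earlier (9.3.4-6.0.1.P1.el5_2), using rpmvercmp-style ordering. The sample `rpm -qa` output is the one posted earlier in the thread; ignoring epochs and tilde/caret ordering is this example's assumption.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")  # rpmvercmp splits labels into numeric / alphabetic segments

def rpmvercmp(a: str, b: str) -> int:
    """Order two labels as rpm does: numeric segments numerically, alphabetic ones
    lexically, numeric outranks alphabetic, leftover segments win (tilde/caret ignored)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(installed: str, fixed: str) -> bool:
    """Installed 'version-release' is at least the fixed one; the release tag carries the backport."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    c = rpmvercmp(iv, fv)
    return c > 0 if c != 0 else rpmvercmp(ir, fr) >= 0

# Minimum fixed releases per the CentOS announcement quoted above (assumption: no epochs involved).
FIXED = {p: "9.3.4-6.0.1.P1.el5_2" for p in ("bind", "bind-devel", "bind-libs", "bind-utils")}

# The `rpm -qa | grep -i bind` output posted earlier in this thread.
SAMPLE_RPM_QA = """\
# rpm -qa | grep -i bind
bind-9.3.4-6.0.2.P1.el5_2
ypbind-1.19-8.el5
bind-libs-9.3.4-6.0.2.P1.el5_2
bind-devel-9.3.4-6.0.2.P1.el5_2
bind-utils-9.3.4-6.0.2.P1.el5_2
"""

def check_rpm_qa(output: str, fixed: dict) -> dict:
    """Map each tracked package found in rpm -qa output to True (patched) or False."""
    verdict = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.count("-") < 2:
            continue
        name, ver, rel = line.rsplit("-", 2)   # the package name itself may contain dashes
        if name in fixed:
            verdict[name] = is_patched(f"{ver}-{rel}", fixed[name])
    return verdict
```

    A package whose release tag sorts below the announced one (for example a plain 9.3.4-6.el5) is reported as not patched even though its upstream version string is identical.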

  10. #10
    Member
    Join Date
    Oct 2007
    Posts
    43

    Can someone please confirm I'm running the patched bind?

    I will really appreciate it.

    Thank you.

  11. #11
    Member
    Join Date
    Oct 2004
    Posts
    45

    On your server you can test it using the following command

    dig +short porttest.dns-oarc.net TXT @127.0.0.1

    Of course - take a look at www.dns-oarc.net as well for further info.

    It is much better to actually test if your server is vulnerable than rely on inconsistent version numbers.
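    Added example (not from this thread, and not DNS-OARC's own test): when a scanner keeps disputing the version string, a local capture of the resolver's outbound queries gives first-hand evidence of whether source ports are now randomized. This Python pulls the source ports out of constructed tcpdump-style lines and classifies the pattern; the addresses, capture lines and rating thresholds are all this example's assumptions.

```python
import random
import re
import statistics

# Constructed tcpdump-style lines (not a real capture): a resolver at 192.0.2.10 sending
# queries to an authoritative server at 198.51.100.5 (both TEST-NET documentation ranges).
CAPTURE_FIXED = """\
12:00:01.000 IP 192.0.2.10.32768 > 198.51.100.5.53: 1234+ A? example.com. (29)
12:00:01.050 IP 192.0.2.10.32768 > 198.51.100.5.53: 1235+ A? example.net. (29)
12:00:01.100 IP 192.0.2.10.32768 > 198.51.100.5.53: 1236+ A? example.org. (29)
12:00:01.150 IP 192.0.2.10.32768 > 198.51.100.5.53: 1237+ A? example.edu. (29)
"""
# Constructed port lists standing in for captures of two other resolver behaviours.
SEQUENTIAL_PORTS = list(range(32768, 32808))
RANDOM_PORTS = random.Random(1).sample(range(1024, 65536), 40)

_QUERY = re.compile(r" IP \S+\.(\d+) > \S+\.53: ")

def source_ports(capture: str) -> list:
    """Extract the UDP source port of every outbound query to port 53."""
    return [int(m.group(1)) for m in _QUERY.finditer(capture)]

def rate_source_ports(ports: list) -> str:
    """'fixed' (one port reused), 'sequential' (port steps predictably) or 'randomized'.
    The thresholds are this example's assumption, not DNS-OARC's published scoring."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < s <= 2 for s in steps):
        return "sequential"
    return "randomized"

def summarize(ports: list) -> dict:
    """Spread statistics worth eyeballing alongside the rating."""
    return {"queries": len(ports), "distinct": len(set(ports)),
            "min": min(ports), "max": max(ports),
            "stdev": round(statistics.pstdev(ports), 1),
            "rating": rate_source_ports(ports)}
```

    Feed it the output of a capture filter on outbound UDP port 53 from the resolver itself; a "fixed" or "sequential" rating after the update means the backport is not doing what the advisory requires, whatever the version string says.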

  12. #12
    Member handsonhosting
    Join Date
    Feb 2002
    Location
    Omaha, NE
    Posts
    151
    cPanel/WHM Access Level

    Root Administrator

    It's too bad that these PCI places only look at the version number rather than doing the test

    We've done the upgrades etc, but since it still has the older version number, they're still crying. Maybe I'll have to manually upgrade just to get them off my back.

    Thanks for the feedback Kenneth, it's appreciated.

  13. #13
    Member
    Join Date
    May 2005
    Location
    Auburn, CA
    Posts
    284
    cPanel/WHM Access Level

    Root Administrator

    Quote Originally Posted by handsonhosting
    It's too bad that these PCI places only look at the version number rather than doing the test

    We've done the upgrades etc, but since it still has the older version number, they're still crying. Maybe I'll have to manually upgrade just to get them off my back.

    Thanks for the feedback Kenneth, it's appreciated.
    You can edit named.conf so the version doesn't show. That's recommended for security purposes, anyway. Under the 'options' section:

    Code:
    version " ";
    HTH
    cPanel: Latest Release Version [11.36.1.6]
    PHP 5.3.23, Apache 2.2.24, MySQL 5.1.68, Perl 5.10.1, CentOS 6.4 64-bit

  14. #14
    cPanel Development cPanelKenneth
    Join Date
    Apr 2006
    Posts
    4,143
    cPanel/WHM Access Level

    Root Administrator

    Quote Originally Posted by handsonhosting
    It's too bad that these PCI places only look at the version number rather than doing the test

    We've done the upgrades etc, but since it still has the older version number, they're still crying. Maybe I'll have to manually upgrade just to get them off my back.

    Thanks for the feedback Kenneth, it's appreciated.
    The PCI Specification also allows for you, the company owner, to provide written verification obtained from the Operating System, or software, vendor that the application in question is indeed fully patched.

  15. #15
    Member handsonhosting
    Join Date
    Feb 2002
    Location
    Omaha, NE
    Posts
    151
    cPanel/WHM Access Level

    Root Administrator

    Yeah, McAfee don't like us when we set the version information empty. We have told them on a number of occasions in the past with other notices that we were compliant and updated, and all is fine for a while, then they flag the client again and the whole process must be repeated. Sometimes they're more headache than they're worth!

    Oh well - such is life I guess.
