The Community Forums

Interact with an entire community of cPanel & WHM users!

PCI Compliance Vulnerability Found (BIND 9.3.4)

Discussion in 'Bind / DNS / Nameserver Issues' started by josesan311, Jul 12, 2008.

  1. josesan311

    josesan311 Active Member

    Hello Guys,

    I'm currently using PCI compliance on one of my sites.
    I have received one mail today from them saying that they found a vulnerability on my DNS server.

    This is what it says,
    --------------------------
    Description:
    Multiple Dns Implementations Vulnerable To Cache Poisoning

    The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; and other implementations allow remote attackers to spoof DNS traffic via certain cache poisoning techniques against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability."

    General Solution:

    upgrade to latest bind version.
    --------------------------

    The thing is, I have tried a 'yum upgrade bind' but it seems my system is using the latest available release (9.3.4). I have tried using the DAG repositories to see if I could find any other update; no luck on this either.

    Is there any way I can fix this, or some place where I can find an up to date bind RPM?
    I'm currently using CentOS 5.2 i686.

    Any suggestion will be really appreciated!

    Best Regards.

    Jose.
     
  2. ffeingol

    ffeingol Well-Known Member
    PartnerNOC

    You'll have to read through the notes for the latest bind update, but you are "prob." OK (don't take my word for it, however). Red Hat generally backports the latest patches but does not necessarily change the version number.
     
  3. josesan311

    josesan311 Active Member

    Ok, thank you for your reply.
    I have told them to re-issue a scan to see if my server got updated but it did not.
    Is there any way I can upgrade the mentioned BIND DNS Server to the one they are requesting?

    Any help will be appreciated.

    Thank you.
     
  4. John Musbach

    John Musbach Registered

    #4 John Musbach, Jul 15, 2008
    Last edited: Jul 15, 2008
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Since you use CentOS, you should subscribe to their Announcement mailing list, that way you can keep abreast of fixes such as for this BIND issue. For example:

    http://lists.centos.org/pipermail/centos-announce/2008-July/015077.html
     
  6. josesan311

    josesan311 Active Member

    Thank you guys for the suggestion on how to fix this, I really appreciate it.
     
  7. josesan311

    josesan311 Active Member

    Thank you for the link Kenneth.
    I'm a bit confused right now. I checked the mailing list and, according to what it says, it looks like the latest (and patched) bind releases are:

    bind-9.3.4-6.0.1.P1.el5_2.i386.rpm
    bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
    bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
    bind-utils-9.3.4-6.0.1.P1.el5_2.i386.rpm

    I just issued an rpm -qa | grep bind and I got:

    # rpm -qa | grep -i bind
    bind-9.3.4-6.0.2.P1.el5_2
    ypbind-1.19-8.el5
    bind-libs-9.3.4-6.0.2.P1.el5_2
    bind-devel-9.3.4-6.0.2.P1.el5_2
    bind-utils-9.3.4-6.0.2.P1.el5_2


    So, am I running the updated/patched bind right now? (I did not upgrade or do anything yet, hence my confusion.)


    Thank you for all the help guys.
     
  8. handsonhosting

    handsonhosting Well-Known Member

    I wasn't able to get yum to update bind at all past the 9.2.4 version.

    I even ran a "yum remove bind" and then "yum install bind" but it still wants the same version.

    I checked the yum.repos.d/CentOS-Base.repo file and made sure the UPDATE area was set right (from what I could tell):

    #released updates
    [update]
    name=CentOS-$releasever - Updates
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
    priority=1
    protect=1


    Anyone have any suggestions on what I'm doing wrong on this one?
     
  9. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Red Hat backports patches. Hence, on RHEL/CentOS 4 you will have these RPMs for bind:

    Code:
    root@mundane [~]# rpm -qa | grep bind
    bind-libs-9.2.4-28.0.1.el4
    bind-utils-9.2.4-28.0.1.el4
    bind-devel-9.2.4-28.0.1.el4
    bind-9.2.4-28.0.1.el4
    
    It doesn't matter that the bind version is only 9.2.4 as the security fixes were back-ported and applied to that version.

    For RHEL/CentOS 5, the proper RPMs are:

    Code:
    dtest ~ # rpm -qa | grep bind
    bind-libbind-devel-9.3.4-6.0.2.P1.el5_2
    bind-utils-9.3.4-6.0.2.P1.el5_2
    bind-devel-9.3.4-6.0.2.P1.el5_2
    bind-libs-9.3.4-6.0.2.P1.el5_2
    bind-9.3.4-6.0.2.P1.el5_2
    
     
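The backport point Kenneth makes above is the crux of the thread: the scanner compares the bare upstream version (9.3.4 < 9.3.5-P1) while the fix lives in the distribution's release tag. As an added example (not code from the thread or from cPanel), the following compares the installed builds against the fixed builds from the CentOS announcement quoted in post 7 using rpm's own version-comparison rules; the STALE_BUILD label is a constructed stand-in for an unpatched box.

```python
import re

# rpm treats any run of non-alphanumerics (".", "-", "_") purely as a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp (tilde/caret handling omitted; these builds use neither).
    Returns 1 if a is newer than b, -1 if older, 0 if equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric segment outranks an alpha one
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # numeric: more digits means larger
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1            # same length: plain string order
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # leftover segments win

def split_nvr(pkg: str):
    """'bind-libs-9.3.4-6.0.2.P1.el5_2' -> ('bind-libs', '9.3.4', '6.0.2.P1.el5_2')."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def is_patched(installed: str, advisory: str) -> bool:
    """True when the installed build is the advisory's fixed build or a later one."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(advisory)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0   # version first, then release

def audit(rpm_qa_lines, advisory_pkgs):
    """For every installed package named in the advisory, report patched (True) or not."""
    fixed = {split_nvr(p)[0]: p for p in advisory_pkgs}
    return {line: is_patched(line, fixed[split_nvr(line)[0]])
            for line in rpm_qa_lines if split_nvr(line)[0] in fixed}

# Fixed builds from the CentOS announcement quoted in post 7.
ADVISORY = ["bind-9.3.4-6.0.1.P1.el5_2", "bind-devel-9.3.4-6.0.1.P1.el5_2",
            "bind-libs-9.3.4-6.0.1.P1.el5_2", "bind-utils-9.3.4-6.0.1.P1.el5_2"]
# The poster's 'rpm -qa | grep -i bind' output from post 7.
RPM_QA = ["bind-9.3.4-6.0.2.P1.el5_2", "ypbind-1.19-8.el5", "bind-libs-9.3.4-6.0.2.P1.el5_2",
          "bind-devel-9.3.4-6.0.2.P1.el5_2", "bind-utils-9.3.4-6.0.2.P1.el5_2"]
STALE_BUILD = "bind-9.3.4-6.0.el5"   # constructed: what an unpatched box might show

if __name__ == "__main__":
    for pkg, ok in audit(RPM_QA, ADVISORY).items():
        print(f"{pkg}: {'patched' if ok else 'UNPATCHED'}")
    print("bare-version check says outdated:", rpmvercmp("9.3.4", "9.3.5") < 0)
```

The last line reproduces the scanner's mistake: on the upstream version alone 9.3.4 really is older, which is why a version-only check keeps flagging a fully backported build.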
  10. josesan311

    josesan311 Active Member

    Can someone please confirm I'm running the patched bind?

    I will really appreciate it.

    Thank you.
     
  11. rrwh

    rrwh Well-Known Member

    On your server you can test it using the following command

    dig +short porttest.dns-oarc.net TXT @127.0.0.1

    Of course - take a look at www.dns-oarc.net as well for further info.

    It is much better to actually test if your server is vulnerable than rely on inconsistent version numbers.
     
  12. handsonhosting

    handsonhosting Well-Known Member

    It's too bad that these PCI places only look at the version number rather than doing the test :(

    We've done the upgrades etc, but since it still has the older version number, they're still crying. Maybe I'll have to manually upgrade just to get them off my back.

    Thanks for the feedback Kenneth, it's appreciated.
     
  13. MaraBlue

    MaraBlue Well-Known Member

    You can edit named.conf so the version doesn't show. That's recommended for security purposes, anyway. Under the 'options' section:

    Code:
    version " ";
    HTH :)
     
  14. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    The PCI Specification also allows for you, the company owner, to provide written verification obtained from the Operating System, or software, vendor that the application in question is indeed fully patched.
     
  15. handsonhosting

    handsonhosting Well-Known Member

    Yeah, McAfee don't like us when we set the version information empty. We have told them on a number of occasions in the past, with other notices, that we were compliant and updated, and all is fine for a while, then they flag the client again and the whole process must be repeated. Sometimes they're more headache than they're worth!

    Oh well - such is life I guess.
     