Synopsis
The remote Debian host is missing a security-related update.
Description
Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS spoofing and cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.
Solution
At this time, it is not possible to implement the recommended countermeasures in the GNU libc stub resolver. The following workarounds are available:
1. Install a local BIND 9 resolver on the host, possibly in forward-only mode. BIND 9 will then use source port randomization when sending queries over the network.
(Other caching resolvers can be used instead.)
2. Rely on IP address spoofing protection if available. Successful attacks must spoof the address of one of the resolvers, which may not be possible if the network is guarded properly against IP spoofing attacks (both from internal and external sources).
This DSA will be updated when patches for hardening the stub resolver are available.
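One way to confirm that workaround 1 is taking effect is to capture the host's outgoing DNS queries and check that their UDP source ports actually vary. The script below is an added example, not part of the advisory or the plugin; the function names, the thresholds, and the sample capture lines are assumptions constructed for illustration.

```python
import re
import statistics

# Source side of a `tcpdump -n udp dst port 53` line, for example:
# "12:00:00.000000 IP 192.0.2.10.53124 > 198.51.100.1.53: 4660+ A? example.org. (29)"
QUERY_RE = re.compile(r"IP \d+\.\d+\.\d+\.\d+\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")


def source_ports(lines):
    """Return the UDP source ports of outgoing DNS queries, in capture order."""
    return [int(m.group(1)) for m in map(QUERY_RE.search, lines) if m]


def assess(ports, min_samples=8, min_stdev=3000.0):
    """Classify source-port behaviour; both thresholds are illustrative assumptions."""
    if len(ports) < min_samples:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "fixed-port"          # every query leaves from the same port
    if all(0 < b - a <= 16 for a, b in zip(ports, ports[1:])):
        return "incrementing"        # predictable: the next port is easy to guess
    if statistics.pstdev(ports) < min_stdev:
        return "narrow-range"        # ports vary, but only within a small window
    return "randomized"


def sample_capture(ports):
    """Build constructed tcpdump-style lines (documentation addresses only)."""
    return [
        f"12:00:0{i}.000000 IP 192.0.2.10.{p} > 198.51.100.1.53: "
        f"{4660 + i}+ A? example.org. (29)"
        for i, p in enumerate(ports)
    ]


if __name__ == "__main__":
    captures = {
        "fixed port": [32768] * 8,
        "incrementing ports": list(range(1024, 1032)),
        "varied ports": [53124, 10233, 41877, 2950, 61012, 27645, 49301, 18776],
    }
    for label, ports in captures.items():
        print(label, "->", assess(source_ports(sample_capture(ports))))
```

Run it against queries captured on the external interface: with a local caching resolver in place, queries from applications go to the loopback address, and only the resolver's own upstream queries need randomized source ports.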
Plugin Details
File Name: debian_DSA-1605.nasl
Agent: unix
Supported Sensors: Continuous Assessment, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P
Vulnerability Information
CPE: cpe:/o:debian:debian_linux
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Reference Information
CVE: CVE-2008-1447
CERT: 800113
DSA: 1605
IAVA: 2008-A-0045
OSVDB: 47232, 47916, 47926, 47927, 48245