ISC BIND DNS Query ID Field Prediction Cache Poisoning (deprecated)

medium Nessus Network Monitor Plugin ID 4578

Synopsis

The remote DNS server is vulnerable to a cache-poisoning attack.

Description

The remote host is running a version of the BIND DNS server that fails to randomize the UDP source port. This could allow an attacker to poison the DNS cache. With a poisoned cache, DNS clients can be directed to rogue sites, which greatly simplifies phishing attacks.

Solution

Many vendors build their DNS solution on top of BIND. Contact your specific DNS vendor for a fix. While the only true fix is to use DNSSEC, ISC has released patched versions of BIND that make it harder for attackers to spoof DNS answers. This is accomplished by expanding the range of UDP ports from which queries are sent. The following versions of ISC BIND increase the range of utilized UDP ports: 9.5.0-P1, 9.5.1b1, 9.4.2-P1, 9.4.3b2, 9.3.5-P1.
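
The following Python example is added here and is not the plugin's detection logic or ISC code. It classifies the source ports a resolver uses on consecutive outbound queries and estimates how many bits a forged answer would have to match (the 16-bit query ID plus any unpredictable port bits), which is what the expanded port range increases. The sample port lists, thresholds and function names are assumptions constructed for this illustration.

```python
import math
from collections import Counter

TXID_BITS = 16  # width of the DNS query ID field

# Constructed samples: source ports of consecutive outbound queries from a resolver.
SAMPLES = {
    "fixed": [32768] * 12,
    "sequential": [1025 + i for i in range(12)],
    "randomized": [50311, 1193, 27648, 61002, 14455, 39870,
                   8231, 55019, 21764, 45098, 3307, 63550],
}


def classify_ports(ports, min_samples=10, dominant_step=0.5):
    """Classify source-port behaviour and estimate unpredictable port bits.

    Thresholds are assumptions chosen for this example, not vendor values.
    """
    if len(ports) < min_samples:
        raise ValueError("need at least %d observations" % min_samples)
    if len(set(ports)) == 1:
        return "fixed", 0.0
    # A single dominant step between consecutive ports means the next one is guessable.
    steps = Counter(b - a for a, b in zip(ports, ports[1:]))
    if steps.most_common(1)[0][1] / (len(ports) - 1) >= dominant_step:
        return "predictable", 0.0
    span = max(ports) - min(ports) + 1
    return "randomized", math.log2(span)  # rough estimate from the observed span


def spoof_guess_bits(ports):
    """Bits a forged answer must match: query ID plus unpredictable port bits."""
    verdict, port_bits = classify_ports(ports)
    return verdict, TXID_BITS + port_bits


if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        verdict, bits = spoof_guess_bits(ports)
        print(f"{name:<11} {verdict:<12} ~{bits:.1f} bits per forged answer")
```

A resolver that reports "fixed" or "predictable" leaves only the 16-bit query ID as protection; check that it runs a patched version and that its configuration or a NAT device in front of it is not pinning or rewriting the source port.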

See Also

http://www.kb.cert.org/vuls/id/800113

Plugin Details

Severity: Medium

ID: 4578

Family: DNS Servers

Published: 8/18/2004

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:isc:bind

Reference Information

CVE: CVE-2008-1447

BID: 30131