Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: BIND cache poisoning vulnerability details released - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
BIND cache poisoning vulnerability details released

Amit Klein wrote about a paper he just released with details about a BIND 9 cache poisoning issue. This is one of the problems addressed by the latest version of BIND 9.

The very brief summary: BIND prior to version 9.4.1-P1 did not use a strong algorithm to create DNS transaction IDs. As a result, one can derive the next transaction ID BIND will use by knowning the last few transaction IDs. In this case, up to 15 queries are used.

Once the attacker knows the "state" of the targets BIND install, it is possible to forge a response. DNS uses UDP by default. Each query sent by the DNS server includes a random transaction ID. The server responding to the query will include this transaction ID so the querying DNS server knows what query is answered by this particular response. BIND always uses the same source port for its queries.

The attack appears to be quite feasible. Probably the main difficulty will be to get the spoofed packet routed. But unless the attackers network implements strict egress filtering, this is very much a feasible attack. Best to patch your BIND server soon.

CVE: CVE-2007-2926
Versions affected:   BIND 9.0 (all versions)
BIND 9.1 (all versions)
BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8
BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
BIND 9.4.0, 9.4.1
BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Not vulnerable: BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6

For details, see link:

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4479 Posts
ISC Handler
Sep 6th 2007

Sign Up for Free or Log In to start participating in the conversation!