ID CVE-2008-4194
Summary The p_exec_query function in src/dns_query.c in pdnsd before 1.2.7-par allows remote attackers to cause a denial of service (daemon crash) via a long DNS reply with many entries in the answer section, related to a "dangling pointer bug."
References
Vulnerable Configurations
  • cpe:2.3:a:pdnsd:pdnsd:1.2.1_par
  • cpe:2.3:a:pdnsd:pdnsd:1.2-par
  • cpe:2.3:a:pdnsd:pdnsd:1.2.4-par
  • cpe:2.3:a:pdnsd:pdnsd:1.2.5-par
  • cpe:2.3:a:pdnsd:pdnsd:1.2.6-par
  • cpe:2.3:a:pdnsd:pdnsd:1.1.11a-par
  • cpe:2.3:a:pdnsd:pdnsd:1.1.11-par
  • cpe:2.3:a:pdnsd:pdnsd:1.1.10-par
  • cpe:2.3:a:pdnsd:pdnsd:1.1.9-par
  • cpe:2.3:a:pdnsd:pdnsd:1.1.8b1-par8
  • cpe:2.3:a:pdnsd:pdnsd:1.1.8b1-par7
  • cpe:2.3:a:pdnsd:pdnsd:1.1.8b1-par6
  • cpe:2.3:a:pdnsd:pdnsd:1.1.8b1-par5
  • cpe:2.3:a:pdnsd:pdnsd:1.1.8b1-par4
  • cpe:2.3:a:pdnsd:pdnsd:1.1.7a
  • cpe:2.3:a:pdnsd:pdnsd:1.1.7
CVSS
Base: 5.0 (as of 25-09-2008 - 08:22)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
exploit-db via4
  • description BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (c). CVE-2008-1447,CVE-2008-4194. Remote exploits for multiple platform
    file exploits/multiple/remote/6130.c
    id EDB-ID:6130
    last seen 2016-01-31
    modified 2008-07-25
    platform multiple
    port
    published 2008-07-25
    reporter Marc Bevand
    source https://www.exploit-db.com/download/6130/
    title BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit c
    type remote
  • description BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py). CVE-2008-1447,CVE-2008-4194. Remote exploits for multiple platform
    file exploits/multiple/remote/6123.py
    id EDB-ID:6123
    last seen 2016-02-01
    modified 2008-07-24
    platform multiple
    port
    published 2008-07-24
    reporter Julien Desfossez
    source https://www.exploit-db.com/download/6123/
    title BIND 9.x - Remote DNS Cache Poisoning Flaw Exploit py
    type remote
  • description BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (meta). CVE-2008-1447,CVE-2008-4194. Remote exploits for multiple platform
    file exploits/multiple/remote/6122.rb
    id EDB-ID:6122
    last seen 2016-02-01
    modified 2008-07-23
    platform multiple
    port
    published 2008-07-23
    reporter I)ruid
    source https://www.exploit-db.com/download/6122/
    title BIND 9.4.1-9.4.2 - Remote DNS Cache Poisoning Flaw Exploit meta
    type remote
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1623.NASL
    description Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian's dnsmasq packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult. This update also switches the random number generator to Dan Bernstein's SURF.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 33772
    published 2008-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33772
    title Debian DSA-1623-1 : dnsmasq - DNS cache poisoning
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_X86_109327.NASL
    description SunOS 5.8_x86: libresolv.so.2, in.named an. Date this patch was last updated by Sun : Mar/09/09
    last seen 2018-09-02
    modified 2016-12-12
    plugin id 13429
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13429
    title Solaris 8 (x86) : 109327-24
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_109326.NASL
    description SunOS 5.8: libresolv.so.2, in.named and BI. Date this patch was last updated by Sun : Mar/09/09
    last seen 2018-09-01
    modified 2016-12-12
    plugin id 13321
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13321
    title Solaris 8 (sparc) : 109326-24
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_112837.NASL
    description SunOS 5.9: in.dhcpd libresolv and BIND9 pa. Date this patch was last updated by Sun : Jul/21/11
    last seen 2018-09-02
    modified 2016-12-12
    plugin id 26165
    published 2007-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26165
    title Solaris 9 (sparc) : 112837-24
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1603.NASL
    description Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult. Note that this security update changes BIND network behavior in a fundamental way, and the following steps are recommended to ensure a smooth upgrade. 1. Make sure that your network configuration is compatible with source port randomization. If you guard your resolver with a stateless packet filter, you may need to make sure that no non-DNS services listen on the 1024--65535 UDP port range and open it at the packet filter. For instance, packet filters based on etch's Linux 2.6.18 kernel only support stateless filtering of IPv6 packets, and therefore pose this additional difficulty. (If you use IPv4 with iptables and ESTABLISHED rules, networking changes are likely not required.) 2. Install the BIND 9 upgrade, using 'apt-get update' followed by 'apt-get install bind9'. Verify that the named process has been restarted and answers recursive queries. (If all queries result in timeouts, this indicates that networking changes are necessary; see the first step.) 3. Verify that source port randomization is active. Check that the /var/log/daemon.log file does not contain messages of the following form named[6106]: /etc/bind/named.conf.options:28: using specific query-source port suppresses port randomization and can be insecure. right after the 'listening on IPv6 interface' and 'listening on IPv4 interface' messages logged by BIND upon startup. 
If these messages are present, you should remove the indicated lines from the configuration, or replace the port numbers contained within them with '*' sign (e.g., replace 'port 53' with 'port *'). For additional certainty, use tcpdump or some other network monitoring tool to check for varying UDP source ports. If there is a NAT device in front of your resolver, make sure that it does not defeat the effect of source port randomization. 4. If you cannot activate source port randomization, consider configuring BIND 9 to forward queries to a resolver which can, possibly over a VPN such as OpenVPN to create the necessary trusted network link. (Use BIND's forward-only mode in this case.) Other caching resolvers distributed by Debian (PowerDNS, MaraDNS, Unbound) already employ source port randomization, and no updated packages are needed. BIND 9.5 up to and including version 1:9.5.0.dfsg-4 only implements a weak form of source port randomization and needs to be updated as well. For information on BIND 8, see DSA-1604-1, and for the status of the libc stub resolver, see DSA-1605-1. The updated bind9 packages contain changes originally scheduled for the next stable point release, including the changed IP address of L.ROOT-SERVERS.NET (Debian bug # 449148).
    last seen 2019-01-16
    modified 2018-12-18
    plugin id 33450
    published 2008-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33450
    title Debian DSA-1603-1 : bind9 - DNS cache poisoning
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200901-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-200901-03 (pdnsd: Denial of Service and cache poisoning) Two issues have been reported in pdnsd: The p_exec_query() function in src/dns_query.c does not properly handle many entries in the answer section of a DNS reply, related to a 'dangling pointer bug' (CVE-2008-4194). The default value for query_port_start was set to 0, disabling UDP source port randomization for outgoing queries (CVE-2008-1447). Impact : An attacker could exploit the second weakness to poison the cache of pdnsd and thus spoof DNS traffic, which could e.g. lead to the redirection of web or mail traffic to malicious sites. The first issue can be exploited by enticing pdnsd to send a query to a malicious DNS server, or using the port randomization weakness, and might lead to a Denial of Service. Workaround : Port randomization can be enabled by setting the 'query_port_start' option to 1024 which would resolve the CVE-2008-1447 issue.
    last seen 2019-01-16
    modified 2018-07-11
    plugin id 35347
    published 2009-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35347
    title GLSA-200901-03 : pdnsd: Denial of Service and cache poisoning
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1619.NASL
    description Multiple weaknesses have been identified in PyDNS, a DNS client implementation for the Python language. Dan Kaminsky identified a practical vector of DNS response spoofing and cache poisoning, exploiting the limited entropy in a DNS transaction ID and lack of UDP source port randomization in many DNS implementations. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery. The Common Vulnerabilities and Exposures project identifies this class of weakness as CVE-2008-1447 and this specific instance in PyDNS as CVE-2008-4099.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 33739
    published 2008-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33739
    title Debian DSA-1619-1 : python-dns - DNS response spoofing
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2008-0014.NASL
    description I Security Issues a. Setting ActiveX kill bit Starting from this release, VMware has set the kill bit on its ActiveX controls. Setting the kill bit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the Microsoft KB article 240797 and the related references on this topic. Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of- service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user. Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested. Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions. VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls. b. VMware ISAPI Extension Denial of Service The Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product. 
One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual. VMware would like to thank the Juniper Networks J-Security Security Research Team for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3697 to this issue. c. OpenProcess Local Privilege Escalation on Host System This release fixes a privilege escalation vulnerability in host systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges. VMware would like to thank Sun Bing from McAfee, Inc. for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3698 to this issue. d. Update to Freetype FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to 2.3.7. The Common Vulnerabilities and Exposures Project (cve.mitre.com) has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6. e. Update to Cairo Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to 1.4.14. The Common Vulnerabilities and Exposures (cve.mitre.com) has assigned the name CVE-2007-5503 to this issue. f. VMware Consolidated Backup (VCB) command-line utilities may expose sensitive information VMware Consolidated Backup command-line utilities accept the user password through the -p command-line option. 
Users logged into the ESX service console or into the system that runs VCB could gain access to the username and password used by VCB command-line utilities when such commands are running. The ESX patch and the new version of VCB resolve this issue by providing an alternative way of passing the password used by VCB command-line utilities. VCB in ESX ---------- The following options are recommended for passing the password : 1. The password is specified in /etc/backuptools.conf (PASSWORD=xxxxx), and -p is not used in the command line. /etc/backuptools.conf file permissions are read/write only for root. 2. No password is specified in /etc/backuptools.conf and the -p option is not used in the command line. The user will be prompted to enter a password. ESX is not affected unless you use VCB. Stand-alone VCB --------------- The following options are recommended for passing the password : 1. The password is specified in config.js (PASSWORD=xxxxx), and -p is not used in the command line. The file permissions on config.js are read/write only for the administrator. The config.js file is located in folder 'config' of the VCB installation folder. For example, C:\Program Files\Vmware\Vmware Consolidated Backup Framework\config. 2. The password is specified in the registry, and is not specified in config.js, and -p is not used in the command line. Access to the registry key holding the password is allowed only to the administrator. The location of the registry key is : On Windows x86: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\ VMware Consolidated Backup\Password On Windows x64: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ VMware, Inc.\VMware Consolidated Backup\Password 3. The password is not specified in the registry, and is not specified in config.js, and -p is not used in the command line. The user will be prompted to enter a password. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2101 to this issue. g. 
Third-Party Library libpng Updated to 1.2.29 Several flaws were discovered in the way third-party library libpng handled various PNG image chunks. An attacker could create a carefully crafted PNG image file in such a way that it causes an application linked with libpng to crash when the file is manipulated. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5269 to this issue. NOTE: There are multiple patches required to remediate the issue. II ESX Service Console rpm updates a. update to bind This update upgrades the service console rpms for bind-utils and bind-lib to version 9.2.4-22.el3. Version 9.2.4.-22.el3 addresses the recently discovered vulnerability in the BIND software used for Domain Name resolution (DNS). VMware doesn't install all the BIND packages on ESX Server and is not vulnerable by default to the reported vulnerability. Of the BIND packages, VMware only ships bind-util and bind-lib in the service console and these components by themselves cannot be used to setup a DNS server. Bind-lib and bind-util are used in client DNS applications like nsupdate, nslookup, etc. VMware explicitly discourages installing applications like BIND on the service console. In case the customer has installed BIND, and the DNS server is configured to support recursive queries, their ESX Server system is affected and they should replace BIND with a patched version. Note: ESX Server will use the DNS server on the network it is on, so it is important to patch that DNS server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1447 to this issue.
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 40382
    published 2009-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40382
    title VMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-622-1.NASL
    description Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Bind. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 33464
    published 2008-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33464
    title Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : bind9 vulnerability (USN-622-1)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_114265.NASL
    description SunOS 5.9_x86: in.dhcpd libresolv and BIND. Date this patch was last updated by Sun : Jul/21/11
    last seen 2018-09-01
    modified 2016-12-12
    plugin id 27094
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27094
    title Solaris 9 (x86) : 114265-23
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-139.NASL
    description A weakness was found in the DNS protocol by Dan Kaminsky. A remote attacker could exploit this weakness to spoof DNS entries and poison DNS caches. This could be used to misdirect users and services; i.e. for web and email traffic (CVE-2008-1447). This update provides the latest stable BIND releases for all platforms except Corporate Server/Desktop 3.0 and MNF2, which have been patched to correct the issue.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 36526
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36526
    title Mandriva Linux Security Advisory : bind (MDVSA-2008:139)
refmap via4
confirm
vupen ADV-2008-2582
xf pdnsd-pexecquery-dos(45594)
Last major update 07-03-2011 - 22:12
Published 24-09-2008 - 07:42
Last modified 07-08-2017 - 21:32