The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of BIND: incorrect usage of OpenSSL DSA_verify

Summary of the vulnerability

The BIND server incorrectly uses the DSA_verify() function of OpenSSL, which can be used by an attacker to bypass the signature check.
Vulnerable systems: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, AIX, BIND, Mandriva Linux, Mandriva NF, NetBSD, NLD, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, RHEL, Slackware, SLES, TurboLinux, ESX.
Severity of this threat: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/01/2009.
Revision date: 08/01/2009.
References of this weakness: 250846, 6791029, BID-33151, CERTA-2011-AVI-616, CVE-2009-0025, CVE-2009-0265, DSA-1703-1, FEDORA-2009-0350, FEDORA-2009-0451, FreeBSD-SA-09:04.bind, IV09491, IV09978, IV10049, IV11742, IV11743, IV11744, MDVSA-2009:002, MDVSA-2009:037, ocert-2008-016, RHSA-2009:0020-01, SOL11503, SSA:2009-014-02, SSA:2009-015-01, SUSE-SA:2009:005, TLSA-2009-4, VIGILANCE-VUL-8372, VMSA-2009-0004, VMSA-2009-0004.1, VMSA-2009-0004.2, VMSA-2009-0004.3.

Description of the vulnerability 

The BIND server can use the DNSSEC protocol to authenticate DNS packets. In this case, BIND is compiled with OpenSSL.

The DSA_verify() function returns:
 - +1 if the signature is valid
 - 0 if the signature is invalid
 - -1 if an unexpected error occurred

However, instead of using:
  if (DSA_verify(...) <= 0) error;
BIND uses:
  if (!DSA_verify(...)) error;
Unexpected errors are thus handled as valid signatures.
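
The difference between the two checks, as an added example that is not BIND or OpenSSL code: toy_verify() is a hypothetical stand-in that follows the same 1 / 0 / -1 return convention, and treating a wrong-length signature as the unexpected-error case is an assumption of the example.

```c
#include <stdio.h>
#include <string.h>

#define SIG_LEN 4

/* Hypothetical stand-in (not OpenSSL) using the return convention listed
 * above: 1 = valid, 0 = invalid, -1 = unexpected error. The toy signature is
 * valid when it equals the digest; a wrong length is the assumed error case. */
static int toy_verify(const unsigned char *dgst, const unsigned char *sig,
                      size_t sig_len)
{
    if (sig == NULL || sig_len != SIG_LEN)
        return -1;
    return memcmp(dgst, sig, SIG_LEN) == 0 ? 1 : 0;
}

/* Flawed check: "!x" is true only for 0, so -1 falls through to accept. */
static int accept_flawed(const unsigned char *d, const unsigned char *s, size_t n)
{
    if (!toy_verify(d, s, n))
        return 0;
    return 1;
}

/* Corrected check: every non-positive result is a verification failure. */
static int accept_fixed(const unsigned char *d, const unsigned char *s, size_t n)
{
    if (toy_verify(d, s, n) <= 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const unsigned char dgst[SIG_LEN] = {0xde, 0xad, 0xbe, 0xef};
    const unsigned char bad[SIG_LEN]  = {0x00, 0x00, 0x00, 0x00};
    const unsigned char cut[2]        = {0xde, 0xad};

    printf("case       verify flawed fixed\n");
    printf("valid      %6d %6d %5d\n", toy_verify(dgst, dgst, SIG_LEN),
           accept_flawed(dgst, dgst, SIG_LEN), accept_fixed(dgst, dgst, SIG_LEN));
    printf("invalid    %6d %6d %5d\n", toy_verify(dgst, bad, SIG_LEN),
           accept_flawed(dgst, bad, SIG_LEN), accept_fixed(dgst, bad, SIG_LEN));
    printf("malformed  %6d %6d %5d\n", toy_verify(dgst, cut, sizeof cut),
           accept_flawed(dgst, cut, sizeof cut), accept_fixed(dgst, cut, sizeof cut));
    return 0;
}
```

Only the third row differs between the two checks, which is why a code audit for this class of bug looks for boolean negation applied to any function with a three-valued return.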

An attacker can therefore set up a malicious DNS server using an invalid signature.

This vulnerability has the CVE-2009-0025 identifier and is similar to VIGILANCE-VUL-8371.

When a solution to this vulnerability requires compilation and was applied without first applying VIGILANCE-SOL-16759, the CVE-2009-0265 vulnerability appears due to a bad link with OpenSSL.

This cybersecurity note impacts software or systems such as Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, AIX, BIND, Mandriva Linux, Mandriva NF, NetBSD, NLD, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, RHEL, Slackware, SLES, TurboLinux, ESX.

Our Vigil@nce team determined that the severity of this computer weakness announcement is important.

The trust level is "confirmed by the editor", with an origin of "internet server".

This bulletin is about 2 vulnerabilities.

An attacker with an expert ability can exploit this cybersecurity vulnerability.

Solutions for this threat 

BIND: version 9.6.0-P1.
Version 9.6.0-P1 is corrected:
  https://www.isc.org/downloadables/11
VIGILANCE-SOL-16759 has to be applied first.

BIND: version 9.5.2.
Version 9.5.2 is corrected:
  ftp://ftp.isc.org/isc/bind9/9.5.2/bind-9.5.2.tar.gz

BIND: version 9.5.1-P1.
Version 9.5.1-P1 is corrected:
  https://www.isc.org/downloadables/11
VIGILANCE-SOL-16759 has to be applied first.

BIND: version 9.4.3-P1.
Version 9.4.3-P1 is corrected:
  https://www.isc.org/downloadables/11
VIGILANCE-SOL-16759 has to be applied first.

BIND: version 9.3.6-P1.
Version 9.3.6-P1 is corrected:
  https://www.isc.org/downloadables/11
VIGILANCE-SOL-16759 has to be applied first.

BIG-IP: versions 10.0.1, 10.1.x, 10.2.x.
Versions 10.0.1, 10.1.x and 10.2.x are corrected:
  http://downloads.f5.com/

AIX: APAR for BIND.
An APAR is available:
  AIX 5.3 : IV09491
  AIX 6.1 : IV09978

AIX: patch for BIND.
A patch is available:
  http://aix.software.ibm.com/aix/efixes/security/bind9_ifix3.tar

Debian: new bind9 packages.
New packages are available:
  http://security.debian.org/pool/updates/main/b/bind9/*_9.3.4-2etch4_*.deb

Fedora: new bind packages.
New packages are available:
  bind-9.5.1-1.P1.fc9
  bind-9.5.1-1.P1.fc10

FreeBSD: patch for bind.
A patch is available:
  fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch
  fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch.asc

Mandriva: new bind packages.
New packages are available:
  Mandriva Linux 2008.0: bind-9.4.2-1.3mdv2008.0
  Mandriva Linux 2008.1: bind-9.5.0-3.3mdv2008.1
  Mandriva Linux 2009.0: bind-9.5.0-6.3mdv2009.0
  Corporate 3.0: bind-9.2.3-6.7.C30mdk
  Corporate 4.0: bind-9.3.5-0.6.20060mlcs4
  Multi Network Firewall 2.0: bind-9.2.3-6.7.C30mdk

NetBSD: version 5.0.2.
Version 5.0.2 is corrected:
  http://www.NetBSD.org/mirrors/

OpenBSD: patch for bind.
A patch is available:
OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/008_bind.patch
OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/008_bind.patch

RHEL: new bind packages.
New packages are available:
Red Hat Enterprise Linux version 2.1 : bind-9.2.1-11.el2
Red Hat Enterprise Linux version 3: bind-9.2.4-23.el3
Red Hat Enterprise Linux version 4: bind-9.2.4-30.el4_7.1
Red Hat Enterprise Linux version 5: bind-9.3.4-6.0.3.P1.el5_2

Slackware: new bind packages.
New packages are available:
Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/bind-9.3.6_P1-i386-1_slack8.1.tgz
Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/bind-9.3.6_P1-i386-1_slack9.0.tgz
Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/bind-9.3.6_P1-i486-1_slack9.1.tgz
Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/bind-9.3.6_P1-i486-1_slack10.0.tgz
Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/bind-9.3.6_P1-i486-1_slack10.1.tgz
Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/bind-9.3.6_P1-i486-2_slack10.2.tgz
Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/bind-9.3.6_P1-i486-2_slack11.0.tgz
Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/bind-9.4.3_P1-i486-1_slack12.0.tgz
Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.4.3_P1-i486-1_slack12.1.tgz
Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/bind-9.4.3_P1-i486-1_slack12.2.tgz

Solaris: patch for named.
A patch is available:
  SPARC Platform
    Solaris 9 : patch 112837-17
    Solaris 10 : patch 119783-09
    OpenSolaris : build snv_107
  x86 Platform
    Solaris 9 : patch 114265-16
    Solaris 10 : patch 119784-09
    OpenSolaris : build snv_107
A workaround is to disable DSA in named.conf:
  disable-algorithms . { DSA; };

SUSE: new bind packages.
New packages are available.

Turbolinux: new bind packages.
New packages are available.

VMware: new openssl, bind, vim packages.
New packages are available:
  ESX 4.0 ESX400-200912402-SG (openssl)
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-181-20091231-153046/ESX400-200912001.zip
  md5sum: 78c6cf139b7941dc736c9d3a41deae77
  sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59
  http://kb.vmware.com/kb/1016292
  ESX 3.5 ESX350-200904408-SG (openssl)
  http://download3.vmware.com/software/vi/ESX350-200904408-SG.zip
  md5sum: 3af12e08ec0e5f84b1b2646cb1ad0225
  http://kb.vmware.com/kb/1010133
  ESX 3.5 ESX350-200904407-SG (bind)
  http://download3.vmware.com/software/vi/ESX350-200904407-SG.zip
  md5sum: a1b9dbb410e76e2fd410d6766b1df210
  http://kb.vmware.com/kb/1010132
  ESX 3.5 ESX350-200904406-SG (vim)
  http://download3.vmware.com/software/vi/ESX350-200904406-SG.zip
  md5sum: a416ecc6e97fa484873026b8110672e7
  http://kb.vmware.com/kb/1010131
  ESX 3.0.3 ESX303-200903406-SG (openssl)
  http://download3.vmware.com/software/vi/ESX303-200903406-SG.zip
  md5sum: 45a2d32f9267deb5e743366c38652c92
  http://kb.vmware.com/kb/1008416
  ESX 3.0.3 ESX303-200903405-SG (bind)
  http://download3.vmware.com/software/vi/ESX303-200903405-SG.zip
  md5sum: 34d00fd9cca7f3e08c0857b4cc254710
  http://kb.vmware.com/kb/1008415
  ESX 3.0.3 ESX303-200903403-SG (vim)
  http://download3.vmware.com/software/vi/ESX303-200903403-SG.zip
  md5sum: 9790c9512aef18beaf0d1c7d405bed1a
  http://kb.vmware.com/kb/1008413
  ESX 3.0.2 ESX-1008409 (openssl)
  http://download3.vmware.com/software/vi/ESX-1008409.tgz
  md5sum: cb25fd47bc0713b968d8778c033bc846
  http://kb.vmware.com/kb/1008409
  ESX 3.0.2 ESX-1008408 (bind)
  http://download3.vmware.com/software/vi/ESX-1008408.tgz
  md5sum: b6bd9193892a9c89b9b7a1e0456d2a9a
  http://kb.vmware.com/kb/1008408
  ESX 3.0.2 ESX-1008406 (vim)
  http://download3.vmware.com/software/vi/ESX-1008406.tgz
  md5sum: f069daa58190b39e431cedbd26ce25ef
  http://kb.vmware.com/kb/1008406
  ESX 2.5.5 Upgrade Patch 13
  http://www.vmware.com/support/esx25/doc/esx-255-200905-patch.html
  http://download3.vmware.com/software/esx/esx-2.5.5-161312-upgrade.tar.gz
  md5sum: a477b7819f5a0d4cbd38b98432a48c88
  sha1sum: cceb38898108e48cc5b7e3298a03a369aa783699