BIND9, ISS and AUTHORS.BIND
Bill Larson
wllarso at swcp.com
Thu Feb 9 04:47:30 UTC 2006
On Feb 7, 2006, at 12:26 PM, Paul Vixie wrote:
>> I have a 9.3.1 build of BIND running on a Red Hat Enterprise Linux ES4
>> system. I *must* use the ISS scanner (http://www.iss.net/) to discover
>> and mitigate any vulnerabilities on the system before I can connect it
>> to the network. When I ran a scan of my box, I found the below Medium
>> vulnerability that I need to do something about.
>
> the ISS people are smoking the wrong drugs, in that case.
Or maybe the people that are saying that this computer cannot be
connected to the network.
>> Vulnerability Details:
>> M BindHostnameDisclosure: BIND hostname disclosure
>> BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
>> Unix systems. BIND versions 9.0 and later could allow a remote attacker
>> to obtain sensitive information. By sending a specially-crafted DNS
>> query for the record AUTHORS.BIND a remote attacker may learn the BIND
>> software version and the hostname of the DNS server. This information
>> could be helpful in launching further attacks.
>> Remedy:
>> No remedy available as of January 2005.
>
> the remedy is for them to remove this test from their suite. fpdns will
> tell anybody who wants to know, exactly what version of code you're
> running.
At http://documents.iss.net/literature/InternetScanner/reports/Line_Mgmt_Host_Vulnerability_Summary_Report.pdf,
there is an example of the report that the ISS scanner produces. In
particular, the example given identifies "BIND servers can be remotely
queried for their version", and the associated severity of this discovery
is listed as "low" (not medium). In fact, this same "low" severity is
given to using traceroute to map the network topology. This scan result
also identifies NFS services with a "low" severity (which I would have
some concerns about).
The implication that I am receiving is that even the ISS folks are
saying that this isn't a real problem, but simply a warning. I am
wondering if the original poster is talking with his security people to
understand what ISS is saying. ISS should be identifying all network
services that the system is providing, including DNS, and all network
services involve some risk. But, if you were to disable all network
services that allow any risk then you would no longer have a network
server.
Then again, maybe this person shouldn't be trying to provide any
network services, including DNS services. Remember that the original
poster is working for a US Government organization.
Bill Larson
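For a reader who would rather control what BIND 9 returns for these built-in CHAOS-class names than argue with the scanner, here is the relevant named.conf `options` fragment. It is an added example, not configuration from the thread; the loopback address in the comments is a constructed placeholder, and the statement about authors.bind is an assumption to be confirmed with the dig check.

```conf
options {
    // Added example (not from the thread). BIND 9.3 answers TXT queries
    // in class CHAOS for a few built-in names. Each has an option that
    // replaces the answer with a fixed string or disables it outright.

    // version.bind: defaults to the real version string.
    // A fixed string such as version "not disclosed"; also works.
    version none;

    // hostname.bind: defaults to the machine's gethostname() result.
    // This is the "hostname disclosure" the ISS finding refers to.
    hostname none;

    // id.server (and NSID): defaults to none already; state it explicitly
    // so a later edit does not turn it on by accident.
    server-id none;

    // Assumption: named also stops answering authors.bind once a version
    // string is configured. Verify after reloading, e.g.
    //   dig @127.0.0.1 version.bind CH TXT +short
    //   dig @127.0.0.1 hostname.bind CH TXT +short
    //   dig @127.0.0.1 authors.bind  CH TXT +short
    // Each should return nothing (or the fixed string you configured).
};
```

As Paul notes, fpdns fingerprints the server from its protocol behaviour regardless of these settings, so this only removes the scanner's finding, not the underlying information.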