AIX named8 & CVE-2008-1447 / VU#800113

Kevin Darcy kcd at chrysler.com
Wed Aug 13 22:54:00 UTC 2008


Mark van Huijstee wrote:
> Hi,
>
> As implementing the IBM provided fix for CVE-2008-1447/VU#800113 would mean 
> a lot of effort, I would like to find out if it is really needed.
> Our scenario:
>
> As the AIX resolver does not do any caching, we set up a caching-only 
> nameserver (named8) with the following configuration:
>
> options {
>        forward only;
>        forwarders { <IP DNS server1>;<IP DNS server2>; };
>        listen-on { 127.0.0.1; };
> };
>
> The /etc/resolv.conf only points to the loopback address.
>
>
> The way I see it is that in order to poison the cache the user needs to 
> have access to the system and run some kind of tool to perform the
> poisoning.
> As the named does not provide services to other hosts (it only listens to 
> the loopback address), the risk is very slim.
>
>
> My task is to do a risk analysis and have the correct actions performed in 
> this matter (if needed).
> I did open a service request with IBM, but I'm not sure if the reply will be 
> satisfying.
>
> Maybe some of the bind gurus can give me some further insights/suggestions 
> in this matter!
> Thanks a lot!
>
If the attacker can a) force your client to look up more-or-less 
arbitrary names, through carefully-crafted URLs/HTML pages, mail 
addresses, etc. and b) generate a significant number of DNS response 
packets, aimed at your IP address and appearing to originate from your 
ISP's resolver's address(es), then you're still at risk.

You may have bought yourself some time, but you should still patch. I'm 
sorry that IBM makes this so painful.

                     - Kevin
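As an added illustration, not part of this thread or of any IBM or ISC tooling: Kevin's point is that the spoofed responses arrive from outside regardless of what the caching server listens on, so what matters is how hard a response is to forge. One check a defender can run is to capture the forwarder's outbound queries (tcpdump-style lines; the two captures below are constructed, hypothetical samples using documentation addresses) and see whether the source port is fixed and whether transaction IDs are predictable.

```python
# Added example: assess how guessable this resolver's outbound queries are.
import math
import re
from collections import Counter

# Constructed, hypothetical tcpdump-style captures (RFC 5737 addresses).
# First sample: every query leaves from port 53 with sequential IDs.
FIXED_PORT_CAPTURE = """\
IP 198.51.100.10.53 > 192.0.2.1.53: 4112+ A? www.example.com. (33)
IP 198.51.100.10.53 > 192.0.2.1.53: 4113+ A? mail.example.com. (34)
IP 198.51.100.10.53 > 192.0.2.2.53: 4114+ MX? example.net. (29)
IP 198.51.100.10.53 > 192.0.2.1.53: 4115+ A? ftp.example.org. (33)
"""
# Second sample: randomized source port and ID per query (patched behaviour).
RANDOM_PORT_CAPTURE = """\
IP 198.51.100.10.40122 > 192.0.2.1.53: 59201+ A? www.example.com. (33)
IP 198.51.100.10.61744 > 192.0.2.1.53: 3388+ A? mail.example.com. (34)
IP 198.51.100.10.50019 > 192.0.2.2.53: 47765+ MX? example.net. (29)
IP 198.51.100.10.33890 > 192.0.2.1.53: 21004+ A? ftp.example.org. (33)
"""

# src.port > dst.port: txid   (the trailing '+' means recursion desired)
QUERY_RE = re.compile(r"IP \S+?\.(\d+) > \S+?\.(\d+): (\d+)\+?")


def parse_queries(capture):
    """Return (source_port, txid) for each outbound query line."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(3))))
    return pairs


def entropy_bits(values):
    """Shannon entropy of the observed values, in bits (0 for constant)."""
    if not values:
        return 0.0
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess(capture):
    """Summarize port and transaction-ID unpredictability of a capture."""
    pairs = parse_queries(capture)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    return {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        # A fixed port leaves only the 16-bit ID for a spoofer to guess.
        "fixed_source_port": len(set(ports)) == 1,
        # Observed entropy is capped at log2(sample size): capture many queries.
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "sequential_txids": len(txids) > 1
        and all(b - a == 1 for a, b in zip(txids, txids[1:])),
    }
```

A real capture needs hundreds of queries before the entropy figures mean much; the fixed-port and sequential-ID flags are reliable even on a handful.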


