Re: SNI-12: BIND Vulnerabilities and Solutions

David Wagner (daw@CS.BERKELEY.EDU)
Tue, 22 Apr 1997 18:11:23 -0700

In article <Pine.BSI.3.95.970422043557.16266A-100000@silence.secnet.com>,
Oliver Friedrichs <oliver@SECNET.COM> wrote:
> This advisory contains descriptions and solutions for two vulnerabilities
> present in current BIND distributions. These vulnerabilities are actively
> being exploited on the Internet.
>
> I. The usage of predictable IDs in queries and recursed queries allows for
> remote cache corruption. This allows malicious users to alter domain
> name server caches to change the addresses and hostnames of hosts on the
> internet.

Thanks for carefully describing the serious security vulnerability.

However, I think your patch won't fix the problem.

It attempts to make the query ID unpredictable, but fails -- the "random"
numbers it generates are still predictable (after a trivial 2^16 offline
trials). And the seeding is terrible -- two years ago Netscape used
timeofday and pid to seed their PRNG, too, and look what happened to them.

Tell me I'm missing something.
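The point about seeding can be made concrete with a small audit check. The block below is an added example, not code from this thread or from BIND: it models a 16-bit query ID generator as a toy linear congruential generator seeded from time-of-day and pid (constructed here to illustrate the argument, not a reproduction of the advisory's patch), then shows that anyone who sees a single emitted ID can recover the generator's state with at most 2^16 offline trials and name the next ID exactly. The `StrongIdGenerator` alongside it draws each ID from the OS CSPRNG, so there is no reusable state to recover.

```python
import os
import secrets
import time

MASK16 = 0xFFFF


class WeakIdGenerator:
    """Toy 16-bit LCG seeded from time-of-day XOR pid (constructed for this example).

    Any LCG with an odd multiplier is a bijection mod 2^16, so each output
    determines the internal state completely; the seed space is also only
    2^16 wide, so both properties make the stream trivially predictable.
    """
    A, C = 25173, 13849  # odd multiplier, odd increment: full period mod 2^16

    def __init__(self, seed=None):
        if seed is None:
            # "timeofday and pid" style seeding: low entropy and guessable
            seed = (int(time.time()) ^ os.getpid()) & MASK16
        self.state = seed & MASK16

    def next_id(self):
        self.state = (self.A * self.state + self.C) & MASK16
        return self.state


def recover_seeds(observed):
    """Audit check: enumerate all 2^16 seeds and return those that reproduce
    the observed ID sequence. Cost is bounded by 65536 * len(observed)."""
    matches = []
    for seed in range(1 << 16):
        g = WeakIdGenerator(seed)
        # all() short-circuits on the first mismatch
        if all(g.next_id() == obs for obs in observed):
            matches.append(seed)
    return matches


def predict_next(observed):
    """Set of candidate next IDs consistent with the observed sequence.
    A singleton set means the generator state is fully recovered."""
    candidates = set()
    for seed in recover_seeds(observed):
        g = WeakIdGenerator(seed)
        for _ in observed:
            g.next_id()
        candidates.add(g.next_id())
    return candidates


def state_recoverable(observed):
    """True when the observed IDs pin the generator to exactly one state."""
    return len(predict_next(observed)) == 1


class StrongIdGenerator:
    """Each ID is an independent draw from the OS CSPRNG: no seed, no state,
    nothing for recover_seeds() to enumerate."""
    def next_id(self):
        return secrets.randbits(16)


if __name__ == "__main__":
    weak = WeakIdGenerator()
    seen = [weak.next_id()]            # a single observed query ID
    print("recovered seeds:", recover_seeds(seen))
    print("predicted next ID:", predict_next(seen), "actual:", weak.next_id())
    strong = StrongIdGenerator()
    print("CSPRNG IDs:", [strong.next_id() for _ in range(3)])
```

Run as a script, the weak generator's next ID is predicted exactly from one observation; the same `recover_seeds` check is the test a reviewer can apply to any proposed ID generator before accepting it as a fix. Widening the state to 32 bits does not help on its own if the seed is still derived from time and pid, because the search then runs over the few seeds that are plausible rather than the whole state space.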