DNS doozy, is there a 6.5.22m fix for this?

Open forum for security issues and info.
Forum rules
Any posts concerning pirated software or offering to buy/sell/trade commercial software are subject to removal.
User avatar
porter
Posts: 2917
Joined: Wed Nov 01, 2006 10:37 pm
Location: NZ

DNS doozy, is there a 6.5.22m fix for this?

Unread postby porter » Tue Jul 08, 2008 7:17 pm

Bigger than Ben Hur, bigger than Debian's ssh keys,

http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/

Is there a 6.5.22m fix for this?
Land of the Long White Cloud and no Software Patents.

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby nekonoko » Tue Jul 08, 2008 7:38 pm

I updated BIND9 in Nekoware with the fix.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

User avatar
porter
Posts: 2917
Joined: Wed Nov 01, 2006 10:37 pm
Location: NZ

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby porter » Tue Jul 08, 2008 8:21 pm

Does that replace standard the client resolver library? Or is it a server only fix?
Land of the Long White Cloud and no Software Patents.

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby nekonoko » Tue Jul 08, 2008 8:35 pm

It's the standard BIND server package with the required patch.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

User avatar
porter
Posts: 2917
Joined: Wed Nov 01, 2006 10:37 pm
Location: NZ

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby porter » Tue Jul 08, 2008 9:44 pm

nekonoko wrote:It's the standard BIND server package with the required patch.


Sorry to be pedantic, but is this a "neko_bind" or does this actually replace the resolver used by SGI compiled programs?
Land of the Long White Cloud and no Software Patents.

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby nekonoko » Tue Jul 08, 2008 9:53 pm

It's neko_bind of course, but my understanding is that by running a local caching nameserver, the local resolver won't need to reach out to a malicious source. At least that was my interpretation of:

Run a local DNS cache

In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.


http://www.kb.cert.org/vuls/id/800113

This is, of course, what I do here.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

mgtremaine
Posts: 303
Joined: Wed Feb 22, 2006 1:58 pm
Location: San Diego, Ca
Contact:

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby mgtremaine » Thu Jul 10, 2008 9:20 am

I saw this test floating around another list it is worth having.

https://www.dns-oarc.net/


dig +short porttest.dns-oarc.net TXT

In windows you can use nslookup
> nslookup
> set type=txt
> porttest.dns-oarc.net

All the linux boxes I patched are fine [yeah!] but the Solaris 10 box I did yesterday is still poor [it did ask for reboot so as soon as I do that I hope it fixes up.] You can try the nslookup under IRIX to see if your server/workstation is ok.

-Mike

User avatar
nekonoko
Site Admin
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California
Contact:

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby nekonoko » Thu Jul 10, 2008 9:29 am

Cool, my IRIX systems came back with GOOD on that test :)
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

SAQ
Posts: 5871
Joined: Wed Jul 19, 2006 8:37 am
Location: Renton, WA

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby SAQ » Mon Aug 04, 2008 10:18 pm

It's coming up on a month - any news of a SGI patch for any IRIX version?
"Brakes??? What Brakes???"

"I am O SH-- the Great and Powerful"

:Indigo: :Octane: :Indigo2: :Indigo2IMP: :Indy: :PI: :O3x0: :ChallengeL: :O2000R: (single-CM)

mgtremaine
Posts: 303
Joined: Wed Feb 22, 2006 1:58 pm
Location: San Diego, Ca
Contact:

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby mgtremaine » Tue Aug 05, 2008 7:37 am

"IRIX? Never heard of it." Says the SGI salesman. :)

-Mike

SAQ
Posts: 5871
Joined: Wed Jul 19, 2006 8:37 am
Location: Renton, WA

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby SAQ » Tue Aug 05, 2008 7:56 am

I suppose that technically you're unlikely to run into any future issues if you install the Nekoware BIND and run links to the IRIX BIND - after all the future upgrades potential of IRIX is limited, but there's a part of me that wants to keep it as original as possible.
"Brakes??? What Brakes???"

"I am O SH-- the Great and Powerful"

:Indigo: :Octane: :Indigo2: :Indigo2IMP: :Indy: :PI: :O3x0: :ChallengeL: :O2000R: (single-CM)

User avatar
porter
Posts: 2917
Joined: Wed Nov 01, 2006 10:37 pm
Location: NZ

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby porter » Tue Aug 05, 2008 11:18 am

I was under the impression this also required a client fix (so that the magic number in the DNS packet sent was randomized rather than incremented) so that would need a change to libc.so and/or libnsl.so.
Land of the Long White Cloud and no Software Patents.

User avatar
josehill
Moderator
Moderator
Posts: 3333
Joined: Mon Jun 06, 2005 9:53 pm
Location: New England, USA
Contact:

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby josehill » Tue Aug 05, 2008 5:27 pm

Might be worth it if a Nekochanner with a service contract opens a case just to get the scoop on when/whether there will be an official fix or a workaround. Unfortunately, I let my contract lapse a little while ago...

User avatar
josehill
Moderator
Moderator
Posts: 3333
Joined: Mon Jun 06, 2005 9:53 pm
Location: New England, USA
Contact:

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby josehill » Wed Aug 06, 2008 1:07 pm

porter wrote:I was under the impression this also required a client fix (so that the magic number in the DNS packet sent was randomized rather than incremented) so that would need a change to libc.so and/or libnsl.so.

Brief discussion of this in the OS X Leopard context at http://db.tidbits.com/article/9721 , presumably IRIX could be similar.

User avatar
hamei
Posts: 10435
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Re: DNS doozy, is there a 6.5.22m fix for this?

Unread postby hamei » Mon Sep 29, 2008 2:42 am

nekonoko wrote:Cool, my IRIX systems came back with GOOD on that test :)

Heh heh

Code: Select all

text = "208.67.219.13 is GREAT: 26 queries in 0.1 seconds from 26 ports with std dev 18595"


Return to “SGI: Security”

Who is online

Users browsing this forum: No registered users and 1 guest