Security & Vulnerability Updates
BlueCat Networks understands the critical nature of DNS, DHCP and IPAM services and the impact of a security risk to these services. As part of BlueCat's initiative to provide customers with up-to-date information on potential security issues, we publicly track all known security issues related to our products. A description of each published security issue is listed below outlining the impact of each issue and how to mitigate against the attack.
Ghost Domain Names: Revoked Yet Still Resolvable
CERT NUMBER: CVE-2012-1033
Summary
ISC has been notified by Haixin Duan (a professor at Tsinghua University in Beijing China, who is currently visiting the International Computer Science Institute (ICSI) at the University of California, Berkeley) about a DNS resolver vulnerability. This vulnerability allows a miscreant to keep a domain name in the cache even after it has been deleted from registration. ISC is evaluating the risk of this vulnerability, but the published paper shows how this was done live across the Internet. It lists several DNS implementations and open resolver deployments as vulnerable.
Short Description:
Tsinghua University researchers discovered " a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers." The issue, which is in all versions of BIND 9 to our knowledge, "exploits a vulnerability in DNS cache update policy, which prevents effective domain name revocation. Attackers could cause a malicious domain name to be continuously resolvable even after the delegated data has been deleted from the domain registry and after the TTL associated with entry supposedly expires." (quoted sections are from the Tsinghua University research document)
Workarounds: :
Workarounds are under investigation
BlueCat Networks assessment of the CVE-2012-1033 security advisory has demonstrated that Adonis appliances running v4.x, v5.x and v6.x may be subject to this vulnerability. BlueCat Networks is committed to ensuring the security of its DDI solution. We are working closely with ISC to assess the risk of this vulnerability and publish patches within the shortest possible timeframe. In the mean time, we will continue to provide updates both through direct communication and via our public website. Thank you for your continuing partnership and cooperation.
An Error in DDNS Processing of DHCPv6 Leases Can Cause a Crash in ISC dhcpd
CERT NUMBER: CVE-2011-4868
Summary
A vulnerability has been announced by the ISC (Internet Systems Consortium) — CVE-2011-4868 which affects ISC DHCP.
Short Description:
Due to improper handling of a DHCPv6 lease structure, ISC DHCP servers that are serving IPv6 address pools AND using Dynamic DNS can encounter a segmentation fault error while updating lease status under certain conditions. The potential exists for this condition to be intentionally triggered, resulting in effective denial of service to clients expecting service from the affected server. Users of affected versions who use DHCPv6 and Dynamic DNS should upgrade to version 4.2.3-P2.
BlueCat Networks assessment of the CVE-2011-4868 security advisory has demonstrated that Adonis appliances, whether physical or virtual, running v4.x, v5.x or v6.x, are not subject to this vulnerability. BlueCat Networks Adonis appliances currently use a version of ISC DHCP that is not affected. There is therefore no need for BlueCat Networks customers to patch their Adonis appliances to address CVE-2011-4868.
For more information on Adonis appliances, please contact us via Care care.bluecatnetworks.com and we'll be happy to assist you.
Thank you for your continuing partnership and cooperation.