The p_exec_query function in src/dns_query.c in pdnsd before 1.2.7-par allows remote attackers to cause a denial of service (daemon crash) via a long DNS reply with many entries in the answer section, related to a "dangling pointer bug."

I Security Issues

 a. Setting ActiveX kill bit

     Starting from this release, VMware has set the kill bit on its      ActiveX controls. Setting the kill bit ensures that ActiveX      controls cannot run in Internet Explorer (IE), and avoids      security issues involving ActiveX controls in IE. See the      Microsoft KB article 240797 and the related references on this      topic.

     Security vulnerabilities have been reported for ActiveX controls      provided by VMware when run in IE. Under specific circumstances,      exploitation of these ActiveX controls might result in denial-of-      service or can allow running of arbitrary code when the user      browses a malicious Web site or opens a malicious file in IE      browser. An attempt to run unsafe ActiveX controls in IE might      result in pop-up windows warning the user.
       Note: IE can be configured to run unsafe ActiveX controls without            prompting.  VMware recommends that you retain the default            settings in IE, which prompts when unsafe actions are            requested.

     Earlier, VMware had issued knowledge base articles, KB 5965318 and      KB 9078920 on security issues with ActiveX controls. To avoid      malicious scripts that exploit ActiveX controls, do not enable      unsafe ActiveX objects in your browser settings. As a best      practice, do not browse untrusted Web sites as an administrator      and do not click OK or Yes if prompted by IE to allow certain      actions.

     VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai,      and Michal Bucko for reporting these issues to us.

     The Common Vulnerabilities and Exposures Project (cve.mitre.org)      has assigned the names CVE-2008-3691, CVE-2008-3692,      CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and      CVE-2008-3696 to the security issues with VMware ActiveX controls.

 b. VMware ISAPI Extension Denial of Service

     The Internet Server Application Programming Interface (ISAPI) is      an API that extends the functionality of Internet Information      Server (IIS). VMware uses ISAPI extensions in its Server product.

     One of the ISAPI extensions provided by VMware is vulnerable to a      remote denial of service. By sending a malformed request, IIS      might shut down. IIS 6.0 restarts automatically. However, IIS 5.0      does not restart automatically when its Startup Type is set to      Manual.

     VMware would like to thank the Juniper Networks J-Security      Security Research Team for reporting this issue to us.

     The Common Vulnerabilities and Exposures Project (cve.mitre.org)      has assigned the name CVE-2008-3697 to this issue.

 c. OpenProcess Local Privilege Escalation on Host System

     This release fixes a privilege escalation vulnerability in host      systems.  Exploitation of this vulnerability allows users to run      arbitrary code on the host system with elevated privileges.

     VMware would like to thank Sun Bing from McAfee, Inc. for      reporting this issue to us.

     The Common Vulnerabilities and Exposures Project (cve.mitre.org)      has assigned the name CVE-2008-3698 to this issue.

 d. Update to Freetype

     FreeType 2.3.6 resolves an integer overflow vulnerability and other      vulnerabilities that can allow malicious users to run arbitrary code      or might cause a denial-of-service after reading a maliciously      crafted file. This release updates FreeType to 2.3.7.

     The Common Vulnerabilities and Exposures Project (cve.mitre.com)      has assigned the names CVE-2008-1806, CVE-2008-1807, and      CVE-2008-1808 to the issues resolved in Freetype 2.3.6.

 e. Update to Cairo

     Cairo 1.4.12 resolves an integer overflow vulnerability that can      allow malicious users to run arbitrary code or might cause a      denial-of-service after reading a maliciously crafted PNG file.
     This release updates Cairo to 1.4.14.

     The Common Vulnerabilities and Exposures (cve.mitre.com) has      assigned the name CVE-2007-5503 to this issue.

  f. VMware Consolidated Backup (VCB) command-line utilities may expose      sensitive information

     VMware Consolidated Backup command-line utilities accept the user      password through the -p command-line option. Users logged into the      ESX service console or into the system that runs VCB could gain      access to the username and password used by VCB command-line utilities      when such commands are running.

     The ESX patch and the new version of VCB resolve this issue by      providing an alternative way of passing the password used by VCB      command-line utilities.

     VCB in ESX
     ----------      The following options are recommended for passing the password :

     1. The password is specified in /etc/backuptools.conf      (PASSWORD=xxxxx), and -p is not used in the command line.
     /etc/backuptools.conf file permissions are read/write only      for root.

     2. No password is specified in /etc/backuptools.conf and the
     -p option is not used in the command line. The user will be       prompted to enter a password.

     ESX is not affected unless you use VCB.

     Stand-alone VCB
     ---------------      The following options are recommended for passing the password :

     1. The password is specified in config.js (PASSWORD=xxxxx), and -p      is not used in the command line. The file permissions on config.js      are read/write only for the administrator. The config.js file is      located in folder 'config' of the VCB installation folder. For example,      C:\Program Files\Vmware\Vmware Consolidated Backup Framework\config.

     2. The password is specified in the registry, and is not specified in      config.js, and -p is not used in the command line. Access to the      registry key holding the password is allowed only to the administrator.
     The location of the registry key is :
     On Windows x86: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\                      VMware Consolidated Backup\Password      On Windows x64: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\                      VMware, Inc.\VMware Consolidated Backup\Password

     3. The password is not specified in the registry, and is not specified in      config.js, and -p is not used in the command line. The user will be      prompted to enter a password.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)      has assigned the name CVE-2008-2101 to this issue.

  g. Third-Party Library libpng Updated to 1.2.29

     Several flaws were discovered in the way third-party library      libpng handled various PNG image chunks. An attacker could      create a carefully crafted PNG image file in such a way that      it causes an application linked with libpng to crash when the      file is manipulated.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)      has assigned the name CVE-2007-5269 to this issue.

     NOTE: There are multiple patches required to remediate the issue.

II ESX Service Console rpm updates

  a. update to bind

     This update upgrades the service console rpms for bind-utils and      bind-lib to version 9.2.4-22.el3.

     Version 9.2.4.-22.el3 addresses the recently discovered      vulnerability in the BIND software used for Domain Name      resolution (DNS). VMware doesn't install all the BIND packages      on ESX Server and is not vulnerable by default to the reported      vulnerability. Of the BIND packages, VMware only ships bind-util      and bind-lib in the service console and these components by      themselves cannot be used to setup a DNS server. Bind-lib and      bind-util are used in client DNS applications like nsupdate,      nslookup, etc.

     VMware explicitly discourages installing applications like BIND      on the service console. In case the customer has installed BIND,      and the DNS server is configured to support recursive queries,      their ESX Server system is affected and they should replace BIND      with a patched version.

     Note: ESX Server will use the DNS server on the network it is      on, so it is important to patch that DNS server.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)      has assigned the name CVE-2008-1447 to this issue.

A weakness was found in the DNS protocol by Dan Kaminsky. A remote attacker could exploit this weakness to spoof DNS entries and poison DNS caches. This could be used to misdirect users and services; i.e.
for web and email traffic (CVE-2008-1447).

This update provides the latest stable BIND releases for all platforms except Corporate Server/Desktop 3.0 and MNF2, which have been patched to correct the issue.

The remote host is affected by the vulnerability described in GLSA-200901-03 (pdnsd: Denial of Service and cache poisoning)

    Two issues have been reported in pdnsd:
    The p_exec_query() function in src/dns_query.c does not properly handle     many entries in the answer section of a DNS reply, related to a     'dangling pointer bug' (CVE-2008-4194).
    The default value for query_port_start was set to 0, disabling UDP     source port randomization for outgoing queries (CVE-2008-1447).
  Impact :

    An attacker could exploit the second weakness to poison the cache of     pdnsd and thus spoof DNS traffic, which could e.g. lead to the     redirection of web or mail traffic to malicious sites. The first issue     can be exploited by enticing pdnsd to send a query to a malicious DNS     server, or using the port randomization weakness, and might lead to a     Denial of Service.
  Workaround :

    Port randomization can be enabled by setting the 'query_port_start'     option to 1024 which would resolve the CVE-2008-1447 issue.

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

This update changes Debian's dnsmasq packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult.

This update also switches the random number generator to Dan Bernstein's SURF.

Multiple weaknesses have been identified in PyDNS, a DNS client implementation for the Python language. Dan Kaminsky identified a practical vector of DNS response spoofing and cache poisoning, exploiting the limited entropy in a DNS transaction ID and lack of UDP source port randomization in many DNS implementations. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery.

The Common Vulnerabilities and Exposures project identifies this class of weakness as CVE-2008-1447 and this specific instance in PyDNS as CVE-2008-4099.

Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Bind. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult.

Note that this security update changes BIND network behavior in a fundamental way, and the following steps are recommended to ensure a smooth upgrade.

1. Make sure that your network configuration is compatible with source port randomization. If you guard your resolver with a stateless packet filter, you may need to make sure that no non-DNS services listen on the 1024--65535 UDP port range and open it at the packet filter. For instance, packet filters based on etch's Linux 2.6.18 kernel only support stateless filtering of IPv6 packets, and therefore pose this additional difficulty. (If you use IPv4 with iptables and ESTABLISHED rules, networking changes are likely not required.)

2. Install the BIND 9 upgrade, using 'apt-get update' followed by 'apt-get install bind9'. Verify that the named process has been restarted and answers recursive queries. (If all queries result in timeouts, this indicates that networking changes are necessary; see the first step.)

3. Verify that source port randomization is active. Check that the /var/log/daemon.log file does not contain messages of the following form

named[6106]: /etc/bind/named.conf.options:28: using specific query-source port suppresses port randomization and can be insecure.

right after the 'listening on IPv6 interface' and 'listening on IPv4 interface' messages logged by BIND upon startup. If these messages are present, you should remove the indicated lines from the configuration, or replace the port numbers contained within them with '*' sign (e.g., replace 'port 53' with 'port *').

For additional certainty, use tcpdump or some other network monitoring tool to check for varying UDP source ports. If there is a NAT device in front of your resolver, make sure that it does not defeat the effect of source port randomization.

4. If you cannot activate source port randomization, consider configuring BIND 9 to forward queries to a resolver which can, possibly over a VPN such as OpenVPN to create the necessary trusted network link. (Use BIND's forward-only mode in this case.)

Other caching resolvers distributed by Debian (PowerDNS, MaraDNS, Unbound) already employ source port randomization, and no updated packages are needed. BIND 9.5 up to and including version 1:9.5.0.dfsg-4 only implements a weak form of source port randomization and needs to be updated as well. For information on BIND 8, see DSA-1604-1, and for the status of the libc stub resolver, see DSA-1605-1.

The updated bind9 packages contain changes originally scheduled for the next stable point release, including the changed IP address of L.ROOT-SERVERS.NET (Debian bug # 449148).

SunOS 5.9_x86: in.dhcpd libresolv and BIND.
Date this patch was last updated by Sun : Jul/21/11

SunOS 5.9: in.dhcpd libresolv and BIND9 pa.
Date this patch was last updated by Sun : Jul/21/11

SunOS 5.8_x86: libresolv.so.2, in.named an.
Date this patch was last updated by Sun : Mar/09/09

SunOS 5.8: libresolv.so.2, in.named and BI.
Date this patch was last updated by Sun : Mar/09/09

ID	Name	Product	Family	Severity
40382	VMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.	Nessus	VMware ESX Local Security Checks	medium
36526	Mandriva Linux Security Advisory : bind (MDVSA-2008:139)	Nessus	Mandriva Local Security Checks	medium
35347	GLSA-200901-03 : pdnsd: Denial of Service and cache poisoning	Nessus	Gentoo Local Security Checks	medium
33772	Debian DSA-1623-1 : dnsmasq - DNS cache poisoning	Nessus	Debian Local Security Checks	medium
33739	Debian DSA-1619-1 : python-dns - DNS response spoofing	Nessus	Debian Local Security Checks	medium
33464	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : bind9 vulnerability (USN-622-1)	Nessus	Ubuntu Local Security Checks	medium
33450	Debian DSA-1603-1 : bind9 - DNS cache poisoning	Nessus	Debian Local Security Checks	medium
27094	Solaris 9 (x86) : 114265-23	Nessus	Solaris Local Security Checks	medium
26165	Solaris 9 (sparc) : 112837-24	Nessus	Solaris Local Security Checks	medium
13429	Solaris 8 (x86) : 109327-24	Nessus	Solaris Local Security Checks	critical
13321	Solaris 8 (sparc) : 109326-24	Nessus	Solaris Local Security Checks	critical

Detections

Analytics

CVE-2008-4194

high

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

critical

critical