DNS Server Source Port 53 Query Usage

Medium Nessus Network Monitor Plugin ID 4601

Synopsis

The remote DNS server is vulnerable to a cache-poisoning attack.

Description

The remote host is running a DNS server that is configured to use port 53 as its source port for queries. This is extremely dangerous as an attacker only needs to spoof a 16-bit transaction ID in order to poison the DNS cache. A poisoned cache means that DNS clients can be directed to rogue sites and greatly simplifies phishing attacks.

Solution

Ensure that the DNS server is fully patched and can utilize a wide range of UDP source port numbers. For ISC servers, ensure that the following line does not exist within the configuration file: "query-source address * port 53;"

See Also

http://www.kb.cert.org/vuls/id/800113

Plugin Details

Severity: Medium

ID: 4601

File Name: 4601.prm

Family: DNS Servers

Published: 2008/07/22

Modified: 2017/02/02

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 6.4

Temporal Score: 5.9

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Reference Information

CVE: CVE-2008-1447

BID: 30131

IAVA: 2008-A-0045