The dnsmasq DNS resolver used a fixed source UDP port. This could have made DNS spoofing attacks easier. dnsmasq has been updated to use random UDP source ports, helping to make DNS spoofing attacks harder.
(CVE-2008-1447)

s700_800 11.23 Bind 9.2.0 components : 

A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to cause DNS cache poisoning.

The transaction id and the UDP source port used for DNS queries by the bind nameserver were predicatable. Attackers could potentially exploit that weakness to manipulate the DNS cache ('DNS cache poisoning', CVE-2008-1447).

I Security Issues

 a. Setting ActiveX kill bit

     Starting from this release, VMware has set the kill bit on its      ActiveX controls. Setting the kill bit ensures that ActiveX      controls cannot run in Internet Explorer (IE), and avoids      security issues involving ActiveX controls in IE. See the      Microsoft KB article 240797 and the related references on this      topic.

     Security vulnerabilities have been reported for ActiveX controls      provided by VMware when run in IE. Under specific circumstances,      exploitation of these ActiveX controls might result in denial-of-      service or can allow running of arbitrary code when the user      browses a malicious Web site or opens a malicious file in IE      browser. An attempt to run unsafe ActiveX controls in IE might      result in pop-up windows warning the user.
       Note: IE can be configured to run unsafe ActiveX controls without            prompting.  VMware recommends that you retain the default            settings in IE, which prompts when unsafe actions are            requested.

     Earlier, VMware had issued knowledge base articles, KB 5965318 and      KB 9078920 on security issues with ActiveX controls. To avoid      malicious scripts that exploit ActiveX controls, do not enable      unsafe ActiveX objects in your browser settings. As a best      practice, do not browse untrusted Web sites as an administrator      and do not click OK or Yes if prompted by IE to allow certain      actions.

     VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai,      and Michal Bucko for reporting these issues to us.

     The Common Vulnerabilities and Exposures Project (cve.mitre.org)      has assigned the names CVE-2008-3691, CVE-2008-3692,      CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and      CVE-2008-3696 to the security issues with VMware ActiveX controls.

 b. VMware ISAPI Extension Denial of Service

     The Internet Server Application Programming Interface (ISAPI) is      an API that extends the functionality of Internet Information      Server (IIS). VMware uses ISAPI extensions in its Server product.

     One of the ISAPI extensions provided by VMware is vulnerable to a      remote denial of service. By sending a malformed request, IIS      might shut down. IIS 6.0 restarts automatically. However, IIS 5.0      does not restart automatically when its Startup Type is set to      Manual.

     VMware would like to thank the Juniper Networks J-Security      Security Research Team for reporting this issue to us.

     The Common Vulnerabilities and Exposures Project (cve.mitre.org)      has assigned the name CVE-2008-3697 to this issue.

 c. OpenProcess Local Privilege Escalation on Host System

     This release fixes a privilege escalation vulnerability in host      systems.  Exploitation of this vulnerability allows users to run      arbitrary code on the host system with elevated privileges.

     VMware would like to thank Sun Bing from McAfee, Inc. for      reporting this issue to us.

     The Common Vulnerabilities and Exposures Project (cve.mitre.org)      has assigned the name CVE-2008-3698 to this issue.

 d. Update to Freetype

     FreeType 2.3.6 resolves an integer overflow vulnerability and other      vulnerabilities that can allow malicious users to run arbitrary code      or might cause a denial-of-service after reading a maliciously      crafted file. This release updates FreeType to 2.3.7.

     The Common Vulnerabilities and Exposures Project (cve.mitre.com)      has assigned the names CVE-2008-1806, CVE-2008-1807, and      CVE-2008-1808 to the issues resolved in Freetype 2.3.6.

 e. Update to Cairo

     Cairo 1.4.12 resolves an integer overflow vulnerability that can      allow malicious users to run arbitrary code or might cause a      denial-of-service after reading a maliciously crafted PNG file.
     This release updates Cairo to 1.4.14.

     The Common Vulnerabilities and Exposures (cve.mitre.com) has      assigned the name CVE-2007-5503 to this issue.

  f. VMware Consolidated Backup (VCB) command-line utilities may expose      sensitive information

     VMware Consolidated Backup command-line utilities accept the user      password through the -p command-line option. Users logged into the      ESX service console or into the system that runs VCB could gain      access to the username and password used by VCB command-line utilities      when such commands are running.

     The ESX patch and the new version of VCB resolve this issue by      providing an alternative way of passing the password used by VCB      command-line utilities.

     VCB in ESX
     ----------      The following options are recommended for passing the password :

     1. The password is specified in /etc/backuptools.conf      (PASSWORD=xxxxx), and -p is not used in the command line.
     /etc/backuptools.conf file permissions are read/write only      for root.

     2. No password is specified in /etc/backuptools.conf and the
     -p option is not used in the command line. The user will be       prompted to enter a password.

     ESX is not affected unless you use VCB.

     Stand-alone VCB
     ---------------      The following options are recommended for passing the password :

     1. The password is specified in config.js (PASSWORD=xxxxx), and -p      is not used in the command line. The file permissions on config.js      are read/write only for the administrator. The config.js file is      located in folder 'config' of the VCB installation folder. For example,      C:\Program Files\Vmware\Vmware Consolidated Backup Framework\config.

     2. The password is specified in the registry, and is not specified in      config.js, and -p is not used in the command line. Access to the      registry key holding the password is allowed only to the administrator.
     The location of the registry key is :
     On Windows x86: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\                      VMware Consolidated Backup\Password      On Windows x64: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\                      VMware, Inc.\VMware Consolidated Backup\Password

     3. The password is not specified in the registry, and is not specified in      config.js, and -p is not used in the command line. The user will be      prompted to enter a password.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)      has assigned the name CVE-2008-2101 to this issue.

  g. Third-Party Library libpng Updated to 1.2.29

     Several flaws were discovered in the way third-party library      libpng handled various PNG image chunks. An attacker could      create a carefully crafted PNG image file in such a way that      it causes an application linked with libpng to crash when the      file is manipulated.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)      has assigned the name CVE-2007-5269 to this issue.

     NOTE: There are multiple patches required to remediate the issue.

II ESX Service Console rpm updates

  a. update to bind

     This update upgrades the service console rpms for bind-utils and      bind-lib to version 9.2.4-22.el3.

     Version 9.2.4.-22.el3 addresses the recently discovered      vulnerability in the BIND software used for Domain Name      resolution (DNS). VMware doesn't install all the BIND packages      on ESX Server and is not vulnerable by default to the reported      vulnerability. Of the BIND packages, VMware only ships bind-util      and bind-lib in the service console and these components by      themselves cannot be used to setup a DNS server. Bind-lib and      bind-util are used in client DNS applications like nsupdate,      nslookup, etc.

     VMware explicitly discourages installing applications like BIND      on the service console. In case the customer has installed BIND,      and the DNS server is configured to support recursive queries,      their ESX Server system is affected and they should replace BIND      with a patched version.

     Note: ESX Server will use the DNS server on the network it is      on, so it is important to patch that DNS server.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)      has assigned the name CVE-2008-1447 to this issue.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0021 for details.

The remote MiracleLinux 3 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2008-462:03 advisory.

    Dnsmasq consists of both lightweight and easy to configure DNS forwarder and DHCP server.
    It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local     machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows     machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or     in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP for network     booting of diskless machines.
    Fixed bugs:
    CVE-2008-1447:
    The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2)     Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations     allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to     conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction     IDs and source ports, aka DNS Insufficient Socket Entropy Vulnerability or the Kaminsky bug.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated bind packages that help mitigate DNS spoofing attacks are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

[Updated 10th July 2008] We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports.

ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols.

The DNS protocol protects against spoofing attacks by requiring an attacker to predict both the DNS transaction ID and UDP source port of a request. In recent years, a number of papers have found problems with DNS implementations which make it easier for an attacker to perform DNS cache-poisoning attacks.

Previous versions of BIND did not use randomized UDP source ports. If an attacker was able to predict the random DNS transaction ID, this could make DNS cache-poisoning attacks easier. In order to provide more resilience, BIND has been updated to use a range of random UDP source ports. (CVE-2008-1447)

Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4 and 5 to allow BIND to use random UDP source ports.

Users of BIND are advised to upgrade to these updated packages, which contain a backported patch to add this functionality.

Red Hat would like to thank Dan Kaminsky for reporting this issue.

The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-006 applied. 

This update contains security fixes for a number of programs.

Update to newer upstream version - 2.45. Version of dnsmasq previously shipped in Fedora 9 did not properly drop privileges, causing it to run as root instead of intended user nobody. Issue was caused by a bug in kernel-headers used in build environment of the original packages.
(#454415) New upstream version also adds DNS query source port randomization, mitigating DNS spoofing attacks. (CVE-2008-1447)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote DNS resolver does not use random ports when making queries to third-party DNS servers. An unauthenticated, remote attacker can exploit this to poison the remote DNS server, allowing the attacker to divert legitimate traffic to arbitrary sites.

9.5.0-P1 release which contains fix for CVE-2008-1447. This update also fixes parsing of inner ACLs.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
60462	Scientific Linux Security Update : dnsmasq on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	8/1/2012	1/14/2021	medium
33864	HP-UX PHNE_37865 : HP-UX Running BIND, Remote DNS Cache Poisoning (HPSBUX02351 SSRT080058 rev.6)	Nessus	HP-UX Local Security Checks	8/12/2008	1/11/2021	medium
39920	openSUSE Security Update : bind (bind-82)	Nessus	SuSE Local Security Checks	7/21/2009	1/14/2021	medium
40382	VMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.	Nessus	VMware ESX Local Security Checks	7/27/2009	1/6/2021	medium
137170	OracleVM 3.3 / 3.4 : bind (OVMSA-2020-0021)	Nessus	OracleVM Local Security Checks	6/5/2020	3/7/2024	medium
284225	MiracleLinux 3 : dnsmasq-2.45-1AXS3.1.1 (AXSA:2008-462:03)	Nessus	Miracle Linux Local Security Checks	1/14/2026	1/14/2026	medium
33462	RHEL 2.1 / 3 / 4 / 5 : bind (RHSA-2008:0533)	Nessus	Red Hat Local Security Checks	7/10/2008	1/14/2021	medium
34210	Mac OS X Multiple Vulnerabilities (Security Update 2008-006)	Nessus	MacOS X Local Security Checks	9/16/2008	5/28/2024	critical
35693	Fedora 9 : dnsmasq-2.45-1.fc9 (2009-1069)	Nessus	Fedora Local Security Checks	2/17/2009	1/11/2021	medium
33447	Multiple Vendor DNS Query ID Field Prediction Cache Poisoning	Nessus	DNS	7/9/2008	4/3/2024	medium
33470	Fedora 8 : bind-9.5.0-28.P1.fc8 (2008-6281)	Nessus	Fedora Local Security Checks	7/10/2008	1/11/2021	critical

Detections

Analytics

Plugins Search

medium

medium

medium

medium

medium

medium

medium

critical

medium

medium

critical