  • July 24, 2008 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    July 24 - DNS Cache Poisoning Public Exploit Code Available
    July 23 - NAT/PAT Affects DNS Cache Poisoning Mitigation
    July 22 - DNS Implementations Vulnerable to Cache Poisoning
    July 18 - BlackBerry Security Advisory
    July 17 - Mozilla Releases Firefox 3.0.1
    July 16 - WordPress Releases Version 2.6
    July 16 - Mozilla Releases Firefox 2.0.0.16
    July 15 - Oracle Releases Critical Patch Update for July 2008
    July 14 - Zone Alarm Releases Security Advisory
    July 11 - Apple Releases Security Updates for iPhone and iPod touch



    DNS Cache Poisoning Public Exploit Code Available

    added July 24, 2008 at 10:00 am

    US-CERT is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker's control.

    US-CERT strongly urges administrators to patch affected systems immediately. Please review the following US-CERT documents for further details:

    US-CERT will provide additional information as it becomes available.


    NAT/PAT Affects DNS Cache Poisoning Mitigation

    added July 23, 2008 at 02:13 pm

    US-CERT released a Current Activity entry and a Vulnerability Note on July 8, 2008 regarding deficiencies in DNS implementations. These deficiencies could leave an affected system vulnerable to cache poisoning. Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch systems or apply workarounds immediately.

    A number of patches implement source port randomization in the nameserver as a way to reduce the practicality of cache poisoning attacks. Administrators should be aware that in infrastructures where nameservers sit behind Network Address Translation (NAT) and Port Address Translation (PAT) devices, the randomized source port chosen by the nameserver may be overwritten by the NAT/PAT device, which could allocate a sequential port instead. This may weaken the protection offered by source port randomization in the nameserver.

    US-CERT encourages users to consider one of the following workarounds:

    • Place the nameserver outside of the NAT/PAT device in the network infrastructure.
    • Configure the NAT/PAT device to perform source port randomization.
    • Configure the NAT/PAT device to preserve the source port assigned by the nameserver.

    Additional information can be found in US-CERT Vulnerability Note VU#800113.

    More information will be provided as it becomes available.
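
    One way to check for the NAT/PAT effect described above is to classify the source ports of the nameserver's queries as they appear on the public side of the device. This is an added example, not US-CERT code: the toy PAT model `pat_translate`, the classifier `assess_source_ports`, the thresholds and the sample ports are all assumptions constructed for illustration.

```python
import random

SMALL_STEP = 16      # assumed: largest port gap still counted as "next port in line"
SEQ_THRESHOLD = 0.8  # assumed: share of small steps that marks sequential allocation
MIN_SPAN = 4096      # assumed: a narrower observed port range is treated as weak

def pat_translate(ports, mode, first_port=20000):
    """Toy PAT device: 'preserve' keeps the nameserver's port, 'sequential' overwrites it."""
    if mode == "preserve":
        return list(ports)
    out, nxt = [], first_port
    for i, _ in enumerate(ports):
        out.append(nxt)
        nxt += 1 + i % 3  # other flows through the device take some ports in between
    return out

def assess_source_ports(ports, min_samples=20):
    """Classify query source ports captured, in order, on the public side of the NAT/PAT."""
    if len(ports) < min_samples:
        return {"verdict": "insufficient-data", "samples": len(ports)}
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    # Sequential allocation shows up as a run of small positive steps.
    seq_ratio = sum(1 for d in deltas if 0 < d <= SMALL_STEP) / len(deltas)
    span = max(ports) - min(ports)
    if len(set(ports)) == 1:
        verdict = "fixed-port"
    elif seq_ratio >= SEQ_THRESHOLD:
        verdict = "sequential"
    elif span < MIN_SPAN:
        verdict = "narrow-range"
    else:
        verdict = "randomized"
    return {"verdict": verdict, "samples": len(ports),
            "sequential_ratio": round(seq_ratio, 2), "span": span}

# Constructed sample: 40 randomized ports as a patched nameserver might choose them.
rng = random.Random(2008)  # fixed seed only so the sample is reproducible
RESOLVER_PORTS = [rng.randint(1024, 65535) for _ in range(40)]

if __name__ == "__main__":
    for mode in ("preserve", "sequential"):
        seen = pat_translate(RESOLVER_PORTS, mode)
        print(mode, assess_source_ports(seen))
```

    In practice the port list would come from a packet capture taken outside the NAT/PAT device; a "sequential" or "fixed-port" verdict there means the nameserver's own randomization is not reaching the network.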


    DNS Implementations Vulnerable to Cache Poisoning

    added July 8, 2008 at 03:37 pm | updated July 22, 2008 at 07:50 am

    US-CERT is aware of deficiencies in the DNS protocol. Implementations of this protocol may leave the affected system vulnerable to DNS cache poisoning attacks. If an attacker can successfully conduct a cache poisoning attack, they may be able to cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. This may allow an attacker to obtain sensitive information or mislead users into believing they are visiting a legitimate website.

    UPDATE: Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately.

    US-CERT encourages users to review "VU#800113 - Multiple DNS implementations vulnerable to cache poisoning" and apply any necessary solutions listed in that document to help mitigate the risks.

    US-CERT will provide additional information as it becomes available.


    BlackBerry Security Advisory

    added July 16, 2008 at 10:46 am | updated July 18, 2008 at 10:06 am

    Research In Motion has released a Security Advisory to address a vulnerability in the BlackBerry Enterprise Server. This vulnerability is due to the improper processing of PDF files within the distiller component of the BlackBerry Attachment Service. By convincing a user to open a maliciously crafted PDF attachment on a BlackBerry smartphone, an attacker may be able to execute arbitrary code on the system running the BlackBerry Attachment Service.

    US-CERT encourages users to review BlackBerry Security Advisory KB15766 and apply the resolution or implement the workarounds listed in the document to help mitigate the risk.

    US-CERT will provide additional information as it becomes available.


    Mozilla Releases Firefox 3.0.1

    added July 17, 2008 at 08:16 am

    Mozilla has released Firefox 3.0.1 to address three vulnerabilities. Exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. One of these vulnerabilities may also affect Thunderbird and SeaMonkey. Two of these vulnerabilities were previously fixed in Firefox 2.0.0.16 as well; please see the US-CERT Current Activity entry Mozilla Releases Firefox 2.0.0.16 for additional information.

    US-CERT encourages users to review the following Mozilla Foundation Security Advisories and upgrade to Firefox 3.0.1 or implement the workarounds provided in the documents to help mitigate the risks:

    • MFSA 2008-34 : Remote code execution by overflowing CSS reference counter
    • MFSA 2008-35 : Command-line URLs launch multiple tabs when Firefox not running
    • MFSA 2008-36 : Crash with malformed GIF file on Mac OS X


    WordPress Releases Version 2.6

    added July 16, 2008 at 11:04 am

    WordPress has released version 2.6 to address approximately 194 bugs, some of which may be security related.

    US-CERT encourages users to review the WordPress Blog entry related to the release of version 2.6 and upgrade to WordPress version 2.6 to help mitigate any risks.


    Mozilla Releases Firefox 2.0.0.16

    added July 16, 2008 at 10:46 am

    Mozilla has released Firefox 2.0.0.16 to address two vulnerabilities. Exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. One of these vulnerabilities may also affect Thunderbird and SeaMonkey.

    US-CERT encourages users to review the following Mozilla Foundation Security Advisories and upgrade to a fixed version or implement the workarounds listed in the documents to help mitigate the risks:

    • MFSA 2008-34 : Remote code execution by overflowing CSS reference counter
    • MFSA 2008-35 : Command-line URLs launch multiple tabs when Firefox not running


    Oracle Releases Critical Patch Update for July 2008

    added July 15, 2008 at 04:38 pm

    Oracle has released its Critical Patch Update for July 2008 to address 45 vulnerabilities across several products. This update contains the following security fixes:

    • 11 updates for Oracle Database
    • 3 updates for TimesTen In-Memory Database
    • 9 updates for Oracle Application Server
    • 6 updates for Oracle E-Business Suite and Applications
    • 2 updates for Oracle Enterprise Manager
    • 7 updates for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
    • 7 updates for BEA Product Suite

    US-CERT encourages users to review the July Critical Patch Update and apply any necessary updates.


    Zone Alarm Releases Security Advisory

    added July 14, 2008 at 01:58 pm

    Zone Alarm has released a Security Advisory indicating that version 7.0.483.0 has been released to address an issue in the way Microsoft Security Bulletin MS08-037 affects Zone Alarm.

    US-CERT encourages users to review the Security Advisory and apply the Recommended Actions listed in the document.


    Apple Releases Security Updates for iPhone and iPod touch

    added July 11, 2008 at 03:17 pm

    Apple has released iPhone v2.0 and iPod touch v2.0 to address multiple vulnerabilities. These vulnerabilities affect CFNetwork, Kernel, Safari, and WebKit. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, spoof websites, conduct cross-site scripting attacks or cause a denial-of-service condition.

    US-CERT encourages users to review Apple Article HT2351 and apply any necessary updates.