BIND9, ISS and AUTHORS.BIND

Bill Larson wllarso at swcp.com
Thu Feb 9 04:47:30 UTC 2006


On Feb 7, 2006, at 12:26 PM, Paul Vixie wrote:

>> I have a 9.3.1 build of BIND running on a Red Hat Enterprise
>> Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
>> discover and mitigate any vulnerabilities on the system before I can
>> connect it to the network. When I ran a scan of my box, I found the
>> below Medium vulnerability that I need to do something about.
>
> the ISS people are smoking the wrong drugs, in that case.

Or maybe the people that are saying that this computer cannot be
connected to the network.

>> Vulnerability Details:
>> M BindHostnameDisclosure: BIND hostname disclosure. BIND (the Berkeley
>> Internet Name Daemon) is the Domain Name Service for Unix systems. BIND
>> versions 9.0 and later could allow a remote attacker to obtain sensitive
>> information. By sending a specially-crafted DNS query for the record
>> AUTHORS.BIND a remote attacker may learn the BIND software version and
>> the hostname of the DNS server. This information could be helpful in
>> launching further attacks.
>> Remedy:
>> No remedy available as of January 2005.
>
> the remedy is for them to remove this test from their suite.  fpdns will
> tell anybody who wants to know, exactly what version of code you're
> running.

At
http://documents.iss.net/literature/InternetScanner/reports/Line_Mgmt_Host_Vulnerability_Summary_Report.pdf,
there is an example of the report that the ISS scanner produces.  In
particular, the example given identifies "BIND servers can be remotely
queried for their version", and the associated severity of this discovery
is listed as "low" (not medium).  In fact, this same "low" severity is
given to using traceroute to map the network topology.  This scan result
also identifies NFS services with a "low" severity (which I would have
some concerns about).

The implication that I am receiving is that even the ISS folks are
saying that this isn't a real problem, but simply a warning.  I am
wondering if the original poster is talking with his security people to
understand what ISS is saying.  ISS should be identifying all network
services that the system is providing, including DNS, and all network
services involve some risk.  But, if you were to disable all network
services that allow any risk then you would no longer have a network
server.

Then again, maybe this person shouldn't be trying to provide any
network services, including DNS services.  Remember that the original
poster is working for a US Government organization.

Bill Larson
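The thread turns on what a CHAOS-class TXT query for names such as authors.bind, version.bind and hostname.bind actually returns, and on how an administrator can see for themselves what their own server discloses before a scanner does. The following script is an added example, not code from the mailing list or from ISC; it builds the wire-format query, parses the TXT strings out of a response, and is exercised offline against a constructed response packet. The sample packets, the transaction id 0x1234 and the function names are assumptions made for the example.

```python
import socket
import struct

# Built-in CHAOS-class names BIND serves from its internal zone (assumption:
# standard BIND 9 behaviour; the thread only discusses AUTHORS.BIND by name).
CHAOS_NAMES = ("version.bind", "authors.bind", "hostname.bind")
QTYPE_TXT = 16   # RR type TXT
QCLASS_CH = 3    # class CHAOS


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_chaos_txt_query(name, txid=0x1234):
    """Build a single-question DNS query for <name> TXT in class CH (constructed txid)."""
    # Header: id, flags (no RD needed, the built-in zone is authoritative), 1 question.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def read_name(msg, off):
    """Decode a name at offset <off>, following compression pointers.

    Returns (name, offset just past the name as it appears in the message)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:                                 # root label ends the name
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), end


def parse_txt_answers(msg):
    """Return the TXT strings of every CH-class TXT record in the answer section.

    A REFUSED or NXDOMAIN reply carries no answers and yields an empty list."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    strings = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):                       # <len><bytes> character-strings
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return strings


def query_server(host, name, port=53, timeout=2.0):
    """Send one CH TXT query over UDP to a server you administer and decode the reply."""
    q = build_chaos_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, port))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_txt_answers(data)


# Constructed sample packets (not captured from any real server).
_SAMPLE_TXT = b"constructed author string"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1, one answer
    + encode_name("authors.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    + b"\xc0\x0c"                                        # pointer to the question name
    + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 1 + len(_SAMPLE_TXT))
    + bytes([len(_SAMPLE_TXT)]) + _SAMPLE_TXT
)
SAMPLE_REFUSED = (
    struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0)   # QR=1, AA=1, RCODE=5 REFUSED
    + encode_name("authors.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                               # e.g. the address of your own server
        for n in CHAOS_NAMES:
            print(n, query_server(sys.argv[1], n))
    else:
        print("sample disclosure:", parse_txt_answers(SAMPLE_RESPONSE))
        print("sample refusal:   ", parse_txt_answers(SAMPLE_REFUSED))
```

Run it with no argument to see the parser work on the constructed packets, or with the address of a server you are responsible for to see exactly which of the three built-in names it answers; an empty list for a name means the server returned no CH TXT record for it, which is the outcome a scanner like the one in the thread would no longer flag.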