GEN:SID | 1:314 |
Message | DNS EXPLOIT named tsig overflow attempt |
Summary | This event is generated when a specific inverse query is performed against your DNS server as a precursor to a possible TSIG (transaction signature) buffer overflow attack.
|
Impact | Intelligence gathering. This event generates as a result of an inverse query of the DNS server in an attempt to gain access to information required for the TSIG exploit. An attacker will usually attempt a buffer overflow exploit if there is a response to the inverse query.
|
Detailed Information | This is an attempt to perform a specific DNS inverse query against your DNS server. While this specific action is not harmful itself, it signals a precusor to a possible buffer overflow attack for a TSIG vulernability. The inverse query is performed as a reconnaissance for the TSIG attack.
|
Affected Systems | BIND Versions 4 and Versions 8 through 8.2 are susceptible to the inverse query information leak.
|
Attack Scenarios | If a DNS server responds to the inverse query and leaks information required for the actual attack, the attacker exploitsthe TSIG buffer overflow vulnerability. If this is successful, the attacker gains access to the DNS server at the privilege of the "named" daemon.
|
Ease of Attack | Easy. Code is available to exploit the vulnerability.
|
Corrective Action | Update to BIND versions greater than 8.2 to prevent the information leak.
|
Additional References | Bugtraq: http://www.securityfocus.com/bid/2302
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010
Arachnids: http://www.whitehats.com/info/IDS482
|
Rule References | bugtraq: 2303
cve: 2001-0010
|