What is Security Supplement p534997, the BIND 9.4.2-P1 Update for UnixWare 7.1.4?

KEYWORDS: unixware 7.1.4 714 security bind 9.4.2 update supplement p534997 fz534997 CVE-2008-1447 dns domain name server randomization Insufficient Socket Entropy Vulnerability Kaminsky bug SCOSA-2009.2

RELEASE: SCO Unixware Release 7.1.4

PROBLEM: What is Security Supplement p534997, the BIND 9.4.2-P1 Update for UnixWare 7.1.4?

SOLUTION: The DNS protocol, as implemented in BIND 8 and 9 before 9.5.0-P1, allows remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."

p534997 fixes this vulnerability. What follows is the Security Advisory for this fix:

______________________________________________________________________________

                        SCO Security Advisory

Subject:                BIND 9.4.2-P1 Update for UnixWare 7.1.4
Advisory number:        SCOSA-2009.2
Issue date:             30th April 2009
Cross reference:        fz534997
                        CVE-2008-1447
                        VU#800113
______________________________________________________________________________

1. Problem Description

        The DNS implementation when making remote queries does
        not randomize UDP ports. The query id by itself does not
        provide sufficient randomization to thwart an attacker
        from a cache-poisoning attack where the cache may contain
        data from an unauthorized DNS server.

2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        UnixWare 7.1.4                  uw714mp4

3. Solution

        The proper solution is to install the relevant package below.

4. UnixWare 7.1.4

        This patch should only be installed on UnixWare 7.1.4 systems
        with Maintenance Pack 4 installed.

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/unixware7/714/security/p534997/

        4.2 Verification

        MD5 (p534997.image) = 54a6437ac9be4bb44876df4881ae5c5b

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        4.3 Installation Instructions

        1. Download the p534997.image file to the /tmp directory
           on your machine.

        2. As root, add the package to your system using these
           commands:

                $ su -
                Password: 
                # pkgadd -d /tmp/p534997.image

           Alternatively, this package may be installed in quiet
           mode, that is, without displaying the release notes and
           asking for confirmation. To do this, use these commands:

                $ su -
                Password: 
                # pkgadd -qd /tmp/p534997.image all

        3. There is no need to reboot the system after installing
           this package. However, if your system is running any
           libraries or commands that are contained in this package,
           then these programs will continue to run with the old
           versions of these libraries or commands until the system
           is rebooted.

           Note that when all necessary patches have been installed,
           it is good practice to reboot the system at the earliest
           opportunity. This will ensure that no programs continue
           to run with the old libraries or commands.

        4.4 Removal Instructions

        1. As root, remove the package using these commands:

                $ su -
                Password: 
                # pkgrm p534997

        2. Reboot the system after removing this package.

6. References

        SCO security resources:
                http://www.sco.com/support/download.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents fz534997.

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

7. Disclaimers

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

8. Acknowledgments

        SCO would like to thank Dan Kaminsky for reporting this issue.
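
Added example, not part of the SCO advisory or the BIND code: section 1 says the resolver does not randomize UDP source ports, so one way to confirm the update took effect is to classify the source ports seen on the resolver's outbound queries. The function names, the min_bits threshold and the port samples below are assumptions constructed for illustration; in practice the list would come from a packet capture of the resolver's outgoing DNS queries.

```python
import math
from collections import Counter

def sample_entropy_bits(ports):
    """Shannon entropy, in bits, of the source ports seen in the sample."""
    n = len(ports)
    return sum((c / n) * math.log2(n / c) for c in Counter(ports).values())

def assess_source_ports(ports, min_bits=3.0):
    """Classify source ports observed on a resolver's outbound queries.

    min_bits is an assumed threshold for this example, not a vendor value.
    """
    if len(ports) < 10:
        raise ValueError("need at least 10 observed queries")
    distinct = len(set(ports))
    # Step between consecutive queries, modulo the 16-bit port space.
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    bits = sample_entropy_bits(ports)
    if distinct == 1:
        verdict = "fixed"        # only the 16-bit query id varies
    elif len(steps) == 1:
        verdict = "sequential"   # ports differ but are predictable
    elif bits < min_bits:
        verdict = "weak"         # a few ports reused heavily
    else:
        verdict = "randomized"
    return {"verdict": verdict, "distinct": distinct, "bits": round(bits, 2)}

# Constructed samples (not captured from a real system).
FIXED = [32768] * 12
SEQUENTIAL = list(range(40000, 40012))
RANDOMIZED = [51234, 10877, 60211, 2954, 44102, 38775,
              19008, 57340, 7261, 33519, 62004, 25690]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)]:
        print(name, assess_source_ports(sample))
```

The sample entropy cannot exceed log2 of the number of queries observed, so a larger capture gives a more meaningful figure.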