CVE-2008-1447

Published: 08/07/2008 Updated: 24/03/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 6.8 | Impact Score: 4 | Exploitability Score: 2.2
VMScore: 575
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

The DNS protocol, as implemented in (1) BIND 8 and 9 prior to 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations, allows remote malicious users to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."

Vulnerable Product

isc bind 4

isc bind 8

isc bind 9.2.9

Vendor Advisories

Debian Bug report logs - #490217 python-dns vulnerable to CVE-2008-1447 DNS source port guessable Package: python-dns; Maintainer for python-dns is Scott Kitterman <scott@kittermancom>; Source for python-dns is src:python-dns (PTS, buildd, popcon) Reported by: Joe Malicki <jmalicki@metacartacom> Date: Thu, 10 Jul 2 ...
Debian Bug report logs - #490123 dnsmasq: appears to be vulnerable to cache poisoning attack CVE-2008-1447 Package: dnsmasq; Maintainer for dnsmasq is Simon Kelley <simon@thekelleysorguk>; Source for dnsmasq is src:dnsmasq (PTS, buildd, popcon) Reported by: Hamish Moffatt <hamish@debianorg> Date: Thu, 10 Jul 2008 ...
Debian Bug report logs - #492698 appears to be vulnerable to cache poisoning attack CVE-2008-1447 Package: adns; Maintainer for adns is Ian Jackson <ijackson@chiarkgreenendorguk>; Reported by: Thijs Kinkhorst <thijs@debianorg> Date: Mon, 28 Jul 2008 09:48:19 UTC Severity: serious Tags: security Found in version ...
Akira Tagoh discovered a vulnerability in Ruby which led to an integer overflow. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program (CVE-2008-2376). ...
Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Dnsmasq. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. ...
Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Bind. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. ...
Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change ...
In DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipp ...
Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS spoofing and cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. At this time, it is not possible to implement the recommended countermeasures in the GNU libc stub resolver. The following wo ...

Exploits

from scapy import * import random # Copyright (C) 2008 Julien Desfossez <ju@klipixorg> # wwwsolisprojectnet/ # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your o ...
/* * Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack * * Compilation: * $ gcc -o kaminsky-attack kaminsky-attackc `dnet-config --libs` -lm * * Dependency: libdnet (aka libdumbnet-dev under Ubuntu) * * Author: marcbevand at rapid7 dot com */ #define _BSD_SOURCE #include <sys/typesh> #include <errh> #include ...
BIND 9.x remote DNS cache poisoning flaw exploit using the vulnerability discovered by Dan Kaminsky ...
This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious nameserver entry into the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query ...
This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a r ...

Nmap Scripts

dns-random-srcport

Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

nmap -sU -p 53 --script=dns-random-srcport <target>

PORT   STATE SERVICE REASON
53/udp open  domain  udp-response
|_dns-random-srcport: X.X.X.X is GREAT: 26 queries in 1.2 seconds from 26 ports with std dev 17905

dns-random-txid

Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).

nmap -sU -p 53 --script=dns-random-txid <target>

PORT   STATE SERVICE REASON
53/udp open  domain  udp-response
|_dns-random-txid: X.X.X.X is GREAT: 27 queries in 61.5 seconds from 27 txids with std dev 20509

Github Repositories

DNS-BailiWicked-Host-Attack Name: DNS BailiWicked Host Attack Module: auxiliary/spoof/dns/bailiwicked_host License: Metasploit Framework License (BSD) Rank: Normal Disclosed: 2008-07-21 Provided by: I)ruid druid@caughqorg hdm x@hdmio Check supported: Yes Basic options: Name Current Setting Required Descripti

References

CWE-331