AltaVista Firewall '97 on Digital UNIX is vulnerable to a well-known DNS attack directed at BIND (a common version of a DNS server) which can give administrator privileges on the Firewall machine to a remote attacker.
The recommended workaround is to manually compile a later version of BIND that is not susceptible to this attack (for example, BIND 4.9.7) and manually replace the executable.
Another possibility is to upgrade to AltaVista Firewall '98, which is shipped with BIND 4.9.7.
Credit:
This vulnerability was first reported by: Jochen Thomas Bauer
Compaq issued a knowledge base article on this vulnerability in AltaVista Firewall '97 and the recommended approach to fixing it: http://support.altavista-software.com/kb/solutions/firewall/general/259-042398.asp
AltaVista Firewall proxies name server requests in order to make a logical division between an "outside" name server (that gives information to hosts outside the local network) and an "internal" name server that usually gives extended information for the local network (for example, computer names on the local network which should not be seen from outside).
The firewall redirects requests to the DNS machines. If the DNS is running on the firewall machine, the request will be redirected to port 8053 or 8153.
However, if the DNS is running on the firewall machine, a DNS request can be made directly to ports 8053 or 8153. The name server will deny requests coming from unauthorized hosts (it will only answer requests made from 127.0.0.1, which is the loopback interface, meaning that the firewall itself is making the request). Despite that, it is still possible to launch attacks on the name server.
For example, the BIND version that comes with AltaVista Firewall '97 is BIND-4.9.3, which is vulnerable to a remote attack that can give administrator access to attackers (even though the name server will not accept the query request).
Patching BIND on the firewall machine is very difficult, because the BIND on the firewall machine is custom installed, and so the normal patches will not work.
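To check locally whether the name server ports described above are reachable on a non-loopback address, the following added example (not part of the original advisory or of any vendor tooling) filters `netstat -an` output for sockets on ports 8053 and 8153. The BSD-style `address.port` column layout and the sample lines are assumptions constructed for illustration; adjust the field positions to the local `netstat` format.

```shell
#!/bin/sh
# Added example: audit which local addresses carry the firewall's DNS ports.
# Assumes BSD-style `netstat -an` lines: proto recv-q send-q local foreign [state]

DNS_PROXY_PORTS="8053 8153"   # ports named in the advisory

# Reads netstat lines on stdin; prints "proto local-address" for every
# socket on the DNS ports whose local address is not 127.0.0.1.
exposed_dns_listeners() {
    awk -v ports="$DNS_PROXY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            laddr = $4
            # Split "addr.port" at the last dot (the address itself contains dots).
            idx = 0
            for (i = length(laddr); i > 0; i--)
                if (substr(laddr, i, 1) == ".") { idx = i; break }
            if (idx == 0) next
            addr = substr(laddr, 1, idx - 1)
            port = substr(laddr, idx + 1)
            if (!(port in want)) next
            # For TCP only listening sockets matter; UDP has no state column.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            if (addr != "127.0.0.1") print $1, laddr
        }'
}

# Constructed sample input (not captured from a real firewall).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  *.8053             *.*                LISTEN
udp        0      0  *.8053             *.*
tcp        0      0  127.0.0.1.8153     *.*                LISTEN
udp        0      0  127.0.0.1.8153     *.*
tcp        0      0  127.0.0.1.8053     127.0.0.1.1042     ESTABLISHED
tcp        0      0  *.25               *.*                LISTEN'

# On a live system: netstat -an | exposed_dns_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_dns_listeners
```

Any line printed means the port accepts traffic on an address other than loopback, which is the exposure the advisory describes. Because the name server's own refusal of outside queries does not stop the attack, an empty result is not a substitute for replacing BIND 4.9.3 as described above.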