var-201009-0232
Vulnerability from variot
Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs, and does not properly use DNS query fields to validate responses, which makes it easier for man-in-the-middle attackers to poison the internal DNS cache via a crafted response. Traffic Server is an open source proxy server and web cache server developed by the Apache Software Foundation. The implementation has security issues that allow malicious users to perform DNS cache-poisoning attacks. Apache Traffic Server is prone to a remote DNS cache-poisoning vulnerability. An attacker can exploit this issue to divert data from a legitimate site to an attacker-specified site. Successful exploits will allow the attacker to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.
TITLE: Apache Traffic Server DNS Cache Poisoning Vulnerability
SECUNIA ADVISORY ID: SA41356
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41356/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41356
RELEASE DATE: 2010-09-09
DESCRIPTION: Tim Brown has reported a vulnerability in Apache Traffic Server, which can be exploited by malicious people to poison the DNS cache.
SOLUTION: Update to version 2.0.1.
PROVIDED AND/OR DISCOVERED BY: Tim Brown, Nth Dimension.
ORIGINAL ADVISORY: Apache: https://issues.apache.org/jira/browse/TS-425
Tim Brown: http://www.nth-dimension.org.uk/pub/NDSA20100830.txt.asc
Nth Dimension Security Advisory (NDSA20100830)
Date: 30th August 2010
Author: Tim Brown timb@nth-dimension.org.uk
URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
Product: Traffic Server 2.1.1, 2.0.0 http://trafficserver.apache.org/
Vendor: Apache Software Foundation http://www.apache.org/ / Yahoo! Inc
Risk: Medium
Summary
This advisory comes in 3 related parts:
1) Traffic Server uses a static (per DNS server) source port for making outgoing DNS queries.
2) Traffic Server uses a sequential transaction ID when constructing asynchronous DNS queries. Moreover, the algorithm used to select the initial transaction ID is not sufficiently random.
These vulnerabilities might significantly increase the chances of Traffic Server's internal DNS cache being poisoned.
After discussions with the vendor, CVE-2010-2952 was assigned to this vulnerability.

The source port is chosen at runtime using the DNSConnection::connect() method from iocore/dns/DNSConnection.cc:
```cpp
struct sockaddr_in bind_sa;
memset(&sa, 0, sizeof(bind_sa));
bind_sa.sin_family = AF_INET;
bind_sa.sin_addr.s_addr = INADDR_ANY;
int p = time(NULL) + offset;
p = (p % (LAST_RANDOM_PORT - FIRST_RANDOM_PORT)) + FIRST_RANDOM_PORT;
bind_sa.sin_port = htons(p);
Debug("dns", "random port = %d\n", p);
if ((res = socketManager.ink_bind(fd, (struct sockaddr *) &bind_sa, sizeof(bind_sa), Proto)) < 0) {
    offset += 101;
    continue;
}
```
Note that since FIRST_RANDOM_PORT is set to 16000, LAST_RANDOM_PORT is defined as 32000, and the underlying algorithm is predictable, the source port may be guessed.

The base number for the transaction ID is set at runtime using the DNSProcessor::dns_init() method from iocore/dns/DNS.cc:
```cpp
if (cval > 0) {
    dns_sequence_number = (unsigned int) (cval + DNS_SEQUENCE_NUMBER_RESTART_OFFSET);
    Debug("dns", "initial dns_sequence_number (cval) = %d\n", (u_short) dns_sequence_number);
} else {
    // select a sequence number at random
    dns_sequence_number = (unsigned int) (ink_get_hrtime() / HRTIME_MSECOND);
    Debug("dns", "initial dns_sequence_number (time) = %d\n", (u_short) dns_sequence_number);
}
```
and then incremented on each subsequent request as seen in the write_dns_event() function:
```cpp
++dns_sequence_number;
...
u_short i = (u_short) dns_sequence_number;
((HEADER *) (buffer))->id = htons(i);
```
3) When processing responses, Traffic Server walks a linked list which holds details of each attempted request and compares the incoming ID with its list to ascertain which request a given response relates to. This can be seen in the dns_process() function from iocore/dns/DNS.cc:
```cpp
DNSEntry *e = get_dns(handler, (u_short) ntohs(h->id));
...
inline static DNSEntry *
get_dns(DNSHandler * h, u_short id)
{
    for (DNSEntry * e = h->entries.head; e; e = (DNSEntry *) e->link.next) {
        if (e->once_written_flag)
            for (int j = 0; j < MAX_DNS_RETRIES; j++)
                if (e->id[j] == id)
                    return e;
                else if (e->id[j] < 0)
                    goto Lnext;
        Lnext:;
    }
    return NULL;
}
```
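An added example (not code from the advisory or from the Traffic Server patch) of stricter matching than the ID-only lookup above: a response is accepted only if its source, transaction ID, question name, type and class all agree with the outstanding query. The struct, the function names and the 192.0.2.53 resolver address are hypothetical, and the sample packets are constructed.

```c
/* Added example; struct and function names are hypothetical, not Traffic Server's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_RESOLVER 0xC0000235u  /* 192.0.2.53 (TEST-NET-1), constructed */

enum verdict { ACCEPT, REJ_SOURCE, REJ_MALFORMED, REJ_NOT_RESPONSE,
               REJ_ID, REJ_QDCOUNT, REJ_QNAME, REJ_QTYPE_QCLASS };

struct pending_query {
    uint16_t id;            /* transaction ID that was sent */
    uint32_t server_addr;   /* resolver queried (IPv4 as an opaque 32-bit value) */
    uint16_t server_port, qtype, qclass;
    uint8_t  qname[255];    /* question name, wire format */
    size_t   qname_len;     /* includes the terminating zero label */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static int lower(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Encode "www.example.com" as wire-format labels; returns length, 0 on error. */
size_t encode_name(const char *dotted, uint8_t *out, size_t cap)
{
    size_t o = 0;
    while (*dotted) {
        const char *dot = strchr(dotted, '.');
        size_t l = dot ? (size_t)(dot - dotted) : strlen(dotted);
        if (l == 0 || l > 63 || o + l + 2 > cap) return 0;
        out[o++] = (uint8_t)l;
        memcpy(out + o, dotted, l);
        o += l;
        dotted += l + (dot ? 1 : 0);
    }
    if (o >= cap) return 0;
    out[o++] = 0;
    return o;
}

/* Length of the uncompressed name at off, or 0 if malformed or out of bounds. */
static size_t question_name_len(const uint8_t *pkt, size_t len, size_t off)
{
    size_t start = off;
    while (off < len) {
        uint8_t l = pkt[off++];
        if (l & 0xC0) return 0;  /* compression pointer in the question: reject */
        if (l == 0) return (off - start <= 255) ? off - start : 0;
        off += l;
    }
    return 0;
}

/* Check every field the query fixed, not only the 16-bit ID. */
enum verdict validate_response(const struct pending_query *q, const uint8_t *pkt,
                               size_t len, uint32_t src_addr, uint16_t src_port)
{
    if (src_addr != q->server_addr || src_port != q->server_port) return REJ_SOURCE;
    if (len < 12) return REJ_MALFORMED;
    if (!(pkt[2] & 0x80)) return REJ_NOT_RESPONSE;   /* QR bit must be set */
    if (rd16(pkt) != q->id) return REJ_ID;
    if (rd16(pkt + 4) != 1) return REJ_QDCOUNT;
    size_t n = question_name_len(pkt, len, 12);
    if (n == 0 || 12 + n + 4 > len) return REJ_MALFORMED;
    if (n != q->qname_len) return REJ_QNAME;
    for (size_t i = 0; i < n; i++)   /* length octets are <= 63, so folding leaves them intact */
        if (lower(pkt[12 + i]) != lower(q->qname[i])) return REJ_QNAME;
    if (rd16(pkt + 12 + n) != q->qtype || rd16(pkt + 14 + n) != q->qclass)
        return REJ_QTYPE_QCLASS;
    return ACCEPT;
}

/* Constructed sample data: header plus one IN-class question, no answer records. */
size_t build_response(uint16_t id, const char *name, uint16_t qtype,
                      uint8_t *out, size_t cap)
{
    if (cap < 12 + 255 + 4) return 0;
    memset(out, 0, 12);
    out[0] = (uint8_t)(id >> 8); out[1] = (uint8_t)id;
    out[2] = 0x80; out[5] = 1;                 /* QR=1, QDCOUNT=1 */
    size_t n = encode_name(name, out + 12, 255);
    if (n == 0) return 0;
    out[12 + n] = (uint8_t)(qtype >> 8); out[13 + n] = (uint8_t)qtype;
    out[14 + n] = 0; out[15 + n] = 1;          /* class IN */
    return 12 + n + 4;
}

int main(void)
{
    uint8_t pkt[300];
    struct pending_query q = { .id = 0x1234, .server_addr = SAMPLE_RESOLVER,
                               .server_port = 53, .qtype = 1, .qclass = 1 };
    q.qname_len = encode_name("www.example.com", q.qname, sizeof q.qname);
    size_t n = build_response(0x1234, "www.example.net", 1, pkt, sizeof pkt);
    printf("same ID, different name: verdict %d\n",
           validate_response(&q, pkt, n, SAMPLE_RESOLVER, 53));
    return 0;
}
```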
Solutions
Nth Dimension recommends that the vendor supplied patches should be applied.
History
On 20th August 2010, Nth Dimension contacted both Yahoo! Inc and the Apache Software Foundation's security teams to report the described vulnerabilities affecting Traffic Server. Yahoo's team responded immediately to confirm that the report had been received and forwarded to the relevant people.
Following on from this, Nth Dimension and the Traffic Server developers opened a dialogue and the issue and potential remediations were discussed at length. After offering feedback on Leif Hedstrom's original analysis, Steve Jiang went away and produced a patch based on Nth Dimension's comments.
On the 27th August, the vulnerability was assigned CVE-2010-2952 and Leif distributed a proposed patch for feedback from other Traffic Server developers.
Current
As of the 30th August 2010, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by the upstream which it is believed successfully mitigates the final symptoms of this vulnerability. New releases of both 2.0.x and 2.1.x have also been created which incorporate this patch.
Thanks
Nth Dimension would like to thank the Apache Software Foundation for the way they worked to resolve the issue.