


On 22/07/13 14:52, rob@xxxxxxxxx wrote:
Running IBM i 7.1.

From my new pmr:

Problem title: TCP/IP bind is obsolete.

Problem description: I am using QualysGuard for security detection.
I think IBM owns them now. IBM is now telling me that IBM is obsolete
and needs to fix their bind level.
From their security report:
<ip number and name deleted from this email for security reasons>

OS/400 on AS/400 Vulnerabilities (1)

5 EOL/Obsolete Software: ISC BIND 9.1.x - 9.5.x Detected


QID: 105508
Category: Security Policy
CVE ID: -
Vendor Reference: BIND Software Status
Bugtraq ID: -
Service Modified: 06/27/2013
User Modified: -
Edited: No
PCI Vuln: Yes

THREAT: The host is running BIND. ISC BIND ended support for 9.1.x
- 9.5.x and provides no further support.

9.5.2-P4 Deprecated as of Sep 2010.

9.4-ESV-R5-P1 Deprecated as of Mar 2012.

9.4.0-9.4.3 Deprecated as of Dec 2009.

9.3.6-P1 Deprecated as of Jan 2009.

9.3.6 (and earlier) Deprecated as of Dec 2008.

9.2.9 (and earlier) Deprecated as of Sep 2007.

9.1.3 (and earlier) Deprecated as of Jul 2001.

IMPACT: The system is at high risk of exposure to security
vulnerabilities. Since the vendor no longer provides updates, obsolete
software is more vulnerable to attacks.

SOLUTION: Update to a supported version of BIND. Refer to BIND
Software Status for further details.

Patch: Following are links for downloading patches to fix the
vulnerabilities:

BIND Software Status: BIND 9.5.2-P4

BIND Software Status: BIND 9.4-ESV-R5-P1

BIND Software Status: BIND 9.4.0-9.4.3

BIND Software Status: BIND 9.3.6-P1

BIND Software Status: BIND 9.3.6 (and earlier)

BIND Software Status: BIND 9.2.9 (and earlier)

BIND Software Status: BIND 9.1.3 (and earlier)

COMPLIANCE: Not Applicable

EXPLOITABILITY: There is no exploitability information for this
vulnerability.

ASSOCIATED MALWARE: There is no malware information for this
vulnerability.

RESULTS:
9.4.3-P5.V7R1M09.4.3-P5.V7R1M0


Rob Berendt


It depends.

Such tools only give an indicator, and probably (I have to check)
there are known exploits for those versions.

Now you must apply your local risk mitigation strategy, taking into
account that IBM i is not always as vulnerable to common exploitation
techniques such as buffer overflows compared to the traditional
Unix/WinNT-like subsystems.

Most of the time when I encounter those tools, it is for ISO 27xxx
compliance reasons, and to be compliant, you don't need to solve all
the issues. You can also make mitigations (according to the documented
procedures), and if the risk is deemed 'acceptable', then you can
'ignore' that score.

Yvan



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].