Home page logo
/

cert logo CERT mailing list archives

CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND
From: CERT Advisory <cert-advisory () cert org>
Date: Thu, 14 Nov 2002 02:43:22 -0500



-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND

   Original release date: November 14, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Systems running various versions of BIND 4 and BIND 8

       Because  the  normal  operation  of  most services on the Internet
       depends  on  the  proper  operation of DNS servers, other services
       could be affected if these vulnerabilities are exploited.

Overview

   Multiple vulnerabilities with varying impacts have been found in BIND,
   the  popular  domain  name  server and client library software package
   from the Internet Software Consortium (ISC).

   Some  of  these  vulnerabilities may allow remote attackers to execute
   arbitrary  code  with  the  privileges  of  the  user  running  named,
   (typically   root),  or  with  the  privileges  of  vulnerable  client
   applications. The other vulnerabilities will allow remote attackers to
   disrupt  the  normal  operation  of DNS name service running on victim
   servers.

I. Description

   Multiple  vulnerabilities  have  been found in BIND (Berkeley Internet
   Name Domain). Some of these vulnerabilities (VU#852283, VU#844360) may
   allow  remote  attackers to execute arbitrary code with the privileges
   of  the  user running named, typically root. The other vulnerabilities
   (VU#229595,  VU#581682)  will  allow  remote  attackers to disrupt the
   normal operation of your name server, possibly causing a crash.

BIND DNS Server Vulnerabilities

VU#852283 - Cached malformed SIG record buffer overflow

   This  vulnerability  is  a buffer overflow in named. It can occur when
   responses   are  constructed  using  previously-cached  malformed  SIG
   records.  (SIG records are typically associated with cryptographically
   signed  DNS  data.)  Exploitation  of  the  vulnerability  can lead to
   arbitrary code execution as the named uid, typically root.

   The following versions of BIND are affected:

   - BIND versions 4.9.5 to 4.9.10
   - BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3

VU#229595 - Overly large OPT record assertion

   ISC  BIND  8  fails  to  properly  handle DNS lookups for non-existent
   sub-domains  when  overly large OPT resource records are appended to a
   query.  When  a non-existent domain (NXDOMAIN) response is constructed
   by  a  victim  nameserver, an assertion may be triggered if the client
   passes  a large UDP buffer size. This assertion will cause the running
   named to exit.

   The following versions of BIND are affected:
   
    - BIND versions 8.3.0 to 8.3.3

VU#581682 - ISC BIND 8 fails to properly de-reference cache SIG RR elements
with invalid expiry times from the internal database

   ISC's description of this vulnerability states:

   It  is  possible  to de-reference a NULL pointer for certain signature
   expire values. 

   The following versions of BIND are affected:

   - BIND versions 8.2 to 8.2.6
   - BIND versions 8.3.0 to 8.3.3.

BIND DNS Resolver Vulnerabilities

VU#844360 - Domain Name System (DNS) stub resolver libraries vulnerable to
buffer overflows via network name or address lookups

   An  attacker  could  execute arbitrary code with the privileges of the
   application  that  made  the request or cause a denial of service. The
   attacker would need to control the contents of DNS responses, possibly
   by spoofing responses or gaining control of a DNS server.

   These  vulnerabilities  are  distinct  from  the  issues  discussed in
   CA-2002-19.  The following DNS stub resolver libraries are known to be
   affected:

   - BIND 4.9.2 through 4.9.10

   The status of other resolver libraries derived from BIND 4 such as BSD
   libc,  GNU glibc, and those used by System V UNIX systems is currently
   unknown. Additionally, these issues are mapped to CVE as follows.

   VU#852283 - CAN-2002-1219
   VU#229595 - CAN-2002-1220
   VU#581682 - CAN-2002-1221
   VU#844360 - CAN-2002-0029

II. Impact

VU#852283 - Cached malformed SIG record buffer overflow

   A  remote attacker could execute arbitrary code on the nameserver with
   the privileges of the named uid, typically root.

VU#229595 - Overly large OPT record assertion

   A  remote  attacker  can  disrupt  the  normal  operation of your name
   server, possibly causing a crash.

VU#581682 - ISC BIND 8 fails to properly de-reference cache SIG RR elements
with invalid expiry times from the internal database

   A  remote  attacker  can  disrupt  the  normal  operation of your name
   server, possibly causing a crash.

VU#844360 - Domain Name System (DNS) stub resolver libraries vulnerable to
buffer overflows via network name or address lookups

   An  attacker  could  execute arbitrary code with the privileges of the
   application  that  made  the request or cause a denial of service. The
   attacker would need to control the contents of DNS responses, possibly
   by spoofing responses or gaining control of a DNS server.

III. Solution

Apply a patch from your vendor.

   Appendix A contains information provided by vendors for this advisory.
   As  vendors report new information to the CERT/CC, we will update this
   section  and note the changes in our revision history. If a particular
   vendor  is  not  listed  below,  we  have not received their comments.
   Please contact your vendor directly.

   If  a vendor patch is not available, you may wish to consider applying
   the patches ISC has produced:

   BIND 8.3.3 - http://www.isc.org/products/BIND/patches/bind833.diff

   BIND 8.2.6 - http://www.isc.org/products/BIND/patches/bind826.diff

   BIND 4.9.10 - http://www.isc.org/products/BIND/patches/bind4910.diff

   For  VU#844360, the BIND 4 libresolv buffer overflows, an upgrade to a
   corrected version of the DNS resolver libraries will be required.

   Note  that DNS resolver libraries can be used by multiple applications
   on  most  systems.  It  may  be necessary to upgrade or apply multiple
   patches and then recompile statically linked applications.

   Applications  that  are  statically  linked  must  be recompiled using
   patched  resolver  libraries. Applications that are dynamically linked
   do  not  need  to  be recompiled; however, running services need to be
   restarted in order to use the patched resolver libraries.

   System  administrators  should  consider  the  following  process when
   addressing this issue:

    1. Patch or obtain updated resolver libraries.
    2. Restart  any  dynamically  linked  services  that use the resolver
       libraries.
    3. Recompile  any statically linked applications using the patched or
       updated resolver libraries.

    Workarounds

      VU#852283 - Cached malformed SIG record buffer overflow

      VU#229595 - Overly large OPT record assertion

      VU#581682 - ISC BIND 8 fails to properly dereference cache SIG RR
      elements with invalid expiry times from the internal database

   One  potential  workaround to limit exposure to the vulnerabilities in
   named  is  to  disable  recursion  on any nameserver responding to DNS
   requests  made  by  untrusted  systems.  As  mentioned in "Securing an
   Internet Name Server":

     Disabling  recursion  puts  your  name servers into a passive mode,
     telling  them never to send queries on behalf of other name servers
     or resolvers. A totally non-recursive name server is protected from
     cache  poisoning, since it will only answer queries directed to it.
     It  doesn't  send  queries,  and  hence  doesn't  cache  any  data.
     Disabling recursion can also prevent attackers from bouncing denial
     of  services  attacks off your name server by querying for external
     zones.

   Non-recursive   nameservers   should   be   much   more  resistant  to
   exploitation of the server vulnerabilites listed above.

    Additional Countermeasures

   ISC  recommends upgrading to BIND version 9.2.1. BIND version 9.2.1 is
   available from: http://www.isc.org/products/BIND/bind9.html.

   Note  that  the  upgrade  from  previous  versions of BIND may require
   additional site reconfiguration.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

    Conectiva

   Conectiva  Linux  6.0  is  affected  by  this.  Updated  packages  are
   available at our ftp server:

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.6-1U60_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.6-1U60_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.6-1U60_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.6-1U60_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.6-1U60_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.6-1U60_2cl.i386.rpm

   An  advisory about this vulnerability is pending and should be sent to
   our security mailing list and published in our web site during the day
   (Nov 14th).

    FreeBSD

   Please see FreeBSD-SA-02:43.bind.

    Hewlett-Packard Company

   SOURCE: Hewlett-Packard Company Software Security Response team x-ref:
   SSRT2408

   At  the  time  of  writing this document, Hewlett Packard is currently
   investigating  the  potential impact to HP's released Operating System
   software  products.  As  further information becomes available HP will
   provide  notice  of  the availability of any necessary patches through
   standard  security  bulletin  announcements and be available from your
   normal HP Services support channel.

    MontaVista Software

   MontaVista ships BIND 9, thus is not vulnerable to these advisories.

    Nominum, Inc.

   Nominum  "Foundation"  Authoritative Name Server (ANS) is not affected
   by  this vulnerability. Also, Nominum "Foundation" Caching Name Server
   (CNS)  is not affected by this vulnerability. Nominum's commercial DNS
   server  products,  which  are  part of Nominum "Foundation" IP Address
   Suite,  are not based on BIND and do not contain any BIND code, and so
   are not affected by vulnerabilities discovered in any version of BIND.

    Openwall Project

   BIND  4.9.10-OW2  includes  the patch provided by ISC and thus has the
   two  vulnerabilities affecting BIND 4 fixed. Previous versions of BIND
   4.9.x-OW  patches,  if used properly, significantly reduced the impact
   of the "named" vulnerability. The patches are available at their usual
   location:

   http://www.openwall.com/bind/

   A  patch  against  BIND  4.9.11 will appear as soon as this version is
   officially  released,  although it will likely be effectively the same
   as the currently available 4.9.10-OW2. It hasn't been fully researched
   whether  the  resolver  code  in  glibc, and in particular on Openwall
   GNU/*/Linux,  shares  any  of  the  newly  discovered  BIND 4 resolver
   library vulnerabilities. Analysis is in progress.

    Red Hat Inc.

   Older  releases  (6.2,  7.0) of Red Hat Linux shipped with versions of
   BIND  which  may  be  vulnerable  to  these  issues  however a Red Hat
   security   advisory   in   July   2002   upgraded  all  our  supported
   distributions to BIND 9.2.1 which is not vulnerable to these issues.

   All  users who have BIND installed should ensure that they are running
   these updated versions of BIND.

   http://rhn.redhat.com/errata/RHSA-2002-133.html Red Hat Linux
   http://rhn.redhat.com/errata/RHSA-2002-119.html Advanced Server 2.1

Appendix B. - References

    1. "Securing an Internet Name Server" -
       http://www.cert.org/archive/pdf/dns.pdf
    2. "Internet  Security  Systems  Security  Advisory - Multiple Remote
       Vulnerabilities in BIND4 and BIND8" -
       http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=
       21469
     "BIND Vulnerabilities" -
       http://www.isc.org/products/BIND/bind-security.html
     "RFC2671    -    Extension    Mechanisms    for   DNS   (EDNS0)"   -
       ftp://ftp.isi.edu/in-notes/rfc2671.txt
     _________________________________________________________________

   Internet  Security  Systems  publicly  reported  the  following issues
   VU#852283, VU#229595, and VU#581682.

   We thank ISC for their cooperation.
     _________________________________________________________________

   Author: Ian A. Finlay.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-31.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert () cert org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

    Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo () cert org  Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History

November 14, 2002:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPdNOWWjtSoHZUTs5AQE4mAQAh6sFUqi/31ddeUc249b/oqXuHve7WThj
NAYXdX34QBKg9iwVrxTGzkH/0AAzDdD9JnLXPCwfalb8w46BOm8ejR954kClrvx+
T9FjNS1srRz+/8LMLaZ4orY12SvCXXTRSoS1+Ai+U5Z1FvZrQpZtNBetRVOS7CN8
Yobf5hqgXd8=
=YlT7
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND CERT Advisory (Nov 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]