Last revised: August 07, 2001
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Domain Name System (DNS) Servers running various versions of ISC
BIND (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3;
9.x is not affected) and derivatives. Because the normal operation of
most services on the Internet depends on the proper operation of DNS
servers, other services could be impacted if these vulnerabilities are
exploited.
Overview
The CERT/CC has recently learned of four vulnerabilities spanning
multiple versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain
(BIND) server. BIND is an implementation of the Domain Name System
(DNS) that is maintained by the ISC. Because the majority of name
servers in operation today run BIND, these vulnerabilities present a
serious threat to the Internet infrastructure.
Three of these vulnerabilities (VU#196945, VU#572183, and VU#868916) were
discovered by the COVERT Labs at
PGP Security, who have posted an advisory regarding these issues at
The fourth vulnerability (VU#325431) was
discovered by Claudio Musmarra.
The Internet Software Consortium has posted information about all
four vulnerabilities at
I. Description
VU#196945 - ISC
BIND 8 contains buffer overflow in transaction signature (TSIG)
handling code
During the processing of a transaction signature (TSIG), BIND 8
checks for the presence of TSIGs that fail to include a valid key. If
such a TSIG is found, BIND skips normal processing of the request and
jumps directly to code designed to send an error response. Because
the error-handling code initializes variables differently than in
normal processing, it invalidates the assumptions that later function
calls make about the size of the request buffer.
Once these assumptions are invalidated, the code that adds a new
(valid) signature to the responses may overflow the request buffer and
overwrite adjacent memory on the stack or the heap. When combined
with other buffer overflow exploitation techniques, an attacker can
gain unauthorized privileged access to the system, allowing the
execution of arbitrary code.
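The defect class described above, a size assumption that the error path silently invalidates, is easier to see in a small model. The following Python is an added example written for this page; it is not BIND source and the buffer size and payloads are toy values chosen here. It contrasts an append that trusts a cached free-space count with one that measures the buffer itself, which is the check a reviewer would ask for wherever two code paths set up the same buffer differently.

```python
"""Model of the defect class behind VU#196945 (added example, not BIND source).

A reply builder caches how much room is left in a fixed-size message buffer.
The normal path keeps that cache accurate; the error path assembles the reply
differently and leaves the cache at its initial value.  Appending a signature
that trusts the cached value writes past the buffer's capacity; the hardened
append measures the buffer itself and refuses instead.  Sizes are toy values.
"""

BUF_SIZE = 64  # assumed toy capacity, small enough to see the overflow


class Overflow(Exception):
    """Raised when an append would not fit."""


class Reply:
    def __init__(self, capacity=BUF_SIZE):
        self.capacity = capacity
        self.data = bytearray()
        self.remaining = capacity  # cached free space; only the normal path maintains it


def build_normal_reply(request):
    """Normal processing: copy the request and keep the free-space cache in sync."""
    reply = Reply()
    reply.data += request
    reply.remaining = reply.capacity - len(reply.data)
    return reply


def build_error_reply(request):
    """Error path (TSIG without a valid key): copies the request, never updates the cache."""
    reply = Reply()
    reply.data += request
    return reply            # reply.remaining still claims the whole buffer is free


def append_signature_unchecked(reply, sig):
    """Trusts the cached count; in C this write lands on adjacent stack or heap memory."""
    if len(sig) > reply.remaining:
        raise Overflow("cached count says no room")
    reply.data += sig
    reply.remaining -= len(sig)
    return len(reply.data)  # a result above capacity means the write ran past the buffer


def append_signature_checked(reply, sig):
    """Derives the limit from the buffer's real fill level on every call."""
    if len(reply.data) + len(sig) > reply.capacity:
        raise Overflow("signature would exceed buffer")
    reply.data += sig
    reply.remaining = reply.capacity - len(reply.data)
    return len(reply.data)


def demo(request=b"Q" * 48, sig=b"S" * 32):
    """Return (bytes the trusting append wrote, whether the checked append refused)."""
    written = append_signature_unchecked(build_error_reply(request), sig)
    try:
        append_signature_checked(build_error_reply(request), sig)
        refused = False
    except Overflow:
        refused = True
    return written, refused


if __name__ == "__main__":
    written, refused = demo()
    print(f"unchecked append wrote {written} bytes into a {BUF_SIZE}-byte buffer")
    print("checked append refused:", refused)
```

On the normal path both appends behave identically, which is why a bug of this shape survives ordinary testing; only the error path, with its differently initialised state, exposes the difference.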
VU#572183 - ISC
BIND 4 contains buffer overflow in
nslookupComplain()
The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog. Attackers attempting to
exploit this vulnerability could do so by sending a specially
formatted DNS query to affected BIND 4 servers. If properly
constructed, this query could be used to disrupt the normal operation
of the DNS server process, resulting in either denial of service or
the execution of arbitrary code.
VU#868916 - ISC
BIND 4 contains input validation error in
nslookupComplain()
The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog. Attackers attempting to
exploit this vulnerability could do so by sending a specially
formatted DNS query to affected BIND 4 servers. If properly
constructed, this query could be used to disrupt the normal operation
of the DNS server process, resulting in the execution of arbitrary code.
This vulnerability was patched by the ISC in an earlier version of BIND 4,
most likely BIND 4.9.5-P1. However, there is strong evidence to suggest
that some third party vendors who redistribute BIND 4 have not included
these changes in their BIND packages. Therefore, the CERT/CC recommends
that all users of BIND 4 or its derivatives base their distributions on
BIND 4.9.8.
VU#325431 -
Queries to ISC BIND servers may disclose environment variables
This vulnerability is an information leak in the query processing
code of both BIND 4 and BIND 8 that allows a remote attacker to access
the program stack, possibly exposing program and/or environment
variables. This vulnerability is triggered by sending a specially
formatted query to vulnerable BIND servers.
NOTE: Frequently asked questions regarding these vulnerabilities
can be found in Appendix B.
II. Impact
VU#196945 - ISC
BIND 8 contains buffer overflow in transaction signature (TSIG)
handling code
This vulnerability may allow an attacker to execute code with the
same privileges as the BIND server. Because BIND is typically run by
a superuser account, the execution would occur with superuser
privileges.
VU#572183 - ISC
BIND 4 contains buffer overflow in
nslookupComplain()
This vulnerability can disrupt the proper operation of the BIND
server and may allow an attacker to execute code with the privileges
of the BIND server. Because BIND is typically run by a superuser
account, the execution would occur with superuser privileges.
VU#868916 - ISC
BIND 4 contains input validation error in
nslookupComplain()
This vulnerability may allow an attacker to execute code with the
privileges of the BIND server. Because BIND is typically run by a
superuser account, the execution would occur with superuser
privileges.
VU#325431 -
Queries to ISC BIND servers may disclose environment variables
This vulnerability may allow attackers to read information from the
program stack, possibly exposing environment variables. In addition,
the information obtained by exploiting this vulnerability may aid in
the development of exploits for VU#572183 and VU#868916.
III. History
Since 1997, the CERT/CC has published twelve
documents describing vulnerabilities or exploitation of
vulnerabilities in BIND with information and advice on upgrading and
preventing compromises. Unfortunately, many system and network
administrators still have not upgraded their versions of BIND, making
them susceptible to a number of vulnerabilities. Prior
vulnerabilities in BIND have been widely exploited by intruders.
For example, on November 10, 1999, the CERT/CC published
CA-1999-14, which detailed multiple vulnerabilities in BIND. The
CERT/CC continued to receive reports of compromises based on those
vulnerabilities through December 2000. On April 8, 1998, the
CERT/CC published CA-1998-05; reports of compromises based on the
vulnerabilities described therein continued through November of 1998.
The following graph shows the number of incidents reported to the
CERT/CC regarding BIND NXT record (VU#16532) exploits
after the publication of CA-1999-14:
Based on this past experience, the CERT/CC expects that intruders will quickly
begin developing and using intruder tools to compromise machines. It is
important for IT and security managers to ensure that their organizations are
properly protected before the expected widespread exploitation happens.
Exploitation
The vulnerabilities described in VU#196945, VU#572183, and VU#868916 have been
successfully exploited by COVERT Labs in a laboratory environment. To
the best of our knowledge, these vulnerabilities have not been
publicly exploited.
IV. Solution
Apply a patch from your vendor
The ISC has released BIND versions 4.9.8 and 8.2.3 to address these
security issues. The CERT/CC recommends that users of BIND 4.9.x or 8.2.x
upgrade to BIND 4.9.8, BIND 8.2.3, or BIND 9.1.
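A first triage step before patching is to find out which version each name server reports. The following Python is an added example, not a tool from the CERT/CC or the ISC: it builds the conventional version.bind CHAOS TXT query, parses the TXT answer, and sorts the reported version into the ranges this advisory names (4.9.x before 4.9.8 and 8.2.x before 8.2.3 vulnerable, 9.x not affected). The reply used when the module runs stand-alone is constructed inline, so it runs offline; query_server() assumes network access to a server of your own and is not exercised here. The hostname and transaction id are placeholders.

```python
"""Triage check for the BIND versions named in CA-2001-02 (added example).

Builds the ``version.bind`` CHAOS TXT query, parses the TXT answer, and
compares the reported version with the fixed releases named in the advisory
(4.9.8 and 8.2.3; 9.x not affected).  The sample reply below is constructed
inline, not captured from a real server, so the module runs offline.
"""
import re
import socket
import struct

TXT, CHAOS = 16, 3
FIXED = {4: (4, 9, 8), 8: (8, 2, 3)}   # first non-vulnerable release per major line


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"


def build_version_query(txid=0x2001):
    """DNS query: version.bind, class CH, type TXT, no flags set."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack(">HH", TXT, CHAOS)


def build_sample_response(version, txid=0x2001):
    """Constructed reply (not captured from a real server) carrying VERSION as TXT."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR|AA, one answer
    question = encode_name("version.bind") + struct.pack(">HH", TXT, CHAOS)
    rdata = bytes([len(version)]) + version.encode()
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TXT, CHAOS, 0, len(rdata)) + rdata
    return header + question + answer


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1 + length


def parse_version_response(msg):
    """Extract the TXT string from a version.bind reply, or None if absent or refused."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                  # RCODE != 0: version hidden or query refused
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT and rclass == CHAOS:
            parts, i = [], 0
            while i < len(rdata):       # TXT rdata is a sequence of <len><chars>
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
            return "".join(parts)
    return None


def classify(version):
    """'vulnerable', 'patched', 'not-affected' or 'unknown' per the advisory's ranges."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return "unknown"                # e.g. an operator-set string that is not a version
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major >= 9:
        return "not-affected"
    if major in FIXED:
        return "patched" if (major, minor, patch) >= FIXED[major] else "vulnerable"
    return "unknown"


def query_server(host, timeout=3.0):
    """Send the query over UDP/53 and classify the answer (network access assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (host, 53))
        reply, _ = s.recvfrom(512)
    version = parse_version_response(reply)
    return version, classify(version)


if __name__ == "__main__":
    for v in ("4.9.4-P1", "4.9.8", "8.2.2-P5", "8.2.3", "9.1.0"):
        print(v, "->", classify(parse_version_response(build_sample_response(v))))
```

Treat the result as a pointer, not proof: the version string is operator-configurable, many servers refuse CHAOS queries, and third-party packages may carry a fix under an older version number (the BIND 4 note above is an example of the reverse). The package version on the host itself is the authoritative check.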
Because BIND 4 is no longer actively maintained, the ISC recommends
that users affected by this vulnerability upgrade to either BIND 8.2.3
or BIND 9.1. Upgrading to one of these versions will also provide
functionality enhancements that are not related to security.
The BIND 4.9.8 and 8.2.3 distributions can be downloaded from
The BIND 9.1 distribution can be downloaded from
Appendix A contains information supplied by ISC and distributors of
BIND. Depending on your local processes, procedures, and expertise,
you may wish to obtain updates from the ISC or from an operating
system vendor who redistributes BIND.
Use Strong Cryptography to Authenticate Services
Services and transactions that rely exclusively on the DNS system for
authentication are inherently weak. We encourage organizations to use
strong cryptography to authenticate services and transactions where
possible. One common use of strong cryptography is the use of SSL in
authenticating and encrypting electronic commerce transactions over the
web. In addition to this use, we encourage organizations to use SSL, PGP,
S/MIME, SSH, and other forms of strong cryptography to distribute
executable content, secure electronic mail, distribute important
information, and protect the confidentiality of all kinds of data
traversing the Internet.
Use Split Horizon DNS to Minimize Impact
It may also be possible to minimize the impact of the exploitation of
these vulnerabilities by configuring your DNS environment to separate
DNS servers used for the public dissemination of information about your
hosts from the DNS servers used by your internal hosts to connect to
other hosts on the Internet. Frequently, different security policies
can be applied to these servers such that even if one server is
compromised the other server will continue to function normally.
Split horizon DNS configuration may also have other security benefits.
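One way to realise the separation described above, as an added example and not a configuration from the advisory or from the ISC, is two named.conf fragments for two separate machines: a public authoritative server that answers only for the zones it serves and never recurses, and an internal resolver that answers only internal clients. The network ranges, zone name and file names are placeholders; the option names are standard BIND 8.2/9.x options.

```conf
// --- public.example.com: authoritative only, reachable from the Internet ---
// Added example; addresses, zone and file names are placeholders.
options {
    directory "/var/named";
    recursion no;                    // never act as a resolver for the world
    allow-query { any; };            // public data is public
    allow-transfer { 192.0.2.10; };  // secondary server only (placeholder)
};

zone "example.com" {
    type master;
    file "external/example.com.zone";   // only names the public needs to reach
};

// --- resolver.internal.example.com: recursive resolver for internal hosts ---
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-query { "internal-nets"; };      // internal clients only
    allow-recursion { "internal-nets"; };
    allow-transfer { none; };
};

zone "." {
    type hint;
    file "named.root";
};

zone "example.com" {
    type master;
    file "internal/example.com.zone";   // full internal view of the zone
};
```

The point of the split is that the public server holds no internal data and the internal resolver is not reachable from outside, so compromise of one does not hand an intruder the other's data or clients. Both servers still need to run a fixed BIND release; the separation limits impact, it does not remove the vulnerability.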
References
CERT/CC Vulnerability Notes
To read more about the vulnerabilities described in this document,
please visit the CERT/CC Vulnerability Notes Database:
Common Vulnerabilities and Exposures
To cross-reference CERT/CC VU numbers with other vendor documents
via CVE, please visit
Historical References
For information on historical issues involving BIND vulnerabilities
and compromises, please visit
Rob Thomas's Secure BIND Template
Rob Thomas has published the "Secure BIND Template Version 2.0," a
document providing guidelines to help network and system
administrators build and maintain secure BIND configurations. For
more information, please visit
Transaction Signatures
For more information on transaction signatures, please visit
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If
a particular vendor is not listed below, we have not received their
comments.
Caldera Systems
OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable.
Update packages will be provided at
Compaq Computer Corporation
COMPAQ COMPUTER CORPORATION
------------------------------------------------------------------------------------
VU#325431 - INFOLEAK: servers may disclose environment variables
X-REF: SSRT1-66U, SSRT1-68U, SSRT1-69U
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1 -
V5.1 patch: SSRT1-66U_v5.1.tar.Z
Compaq Tru64 UNIX V5.0 & V5.0a -
V5.0 patch: SSRT1-68U_v5.0.tar.Z
V5.0a patch: SSRT1-68U_v5.0a.tar.Z
Compaq Tru64 UNIX V4.0D/F/G -
V4.0d patch: SSRT1-69U_v4.0d.tar.Z
V4.0f patch: SSRT1-69U_v4.0f.tar.Z
V4.0g patch: SSRT1-69U_v4.0g.tar.Z
TCP/IP Services for Compaq OpenVMS - Not Vulnerable
------------------------------------------------------------------------------------
VU#572183 - BIND 4 Buffer overflow in nslookupComplain()
X-REF: SSRT1-69U
VU#868916 - BIND 4 Input validation error in nslookupComplain()
X-REF: SSRT1-69U
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1, V5.0, V5.0a - Not Vulnerable
Compaq Tru64 UNIX V4.0D/F/G -
V4.0d patch: SSRT1-69U_v4.0d.tar.Z
V4.0f patch: SSRT1-69U_v4.0f.tar.Z
V4.0g patch: SSRT1-69U_v4.0g.tar.Z
TCP/IP Services for Compaq OpenVMS - Not Vulnerable
------------------------------------------------------------------------------------
VU#196945 - BIND 8 contains buffer overflow in transaction signature handling code
X-REF: SSRT1-66U, SSRT1-68U
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1 -
V5.1 patch: SSRT1-66U_v5.1.tar.Z
Compaq Tru64 UNIX V5.0 & V5.0a -
V5.0 patch: SSRT1-68U_v5.0.tar.Z
V5.0a patch: SSRT1-68U_v5.0a.tar.Z
Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable
TCP/IP Services for Compaq OpenVMS - Not Vulnerable
------------------------------------------------------------------------------------
Compaq will provide notice of the completion/availability of the
patches through AES services (DIA, DSNlink FLASH), the Security
mailing list (**), and be available from your normal Compaq Support
channel.
**You may subscribe to the Security mailing list at:
http://www.support.compaq.com/patches/mailing-list.shtml
Software Security Response Team
COMPAQ COMPUTER CORPORATION
------------------------------------------------------------------------------------
djbdns
djbdns has none of these bugs, has never used any BIND-derived
code, and is covered by a security guarantee. See http://cr.yp.to/djbdns.html.
FreeBSD, Inc.
No supported version of FreeBSD contains BIND 4.x, so this does not
affect us. We currently ship betas of 8.2.3 in the FreeBSD 4.x release
branch, and will be upgrading to 8.2.3 once it is released.
[CERT/CC Addendum: FreeBSD has published an advisory regarding this
issue at ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc]
Hewlett-Packard Company
Patches are available, see HP Security Bulletin #144.
[CERT/CC Addendum: To locate this HP Security Bulletin online, please
visit http://itrc.hp.com and search for
"HPSBUX0102-144". Please note that registration may be required to access
this document.]
IBM Corporation
IBM has posted an emergency fix for all four of the vulnerabilities
described in this Advisory.
This fix can be downloaded from ftp://ftp.software.ibm.com/aix/efixes/security.
The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation
instructions and other important information are given in the README
file that is included in the tarball.
The official fix for the four BIND4 and BIND8 vulnerabilities will
be in APAR #IY16182.
IBM Austin
AIX Security Response Team
Microsoft Corporation
Microsoft's implementation of DNS is not based on BIND, and is not
affected by this vulnerability.
NetBSD
Please see NetBSD-SA2001-001, "Security vulnerabilities in BIND" at:
OpenBSD
Please see OpenBSD 2.8 release errata "018: SECURITY FIX: Jan 29,
2001" at
RedHat
Please see RHSA-2001-007 and associated bug reports at:
SGI
SGI's IRIX (tm) operating system contains base BIND 4.9.7 with SGI
modifications. IRIX BIND 4.9.7 is vulnerable to buffer overflow in
nslookupComplain() [VU#572183]. Patches are forthcoming and
will be released with an advisory to
http://www.sgi.com/support/security/ when available.
Sun Microsystems, Inc.
CERT Advisory CA-2001-02 describes four vulnerabilities in certain
versions of BIND. The four vulnerabilities are listed below along with
the affected versions of Solaris and the version of BIND shipped with each
version of Solaris.
VU#196945 - ISC BIND 8 contains buffer overflow in transaction
signature (TSIG) handling code
Solaris 8 04/01* (BIND 8.2.2-p5)
Solaris 8 Maintenance Update 4* (BIND 8.2.2-p5)
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
Solaris 2.6 (BIND 4.9.4-P1)
Solaris 2.5.1** (BIND 4.9.3)
VU#868916 - ISC BIND 4 contains input validation error in
nslookupComplain()
Solaris 2.6 (BIND 4.9.4-P1)
Solaris 2.5.1** (BIND 4.9.3)
VU#325431 - Queries to ISC BIND servers may disclose environment variables
Solaris 2.4, 2.5 (BIND 4.8.3)
Solaris 2.5.1** (BIND 4.9.3 and BIND 4.8.3)
Solaris 2.6 (BIND 4.9.4-P1)
Solaris 7 and 8 (BIND 8.1.2)
* To determine if one is running Solaris 8 04/01 or Solaris 8 Maintenance
Update 4, check the contents of the /etc/release file.
** Solaris 2.5.1 ships with BIND 4.8.3 but patch 103663-01 for SPARC and
103664-01 for x86 upgrades BIND to 4.9.3, current revision for each
patch is -17.
List of Patches
The following patches are available in relation to the above problems.
OS Version       Patch ID
__________       _________
SunOS 5.8        109326-04
SunOS 5.8_x86    109327-04
SunOS 5.7        107018-03
SunOS 5.7_x86    107019-03
SunOS 5.6        105755-10
SunOS 5.6_x86    105756-10
SunOS 5.5.1      103663-16
SunOS 5.5.1_x86  103664-16
SunOS 5.5        103667-12
SunOS 5.5_x86    103668-12
SunOS 5.4        102479-14
SunOS 5.4_x86    102480-12
Appendix B. - Frequently Asked Questions
This appendix addresses questions that have been raised since this
advisory was originally published.
What is the Berkeley Internet Name Domain (BIND)?
BIND is the most commonly used implementation of DNS software.
Every organization attached to the Internet depends on the DNS system
to allow users to access services. When users connect to web sites,
transfer files, or send email, they use domain names, such as
"cert.org". Their computers, using DNS servers, translate
those host names into IP addresses, such as 10.21.30.5, in order for
the computers to communicate.
To whom is this advisory directed?
This advisory is primarily directed to IT managers and system
administrators responsible for running DNS services with BIND
software.
I'm a home user - do I need to worry about this advisory?
Home users are affected by this problem, but they typically rely
upon an ISP for DNS service. These users may wish to contact their
service provider to draw attention to these issues.
However, users running Linux or other UNIX variants on their machines
need to verify if a vulnerable version of BIND is installed; if so
they need to disable or upgrade this software. Several UNIX/Linux
operating systems install DNS servers by default. Thus, some users
might be running this service, even if they did not specifically
configure it.
Is this vulnerability being actively exploited?
We are not aware of any active exploitation of these BIND
vulnerabilities. However, based on past experience, we expect that
intruders will quickly begin developing and using intruder tools to
compromise machines. As we receive reports of compromises and
attempted compromises, we will post information on our current
activity page:
Is the timing of your advisory in any way related to the
problems at Microsoft's site?
No, we believe that the recent activity at Microsoft is
unrelated. You should contact Microsoft if you have any questions
related to their systems and services.
Should I switch from BIND to another type of DNS software?
As a federally funded research and development center (FFRDC), we
cannot recommend products and services. We encourage each
organization to choose and test products best suited to their needs.
The CERT/CC thanks the COVERT Labs at PGP Security for discovering
and analyzing three of these vulnerabilities (VU#196945, VU#572183, and VU#868916) and
Claudio Musmarra for discovering the infoleak vulnerability (VU#325431). We also
thank the Internet Software Consortium for providing patches to fix
the vulnerabilities.
This document was written by Jeffrey
P. Lanza, Cory Cohen, Roman Danyliw, Ian Finlay, Shawn Hernan, and
Quinn R. Peyton.
Copyright 2001 Carnegie Mellon University.
Revision History
Jan 29, 2001: Initial release
Jan 30, 2001: Added Microsoft vendor statement
Jan 30, 2001: Added OpenBSD vendor statement
Feb 02, 2001: Added revised IBM vendor statement
Feb 02, 2001: Modified exploitation comments
Feb 02, 2001: Added reference Secure BIND Template
Feb 02, 2001: Added Frequently Asked Questions as Appendix B
Feb 05, 2001: Added information about djbdns
Feb 06, 2001: Updated and added several vendor statements
Feb 15, 2001: Removed initial OpenBSD vendor statement
Feb 15, 2001: Added several vendor statements: NetBSD, OpenBSD, RedHat, SGI
Apr 04, 2001: Updated Compaq vendor statement
May 10, 2001: Updated HP statement
Aug 07, 2001: Updated Sun vendor statement