Last revised: Tue Apr 29 17:46:04 EST 2003
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
- Systems running various versions of BIND 4 and BIND 8
Because the normal operation of most services on the Internet depends on the proper operation of DNS servers, other services could be affected if these vulnerabilities are exploited.
Overview
Multiple vulnerabilities with varying impacts have been found in BIND, the popular domain name server and client library software package from the Internet Software Consortium (ISC).
Some of these vulnerabilities may allow remote attackers to execute arbitrary code with the privileges of the user running named, (typically root), or with the privileges of vulnerable client applications. The other vulnerabilities will allow remote attackers to disrupt the normal operation of DNS name service running on victim servers.
I. Description
Multiple vulnerabilities have been found in BIND (Berkeley Internet Name Domain). One of these vulnerabilities (VU#852283) may allow remote attackers to execute arbitrary code with the privileges of the user running named, typically root. Other vulnerabilities (VU#229595, VU#581682) may allow remote attackers to disrupt the normal operation of your name server, possibly causing a crash. A vulnerability in the DNS resolver library (VU#844360) may allow remote attackers to execute arbitrary code with the privileges of applications that issue network name or address requests.
BIND DNS Server Vulnerabilities
VU#852283 - Cached malformed SIG record buffer overflow
This vulnerability is a buffer overflow in named. It can occur when responses are constructed using previously-cached malformed SIG records. (SIG records are typically associated with cryptographically signed DNS data.) Exploitation of the vulnerability can lead to arbitrary code execution as the named uid, typically root.The following versions of BIND are affected:
- - BIND versions 4.9.5 to 4.9.10
- BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3
VU#229595 - Overly large OPT record assertion
ISC BIND 8 fails to properly handle DNS lookups for non-existent sub-domains when overly large OPT resource records are appended to a query. When a non-existent domain (NXDOMAIN) response is constructed by a victim nameserver, an assertion may be triggered if the client passes a large UDP buffer size. This assertion will cause the running named to exit.The following versions of BIND are affected:
- - BIND versions 8.3.0 to 8.3.3
VU#581682 - ISC BIND 8 fails to properly de-reference cache SIG RR elements with invalid expiry times from the internal database
ISC's description of this vulnerability states:
It is possible to de-reference a NULL pointer for certain signature expire values.
The following versions of BIND are affected:
- - BIND
versions 8.2 to 8.2.6
- BIND versions 8.3.0 to 8.3.3.
BIND DNS Resolver Vulnerabilities
VU#844360 - Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups
The stub resolver library in BIND 4 contains buffer overflows in code that handles responses for network name and address requests. Note that these overflows are distinct from the issues discussed in CA-2002-19 and VU#738331.
The
following DNS stub resolver libraries are known to be affected:
- - BIND 4.9.2 through 4.9.10
VU#852283 - CAN-2002-1219
VU#229595 - CAN-2002-1220
VU#581682 - CAN-2002-1221
VU#844360 - CAN-2002-0029
II. Impact
VU#852283 - Cached malformed SIG record buffer overflow
A remote attacker could execute arbitrary code on the nameserver with the privileges of the named uid, typically root.
VU#229595 - Overly large OPT record assertion
A remote attacker can disrupt the normal operation of your name server, possibly causing a crash.
VU#581682 - ISC BIND 8 fails to properly de-reference cache SIG RR elements with invalid expiry times from the internal database
A remote attacker can disrupt the normal operation of your name server, possibly causing a crash.
VU#844360 - Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups
A remote attacker could execute arbitrary code with the privileges
of the application that made the request or cause a denial of
service. The attacker would need to control DNS responses possibly by
spoofing the responses or by gaining sufficient access to a DNS
server.
III. Solution
Apply a patch from your vendor.
Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.
If a vendor patch is not available, you may wish to consider applying the patches ISC has produced:
BIND 8.3.3 - http://www.isc.org/products/BIND/patches/bind833.diffFor VU#844360, the BIND 4 libresolv buffer overflows, an upgrade to a corrected version of the DNS resolver libraries will be required.
BIND 8.2.6 - http://www.isc.org/products/BIND/patches/bind826.diff
BIND 4.9.10 - http://www.isc.org/products/BIND/patches/bind4910.diff
Note that DNS resolver libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.
Applications that are statically linked must be recompiled using patched resolver libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched resolver libraries.
System administrators should consider the following process when addressing this issue:
- Patch or obtain updated resolver libraries.
- Restart any dynamically linked services that use the resolver libraries.
- Recompile any statically linked applications using the patched or updated resolver libraries.
Workarounds
VU#852283 - Cached malformed SIG record buffer overflow
VU#229595 - Overly large OPT record assertion
VU#581682 - ISC BIND 8 fails to properly dereference cache SIG RR elements with invalid expiry times from the internal database
One potential workaround to limit exposure to the vulnerabilities in named is to disable recursion on any nameserver responding to DNS requests made by untrusted systems. As mentioned in Securing an Internet Name Server":
Disabling recursion puts your name servers into a passive mode, telling them never to send queries on behalf of other name servers or resolvers. A totally non-recursive name server is protected from cache poisoning, since it will only answer queries directed to it. It doesn't send queries, and hence doesn't cache any data. Disabling recursion can also prevent attackers from bouncing denial of services attacks off your name server by querying for external zones.Non-recursive nameservers should be much more resistant to exploitation of the server vulnerabilites listed above.
Additional Countermeasures
ISC recommends upgrading to BIND version 9.2.1. BIND version 9.2.1 is available from: http://www.isc.org/products/BIND/bind9.html.
Note that the upgrade from previous versions of BIND may require additional site reconfiguration.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Alcatel
Following CERT advisory CA-2002-31 on security vulnerabilities in the ISC BIND implementation, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that the following products (OmniSwitch 6600, 7700, 8800) may be impacted. Customers may wish to contact their support for more details. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential ISC BIND security vulnerabilities and will provide updates if necessary.Apple
Affected Systems: Mac OS X and Mac OS X Server with BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3Mitigating Factors: BIND is not enabled by default on Mac OS X or Mac OS X Server
This is addressed in Security Update 2002-11-21
http://www.apple.com/support/security/security_updates.html
Conectiva
Conectiva Linux 6.0 is affected by this. Updated packages are available at our ftp server: ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.6-1U60_2cl.i386.rpm
An advisory about this vulnerability is pending and should be sent to our security mailing list and published in our web site during the day (Nov 14th).
Cray Inc.
Cray Inc. may be vulnerable and has opened spr 723892 to investigate.Debian GNU/Linux
Debian (among other GNU/Linux distributors) was very unhappe to learn that ISC knew about this vulerability since mid October and that the advisory was released without patches, so only paying members of the ISC forum were able to provide updates to their customers. However, after the patches were finally released to the public, Debian was able to provide fixed packages as well. They are announced in DSA 196FreeBSD
Please see FreeBSD-SA-02:43.bind.GNU glibc
Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are also vulnerable. The following patch has been installed into the CVS sources, and should appear in the next version of the GNU C Library. This patch is also available from the following URL:<http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/resolv/nss_dns/
dns-network.c.diff?r1=1.17&r2=1.15&cvsroot=glibc>
2002-11-18 Roland McGrath* resolv/nss_dns/dns-network.c (getanswer_r): In BYNAME case, search all aliases for one that matches the " .IN-ADDR.ARPA" form. Do the parsing inline instead of copying strings and calling inet_network, and properly skip all alias names not matching the form. 2002-11-14 Paul Eggert * resolv/nss_dns/dns-network.c (getanswer_r): Check for buffer overflow when skipping the question part and when unpacking aliases. =================================================================== RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v retrieving revision 1.15 retrieving revision 1.17 diff -u -r1.15 -r1.17 --- libc/resolv/nss_dns/dns-network.c 2002/10/17 21:49:12 1.15 +++ libc/resolv/nss_dns/dns-network.c 2002/11/19 06:40:16 1.17 @@ -283,7 +283,15 @@ /* Skip the question part. */ while (question_count-- > 0) - cp += __dn_skipname (cp, end_of_message) + QFIXEDSZ; + { + int n = __dn_skipname (cp, end_of_message); + if (n < 0 || end_of_message - (cp + n) < QFIXEDSZ) + { + __set_h_errno (NO_RECOVERY); + return NSS_STATUS_UNAVAIL; + } + cp += n + QFIXEDSZ; + } alias_pointer = result->n_aliases = &net_data->aliases[0]; *alias_pointer = NULL; @@ -344,64 +352,94 @@ return NSS_STATUS_UNAVAIL; } cp += n; - *alias_pointer++ = bp; - n = strlen (bp) + 1; - bp += n; - linebuflen -= n; - result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC; - ++have_answer; + if (alias_pointer + 2 < &net_data->aliases[MAX_NR_ALIASES]) + { + *alias_pointer++ = bp; + n = strlen (bp) + 1; + bp += n; + linebuflen -= n; + result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC; + ++have_answer; + } } } if (have_answer) { - char *tmp; - int len; - char *in, *cp, *rp, *wp; - int cnt, first_flag; - *alias_pointer = NULL; switch (net_i) { case BYADDR: - result->n_name = result->n_aliases[0]; + result->n_name = *result->n_aliases++; result->n_net = 0L; - break; - case BYNAME: - len = strlen (result->n_aliases[0]); - tmp = (char *) alloca (len + 1); - tmp[len] = 0; - wp = &tmp[len - 1]; - - rp = in = result->n_aliases[0]; - result->n_name = ans; - - first_flag = 1; - for (cnt = 0; cnt < 4; ++cnt) - { - char *startp; + return NSS_STATUS_SUCCESS; - startp = rp; - while (*rp != '.') - ++rp; - if (rp - startp > 1 || *startp != '0' || !first_flag) - { - first_flag = 0; - if (cnt > 0) - *wp-- = '.'; - cp = rp; - while (cp > startp) - *wp-- = *--cp; - } - in = rp + 1; - } - - result->n_net = inet_network (wp); + case BYNAME: + { + char **ap = result->n_aliases++; + while (*ap != NULL) + { + /* Check each alias name for being of the forms: + 4.3.2.1.in-addr.arpa = net 1.2.3.4 + 3.2.1.in-addr.arpa = net 0.1.2.3 + 2.1.in-addr.arpa = net 0.0.1.2 + 1.in-addr.arpa = net 0.0.0.1 + */ + uint32_t val = 0; /* Accumulator for n_net value. */ + unsigned int shift = 0; /* Which part we are parsing now. */ + const char *p = *ap; /* Consuming the string. */ + do + { + /* Match the leading 0 or 0[xX] base indicator. */ + unsigned int base = 10; + if (*p == '0' && p[1] != '.') + { + base = 8; + ++p; + if (*p == 'x' || *p == 'X') + { + base = 16; + ++p; + if (*p == '.') + break; /* No digit here. Give up on alias. */ + } + if (*p == '\0') + break; + } + + uint32_t part = 0; /* Accumulates this part's number. */ + do + { + if (isdigit (*p) && (*p - '0' < base)) + part = (part * base) + (*p - '0'); + else if (base == 16 && isxdigit (*p)) + part = (part << 4) + 10 + (tolower (*p) - 'a'); + ++p; + } while (*p != '\0' && *p != '.'); + + if (*p != '.') + break; /* Bad form. Give up on this name. */ + + /* Install this as the next more significant byte. */ + val |= part << shift; + shift += 8; + ++p; + + /* If we are out of digits now, there are two cases: + 1. We are done with digits and now see "in-addr.arpa". + 2. This is not the droid we are looking for. */ + if (!isdigit (*p) && !strcasecmp (p, "in-addr.arpa")) + { + result->n_net = val; + return NSS_STATUS_SUCCESS; + } + + /* Keep going when we have seen fewer than 4 parts. */ + } while (shift < 32); + } + } break; } - - ++result->n_aliases; - return NSS_STATUS_SUCCESS; } __set_h_errno (TRY_AGAIN);
Hewlett-Packard Company
SOURCE: Hewlett-Packard Company Software Security Response team x-ref: SSRT2408At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products. As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.
IBM Corporation
The AIX operating system is vulnerable to the named and DNS resolver issues in releases 4.3.3, 5.1.0 and 5.2.0. The following APARs are available:AIX 4.3.3 APAR IY37088 (available)
AIX 5.1.0 APAR IY37091 (available)
AIX 5.2.0 APAR IY37289 (available)
MandrakeSoft
Linux-Mandrake 7.2 and Single Network Firewall 7.2 are the only supported distributions to ship with BIND8; all other supported distributions ship with BIND9 and are thus not vulnerable. Updates for Linux-Mandrake 7.2 and Single Network Firewall 7.2 will be made available shortly. These updates will consist of BIND9 packages and patched BIND8 packages, although MandrakeSoft recommends that everyone able to, upgrade to the BIND9 packages.MetaSolv
MetaSolv Statement ref:CERTR Advisory CA-2002-31The BIND code embedded in the DNS Server (Based on ISC BIND 8.2.3) on both MetaSolv Policy Services 4.1 and 4.2 (base) are partially vulnerable to CERTR Advisory CA-2002-31. This issue is being tracked by MetaSolv under Case #28231. In particular:
VU#844360 - Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups (VU#852283 - CAN-2002-1219 / VU#229595 - CAN-2002-1220 / VU#581682 - CAN-2002-1221/ VU#844360 - CAN-2002-0029) was addressed in Policy Services 4.2 Service Pack 1 efix 1. The vulnerability can be avoided by upgrading to Policy Services 4.2 Service Pack 1 efix 1 from MetaSolv Policy Services 4.1 and 4.2 (base). The efix includes all ISC sanctioned patches to BIND 8.2.6. to remedy this vulnerability. Please contact MetaSolv Global Customer Care (supporthd@metasolv.com) for assistance.
VU#229595 - Overly large OPT record assertion on BIND 8.3.x does not affect the current distribution as the base is on ISC BIND 8.2.6 and the ISC Sanctioned Patches to 8.2.6 in 4.2 Service Pack 1 efix 1. No action is required in Policy Services 4.1 and 4.2 (base) or Policy Services 4.2 Service Pack 1 efix 1 for this vulnerability.
VU#852283 - Cached malformed SIG record buffer overflow and VU#581682 - ISC BIND 8 fails to properly de-reference cache SIG RR elements with invalid expiry times from the internal database. The ISC sanctioned library changes to 8.2.6. have been applied to 4.2 Service Pack 1 and are currently undergoing load and integration testing and will be available as Policy Services 4.2 Service Pack 1 efix 2 on 11/22/02. Please contact MetaSolv Global Customer Care (supporthd@metasolv.com) for availability and assistance.
Microsoft Corporation
Microsoft products do not use the program in question. Microsoft products are not affected by this issue.MontaVista Software
MontaVista ships BIND 9, thus is not vulnerable to these advisories.Nominum, Inc.
Nominum "Foundation" Authoritative Name Server (ANS) is not affected by this vulnerability. Also, Nominum "Foundation" Caching Name Server (CNS) is not affected by this vulnerability. Nominum's commercial DNS server products, which are part of Nominum "Foundation" IP Address Suite, are not based on BIND and do not contain any BIND code, and so are not affected by vulnerabilities discovered in any version of BIND.Nortel Networks
NetID version 4.3.1 and below is affected by the vulnerabilities identified in CERT/CC Advisory CA-2002-31. A bulletin and patched builds are available from the following Nortel Networks support contacts:North America: 1-800-4NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
Optivity NMS is not affected.
Openwall Project
BIND 4.9.10-OW2 includes the patch provided by ISC and thus has the two vulnerabilities affecting BIND 4 fixed. Previous versions of BIND 4.9.x-OW patches, if used properly, significantly reduced the impact of the "named" vulnerability. The patches are available at their usual location:http://www.openwall.com/bind/
A patch against BIND 4.9.11 will appear as soon as this version is officially released, although it will likely be effectively the same as the currently available 4.9.10-OW2. It hasn't been fully researched whether the resolver code in glibc, and in particular on Openwall GNU/*/Linux, shares any of the newly discovered BIND 4 resolver library vulnerabilities. Analysis is in progress.
Red Hat Inc.
Older releases (6.2, 7.0) of Red Hat Linux shipped with versions of BIND which may be vulnerable to these issues however a Red Hat security advisory in July 2002 upgraded all our supported distributions to BIND 9.2.1 which is not vulnerable to these issues.All users who have BIND installed should ensure that they are
running these updated versions of BIND.
http://rhn.redhat.com/errata/RHSA-2002-133.html Red Hat Linux
http://rhn.redhat.com/errata/RHSA-2002-119.html Advanced Server 2.1
Sun Microsystems
The Solaris DNS resolver library (libresolv(3LIB)) is affected by VU#844360 in the following supported versions of Solaris:Solaris 2.6The Solaris BIND (in.named(1M)) daemon is affected by VU#852283 and VU#581682 in the following supported versions of Solaris:
Solaris 7, 8, and 9The Solaris BIND (in.named(1M)) daemon is affected by VU#229595 in the following supported versions of Solaris:
Solaris 9Patches are being generated for all of the above releases. Sun will be publishing a Sun Alert for this issue at the following location shortly:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F48818The patches will be available from:
http://sunsolve.sun.com/securitypatch
Xerox
A response to this vulnerability [VU#229595, VU#844360, VU#852283] is available from our web site: http://www.xerox.com/security.Appendix B. - References
-
"Securing an Internet Name Server" - http://www.cert.org/archive/pdf/dns.pdf
"Internet Security Systems Security Advisory - Multiple Remote Vulnerabilities in BIND4 and BIND8" - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
"BIND Vulnerabilities" - http://www.isc.org/products/BIND/bind-security.html
"RFC2671 - Extension Mechanisms for DNS (EDNS0)" - ftp://ftp.isi.edu/in-notes/rfc2671.txt
Internet Security Systems publicly reported the following issues VU#852283, VU#229595, and VU#581682.
We thank ISC for their cooperation.
Author: Ian A. Finlay, Jeffrey S. Havrilla, Art Manion, and Jeffrey J. Carpenter.
Copyright 2002 Carnegie Mellon University.
Revision History
November 14, 2002: Initial release November 14, 2002: Added vendor statement for MandrakeSoft November 14, 2002: Added vendor statement for Cray Inc. November 14, 2002: Re-worded VU#844360 overview, description, and impact, added indentation November 14, 2002: Added vendor statement for Microsoft Corporation November 14, 2002: Added vendor statement for Debian GNU/Linux November 15, 2002: Added vendor statement for IBM November 15, 2002: Added vendor statement for MetaSolv November 15, 2002: Added vendor statement for Sun November 15, 2002: Added vendor statement for Nortel November 21, 2002: Added vendor statement for Apple December 03, 2002: Revised vendor statement for Nortel (note their update was sent on Nov 27, 2002) December 09, 2002: Revised vendor statement for IBM February 25, 2003: Added vendor statement for Alcatel February 26, 2003: Added vendor statement for glibc February 27, 2003: Updated vendor statement for IBM April 29, 2003: Added vendor statement for Xerox