Original release date: January 29, 2001<BR>
Last revised: August 07, 2001 <BR>

Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<P>Domain Name System (DNS) Servers running various versions of ISC
BIND (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3;
9.x is not affected) and derivatives.  Because the normal operation of
most services on the Internet depends on the proper operation of DNS
servers, other services could be impacted if these vulnerabilities are
exploited.

<A NAME="overview">
<H2>Overview</H2>

<P>The CERT/CC has recently learned of four vulnerabilities spanning
multiple versions of the Internet Software Consortium's (<A
HREF="http://www.isc.org/">ISC</A>) Berkeley Internet Name Domain
(BIND) server.  BIND is an implementation of the Domain Name System
(DNS) that is maintained by the ISC.  Because the majority of name
servers in operation today run BIND, these vulnerabilities present a
serious threat to the Internet infrastructure.

<P>Three of these vulnerabilities (<A
HREF="http://www.kb.cert.org/vuls/id/196945">VU#196945</A>, <A
HREF="http://www.kb.cert.org/vuls/id/572183">VU#572183</A>, and <A
HREF="http://www.kb.cert.org/vuls/id/868916">VU#868916</A>) were
discovered by the <A
HREF="http://www.pgp.com/research/covert/default.asp">COVERT Labs at
PGP Security</A>, who have posted an advisory regarding these issues at
<P>
<DL>
<DD><A HREF="http://www.pgp.com/research/covert/advisories/047.asp">
http://www.pgp.com/research/covert/advisories/047.asp</A>
</DL>

<P>The fourth vulnerability (<A
HREF="http://www.kb.cert.org/vuls/id/325431">VU#325431</A>) was
discovered by Claudio Musmarra.

<P>The Internet Software Consortium has posted information about all
four vulnerabilities at
<P>
<DL>
<DD><A HREF="http://www.isc.org/products/BIND/bind-security.html">http://www.isc.org/products/BIND/bind-security.html</A>
</DL>

<A NAME="description">
<H2>I. Description</H2>

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/196945">VU#196945</A> - ISC
    BIND 8 contains buffer overflow in transaction signature (TSIG)
    handling code
</B>

<P>During the processing of a transaction signature (TSIG), BIND 8
checks for the presence of TSIGs that fail to include a valid key.  If
such a TSIG is found, BIND skips normal processing of the request and
jumps directly to code designed to send an error response.  Because
the error-handling code initializes variables differently than in
normal processing, it invalidates the assumptions that later function
calls make about the size of the request buffer.

<P>Once these assumptions are invalidated, the code that adds a new
(valid) signature to the responses may overflow the request buffer and
overwrite adjacent memory on the stack or the heap.  When combined
with other buffer overflow exploitation techniques, an attacker can
gain unauthorized privileged access to the system, allowing the
execution of arbitrary code.
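<P>The mismatch described above, as an added illustration that is not BIND
source code: an error path that echoes the request back but skips the size
bookkeeping the normal path performs, a signature appender that trusts the
stale figure, and a hardened appender that recomputes free space from the
buffer itself. The buffer sizes, the guard-zone trick and every name in it
are this example's own assumptions.

```c
/* Added illustration, not BIND source: an error path that skips the
 * size bookkeeping of the normal path, a TSIG appender that trusts the
 * stale figure, and a hardened appender that recomputes free space.
 * MSG_CAP, GUARD, the struct and all function names are invented. */
#include <stddef.h>
#include <string.h>

#define MSG_CAP 512   /* hypothetical request/response buffer capacity */
#define GUARD    64   /* guard zone so the demo overrun stays inside the array */
#define CANARY 0xA5   /* fill pattern used to detect writes past MSG_CAP */

struct dns_msg {
    unsigned char buf[MSG_CAP + GUARD]; /* bytes >= MSG_CAP are the guard zone */
    size_t len;        /* bytes of message currently in buf */
    size_t sig_space;  /* free space as cached by the vulnerable design */
};

static void msg_init(struct dns_msg *m, const unsigned char *req, size_t reqlen)
{
    memset(m->buf, CANARY, sizeof m->buf);
    memcpy(m->buf, req, reqlen);
    m->len = reqlen;
    m->sig_space = MSG_CAP;  /* optimistic default; normal path corrects it */
}

/* Normal processing rebuilds the response, so the cached figure is right. */
static void normal_path(struct dns_msg *m)
{
    m->len = 12;                       /* header only; answer appended later */
    m->sig_space = MSG_CAP - m->len;
}

/* Error path (TSIG present but key unknown): the request is echoed back as
 * the error response, but sig_space is never recomputed for that length. */
static void tsig_error_path(struct dns_msg *m)
{
    (void)m;  /* len already holds the full request length; sig_space is stale */
}

/* Vulnerable appender: trusts the cached sig_space. */
static int append_tsig_vuln(struct dns_msg *m, const unsigned char *sig, size_t n)
{
    if (n > m->sig_space) return -1;
    memcpy(m->buf + m->len, sig, n);   /* runs past MSG_CAP when len is large */
    m->len += n;
    return 0;
}

/* Hardened appender: derives free space from len and the real capacity. */
static int append_tsig_safe(struct dns_msg *m, const unsigned char *sig, size_t n)
{
    if (m->len > MSG_CAP || n > MSG_CAP - m->len) return -1;  /* refuse, don't truncate */
    memcpy(m->buf + m->len, sig, n);
    m->len += n;
    return 0;
}

/* 1 if any guard byte was overwritten, 0 if the guard zone is intact. */
static int guard_clobbered(const struct dns_msg *m)
{
    for (size_t i = MSG_CAP; i < sizeof m->buf; i++)
        if (m->buf[i] != CANARY)
            return 1;
    return 0;
}

/* Runs one scenario with a constructed maximum-size request and a 48-byte
 * constructed signature; returns 1 if the guard zone was damaged. */
int run_scenario(int error_path, int hardened)
{
    unsigned char req[MSG_CAP], sig[48];
    struct dns_msg m;
    memset(req, 0x11, sizeof req);
    memset(sig, 0x22, sizeof sig);
    msg_init(&m, req, sizeof req);
    if (error_path) tsig_error_path(&m); else normal_path(&m);
    if (hardened) append_tsig_safe(&m, sig, sizeof sig);
    else          append_tsig_vuln(&m, sig, sizeof sig);
    return guard_clobbered(&m);
}
```

Only the combination of the error path and the appender that trusts the cached
figure damages the guard zone; the hardened appender refuses the append because
the echoed request already fills the buffer.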

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/572183">VU#572183</A> - ISC
    BIND 4 contains buffer overflow in <FONT FACE="monospace">
    nslookupComplain()</FONT>
</B>

<P>The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog.  Attackers attempting to
exploit this vulnerability could do so by sending a specially
formatted DNS query to affected BIND 4 servers.  If properly
constructed, this query could be used to disrupt the normal operation
of the DNS server process, resulting in either denial of service or
the execution of arbitrary code.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/868916">VU#868916</A> - ISC
    BIND 4 contains input validation error in <FONT FACE="monospace">
    nslookupComplain()</FONT>
</B>

<P>The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog.  Attackers attempting to
exploit this vulnerability could do so by sending a specially
formatted DNS query to affected BIND 4 servers.  If properly
constructed, this query could be used to disrupt the normal operation
of the DNS server process, resulting in the execution of arbitrary code.  

<P>This vulnerability was patched by the ISC in an earlier version of BIND 4,
most likely BIND 4.9.5-P1.  However, there is strong evidence to suggest
that some third-party vendors who redistribute BIND 4 have not included
these changes in their BIND packages.  Therefore, the CERT/CC recommends
that all users of BIND 4 or its derivatives base their distributions on
BIND 4.9.8.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/325431">VU#325431</A> -
   Queries to ISC BIND servers may disclose environment variables
</B>

<P>This vulnerability is an information leak in the query processing
code of both BIND 4 and BIND 8 that allows a remote attacker to access
the program stack, possibly exposing program and/or environment
variables.  This vulnerability is triggered by sending a specially
formatted query to vulnerable BIND servers.

<BR>

<P>NOTE: Frequently asked questions regarding these vulnerabilities
can be found in <A HREF="#faq">Appendix B</A>.

<A NAME="impact">
<H2>II. Impact</H2>

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/196945">VU#196945</A> - ISC
    BIND 8 contains buffer overflow in transaction signature (TSIG)
    handling code
</B>

<P>This vulnerability may allow an attacker to execute code with the
same privileges as the BIND server.  Because BIND is typically run by
a superuser account, the execution would occur with superuser
privileges.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/572183">VU#572183</A> - ISC
    BIND 4 contains buffer overflow in <FONT FACE="monospace">
    nslookupComplain()</FONT>
</B>

<P>This vulnerability can disrupt the proper operation of the BIND
server and may allow an attacker to execute code with the privileges
of the BIND server.  Because BIND is typically run by a superuser
account, the execution would occur with superuser privileges.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/868916">VU#868916</A> - ISC
    BIND 4 contains input validation error in <FONT FACE="monospace">
    nslookupComplain()</FONT>
</B>

<P>This vulnerability may allow an attacker to execute code with the
privileges of the BIND server.  Because BIND is typically run by a
superuser account, the execution would occur with superuser
privileges.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/325431">VU#325431</A> -
   Queries to ISC BIND servers may disclose environment variables
</B>

<P>This vulnerability may allow attackers to read information from the
program stack, possibly exposing environment variables.  In addition,
the information obtained by exploiting this vulnerability may aid in
the development of exploits for <A
HREF="http://www.kb.cert.org/vuls/id/572183">VU#572183</A> and <A
HREF="http://www.kb.cert.org/vuls/id/868916">VU#868916</A>.

<A NAME="history">
<H2>III. History </H2>

<P>Since 1997, the CERT/CC has published <A HREF="#hist-refs">twelve
documents</A> describing vulnerabilities or exploitation of
vulnerabilities in BIND with information and advice on upgrading and
preventing compromises.  Unfortunately, many system and network
administrators still have not upgraded their versions of BIND, making
them susceptible to a number of vulnerabilities.  Prior
vulnerabilities in BIND have been widely exploited by intruders.

<P>For example, on November 10, 1999, the CERT/CC published
CA-1999-14, which detailed multiple vulnerabilities in BIND. The
CERT/CC continued to receive reports of compromises based on those
vulnerabilities through December 2000. On April 8, 1998, the
CERT/CC published CA-1998-05; reports of compromises based on the
vulnerabilities described therein continued through November of 1998.

<P>The following graph shows the number of incidents reported to the
CERT/CC regarding BIND NXT record (<A
HREF="http://www.kb.cert.org/vuls/id/16532">VU#16532</A>) exploits
after the publication of CA-1999-14:

<CENTER>
<P><A HREF="CA-2001-02/nxt-history.png">
   <IMG SRC="CA-2001-02/nxt-history.png" WIDTH="500" HEIGHT="360" ALT="Incidents By Month Involving the BIND NXT Record Vulnerability (VU#16532)">
   </A>
</CENTER>

<P>Based on this past experience, the CERT/CC expects that intruders will quickly
begin developing and using intruder tools to compromise machines.  It is
important for IT and security managers to ensure that their organizations are
properly protected before the expected widespread exploitation happens.

<A NAME="exploits">
<H4>Exploitation</H4>

<P>The vulnerabilities described in <A
HREF="http://www.kb.cert.org/vuls/id/196945">VU#196945</A>, <A
HREF="http://www.kb.cert.org/vuls/id/572183">VU#572183</A>, and <A
HREF="http://www.kb.cert.org/vuls/id/868916">VU#868916</A> have been
successfully exploited by COVERT Labs in a laboratory environment.  To
the best of our knowledge, these vulnerabilities have not been
publicly exploited.

<A NAME="solution">
<H2>IV. Solution</H2>

<H3>Apply a patch from your vendor</H3>

<P>The ISC has released BIND versions 4.9.8 and 8.2.3 to address these 
security issues.  The CERT/CC recommends that users of BIND 4.9.x or 8.2.x 
upgrade to BIND 4.9.8, BIND 8.2.3, or BIND 9.1.

<P>Because BIND 4 is no longer actively maintained, the ISC recommends
that users affected by this vulnerability upgrade to either BIND 8.2.3
or BIND 9.1.  Upgrading to one of these versions will also provide
functionality enhancements that are not related to security.

<P>The BIND 4.9.8 and 8.2.3 distributions can be downloaded from
<DL>
<DD><A HREF="ftp://ftp.isc.org/isc/bind/src/">ftp://ftp.isc.org/isc/bind/src/</A>
</DL>

<P>The BIND 9.1 distribution can be downloaded from
<DL>
<DD><A HREF="ftp://ftp.isc.org/isc/bind9/">ftp://ftp.isc.org/isc/bind9/</A>
</DL>

<P><A HREF="#vendors">Appendix A</A> contains information supplied by ISC and distributors of
BIND. Depending on your local processes, procedures, and expertise,
you may wish to obtain updates from the ISC or from an operating
system vendor who redistributes BIND.</p>

<A NAME="ssl">
<H3>Use Strong Cryptography to Authenticate Services</H3> 

<P>Services and transactions that rely exclusively on the DNS system for
authentication are inherently weak. We encourage organizations to use
strong cryptography to authenticate services and transactions where
possible. One common use of strong cryptography is the use of SSL in
authenticating and encrypting electronic commerce transactions over the
web. In addition to this use, we encourage organizations to use SSL, PGP,
S/MIME, SSH, and other forms of strong cryptography to distribute
executable content, secure electronic mail, distribute important
information, and protect the confidentiality of all kinds of data
traversing the Internet. 

<A NAME="split">
<H3>Use Split Horizon DNS to Minimize Impact</H3>

<P>It may also be possible to minimize the impact of the exploitation of
these vulnerabilities by configuring your DNS environment to separate
DNS servers used for the public dissemination of information about your
hosts from the DNS servers used by your internal hosts to connect to
other hosts on the Internet.  Frequently, different security policies
can be applied to these servers such that even if one server is
compromised the other server will continue to function normally.
Split horizon DNS configuration may also have other security benefits.

<A NAME="refs">
<H2>References</H2>

<A NAME="vu-nums">
<H4>CERT/CC Vulnerability Notes</H4>

<P>To read more about the vulnerabilities described in this document,
please visit the CERT/CC <A
HREF="http://www.kb.cert.org/vuls">Vulnerability Notes Database</A>:

<P>
<DL>
    <DT>VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
    <DD><A HREF="http://www.kb.cert.org/vuls/id/196945">http://www.kb.cert.org/vuls/id/196945</A>

    <DT>VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
    <DD><A HREF="http://www.kb.cert.org/vuls/id/572183">http://www.kb.cert.org/vuls/id/572183</A>

    <DT>VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
    <DD><A HREF="http://www.kb.cert.org/vuls/id/868916">http://www.kb.cert.org/vuls/id/868916</A>

    <DT>VU#325431 - Queries to ISC BIND servers may disclose environment variables
    <DD><A HREF="http://www.kb.cert.org/vuls/id/325431">http://www.kb.cert.org/vuls/id/325431</A>
</DL>

<A NAME="cve-nums">
<H4>Common Vulnerabilities and Exposures</H4>

<P>To cross-reference CERT/CC VU numbers with other vendor documents
via <A HREF="http://cve.mitre.org">CVE</A>, please visit

<P>
<DL>
    <DT>VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
    <DD><A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0010">
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0010</A>

    <DT>VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
    <DD><A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0011">
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0011</A>

    <DT>VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
    <DD><A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0013">
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0013</A>

    <DT>VU#325431 - Queries to ISC BIND servers may disclose environment variables
    <DD><A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0012">
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0012</A>
</DL>

<A NAME="hist-refs">
<H4>Historical References</H4>

<P>For information on historical issues involving BIND vulnerabilities
and compromises, please visit

<P>
<DL>
  <DT>CERT Advisory CA-2000-20 Multiple Denial-of-Service Problems in ISC BIND
  <DD><A HREF="http://www.cert.org/advisories/CA-2000-20.html">
  http://www.cert.org/advisories/CA-2000-20.html</A>

  <DT>CERT Advisory CA-2000-03 Continuing Compromises of DNS servers
  <DD><A HREF="http://www.cert.org/advisories/CA-2000-03.html">
  http://www.cert.org/advisories/CA-2000-03.html</A>

  <DT>CERT Advisory CA-1999-14 Multiple Vulnerabilities in BIND
  <DD><A HREF="http://www.cert.org/advisories/CA-1999-14.html">
  http://www.cert.org/advisories/CA-1999-14.html</A>

  <DT>CERT Advisory CA-1998-05 Multiple Vulnerabilities in BIND
  <DD><A HREF="http://www.cert.org/advisories/CA-1998-05.html">
  http://www.cert.org/advisories/CA-1998-05.html</A>

  <DT>CERT Advisory CA-1997-22 BIND - The Berkeley Internet Name Daemon
  <DD><A HREF="http://www.cert.org/advisories/CA-1997-22.html">
  http://www.cert.org/advisories/CA-1997-22.html</A>


</DL>

<A NAME="secbind">
<H4>Rob Thomas's Secure BIND Template</H4>

<P>Rob Thomas has published the "Secure BIND Template Version 2.0," a
document providing guidelines to help network and system
administrators build and maintain secure BIND configurations.  For
more information, please visit

<DL>
<DD><A
HREF="http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html">http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html</A>
</DL>

<A NAME="tsigs">
<H4>Transaction Signatures</H4>

<P>For more information on transaction signatures, please visit
<P>
<DL>
<DT>RFC 2535: Domain Name System Security Extensions
<DD><A HREF="http://www.ietf.org/rfc/rfc2535.txt">http://www.ietf.org/rfc/rfc2535.txt</A>
<DT>RFC 2845: Secret Key Transaction Authentication for DNS (TSIG)
<DD><A HREF="http://www.ietf.org/rfc/rfc2845.txt">http://www.ietf.org/rfc/rfc2845.txt</A>
</DL>

<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history.  If
a particular vendor is not listed below, we have not received their
comments.</P>

<A NAME="caldera">
<H4>Caldera Systems</H4>

<P>OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable.

<P>Update packages will be provided at

<DL>
<DD><A HREF="ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3">ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3</A>
<DD><A HREF="ftp://ftp.calderasystems.com/pub/updates/eServer/2.3">ftp://ftp.calderasystems.com/pub/updates/eServer/2.3</A>
<DD><A HREF="ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4">ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4</A>
</DL>

<!-- end vendor -->

<A NAME="compaq">
<H4>Compaq Computer Corporation</H4>

<PRE>
COMPAQ COMPUTER CORPORATION
------------------------------------------------------------------------------------
  VU#325431 - INFOLEAK: servers may disclose environment variables
            X-REF: SSRT1-66U, SSRT1-68U, SSRT1-69U
------------------------------------------------------------------------------------
    Compaq Tru64 UNIX V5.1 -
           V5.1  patch:    SSRT1-66U_v5.1.tar.Z

    Compaq Tru64 UNIX V5.0 & V5.0a  -
           V5.0  patch: SSRT1-68U_v5.0.tar.Z
           V5.0a patch: SSRT1-68U_v5.0a.tar.Z

    Compaq Tru64 UNIX V4.0D/F/G  -
           V4.0d patch: SSRT1-69U_v4.0d.tar.Z
           V4.0f patch: SSRT1-69U_v4.0f.tar.Z
           V4.0g patch: SSRT1-69U_v4.0g.tar.Z

    TCP/IP Services for Compaq OpenVMS - Not Vulnerable

------------------------------------------------------------------------------------
  VU#572183 - BIND 4 Buffer overflow in nslookupComplain() 
            X-REF: SSRT1-69U
  VU#868916 - BIND 4 Input validation error in nslookupComplain()
            X-REF: SSRT1-69U
------------------------------------------------------------------------------------
    Compaq Tru64 UNIX V5.1, V5.0, V5.0a  - Not Vulnerable

    Compaq Tru64 UNIX V4.0D/F/G - 
           V4.0d patch: SSRT1-69U_v4.0d.tar.Z 
           V4.0f patch: SSRT1-69U_v4.0f.tar.Z     
           V4.0g patch: SSRT1-69U_v4.0g.tar.Z     

    TCP/IP Services for Compaq OpenVMS - Not Vulnerable

------------------------------------------------------------------------------------
  VU#196945 - BIND 8 contains buffer overflow in transaction signature handling code   
            X-REF: SSRT1-66U, SSRT1-68U
------------------------------------------------------------------------------------
    Compaq Tru64 UNIX V5.1 -
           V5.1  patch:  SSRT1-66U_v5.1.tar.Z

    Compaq Tru64 UNIX V5.0 & V5.0a -
           V5.0  patch: SSRT1-68U_v5.0.tar.Z
           V5.0a patch: SSRT1-68U_v5.0a.tar.Z

    Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable

    TCP/IP Services for Compaq OpenVMS - Not Vulnerable

------------------------------------------------------------------------------------
    Compaq will provide notice of the completion/availability of the
    patches through AES services (DIA, DSNlink FLASH), the Security
    mailing list (**), and be available from your normal Compaq Support
    channel.

    **You may subscribe to the Security mailing list at:
              
        http://www.support.compaq.com/patches/mailing-list.shtml

    Software Security Response Team
    COMPAQ COMPUTER CORPORATION

------------------------------------------------------------------------------------

</PRE>

<!-- end vendor -->

<A NAME="djbdns">
<H4>djbdns</H4>

<P>djbdns has none of these bugs, has never used any BIND-derived
code, and is covered by a security guarantee. See <A
HREF="http://cr.yp.to/djbdns.html">http://cr.yp.to/djbdns.html</a>. 

<!-- end vendor -->
 
<A NAME="freebsd">
<H4>FreeBSD, Inc.</H4>

<P>No supported version of FreeBSD contains BIND 4.x, so this does not
affect us. We currently ship betas of 8.2.3 in the FreeBSD 4.x release
branch, and will be upgrading to 8.2.3 once it is released.

<P>[CERT/CC Addendum: FreeBSD has published an advisory regarding this
issue at <A
HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc">ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc</A>]


<!-- end vendor -->

<A NAME="hp">
<H4>Hewlett-Packard Company</H4>

<P>Patches are available, see HP Security Bulletin #144.

<P>[CERT/CC Addendum: To locate this HP Security Bulletin online, please
visit <A HREF="http://itrc.hp.com">http://itrc.hp.com</A> and search for
"HPSBUX0102-144".  Please note that registration may be required to access
this document.]


<!-- end vendor -->

<A NAME="ibm">
<H4>IBM Corporation</H4>

<P>IBM has posted an emergency fix for all four of the vulnerabilities
described in this Advisory.

<P>This fix can be downloaded from <A
HREF="ftp://ftp.software.ibm.com/aix/efixes/security">ftp://ftp.software.ibm.com/aix/efixes/security</A>.
The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation
instructions and other important information are given in the README
file that is included in the tarball.

<P>The official fix for the four BIND4 and BIND8 vulnerabilities will
be in APAR #IY16182.

<P>AIX Security Response Team
<BR>IBM Austin

<!-- end vendor -->

<A NAME="microsoft">
<H4>Microsoft Corporation</H4>

<P>Microsoft's implementation of DNS is not based on BIND, and is not
affected by this vulnerability.

<!-- end vendor -->

<A NAME="netbsd">
<H4>NetBSD</H4>

<P>Please see NetBSD-SA2001-001, "Security vulnerabilities in BIND" at:

<DL><DD>
<a href="ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-001.txt.asc">ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-001.txt.asc</a>
</DL>

<!-- end vendor -->

<A NAME="openbsd">
<H4>OpenBSD</H4>

<P>Please see OpenBSD 2.8 release errata "018: SECURITY FIX: Jan 29,
2001" at

<DL><DD>
<a href="http://www.openbsd.org/errata.html#named">http://www.openbsd.org/errata.html#named</a>
</DL>

<!-- end vendor -->

<A NAME="redhat">
<H4>RedHat</H4>


<P>Please see RHSA-2001-007 and associated bug reports at:


<DL><DD>
<a href="http://www.redhat.com/support/errata/RHSA-2001-007.html">http://www.redhat.com/support/errata/RHSA-2001-007.html</a>
<BR>
<a href="http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25209">http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25209</a>
</DL>
</P>

<!-- end vendor -->


<A NAME="sgi">
<H4>SGI</H4>

<P>
SGI's IRIX (tm) operating system contains base BIND 4.9.7 with SGI
modifications. IRIX BIND 4.9.7 is vulnerable to buffer overflow in
<FONT FACE="monospace">nslookupComplain()</FONT> [VU#572183]. Patches are forthcoming and
will be released with an advisory to
http://www.sgi.com/support/security/ when available.
</P>


<!-- end vendor -->

<A NAME="sun">
<H4>Sun Microsystems, Inc.</H4>

<PRE>
CERT Advisory CA-2001-02 describes four vulnerabilities in certain
versions of BIND.  The four vulnerabilities are listed below along with
the affected versions of Solaris and the version of BIND shipped with each
version of Solaris.

VU#196945 - ISC BIND 8 contains buffer overflow in transaction
            signature (TSIG) handling code

    Solaris 8 04/01* (BIND 8.2.2-p5)
    Solaris 8 Maintenance Update 4* (BIND 8.2.2-p5)

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 2.5.1** (BIND 4.9.3)

VU#868916 - ISC BIND 4 contains input validation error in
            nslookupComplain()

    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 2.5.1** (BIND 4.9.3)

VU#325431 - Queries to ISC BIND servers may disclose environment variables

    Solaris 2.4, 2.5 (BIND 4.8.3)
    Solaris 2.5.1** (BIND 4.9.3 and BIND 4.8.3)
    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 7 and 8 (BIND 8.1.2)

*  To determine if one is running Solaris 8 04/01 or Solaris 8 Maintenance
   Update 4, check the contents of the /etc/release file.

** Solaris 2.5.1 ships with BIND 4.8.3 but patch 103663-01 for SPARC and
   103664-01 for x86 upgrades BIND to 4.9.3, current revision for each
   patch is -17.

List of Patches

 The following patches are available in relation to the above problems.

 OS Version               Patch ID
 __________               _________
 SunOS 5.8                109326-04
 SunOS 5.8_x86            109327-04
 SunOS 5.7                107018-03
 SunOS 5.7_x86            107019-03
 SunOS 5.6                105755-10
 SunOS 5.6_x86            105756-10
 SunOS 5.5.1              103663-16
 SunOS 5.5.1_x86          103664-16
 SunOS 5.5                103667-12
 SunOS 5.5_x86            103668-12
 SunOS 5.4                102479-14
 SunOS 5.4_x86            102480-12
</PRE>

<!-- end vendor -->

<HR NOSHADE>

<A NAME="faq">
<H2>Appendix B. - Frequently Asked Questions</H2>

<P>This appendix addresses questions that have been raised since this
advisory was originally published.

<P><B>
  What is the Berkeley Internet Name Domain (BIND)?
</B>

<P>BIND is the most commonly used implementation of DNS software.
Every organization attached to the Internet depends on the DNS system
to allow users to access services.  When users connect to web sites,
transfer files, or send email, they use domain names, such as
&quot;cert.org&quot;. Their computers, using DNS servers, translate
those host names into IP addresses, such as 10.21.30.5, in order for
the computers to communicate.
</P>

<P><B>
  To whom is this advisory directed?
</B>

<P>This advisory is primarily directed to IT managers and system
administrators responsible for running DNS services with BIND
software.
</P>

<P><B>
  I'm a home user - do I need to worry about this advisory?
</B>

<P>Home users are affected by this problem, but they typically rely
upon an ISP for DNS service.  These users may wish to contact their
service provider to draw attention to these issues.  

<P>However, users running Linux or other UNIX variants on their machines
need to verify if a vulnerable version of BIND is installed; if so
they need to disable or upgrade this software.  Several UNIX/Linux
operating systems install DNS servers by default.  Thus, some users
might be running this service, even if they did not specifically
configure it.

<P><B>
  Is this vulnerability being actively exploited?
</B>

<P>We are not aware of any active exploitation of these BIND
vulnerabilities.  However, based on past experience, we expect that
intruders will quickly begin developing and using intruder tools to
compromise machines. As we receive reports of compromises and
attempted compromises, we will post information on our current
activity page:

<DL>
<DD><P><A HREF="http://www.cert.org/current/current_activity.html">
  http://www.cert.org/current/current_activity.html</A>
</DL>
<BR>

<P><B>
  Is the timing of your advisory in any way related to the
  problems at Microsoft's site?
</B>

<P>No, we believe that the recent activity at Microsoft is
unrelated. You should contact Microsoft if you have any questions
related to their systems and services.
</P>

<P><B>
  Should I switch from BIND to another type of DNS software?
</B>

<P>As a federally funded research and development center (FFRDC), we
cannot recommend products and services.  We encourage each
organization to choose and test products best suited to their needs.
</P>

<HR NOSHADE>

<P>The CERT/CC thanks the COVERT Labs at PGP Security for discovering
and analyzing three of these vulnerabilities (<A
HREF="http://www.kb.cert.org/vuls/id/196945">VU#196945</A>, <A
HREF="http://www.kb.cert.org/vuls/id/572183">VU#572183</A>, and <A
HREF="http://www.kb.cert.org/vuls/id/868916">VU#868916</A>) and
Claudio Musmarra for discovering the infoleak vulnerability (<A
HREF="http://www.kb.cert.org/vuls/id/325431">VU#325431</A>).  We also
thank the Internet Software Consortium for providing patches to fix
the vulnerabilities.


<HR NOSHADE>

<P>This document was written by <A
HREF="mailto:cert@cert.org?subject=Feedback%20Regarding%20CA-2001-02%20VU%23196945%20VU%23572183%20VU%23325431%20VU%23868916">Jeffrey
P. Lanza</A>, Cory Cohen, Roman Danyliw, Ian Finlay, Shawn Hernan, and
Quinn R. Peyton.


<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
Jan 29, 2001: Initial release
Jan 30, 2001: Added Microsoft vendor statement
Jan 30, 2001: Added OpenBSD vendor statement
Feb 02, 2001: Added revised IBM vendor statement
Feb 02, 2001: Modified exploitation comments
Feb 02, 2001: Added reference Secure BIND Template
Feb 02, 2001: Added Frequently Asked Questions as Appendix B
Feb 05, 2001: Added information about djbdns
Feb 06, 2001: Updated and added several vendor statements
Feb 15, 2001: Removed initial OpenBSD vendor statement
Feb 15, 2001: Added several vendor statements: NetBSD, OpenBSD, RedHat, SGI
Apr 04, 2001: Updated Compaq vendor statement
May 10, 2001: Updated HP statement
Aug 07, 2001: Updated Sun vendor statement
</PRE>