Original release date: November 13, 2000<BR>
Last updated: August 08, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<LI>Systems running Internet Software Consortium (ISC) BIND version 8.2 through 8.2.2-P6</LI>
<LI>Systems running name servers derived from BIND version 8.2 through 8.2.2-P6
</LI>
</UL>

<A NAME="overview">
<H2>Overview</H2>

<P>The CERT Coordination Center has recently learned of two serious
denial-of-service vulnerabilities in the Internet Software
Consortium's (ISC) BIND software.

<P>The first vulnerability is referred to by the ISC as the "zxfr bug"
and affects ISC BIND version 8.2.2, patch levels 1 through 6.  The
second vulnerability, the "srv bug", affects ISC BIND versions 8.2
through 8.2.2-P6. Derivatives of the above code sets should also be
presumed vulnerable unless proven otherwise.

<A NAME="description">
<H2>I. Description</H2>

<P>The Internet Software Consortium, the maintainer of BIND, the
software used to provide domain name resolution services, has recently
posted information about several denial-of-service vulnerabilities. If
exploited, any of these vulnerabilities could allow remote intruders
to cause site DNS services to be stopped.

<P>For more information about these vulnerabilities and others, please
see
<BR>
<DL>
<DD><A HREF="http://www.isc.org/products/BIND/bind-security.html">http://www.isc.org/products/BIND/bind-security.html</A></DD>
</DL>

<P>Two vulnerabilities in particular have been categorized by both the
ISC and the CERT/CC as being serious.

<H4><A HREF="http://www.kb.cert.org/vuls/id/715973">VU#715973</A> - ISC BIND 8.2.2-P6 vulnerable to DoS via compressed zone
transfer, aka the "zxfr bug" (<A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0887">CVE-2000-0887</A>)</H4>

<P>Using this vulnerability, attackers on sites which are permitted to
request zone transfers can force the <i>named</i> daemon running on
vulnerable DNS servers to crash, disrupting name resolution service
until the <i>named</i> daemon is restarted. The only preconditions for
this attack to succeed is that a compressed zone transfer (ZXFR)
request be made from a site allowed to make any zone transfer request
(not just ZXFR), and that a subsequent name service query of an
authoritative and non-cached record be made. The time between the
attack and the crash of <i>named</i> may vary from system to system.

<P>This vulnerability has been discussed in public forums. The ISC has
confirmed that all platforms running version 8.2.2 of the BIND
software prior to patch level 7 are vulnerable to this attack.

<H4><A HREF="http://www.kb.cert.org/vuls/id/198355">VU#198355</A> - ISC
BIND 8.2.2-P6 vulnerable to DoS when processing SRV records, aka the "srv
bug" (<A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0888">CVE-2000-0888</A>)</H4>

<P>This vulnerability can cause affected DNS servers running
<i>named</i> to go into an infinite loop, thus preventing further name
requests to be handled. This can happen if an SRV record (defined in <a
href="http://www.ietf.org/rfc/rfc2782.txt">RFC2782</a>) is sent to
the vulnerable server. 

<P>Microsoft's Windows 2000 Active Directory service makes extensive
use of SRV records and is reportedly capable of triggering this bug in
the course of normal operations. This is not, however, a vulnerability
in Microsoft Active Directory. <b><i>Any network client capable of
sending SRV records to vulnerable name server systems can exercise
this vulnerability.</i></b>

<P>The CERT/CC has not received any direct reports of either of these
vulnerabilities being exploited to date.

<P>Both vulnerabilities can be used by malicious users to break the DNS
services being offered at all exposed sites on the Internet. System
administrators are strongly recommended to upgrade their DNS software
with either ISC's current distribution or their vendor-supplied
software. See the <A HREF="#solution">Solution</A> and <A
HREF="#vendors">Vendor Information</A> sections of this document for
more details.

<A NAME="impact">
<H2>II. Impact</H2>

<P>Domain name resolution services (DNS) can be disabled on affected
servers from arbitrary remote hosts.


<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply a patch from your vendor</H4>

<P>The CERT/CC recommends that all users of ISC BIND upgrade to the
recently-released BIND 8.2.2-P7, which patches both of the
vulnerabilities discussed in this document. Sites running
vendor-specific distributions of domain name resolution software
should check the Vendor Information section below for more specific
information on how to upgrade to non-vulnerable software. 


<H4>Restrict zone transfers to trusted hosts</H4>

<P>If it is not possible to immediately upgrade systems affected by
the "zxfr bug", the ISC suggests not allowing zone transfers from
untrusted hosts.  This action, however, will not mitigate against the
effects of an attack using the "srv bug".

<P>Although it has been reported that not allowing recursive queries
may help mitigate against the "zxfr" vulnerability, ISC has indicated
that this is not the case.

<A NAME="vendors">

<H2>Appendix A. Vendor Information</H2>

<A NAME="isc">
<H4>The Internet Software Consortium</H4>

<P>For the latest information regarding these vulnerabilities, please
consult the ISC web site at:

<DL>
<DD><A HREF="http://www.isc.org/products/BIND/bind-security.html">http://www.isc.org/products/BIND/bind-security.html</A></DD>
</DL>

<A NAME="caldera">
<H4>Caldera</H4>

<P>Our advisory is available at:

<DL><DD> <a
href="http://www.calderasystems.com/support/security/advisories/CSSA-2000-040.0.txt">http://www.calderasystems.com/support/security/advisories/CSSA-2000-040.0.txt</a><DD></DL>

<P>Updated packages are available from<BR> 

<BR> OpenLinux Desktop 2.3<BR>

<a
href="ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current">ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current</a>
<BR>
<FONT FACE="monospace">
9d8429f25c5fb3bebe2d66b1f9321e61 RPMS/bind-8.2.2p7-1.i386.rpm<BR>
0e958eb01f40826f000d779dbe6b8cb3 RPMS/bind-doc-8.2.2p7-1.i386.rpm<BR>
866ff74c77e9c04a6abcddcc11dbe17b RPMS/bind-utils-8.2.2p7-1.i386.rpm<BR>
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm<BR> 
</FONT>

<BR>OpenLinux eServer 2.3<BR> <a
href="ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current">ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current</a>
<BR>

<FONT FACE="monospace">
379c4328604b4491a8f3d0de44e42347 RPMS/bind-8.2.2p7-1.i386.rpm<BR>
b428b824c8b67f2d8d4bf53738a3e7e0 RPMS/bind-doc-8.2.2p7-1.i386.rpm<BR>
28311d630281976a870d38abe91f07fb RPMS/bind-utils-8.2.2p7-1.i386.rpm<BR>
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm<BR> <BR>
</FONT>

OpenLinux eDesktop 2.4<BR> <a
href="ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current">ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current</a>
<BR>

<FONT FACE="monospace">
c37b6673cc9539e592013ac114846940 RPMS/bind-8.2.2p7-1.i386.rpm<BR>
bbe0d7e317fde0d47cba1384f6d4b635 RPMS/bind-doc-8.2.2p7-1.i386.rpm<BR>
5c28dd5641a4550c03e9859d945a806e RPMS/bind-utils-8.2.2p7-1.i386.rpm<BR>
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm<BR>
</FONT>

<A NAME="compaq">
<H4>Compaq Computer Corporation</H4>

SOURCE: Compaq Services Software Security Response Team<BR>

<FONT FACE="monospace">
<PRE>
......................................................................
 COMPAQ COMPUTER CORPORATION

......................................................................
  CERT-2000-20 - BIND 8 The "zxfr bug"  
                              X-REF: SSRT1-38U, CERT-2000-20
......................................................................
       Compaq Tru64 UNIX V5.1           -        
                                   patch:  SSRT1-66U_v5.1.tar.Z      

       Compaq Tru64 UNIX V5.0 & V5.0a   -
                            V5.0   patch: SSRT1-68U_v5.0.tar.Z      
                            V5.0a  patch: SSRT1-68U_v5.0a.tar.Z    

       Compaq Tru64 UNIX V4.0D/F/G              - Not Vulnerable
       TCP/IP Services for Compaq OpenVMS       - Not Vulnerable

......................................................................
CERT02000-20 - BIND 8 The "srv bug" 
                             X-REF: SSRT1-38U, CERT CA2000-20
......................................................................
       Compaq Tru64 UNIX V5.1           -         
                                   patch: SSRT1-66U_v5.1.tar.Z     

       Compaq Tru64 UNIX V5.0 & V5.0a   -
                            V5.0   patch: SSRT1-68U_v5.0.tar.Z      
                            V5.0a  patch: SSRT1-68U_v5.0a.tar.Z    

       Compaq Tru64 UNIX V4.0D/F/G              - Not Vulnerable
       TCP/IP Services for Compaq OpenVMS	- Not Vulnerable

 Compaq will provide notice of the completion/availability of the
 patches through AES services (DIA, DSNlink FLASH), the Security
 mailing list, and be available from your normal Compaq Support
 channel. You may subscribe to the Security mailing list at:
              
<a href="http://www.support.compaq.com/patches/mailing-list.shtml">http://www.support.compaq.com/patches/mailing-list.shtml</a>

</PRE>
</FONT>

<A NAME="conectiva">
<H4>Conectiva</H4>

<P>Please see Conectiva Linux Security Announcement CLSA-2000:339 at:

<DL><DD> <A
HREF="http://listserv.securityportal.com/SCRIPTS/WA-SECURITYPORTAL.EXE?A1=ind0011&L=linux-security#27">http://listserv.securityportal.com/SCRIPTS/WA-SECURITYPORTAL.EXE?A1=ind0011&L=linux-security#27</A>
</DD></DL>

<P>Note: Conectiva Linux Security Announcement CLSA-2000:338, also
regarding this issue, had a packaging error in it. Users who
downloaded updates based on CLSA-2000:338 should see CLSA-2000:339 for
further information.

<A NAME="debian">
<H4>Debian</H4>

<P>Please see Debian Security notice 20001112, bind  at:
 
<DL><DD><A
HREF="http://www.debian.org/security/2000/20001112">http://www.debian.org/security/2000/20001112</A>
</DD></DL>

<A NAME="freebsd">
<H4>FreeBSD</H4>

<P>All versions of FreeBSD after 4.0-RELEASE (namely 4.1-RELEASE,
4.1.1-RELEASE and the forthcoming 4.2-RELEASE) are not vulnerable to
this bug since they include versions of BIND 8.2.3. FreeBSD
4.0-RELEASE and earlier are vulnerable to the reported problems since
they include an older version of BIND, and an update to a
non-vulnerable version is scheduled to be committed to FreeBSD
3.5.1-STABLE in the next few days.

<P>[CERT/CC Addendum: FreeBSD has published an advisory regarding this
issue at <A
HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:10.bind.asc">ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:10.bind.asc</A>]

<A NAME="fujitsu">
<H4>Fujitsu</H4>

<P>Fujitsu's UXP/V is not vulnerable to these bugs because we support a different version of BIND.
 
<A NAME="hp">
<H4>Hewlett-Packard</H4>

<P>HP is vulnerable to the SRV issue and patches are available, see HP
Security Bulletin #144.

<P>[CERT/CC Addendum: To locate this HP Security Bulletin online, please
visit <A HREF="http://itrc.hp.com">http://itrc.hp.com</A> and search for
"HPSBUX0102-144".  Please note that registration may be required to access
this document.]

<A NAME="ibm">
<H4>IBM</H4>

<P>IBM has reported to the CERT/CC that AIX is vulnerable to the bugs
described in this document.  IBM initially released an e-patch in APAR
IY14512.

<P>IBM has posted an e-fix for the BIND denial-of-service vulnerabilities to
<a href="ftp://aix.software.ibm.com/aix/efixes/security/named8_DoS_efix.tar.Z">ftp.software.ibm.com/aix/efixes/security</a>. See the <a href="ftp://aix.software.ibm.com/aix/efixes/security/README">README</a> file in this ftp
directory for additional information.

<P>Also, IBM has posted an <a href="ftp://aix.software.ibm.com/aix/efixes/security/locale_format_efix.tar.Z">e-fix</a> to this same site that contains libc.a
library that incorporates a fix to the BIND vulnerabilities and the recent
locale subsystem format string vulnerability discovered by Ivan Arce of CORE,
and discussed on <a href="http://www.securityfocus.com/vdb/bottom.html?section=credit&vid=1634">Bugtraq</a>.  The e-fix for BIND must be downloaded and installed
before implementing this e-fix. See the same <a href="ftp://aix.software.ibm.com/aix/efixes/security/README">README</a> file for details.


<A NAME="immunix">
<H4>Immunix</H4>

<P>Immunix Linux versions 6.2 and 7.0 beta are both vulnerable, and a
fix has been issued.  See <A
HREF="http://www.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2000-70-005-01">http://www.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2000-70-005-01</A>
for the advisory and updated package information.

<A NAME="mandrake">
<H4>MandrakeSoft</H4>

<P>Please see "MDKSA-2000:067: bind" at:

<DL><DD> <A
HREF="http://www.linux-mandrake.com/en/security/MDKSA-2000-067.php3">http://www.linux-mandrake.com/en/security/MDKSA-2000-067.php3</A></DD></DL>

<a name="microsoft">
<H4>Microsoft Corporation</H4>

<P>We have had a chance to investigate these issues and we are
not-vulnerable.  This includes both Windows 2000 and Windows NT 4.0.


<A NAME="netbsd">
<H4>NetBSD</H4>

<P>NetBSD is believed to be vulnerable to these problems; in response,
NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7 will be
present in the forthcoming NetBSD 1.5 release.

<A NAME"redhat">
<H4>RedHat</H4>

<P>Please see "RHSA-2000:107-01: Updated bind packages fixing DoS
attack", available at: 

<DL><DD><A
HREF="http://www.redhat.com/support/errata/RHSA-2000-107.html">http://www.redhat.com/support/errata/RHSA-2000-107.html</A></DD></DL>

<A NAME="slackware">
<H4>Slackware</H4>

<P>Updated Slackware distributions for bind may be found at:

<DL><DD><A
HREF="ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz">ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz</A>
</DD></DL>

<A NAME="suse">
<H4>SuSE Inc</H4>

<P>SuSE Linux has published a Security Announcement regarding these
vulnerabilities.  For further information, please visit:

<DL><DD> <A
HREF="http://www.suse.com/de/support/security/2000_045_bind8_txt.txt">http://www.suse.com/de/support/security/2000_045_bind8_txt.txt</A>
</DD></DL>

<P>

<HR NOSHADE>

<P>The CERT Coordination Center thanks Mark Andrews, David Conrad, and
Paul Vixie of the <a href="http://www.isc.org">ISC</a> for developing
a solution and assisting in the preparation of this advisory. We would
also recognize the contribution of <a
href="mailto:okir@caldera.de">Olaf Kirch</a> in helping us understand
the exact nature of the "zxfr bug" vulnerability.

<P>

<HR NOSHADE>

<P>Author: This document was written by Jeffrey S. Havrilla and Jeffrey P. Lanza.
<A HREF="mailto:cert@cert.org?subject=CA-2000-20%20Feedback%20VU%23715973%20VU%23198355">
Feedback</A> on this advisory is appreciated.

<P>

<!--#include virtual="/include/footer_nocopyright.html" -->

<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
Nov 13, 2000: Initial release
Nov 13, 2000: Added information regarding Immunix
Nov 13, 2000: Corrected typographical error in title
Nov 14, 2000: Updated RedHat and Microsoft sections
Nov 16, 2000: Added vendor info for IBM AIX and SuSE Linux
Nov 16, 2000: Added references for each vulnerability
Nov 22, 2000: Ammended statement from HP
Nov 28, 2000: Ammended statement from IBM
Feb 28, 2001: Updated Compaq statement; Tru64 Unix is affected 
May 10, 2001: Updated HP statement
Jul 18, 2001: Added statement for Fujitsu (statement received on 12/22/00)
Aug 08, 2001: Fixed CVE references, added references to VU#715973 and VU#198355
</PRE>