-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND

   Original release date: November 14, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Systems running various versions of BIND 4 and BIND 8

   Because the normal operation of most services on the Internet depends
   on the proper operation of DNS servers, other services could be
   affected if these vulnerabilities are exploited.

Overview

   Multiple vulnerabilities with varying impacts have been found in BIND,
   the popular domain name server and client library software package
   from the Internet Software Consortium (ISC). Some of these
   vulnerabilities may allow remote attackers to execute arbitrary code
   with the privileges of the user running named (typically root), or
   with the privileges of vulnerable client applications. The other
   vulnerabilities allow remote attackers to disrupt the normal operation
   of DNS name service on victim servers.

I. Description

   Multiple vulnerabilities have been found in BIND (Berkeley Internet
   Name Domain). Two of them (VU#852283, VU#844360) may allow remote
   attackers to execute arbitrary code with the privileges of the user
   running named, typically root. The other two (VU#229595, VU#581682)
   allow remote attackers to disrupt the normal operation of your name
   server, possibly causing a crash.

   BIND DNS Server Vulnerabilities

   VU#852283 - Cached malformed SIG record buffer overflow

   This vulnerability is a buffer overflow in named. It can occur when
   responses are constructed using previously cached malformed SIG
   records. (SIG records are typically associated with cryptographically
   signed DNS data.) Exploitation of the vulnerability can lead to
   arbitrary code execution as the named uid, typically root.

   The following versions of BIND are affected:

     - BIND versions 4.9.5 to 4.9.10
     - BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3

   VU#229595 - Overly large OPT record assertion

   ISC BIND 8 fails to properly handle DNS lookups for non-existent
   sub-domains when overly large OPT resource records are appended to a
   query. When a non-existent domain (NXDOMAIN) response is constructed
   by a victim nameserver, an assertion may be triggered if the client
   passes a large UDP buffer size. This assertion will cause the running
   named to exit.

   The following versions of BIND are affected:

     - BIND versions 8.3.0 to 8.3.3

   VU#581682 - ISC BIND 8 fails to properly dereference cache SIG RR
   elements with invalid expiry times from the internal database

   ISC's description of this vulnerability states:

     It is possible to de-reference a NULL pointer for certain signature
     expire values.

   The following versions of BIND are affected:

     - BIND versions 8.2 to 8.2.6
     - BIND versions 8.3.0 to 8.3.3

   BIND DNS Resolver Vulnerabilities

   VU#844360 - Domain Name System (DNS) stub resolver libraries
   vulnerable to buffer overflows via network name or address lookups

   An attacker could execute arbitrary code with the privileges of the
   application that made the request or cause a denial of service. The
   attacker would need to control the contents of DNS responses, possibly
   by spoofing responses or gaining control of a DNS server. These
   vulnerabilities are distinct from the issues discussed in CA-2002-19.

   The following DNS stub resolver libraries are known to be affected:

     - BIND 4.9.2 through 4.9.10

   The status of other resolver libraries derived from BIND 4, such as
   BSD libc, GNU glibc, and those used by System V UNIX systems, is
   currently unknown.

   These issues are mapped to CVE candidate numbers as follows:

     VU#852283 - CAN-2002-1219
     VU#229595 - CAN-2002-1220
     VU#581682 - CAN-2002-1221
     VU#844360 - CAN-2002-0029

II. Impact

   VU#852283 - Cached malformed SIG record buffer overflow

   A remote attacker could execute arbitrary code on the nameserver with
   the privileges of the named uid, typically root.

   VU#229595 - Overly large OPT record assertion

   A remote attacker can disrupt the normal operation of your name
   server, possibly causing a crash.

   VU#581682 - ISC BIND 8 fails to properly dereference cache SIG RR
   elements with invalid expiry times from the internal database

   A remote attacker can disrupt the normal operation of your name
   server, possibly causing a crash.

   VU#844360 - Domain Name System (DNS) stub resolver libraries
   vulnerable to buffer overflows via network name or address lookups

   An attacker could execute arbitrary code with the privileges of the
   application that made the request or cause a denial of service. The
   attacker would need to control the contents of DNS responses, possibly
   by spoofing responses or gaining control of a DNS server.

III. Solution

   Apply a patch from your vendor.

   Appendix A contains information provided by vendors for this advisory.
   As vendors report new information to the CERT/CC, we will update this
   section and note the changes in our revision history. If a particular
   vendor is not listed below, we have not received their comments.
   Please contact your vendor directly.

   If a vendor patch is not available, you may wish to consider applying
   the patches ISC has produced:

     BIND 8.3.3  - http://www.isc.org/products/BIND/patches/bind833.diff
     BIND 8.2.6  - http://www.isc.org/products/BIND/patches/bind826.diff
     BIND 4.9.10 - http://www.isc.org/products/BIND/patches/bind4910.diff

   For VU#844360, the BIND 4 libresolv buffer overflows, an upgrade to a
   corrected version of the DNS resolver libraries will be required. Note
   that DNS resolver libraries can be used by multiple applications on
   most systems. It may be necessary to upgrade or apply multiple patches
   and then recompile statically linked applications.
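   The resolver overflows just described, like the three server issues in
   Section I, come from code that trusts the lengths, compression
   pointers and time fields carried inside a DNS message. The Python
   program below is an example added to this page; it is not code from
   ISC, BIND or the advisory and does not reproduce ISC's patches. It
   parses a DNS message with the bounds checks a hardened stub resolver
   needs (an A record whose RDLENGTH is not 4 is rejected rather than
   copied), decodes the EDNS0 OPT pseudo-record whose CLASS field carries
   the requestor's UDP payload size (the field behind VU#229595, see
   RFC 2671), and decodes SIG RDATA (RFC 2535) while rejecting a signer's
   name that runs past the record, an empty signature, and an expiration
   that does not lie after the inception (the kind of inconsistent SIG
   data behind VU#852283 and VU#581682). The 4096-byte threshold for an
   "overly large" payload size, the names, key tag and signature bytes
   are constructed for the example; the advisory gives no such values.

```python
# Defensive DNS message parser. Added example, not code from ISC, BIND or the advisory.
import struct

TYPE_A, TYPE_SIG, TYPE_OPT = 1, 24, 41
MAX_UDP_PAYLOAD = 4096  # assumed threshold for an "overly large" EDNS0 UDP payload size

class MalformedMessage(ValueError):
    """Raised wherever a length, pointer or time field in a message is inconsistent."""

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

def read_name(data, off, allow_pointers=True, depth=0):
    """Decode a name at data[off]; return (labels, offset just past the name)."""
    if depth > 16:
        raise MalformedMessage("compression pointer loop")
    labels = []
    while off < len(data):
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF if off + 1 < len(data) else off
            if not allow_pointers or ptr >= off:  # only backward pointers are legal
                raise MalformedMessage("bad compression pointer")
            tail, _ = read_name(data, ptr, allow_pointers, depth + 1)
            return labels + tail, off + 2
        off += 1
        if length == 0:
            return labels, off
        if length > 63 or off + length > len(data):
            break
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    raise MalformedMessage("name runs past end of data")

def read_rr(msg, off):
    """Decode one RR; RDLENGTH is checked against the message rather than trusted."""
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise MalformedMessage("truncated RR header")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if off + rdlen > len(msg) or (rtype == TYPE_A and rdlen != 4):  # A RDATA is exactly 4 bytes
        raise MalformedMessage("bad RDLENGTH %d for type %d" % (rdlen, rtype))
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": msg[off:off + rdlen]}
    return rr, off + rdlen

def parse_message(msg):
    """Return (questions, records) for a whole DNS message or raise MalformedMessage."""
    if len(msg) < 12:
        raise MalformedMessage("short header")
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise MalformedMessage("truncated question")
        questions.append((qname,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an + ns + ar):
        rr, off = read_rr(msg, off)
        records.append(rr)
    if off != len(msg):
        raise MalformedMessage("trailing bytes after last record")
    return questions, records

def parse_sig(rdata):
    """Decode RFC 2535 SIG RDATA, rejecting inconsistencies a cache should never store."""
    if len(rdata) < 18:
        raise MalformedMessage("SIG RDATA shorter than its fixed fields")
    covered, alg, labels, orig_ttl, expire, incept, key_tag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18, allow_pointers=False)  # signer's name is never compressed
    if off == len(rdata):
        raise MalformedMessage("empty signature")
    if not 0 < ((expire - incept) & 0xFFFFFFFF) < 0x80000000:  # RFC 1982 serial: expire after incept
        raise MalformedMessage("signature expiration not after inception")
    return {"type_covered": covered, "algorithm": alg, "expiration": expire, "inception": incept,
            "key_tag": key_tag, "signer": signer, "signature": rdata[off:]}

def rejects(parser, data):
    """True when parser raises MalformedMessage for data."""
    try:
        parser(data)
    except MalformedMessage:
        return True
    return False

def build_query(qname, udp_payload_size, qid=0x1234):
    """A query with an EDNS0 OPT RR whose CLASS field advertises udp_payload_size (RFC 2671 4.3)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)  # root name, no RDATA
    return header + question + opt

def build_a_response(qname, rdata, qid=0x1234):
    """A response with one A record whose RDATA the caller controls, as an attacker would."""
    head = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return head + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata  # name -> offset 12

def build_sig_rdata(signer, expire, incept, signature, key_tag=0x1234):
    """SIG RDATA covering an A RRset; signer is raw wire bytes so malformed names can be built."""
    return struct.pack("!HBBIIIH", TYPE_A, 5, 2, 3600, expire, incept, key_tag) + signer + signature
```

   Feeding build_query("www.example.com", 8192) through parse_message
   yields one OPT record whose "class" value is the advertised 8192-byte
   payload size, which a server-side monitor could compare against a
   threshold such as MAX_UDP_PAYLOAD; an A response built with three
   bytes of RDATA, or SIG RDATA whose signer's name is unterminated or
   whose expiration precedes its inception, is rejected before any field
   is copied or dereferenced.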
   Applications that are statically linked must be recompiled using
   patched resolver libraries. Applications that are dynamically linked
   do not need to be recompiled; however, running services need to be
   restarted in order to use the patched resolver libraries.

   System administrators should consider the following process when
   addressing this issue:

     1. Patch or obtain updated resolver libraries.
     2. Restart any dynamically linked services that use the resolver
        libraries.
     3. Recompile any statically linked applications using the patched
        or updated resolver libraries.

   Workarounds

   VU#852283 - Cached malformed SIG record buffer overflow
   VU#229595 - Overly large OPT record assertion
   VU#581682 - ISC BIND 8 fails to properly dereference cache SIG RR
   elements with invalid expiry times from the internal database

   One potential workaround to limit exposure to the vulnerabilities in
   named is to disable recursion on any nameserver responding to DNS
   requests made by untrusted systems. As mentioned in "Securing an
   Internet Name Server":

     Disabling recursion puts your name servers into a passive mode,
     telling them never to send queries on behalf of other name servers
     or resolvers. A totally non-recursive name server is protected from
     cache poisoning, since it will only answer queries directed to it.
     It doesn't send queries, and hence doesn't cache any data.
     Disabling recursion can also prevent attackers from bouncing denial
     of service attacks off your name server by querying for external
     zones.

   Non-recursive nameservers should be much more resistant to
   exploitation of the server vulnerabilities listed above. Disabling
   recursion is a mitigation, not a fix: the server still constructs
   responses, including NXDOMAIN answers for the zones it serves, so the
   patch remains necessary.

   Additional Countermeasures

   ISC recommends upgrading to BIND version 9.2.1, which is available
   from:

     http://www.isc.org/products/BIND/bind9.html

   Note that the upgrade from previous versions of BIND may require
   additional site reconfiguration.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory.
   As vendors report new information to the CERT/CC, we will update this
   section and note the changes in our revision history. If a particular
   vendor is not listed below, we have not received their comments.

   Conectiva

   Conectiva Linux 6.0 is affected by this. Updated packages are
   available at our ftp server:

     ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.6-1U60_2cl.i386.rpm
     ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.6-1U60_2cl.i386.rpm
     ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.6-1U60_2cl.i386.rpm
     ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.6-1U60_2cl.i386.rpm
     ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.6-1U60_2cl.i386.rpm
     ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.6-1U60_2cl.i386.rpm

   An advisory about this vulnerability is pending and should be sent to
   our security mailing list and published on our web site during the
   day (Nov 14th).

   FreeBSD

   Please see FreeBSD-SA-02:43.bind.

   Hewlett-Packard Company

   SOURCE: Hewlett-Packard Company Software Security Response team
   x-ref: SSRT2408

   At the time of writing this document, Hewlett Packard is currently
   investigating the potential impact to HP's released Operating System
   software products. As further information becomes available, HP will
   provide notice of the availability of any necessary patches through
   standard security bulletin announcements, and they will be available
   from your normal HP Services support channel.

   MontaVista Software

   MontaVista ships BIND 9, thus is not vulnerable to these advisories.

   Nominum, Inc.

   Nominum "Foundation" Authoritative Name Server (ANS) is not affected
   by this vulnerability. Also, Nominum "Foundation" Caching Name Server
   (CNS) is not affected by this vulnerability. Nominum's commercial DNS
   server products, which are part of Nominum "Foundation" IP Address
   Suite, are not based on BIND and do not contain any BIND code, and so
   are not affected by vulnerabilities discovered in any version of BIND.
   Openwall Project

   BIND 4.9.10-OW2 includes the patch provided by ISC and thus has the
   two vulnerabilities affecting BIND 4 fixed. Previous versions of BIND
   4.9.x-OW patches, if used properly, significantly reduced the impact
   of the "named" vulnerability. The patches are available at their
   usual location:

     http://www.openwall.com/bind/

   A patch against BIND 4.9.11 will appear as soon as this version is
   officially released, although it will likely be effectively the same
   as the currently available 4.9.10-OW2.

   It hasn't been fully researched whether the resolver code in glibc,
   and in particular on Openwall GNU/*/Linux, shares any of the newly
   discovered BIND 4 resolver library vulnerabilities. Analysis is in
   progress.

   Red Hat Inc.

   Older releases (6.2, 7.0) of Red Hat Linux shipped with versions of
   BIND which may be vulnerable to these issues; however, a Red Hat
   security advisory in July 2002 upgraded all our supported
   distributions to BIND 9.2.1, which is not vulnerable to these issues.
   All users who have BIND installed should ensure that they are running
   these updated versions of BIND.

     http://rhn.redhat.com/errata/RHSA-2002-133.html  Red Hat Linux
     http://rhn.redhat.com/errata/RHSA-2002-119.html  Advanced Server 2.1

Appendix B. - References

    1. "Securing an Internet Name Server" -
       http://www.cert.org/archive/pdf/dns.pdf
    2. "Internet Security Systems Security Advisory - Multiple Remote
       Vulnerabilities in BIND4 and BIND8" -
       http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
    3. "BIND Vulnerabilities" -
       http://www.isc.org/products/BIND/bind-security.html
    4. "RFC2671 - Extension Mechanisms for DNS (EDNS0)" -
       ftp://ftp.isi.edu/in-notes/rfc2671.txt
   _________________________________________________________________

   Internet Security Systems publicly reported the following issues:
   VU#852283, VU#229595, and VU#581682. We thank ISC for their
   cooperation.
   _________________________________________________________________

   Author: Ian A. Finlay.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-31.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History

   November 14, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPdNOWWjtSoHZUTs5AQE4mAQAh6sFUqi/31ddeUc249b/oqXuHve7WThj
NAYXdX34QBKg9iwVrxTGzkH/0AAzDdD9JnLXPCwfalb8w46BOm8ejR954kClrvx+
T9FjNS1srRz+/8LMLaZ4orY12SvCXXTRSoS1+Ai+U5Z1FvZrQpZtNBetRVOS7CN8
Yobf5hqgXd8=
=YlT7
-----END PGP SIGNATURE-----