
CERT Coordination Center

Multiple vendors' Domain Name System (DNS) stub resolvers vulnerable to buffer overflow via network name and address lookups

Vulnerability Note VU#542971

Original Release Date: 2002-08-01 | Last Revised: 2002-08-28

Overview

Buffer overflow vulnerabilities exist in the DNS stub resolver library used by BSD, ISC BIND, and GNU glibc. Other systems that use DNS resolver code derived from ISC BIND may also be affected. An attacker who is able to control DNS responses could execute arbitrary code or cause a denial of service on vulnerable systems.

Description

The Domain Name System (DNS) provides name, address, and other information about Internet Protocol (IP) networks and devices. By issuing queries to and interpreting responses from DNS servers, IP-enabled network operating systems can access DNS information. When an IP network application needs to access or process DNS information, it calls functions in the stub resolver library, which may be part of the underlying network operating system. On BSD-based systems, DNS stub resolver functions are implemented in the system library libc. In ISC BIND, they are implemented in libbind. On GNU/Linux-based systems, they are implemented in glibc. The DNS resolver libraries on BSD-based systems (libc), ISC BIND (libbind), GNU/Linux (glibc), and possibly other systems that use code derived from ISC BIND contain buffer overflow vulnerabilities in the way the resolver handles DNS responses.

This document specifically addresses a buffer overflow that can occur when stub resolvers process DNS responses for network name and address resolution.

The stub resolver implementation in ISC BIND 4 (4.8 to 4.9.8 at least) is vulnerable to buffer overflows via DNS responses for both network and host name and address resolution. The BSD and GNU/Linux stub resolvers are derived from the BIND 4 code and are therefore also vulnerable via both sets of responses.

    • In October 1999, GNU/Linux glibc was patched against the buffer overflow that can occur during the processing of responses for host name and address resolution. glibc versions 2.1.3 and later are not vulnerable to this problem.
    • In June 2002, ISC BIND and {Free,Net,Open}BSD patched their stub resolver libraries against both problems. At this time, it was discovered that glibc was still vulnerable to a buffer overflow via responses for network name and address resolution. Unpatched versions of GNU glibc 2.2.5 and earlier are vulnerable to this problem.

The Systems Affected section of this document only applies to products that use the GNU/Linux stub resolver implementation in glibc. See CERT Advisory CA-2002-19 and VU#803539 for more complete vendor information.

Note that any application that uses a vulnerable resolver library is likely to be affected. Applications that are statically linked must be recompiled using patched resolver libraries.
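As an added illustration, not code from this note or from any of the affected resolver libraries, the following C function shows the bounds checks whose absence produces this class of overflow: a name taken from a DNS response is copied into a fixed-size caller buffer only after both the remaining length of the response and the remaining space in the destination have been verified. The message bytes, buffer sizes and function names are constructed for the example; it deliberately rejects DNS compression pointers, which a real resolver routine such as libbind's dn_expand must also follow.

```c
/* Bounds-checked expansion of a DNS wire-format name (RFC 1035 label
 * sequence) into a dotted, NUL-terminated C string.
 *
 * Added example: simplified, hypothetical decoder, not the libc/libbind/glibc
 * code. Compression pointers (top two bits of a length byte set) are rejected
 * rather than followed, so the example stays small. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Expand the labels starting at msg[off] into out[0..outlen-1].
 * Returns the number of wire bytes consumed, or -1 when the name is
 * truncated, uses compression, or would not fit in out (including NUL).
 * Every failure mode here corresponds to a check that, if omitted,
 * lets attacker-controlled response data run past a fixed buffer. */
int expand_name(const uint8_t *msg, size_t msglen, size_t off,
                char *out, size_t outlen)
{
    size_t pos = off;
    size_t outpos = 0;
    int first = 1;

    if (outlen == 0)
        return -1;

    for (;;) {
        if (pos >= msglen)                  /* no room for a length byte */
            return -1;
        uint8_t len = msg[pos++];
        if (len == 0)                       /* root label ends the name */
            break;
        if (len & 0xC0)                     /* compression / reserved bits */
            return -1;
        if (len > msglen - pos)             /* label runs past the message */
            return -1;
        /* Destination needs an optional '.', the label, and the final NUL. */
        size_t need = (first ? 0u : 1u) + len;
        if (need + 1 > outlen - outpos)     /* would overflow the caller's buffer */
            return -1;
        if (!first)
            out[outpos++] = '.';
        memcpy(out + outpos, msg + pos, len);
        outpos += len;
        pos += len;
        first = 0;
    }
    out[outpos] = '\0';
    return (int)(pos - off);
}

/* Constructed sample "response" fragment: www.example.com in wire form. */
static const uint8_t sample_name[] =
    "\x03" "www" "\x07" "example" "\x03" "com" "\x00";

/* Well-formed name into a buffer that is large enough:
 * returns bytes consumed (17) when the decoded string is correct, -2 otherwise. */
int demo_valid(void)
{
    char buf[64];
    int used = expand_name(sample_name, sizeof sample_name - 1, 0, buf, sizeof buf);
    if (used < 0)
        return used;
    return strcmp(buf, "www.example.com") == 0 ? used : -2;
}

/* Same name into an 8-byte buffer: must be refused, not overflowed. */
int demo_too_small(void)
{
    char buf[8];
    return expand_name(sample_name, sizeof sample_name - 1, 0, buf, sizeof buf);
}

/* Response cut off inside a label: must be refused. */
int demo_truncated(void)
{
    char buf[64];
    return expand_name(sample_name, 3, 0, buf, sizeof buf);
}

int main(void)
{
    printf("valid: %d, too small: %d, truncated: %d\n",
           demo_valid(), demo_too_small(), demo_truncated());
    return 0;
}
```

The two rejected cases are the ones that matter for this note: a response whose name data is longer than the buffer the application (or the resolver's own getnetby* routines) allocated, and a response shorter than its length bytes claim. A decoder that trusts either length is the pattern the vendor patches remove.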

Impact

An attacker who is able to control DNS responses could execute arbitrary code or cause a denial of service on vulnerable systems. The attacker would need to be able to spoof DNS responses or control a DNS server that provides responses to a vulnerable system. Any code executed by the attacker would run with the privileges of the process that called the vulnerable resolver function, potentially root.

Solution

Apply a Patch

Apply a patch from your vendor. In the case of statically linked binaries, it is necessary to recompile using the patched version of the DNS stub resolver libraries.

Upgrade

Upgrade your system as specified by your vendor.

Use of a local caching DNS server is not an effective workaround

When this document was initially published, it was thought that a caching DNS server that reconstructs DNS responses would prevent malicious code from reaching systems with vulnerable resolver libraries. This workaround does not prevent some DNS responses that contain malicious code from reaching clients, whether or not the responses are reconstructed by a local caching DNS server. Since the server may cache the responses, the malicious code could persist until the server's cache is purged or the entries expire.

Disable Reverse DNS Lookups

Disable the reverse DNS lookup functions in applications that perform DNS name lookups from IP addresses. For example, some HTTP and FTP servers perform reverse DNS lookups to convert IP addresses to hostnames in logs. Disabling reverse DNS lookups will only protect against specific exploit attempts that rely on the reverse lookup as an attack vector.

Configure Name Service Switch (glibc only)

On GNU/Linux systems using glibc, configure the Name Service Switch function of glibc not to use DNS to resolve network names and addresses. Modify the Name Service Switch configuration file /etc/nsswitch.conf so that the "networks:" line does not contain the term "dns".

# This "networks:" line omits "dns" to work around a bug in glibc 2.2.5 and earlier.
networks: files nisplus

Note that this will prevent resolution of network names and addresses via DNS, which will likely cause resolution of non-local networks to fail.


Acknowledgements

The CERT/CC thanks PINE-CERT for reporting this vulnerability and the GNU glibc developers for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-0684
CERT Advisory: CA-2002-19
Severity Metric: 29.72
Date Public: 2002-06-26
Date First Published: 2002-08-01
Date Last Updated: 2002-08-28 01:57 UTC
Document Revision: 38

Sponsored by CISA.