CERT/CC Vulnerability Note VU#852283

Overview

A vulnerability in BIND allows remote attackers to execute code with the privileges of the process running named. This vulnerability is resolved in BIND versions 4.9.11, 8.2.7, 8.3.4, and BIND 9.

Description

A remotely exploitable buffer overflow exists in named. An attacker using malformed SIG records can exploit this vulnerability against a nameserver with recursion enabled. The overflow occurs when the nameserver constructs responses to recursive requests using the malformed SIG records, leading to arbitrary code execution as the named uid, typically root. As was the case with a previous issue affecting named and NXT records (CA-1999-14, VU#16532), a malicious server must reply to a forwarded request from a recursive nameserver in order to exploit the vulnerability. However, as with the NXT record exploit, a full-service nameserver is not required, only a service replying to a legitimate victim nameserver request.

The following versions of BIND are affected:

- BIND versions 4.9.5 to 4.9.10
- BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3

Impact

A remote attacker could execute arbitrary code on the nameserver with the privileges of the named uid, typically root.

Solution

Upgrade to BIND 4.9.11, BIND 8.2.7, BIND 8.3.4, or BIND 9.

One interim workaround is to disable recursion on vulnerable servers.

Vendor Information

852283

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Apple Computer Inc. Affected

Notified: November 12, 2002 Updated: December 03, 2002

Status

Affected

Vendor Statement

Affected Systems: Mac OS X and Mac OS X Server with BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3

Mitigating Factors: BIND is not enabled by default on Mac OS X or Mac OS X Server

This is addressed in Security Update 2002-11-21

http://www.apple.com/support/security/security_updates.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Affected

Notified: November 12, 2002 Updated: November 14, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

- -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - --------------------------------------------------------------------------
PACKAGE : bind SUMMARY : Remote vulnerabilities in the BIND DNS server DATE : 2002-11-14 15:36:00 ID : CLA-2002:546 RELEVANT RELEASES : 6.0
- -------------------------------------------------------------------------
DESCRIPTION "bind" is probably the most used DNS server on the internet.
ISS reported[7] buffer overflow and denial of service vulnerabilities in some versions of the BIND software. The most dangerous one, the buffer overflow, could be used by remote attacker to execute arbitrary code on the server with the privileges of the user running the "named" process.
The vulnerabilities explained below affect BIND as shipped with Conectiva Linux 6.0. Conectiva Linux 7.0 and 8 already ship BIND 9.x, which is not vulnerable to the problems reported by ISS.
1) Buffer overflow (CAN-2002-1219) [5] An attacker who can make a vulnerable BIND server make recursive queries to a domain that he (the attacker) controls can exploit this vulnerability and execute arbitrary code on the server with the same privileges as the "named" process. The BIND packages in Conectiva Linux run the "named" process with an unprivileged user, and not root, which mitigates the impact of this vulnerability somewhat, requiring that the attacker take further steps to obtain root access. Additionally, there is the bind-chroot package which, if used, runs the server in a chroot area under /var/named which imposes an additional restriction on the actions a potential intruder can take.
2) Denial of service (CAN-2002-1221) [6] The BIND server can be triggered into attempting a NULL pointer dereference which will terminate the service. This can be caused by a remote attacker who controls a DNS server authoritative for some domain queried by the vulnerable BIND server.

The packages available through this advisory were built with patches that were made publicly available[3] by ISC less than 24 hours ago. Conectiva Linux and the majority of other GNU/Linux distributions were notified about this vulnerability (but with not enough details to produce a patch) about 12 hours before ISS made it public[7]. We are worried about the way in which this whole incident has been handled, specially when considering that DNS is part of the internet infrastructure and thus a vital service.
We, and many vendors, do believe in what is commonly called "responsible full disclosure"[8], where all details about a vulnerability are made public after all vendors were notified in advance and have had a reasonable amount of time to prepare and test updated packages. We believe this to be the most secure and responsible method for disclosing vulnerabilities.

SOLUTION All BIND users should upgrade immediately. After the upgrade, the named service will be automatically restarted if needed.
If it is not possible to upgrade the packages immediately, users should disable recursive queries or restrict them. Disabling recursive queries can be done by the "recursion no;" parameter in the options section of the named.conf configuration file. Restricting access to such queries can be accomplished via the "allow-recursion" directive in the same configuration file.

REFERENCES 1.http://www.isc.org/ 2.http://www.cert.org/advisories/CA-2002-31.html 3.http://www.isc.org/products/BIND/patches/bind826.diff 4.http://www.isc.org/products/BIND/bind-security.html 5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219 6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221 7.https://gtoc.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469 8.http://distro.conectiva.com.br/seguranca/problemas/?idioma=en

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGESftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-8.2.6-1U60_2cl.src.rpmftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-chroot-8.2.6-1U60_2cl.src.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.6-1U60_2cl.i386.rpm

ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update - after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples can be found athttp://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found athttp://distro.conectiva.com.br/seguranca/chave/?idioma=enInstructions on how to check the signatures of the RPM packages can be found athttp://distro.conectiva.com.br/seguranca/politica/?idioma=en- ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed athttp://distro.conectiva.com.br/atualizacoes/?idioma=en
- ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info seehttp://www.gnupg.org
iD8DBQE9099O42jd0JmAcZARAiZGAKDMz0e8eiF+0Zws8sQkvkE5NcHKywCg24tc ixMwRpolJ8skSz3KyrLfVjM= =Smdc -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Affected

Notified: November 12, 2002 Updated: November 14, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.debian.org/security/2002/dsa-196.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde Affected

Notified: November 12, 2002 Updated: November 14, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

+------------------------------------------------------------------------+ | EnGarde Secure Linux Security Advisory November 14, 2002 | |http://www.engardelinux.org/ ESA-20021114-029 | | | | Packages: bind-chroot, bind-chroot-utils | | Summary: buffer overflow, DoS attacks. | +------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, e-commerce, and integrated open source security tools.
OVERVIEW - -------- Several vulnerabilities were found in the BIND nameserver. The vulnerabilities, discovered by ISS, range from buffer overflows to denial of service (DoS) attacks.
The summaries below are from the ISS advisory which may be found at:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
* CAN-2002-1219 -- BIND SIG Cached RR Overflow Vulnerability
"A buffer overflow exists in BIND 4 and 8 that may lead to remote compromise of vulnerable DNS servers. An attacker who controls any authoritative DNS server may cause BIND to cache DNS information within its internal database, if recursion is enabled. Recursion is enabled by default unless explicitly disabled via command line options or in the BIND configuration file. Attackers must either create their own name server that is authoritative for any domain, or compromise any other authoritative server with the same criteria. Cached information is retrieved when requested by a DNS client. There is a flaw in the formation of DNS responses containing SIG resource records (RR) that can lead to buffer overflow and execution of arbitrary code."
* CAN-2002-1220 -- BIND OPT DoS
"Recursive BIND 8 servers can be caused to abruptly terminate due to an assertion failure. A client requesting a DNS lookup on a nonexistent sub- domain of a valid domain name may cause BIND 8 to terminate by attaching an OPT resource record with a large UDP payload size. This DoS may also be triggered for queries on domains whose authoritative DNS servers are unreachable."
* CAN-2002-1221 -- BIND SIG Expiry Time DoS
"Recursive BIND 8 servers can be caused to abruptly terminate due to a null pointer dereference. An attacker who controls any authoritative name server may cause vulnerable BIND 8 servers to attempt to cache SIG RR elements with invalid expiry times. These are removed from the BIND internal database, but later improperly referenced, leading to a DoS condition."
All users should upgrade as soon as possible.
SOLUTION - -------- Users of the EnGarde Professional edition can use the Guardian Digital Secure Network to update their systems automatically.
EnGarde Community users should upgrade to the most recent version as outlined in this advisory. Updates may be obtained from:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh files
You must now update the LIDS configuration by executing the command:
# /usr/sbin/config_lids.pl
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signatures of the updated packages, execute the command:
# rpm -Kv files
UPDATED PACKAGES - ---------------- These updated packages are for EnGarde Secure Linux Community Edition.
Source Packages:
SRPMS/bind-chroot-8.2.6-1.0.29.src.rpm MD5 Sum: 3c845d09bcbe9b07e5395d75a8686689
Binary Packages:
i386/bind-chroot-8.2.6-1.0.29.i386.rpm MD5 Sum: 0c1daf47be94ae0fd5a29e4007bf68c2
i386/bind-chroot-utils-8.2.6-1.0.29.i386.rpm MD5 Sum: 58e0e54d895b8dc3c6f6b5e9228912fb
i686/bind-chroot-8.2.6-1.0.29.i686.rpm MD5 Sum: 84cb58f02d228859a2fbda3ed1b46dd5
i686/bind-chroot-utils-8.2.6-1.0.29.i686.rpm MD5 Sum: 20fb3e4a34cecb431511308afe027941
REFERENCES - ---------- Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
BIND's Official Web Site: http://www.isc.org/products/BIND/
Security Contact: security@guardiandigital.com EnGarde Advisories:http://www.engardelinux.org/advisories.html
- -------------------------------------------------------------------------- $Id: ESA-20021114-029-bind-chroot,v 1.4 2002/11/14 10:02:51 rwm Exp $ - -------------------------------------------------------------------------- Author: Ryan W. Maple <ryan@guardiandigital.com> Copyright 2002, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info seehttp://www.gnupg.org
iD8DBQE903h0HD5cqd57fu0RAgQ2AJ4h+6JBMcFRlC3vKwfRi7dnMRE69ACbBQoO jReNCYKqxnuwuvOLsRqhznY= =9v8+ -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Affected

Notified: November 12, 2002 Updated: November 14, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:43.bind.asc

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Affected

Notified: November 12, 2002 Updated: November 18, 2002

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to the named and DNS resolver issues in releases 4.3.3, 5.1.0 and 5.2.0. Temporary patches will be available through an efix package by 11/22/2002 or before. The efix will be available at the following URL:

ftp://ftp.software.ibm.com/aix/efixes/security/bind_multiple_efix.tar.Z

In the interim, customers may want to implement the workarounds given in the Solutions section to limit their exposure.

The following APARs will be available in the near future:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ISC Affected

Notified: November 12, 2002 Updated: November 12, 2002

Status

Affected

BIND 4.9.10-OW2 includes the patch provided by ISC and thus has the two vulnerabilities affecting BIND 4 fixed. Previous versions of BIND 4.9.x-OW patches, if used properly, significantly reduced the impact of the "named" vulnerability. The patches are available at their usual location:

http://www.openwall.com/bind/

A patch against BIND 4.9.11 will appear as soon as this version is officially released, although it will likely be effectively the same as the currently available 4.9.10-OW2.

It hasn't been fully researched whether the resolver code in glibc,and in particular on Openwall GNU/*/Linux, shares any of the newly discovered BIND 4 resolver library vulnerabilities. Analysis is in progress.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Affected

Notified: November 12, 2002 Updated: November 13, 2002

Status

Affected

Vendor Statement

Older releases (6.2, 7.0) of Red Hat Linux shipped with versions of BIND which may be vulnerable to these issues however a Red Hat security advisory in July 2002 upgraded all our supported distributions to BIND 9.2.1 which is not vulnerable to these issues.

All users who have BIND installed should ensure that they are running these updated versions of BIND.

http://rhn.redhat.com/errata/RHSA-2002-133.html

http://rhn.redhat.com/errata/RHSA-2002-119.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc. Affected

Notified: November 12, 2002 Updated: November 14, 2002

Status

Affected

Vendor Statement

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 102 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

http://www.secunia.com/advisories/9856/

Acknowledgements

Thanks to ISS for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs:	CVE-2002-1219
CERT Advisory:	CA-2002-31
Severity Metric:	30.38
Date Public:	2002-11-11
Date First Published:	2002-11-13
Date Last Updated:	2004-10-18 14:58 UTC
Document Revision:	18

Software Engineering Institute

CERT Coordination Center

Cached malformed SIG record buffer overflow

Vulnerability Note VU#852283

Overview

Description

Impact

Solution

Vendor Information

Apple Computer Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

Conectiva Affected

Status

Vendor Statement

Vendor Information

Addendum

Debian Affected

Status

Vendor Statement

Vendor Information

Addendum

Engarde Affected

Status

Vendor Statement

Vendor Information

Addendum

FreeBSD Affected

Status

Vendor Statement

Vendor Information

Addendum

IBM Affected

Status

Vendor Statement

Vendor Information

Addendum

ISC Affected

Status

Vendor Statement

Vendor Information

Addendum

MandrakeSoft Affected

Status

Vendor Statement

Vendor Information

Addendum

Nortel Networks Affected

Status

Vendor Statement

Vendor Information

Addendum

Openwall GNU/*/Linux Affected

Status

Vendor Statement

Vendor Information

Addendum

Red Hat Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

SuSE Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

Cray Inc. Not Affected

Status

Vendor Statement

Vendor Information

Addendum

InfoBlox Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Microsoft Corporation Not Affected