
BIND Vulnerabilities

ISC has discovered (or has been notified of) eight bugs which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC. Upgrading to BIND version 8.2.2 patchlevel 7, or higher, is strongly recommended for all users of BIND.


Name: "zxfr bug"

Versions affected:    8.2.2, 8.2.2 patchlevels 1 through 6
Severity:   SERIOUS
Exploitable:   Remotely
Type:   Denial of service

Description:

A bug in code intended to provide support for the transfer of compressed zone files can result in the name server crashing.

Workarounds:

A partial workaround can be implemented by disallowing zone transfers except from trusted hosts. Note that if the trusted hosts are compromised, name servers with this bug will be vulnerable to denial of service attacks.

Active Exploits:

This attack can be implemented using utilities provided with the BIND package (named-xfer and dig).


Name: "sigdiv0 bug"

Versions affected:    8.2, 8.2 patchlevel 1, 8.2.2 patchlevels 1 through 5
Severity:   MODERATE
Exploitable:   Remotely
Type:   Denial of service

Description:

Improper argument checking while verifying signatures may cause a divide by zero error which will cause the name server to crash. This bug can only be encountered in signed zones.

Workarounds:

Do not sign zones for use with servers susceptible to this bug.

Active Exploits:

ISC is not aware of any active exploits of this bug at this time.


Name: "srv bug"

Versions affected:    8.2, 8.2 patchlevel 1, 8.2.1, 8.2.2, 8.2.2 patchlevels 1 through 6
Severity:   SERIOUS
Exploitable:   Remotely
Type:   Denial of Service

Description:

A bug in the handling of the compression pointer tables can result in the name server entering an infinite loop. This bug has been known to occur in the standard processing of SRV records used with Windows 2000 Active Directory.

Workarounds:

None.

Active Exploits:

ISC is not aware of any intentional active exploits of this bug at this time.


Name: "nxt bug"

Versions affected:    8.2, 8.2 patchlevel 1, 8.2.1
Severity:   CRITICAL
Exploitable:   Remotely
Type:   Access possible

Description:

A bug in the processing of NXT records can theoretically allow an attacker to gain access to the system running the DNS server at whatever privilege level the DNS server runs at.

Workarounds:

None.

Active Exploits:

Scripts are available which can implement this attack.


Name: "solinger bug"

Versions affected:    8.1, 8.1.1, 8.1.2, 8.2, 8.2 patchlevel 1, 8.2.1
Severity:   SERIOUS
Exploitable:   Remotely
Type:   Denial of service

Description:

It is possible to remotely cause BIND to "pause" for intervals of up to 120 seconds using an abnormal TCP session.

Workarounds:

On some systems it is possible to set the system-wide SO_LINGER timeout to a lower value; however, this may have unexpected consequences for other applications.

Active Exploits:

Scripts are available which can implement this attack.


Name: "fdmax bug"

Versions affected:    8.1, 8.1.1, 8.1.2, 8.2, 8.2 patchlevel 1
Severity:    SERIOUS
Exploitable:    Remotely
Type:    Denial of service

Description:

A bug in the handling of file descriptors results in a vulnerability that will crash the DNS server when more than FD_SETSIZE descriptors are consumed.

Workarounds:

Set "files #;" in the "options" section of named.conf, where # is less than FD_SETSIZE (as typically found in /usr/include/sys/select.h).

Active Exploits:

Scripts are available which can implement this attack.
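
The following script is an added example, not part of the ISC advisory: it checks whether the fdmax workaround above is in place by reading FD_SETSIZE from a select.h-style header and the "files" value from the options section of named.conf, and flags a configuration where the limit is not below FD_SETSIZE. The header and configuration paths, and the sample contents it creates, are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ISC advisory): verify that the "files" limit in the
# options section of named.conf is below the system FD_SETSIZE, which is what the
# fdmax workaround requires. Paths and sample contents below are constructed.

# Print the numeric FD_SETSIZE from a select.h-style header; empty if not found.
fd_setsize_from_header() {
    awk '/^#define[[:space:]]+FD_SETSIZE[[:space:]]+[0-9]+/ { print $3; exit }' "$1"
}

# Print the N from "files N;" inside the options { ... } block of a named.conf.
files_limit_from_conf() {
    awk '/^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1 }
         inopt && /^[[:space:]]*files[[:space:]]+[0-9]+/ { sub(/;.*/, "", $2); print $2; exit }
         inopt && /^[[:space:]]*[}]/ { inopt = 0 }' "$1"
}

# Return 0 if the workaround is in place (files set and < FD_SETSIZE), 1 otherwise.
check_fdmax_workaround() {
    setsize=$(fd_setsize_from_header "$1")
    files=$(files_limit_from_conf "$2")
    [ -n "$setsize" ] || { echo "no numeric FD_SETSIZE in $1"; return 1; }
    [ -n "$files" ]   || { echo "no 'files' limit in options of $2"; return 1; }
    if [ "$files" -lt "$setsize" ]; then
        echo "ok: files=$files is below FD_SETSIZE=$setsize"
        return 0
    fi
    echo "WARNING: files=$files is not below FD_SETSIZE=$setsize (fdmax crash possible)"
    return 1
}

# Constructed sample inputs standing in for /usr/include/sys/select.h and named.conf.
SAMPLES=${TMPDIR:-/tmp}/fdmax_check.$$
mkdir -p "$SAMPLES"
printf '#define FD_SETSIZE 1024\n' > "$SAMPLES/select.h"
printf 'options {\n    directory "/var/named";\n    files 4096;\n};\n' > "$SAMPLES/named_bad.conf"
printf 'options {\n    directory "/var/named";\n    files 1000;\n};\n' > "$SAMPLES/named_good.conf"

# The first configuration exceeds FD_SETSIZE and is flagged; the second passes.
check_fdmax_workaround "$SAMPLES/select.h" "$SAMPLES/named_bad.conf" || true
check_fdmax_workaround "$SAMPLES/select.h" "$SAMPLES/named_good.conf"
```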

Name: "sig bug"

Versions affected:    4.9.5, 4.9.5 patchlevel 1, 4.9.6, 8.1, 8.1.1, 8.2, 8.2 patchlevel 1, 8.2.1
Severity:    SERIOUS
Exploitable:    Remotely
Type:    Denial of service

Description:

Improper validation of SIG record contents can cause the DNS server to crash, resulting in a denial of service.

Workarounds:

None.

Active Exploits:

At this time, ISC is unaware of any active exploits of this vulnerability.

Name: "naptr bug"

Versions affected:    4.9.5, 4.9.5 patchlevel 1, 4.9.6, 4.9.7, 8.1, 8.1.1, 8.1.2, 8.2, 8.2 patchlevel 1, 8.2.1, 8.2.2, 8.2.2 patchlevel 1
Severity:    MINOR
Exploitable:    Locally
Type:    Denial of service

Description:

Improper validation of zone data for a NAPTR record being loaded from disk can result in the DNS server crashing. Zone data read from the network cannot trigger this bug. Given that the privilege level required to modify the zone data is typically the same as that of the DNS server, this bug is unlikely to result in an exploit unless zone files have unusual permissions.

Workarounds:

Ensure that the permission level required to modify zone files is the same as or higher than that of the DNS server.

Active Exploits:

At this time, ISC is unaware of any active exploits of this vulnerability.


Name: "maxdname bug"

Versions affected:    4.9.5, 4.9.5 patchlevel 1, 4.9.6, 4.9.7, 8.1, 8.1.1, 8.1.2, 8.2, 8.2 patchlevel 1, 8.2.1, 8.2.2, 8.2.2 patchlevel 1
Severity:    MINOR
Exploitable:    Remotely
Type:    Denial of service

Description:

The use of sprintf() with data from the network can result in a buffer overflow condition which may result in unexpected behavior. Because of the placement of the buffer which might be overflowed, it is unlikely that this bug will have serious consequences; however, the possibility of a remotely triggered server crash cannot be ruled out.

Workarounds:

None.

Active Exploits:

At this time, ISC is unaware of any active exploits of this vulnerability.


Summary

The following table summarizes the vulnerability to the bugs mentioned in this advisory for all versions of BIND distributed by ISC. Upgrading to BIND version 8.2.2 patchlevel 7, or higher, is strongly recommended for all users of BIND.

version   | zxfr | sigdiv0 | srv | nxt | sig | naptr | maxdname | solinger | fdmax
4.8       |      |         |     |     |     |       |    -     |          |
4.8.1     |      |         |     |     |     |       |    -     |          |
4.8.2.1   |      |         |     |     |     |       |    -     |          |
4.8.3     |      |         |     |     |     |       |    -     |          |
4.9.3     |      |         |     |     |     |       |    -     |          |
4.9.4     |      |         |     |     |     |       |    -     |          |
4.9.4 p1  |      |         |     |     |     |       |    -     |          |
4.9.5     |      |         |  -  |     |  +  |   +   |    +     |          |
4.9.5 p1  |      |         |  -  |     |  +  |   +   |    +     |          |
4.9.6     |      |         |  -  |     |  +  |   +   |    +     |          |
4.9.7     |      |         |  -  |     |  -  |   +   |    +     |          |
8.1       |      |         |  -  |     |  +  |   +   |    +     |    +     |   +
8.1.1     |      |         |  -  |     |  +  |   +   |    +     |    +     |   +
8.1.2     |      |         |  -  |     |  -  |   +   |    +     |    +     |   +
8.2       |  -   |    +    |  +  |  +  |  +  |   +   |    +     |    +     |   +
8.2 p1    |  -   |    +    |  +  |  +  |  +  |   +   |    +     |    +     |   +
8.2.1     |  -   |    +    |  +  |  +  |  +  |   +   |    +     |    +     |   +
8.2.2     |  +   |    +    |  +  |  -  |  -  |   +   |    +     |    -     |   -
8.2.2 p1  |  +   |    +    |  +  |  -  |  -  |   +   |    +     |    -     |   -
8.2.2 p2  |  +   |    +    |  +  |  -  |  -  |   -   |    -     |    -     |   -
8.2.2 p3  |  +   |    +    |  +  |  -  |  -  |   -   |    -     |    -     |   -
8.2.2 p4  |  +   |    +    |  +  |  -  |  -  |   -   |    -     |    -     |   -
8.2.2 p5  |  +   |    +    |  +  |  -  |  -  |   -   |    -     |    -     |   -
8.2.2 p6  |  +   |    -    |  +  |  -  |  -  |   -   |    -     |    -     |   -
8.2.2 p7  |  -   |    -    |  -  |  -  |  -  |   -   |    -     |    -     |   -
9.0.0     |  -   |    -    |  -  |  -  |  -  |   -   |    -     |    -     |   -

Vulnerable: '+', Not Vulnerable: '-', Feature does not exist: blank cell


This Web Site and its contents - ©2000 Internet Software Consortium