BIND Vulnerabilities

ISC has discovered or has been notified of several bugs which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC. Upgrading to the latest BIND version is strongly recommended.

See the BIND Vulnerability matrix at the bottom of this document for an overview of which versions are subject to specified vulnerabilities.

CERT VU#800113 DNS Cache Poisoning Issue

CVE:	CVE-2008-1447
CERT:	VU#800113
Versions affected:	BIND 8 (all versions) BIND 9 (all versions)
Severity:	High
Known exploits to date:	None

A weakness in the DNS protocol may enable the poisoning of caching recurive resolvers with spoofed data. DNSSEC is the only full solution. New versions of BIND provide increased resilience to the attack.

Description:

Thanks to recent work by Dan Kaminsky of IOActive, ISC has become aware of a potential attack exploiting weaknesses in the DNS protocol itself. (Full details of the vulnerability will be explained by Kaminsky at the Black Hat conference on August 7th.) The weakness is inherent to the DNS protocol and not specific to any single implementation. The DNS protocol uses the Query ID field to match incoming responses to previously sent queries. The Query ID field is only 16 bits, which makes it an easy target to exploit in the particular spoofing scenario described by Kaminsky.

Impact:

ANYONE RUNNING BIND AS A CACHING RESOLVER IS AFFECTED.

Immediate action required:

IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

DNSSEC is the only definitive solution for this issue. Understanding that immediate DNSSEC deployment is not a realistic expectation, ISC is releasing patched versions of BIND that improve its resilience against this attack. The method used makes it harder to spoof answers to a resolver by expanding the range of UDP ports from which queries are sent, thereby increasing the variability of parameters in outgoing queries.

YOU ARE ADVISED TO INSTALL EITHER THE MOST CURRENT SECURITY PATCHES, STAYING WITHIN YOUR MAJOR VERSION (currently 9.5.0-P2, 9.5.0-P2-W1, 9.4.2, 9.4.2-P2-W1, 9.3.5-P2, or 9.3.5-P2-W1 ) OR ELSE THE LATEST BETA RELEASES (9.5.1b1, 9.4.3b2) IMMEDIATELY.

The patches will have a noticeable impact on the performance of BIND caching resolvers with query rates at or above 10,000 queries per second. The beta releases include optimized code that will reduce the impact in performance to non-significant levels.

DNS administrators who operate these servers behind port-restricted firewalls are encouraged to review their firewall policies to allow this protocol-compliant behavior. Restricting the possible use of various UDP ports, for instance at the firewalls, in outgoing queries and the corresponding replies will result in decreased security for the DNS service.

Again, DNSSEC is the definitive solution to this type of attack. ISC strongly encourages DNS administrators to deploy DNSSEC as soon as possible to fully address this problem. DNS domain owners that want their data to be protected against spoofing to the end-user must sign their zones. ISP and Enterprise DNS administrators who provide caching recursive name servers to their users should enable DNSSEC validation.

DNSSEC Lookaside Validation (DLV), offered by ISC and others, is another DNSSEC deployment option.

Additional Assistance available from ISC:

BIND 9 software support: http://www.isc.org/sw/support

Managed caching resolvers: Through September 30, 2008, ISC support customers have the option of forwarding their recursive servers' queries to caching resolvers deployed on ISC's SNS production network while the required software upgrades are performed on their own networks. For additional information on this option, please open a ticket in your support queue with the subject line including "forwarder service."

ISC DLV: https://secure.isc.org/ops/dlv/

DNSSEC tools & presentations:

• http://www.isc.org/training/syllabus_intro_advanced.php
• http://www.isc.org/sw/bind/docs/dnssec.html
  
• http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
  
• http://www.ripe.net/training/dns/index.html
  

BIND: buffer overflow in inet_network()

CVE:	CVE-2008-0122
CERT:	VU#203611
Versions affected:	BIND 8 (all versions) BIND 9.0 (all versions) BIND 9.1 (all versions) BIND 9.2 (all versions) BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4 BIND 9.4.0, 9.4.1, 9.4.2 BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5, 9.5.0a6, 9.5.0a7, 9.5.0b1
Severity:	Low

Description:

An off-by-one error in the inet_network() function in libbind could lead to memory corruption with certain inputs.

Impact:

Applications linked against libbind which call inet_network() with untrusted inputs could lead to a denial-of-service or potentially code execution.

Note that none of the applications shipped with BIND 8 or BIND 9 call inet_network().

Solution:

Upgrade to 9.3.5, 9.4.3, 9.5.0b2 or later when released.

Otherwise, apply the patch below to:

BIND 9: lib/bind/inet/inet_network.c
BIND 8: lib/inet/inet_network.c

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5	Wed Apr 27 04:56:21 2005
+++ inet_network.c	Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
 	}
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
 	}

Questions should be addressed to bind9-bugs@isc.org.

Acknowledgements:

BIND 8: cryptographically weak DNS query IDs

CVE:	CVE-2007-2930
CERT:	VU#927905
Versions affected:	BIND 8.x.x (all versions)

Description:

ISC (Internet Systems Consortium) BIND 8 generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches.

This bug only affects outgoing queries, generated by BIND 8 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers.

The DNS query id generation is vulnerable to analysis which provides a high chance of guessing the next query id. This can be used to perform cache poisoning by an attacker.

All users are encouraged to upgrade.

Impact:

A remote attacker could predict DNS query IDs and respond with arbitrary answers, thus poisoning DNS caches.

Solution:

Upgrade or Patch

This issue is addressed in ISC BIND 8.4.7-P1, available as patch that can be applied to BIND 8.4.7.

The more definitive solution is to upgrade to BIND 9. BIND 8 is being declared "end of life" by ISC due to multiple architectural issues. Please see ISC's website at www.isc.org/sw/bind/bind8-eol.php for additional information and tools.

Note that BIND 8.x.x is End of Life as of August 2007.

Users who obtain BIND 8 from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.

Acknowledgements:

BIND 9: allow-query-cache/allow-recursion default acls not set.

CVE:	CVE-2007-2925
Versions affected:	BIND 9.4.0, 9.4.1 BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5
Severity:	Medium
Exploitable:	Remotely

Description:

The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents.

Workaround:

Explicitly set allow-query-cache and allow-recursion acl's if not already set to:

{ localnets; localhost; };

If recursion is supposed to be allowed to local clients (default).

options {
recursion yes; // default
allow-recursion { localnets; localhost; };
allow-query-cache { localnets; localhost; };
...
};

options {
recursion no;
allow-query-cache { localnets; localhost; };
...
};

BIND 9: cryptographically weak query ids.

CVE:	CVE-2007-2926
Versions affected:	BIND 9.0 (all versions) BIND 9.1 (all versions) BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8 BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4 BIND 9.4.0, 9.4.1 BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5
Severity:	Medium
Exploitable:	Remotely

Description:

The DNS query id generation is vulnerable to cryptographic analysis which provides a 1 in 8 chance of guessing the next query id for 50% of the query ids. This can be used to perform cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers.

All users are encouraged to upgrade.

Workaround:

None.

Fix:

Upgrade to BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6.

BIND 9: query_addsoa DoS

CVE:	CVE-2007-2241
Versions affected:	BIND 9.4.0 BIND 9.5.0a1, 9.5.0a2, 9.5.0a3 [BIND 9.5.0* have only been released to BIND Forum members]
Severity:	High
Exploitable:	Remotely

Description:

A sequence of queries can cause a recursive nameserver to exit. While it is unlikely these will occur in normal operation, an attack can use them to cause the affected versions to exit. This attack is a denial of service, and does not allow an attacker to gain control of affected systems.

Workaround:

Disable recursion ('recursion no;' set in named.conf) if it is not required by your configuration.

Fix:

Upgrade to BIND 9.4.1 or BIND 9.5.0a4.

Name: "BIND 9: dereferencing freed fetch context"

CVE:	CVE-2007-0493
Versions affected:	BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3 BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1 BIND 9.5.0a1 (Bind Forum only)
Severity:	Low
Exploitable:	Remotely

Description:

It is possible for the named to dereference (read) a freed fetch context. This can cause named to exit unintentionally.

Workaround:

Disable / restrict recursion (to limit exposure).

Fix:

Upgrade to BIND 9.2.8, BIND 9.3.4 or BIND 9.4.0rc2. Additionally this will be fixed in the upcoming BIND 9.5.0a2.

Name: "BIND 9: DNSSEC Validation"

CVE:	CVE-2007-0494
Versions affected:	BIND 9.0.x (all versions of BIND 9.0) (at end-of-life) BIND 9.1.x (all versions of BIND 9.1) (at end-of-life) BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7 BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3 BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1 9.4.0b2, 9.4.0b3, 9.4.0b4, 9.4.0rc1 BIND 9.5.0a1 (Bind Forum only)
Severity:	Low
Exploitable:	Remotely

Description:

When validating responses to type * (ANY) queries that return multiple RRsets in the answer section it is possible to trigger assertions checks. To be vulnerable you need to have enabled dnssec validation in named.conf by specifying trusted-keys.

Workaround:

Disable / restrict recursion (to limit exposure). Disable DNSSEC validation (remove all trusted-keys from named.conf).

Fix:

Upgrade to BIND 9.2.8, BIND 9.3.4 or BIND 9.4.0rc2. Additionally this will be fixed in the upcoming BIND 9.5.0a2.

Note:

It is recommended that anyone using DNSSEC upgrade to BIND 9.3 as the DNSSEC implementation in BIND 9.2 has been obsoleted.

Name: "BIND: Multiple DoS vulnerabilities

CVE:	CVE-2006-4095, CVE-2006-4096
Versions affected:	All previous releases of BIND 9.3.x and 9.4.x. See note regarding BIND 9.2.x
Severity:	HIGH
Exploitable:	Remotely
Type:	Denial of Service

Description:

SIG Query Processing:

Recursive servers:

Queries for SIG records will trigger a assertion failure if more than one SIG (covered) RRset is returned.

Exposure can be minimized by restricting sources that can ask for recursion.

Authoritative servers:

If a nameserver is serving a RFC 2535 DNSSEC zone and is queried for the SIG records where the are multiple SIG(covered) RRsets (e.g. a zone apex) then named will trigger a assertion failure when it trys to construct the response.

Excessive Recursive Queries INSIST failure:

It is possible to trigger a INSIST failure by sending enough recursive queries that the response to the query arrives after all the clients looking for the response have left the recursion queue.

Exposure can be minimized by restricting sources that canask for recursion.

Note for BIND 9.2.x: Code handling this path for 9.2.x has been determined to be wrong, though ISC has not been able to detect an execution path that would trigger the erroneous code in 9.2.x. Nonetheless a patch is provided.

Workarounds:

None

Active Exploits:

None known

Fix:

Upgrade to BIND 9.4.0b2, BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1 or BIND 9.2.6-P1 (or later).
http://www.isc.org/sw/bind/

ISC would like to thank The Measurement Factory for bringing this to our attention.

Name: "BIND: Self Check Failing

CVE:	CVE-2005-0034
Versions affected:	BIND 9.3.0
Severity:	LOW
Exploitable:	Remotely
Type:	Denial of Service

Description:

An incorrect assumption in the validator (authvalidated) can result in a REQUIRE (internal consistancy) test failing and named exiting.

Workarounds:

Turn off dnssec validation (off by default) at the options/view level.

   dnssec-enable no; 

Active Exploits:

None known

Fix:

Upgrade to BIND 9.3.1
http://www.isc.org/sw/bind/

Name: "BIND: q_usedns array overrun

Description:

It is possible to overrun the q_usedns array which is used to track nameservers / addresses that have been queried.

Workarounds:

Disable recursion and glue fetching.

Active Exploits:

None known

Fix:

Upgrade to BIND 8.4.6
http://www.isc.org/sw/bind/

Name: "BIND: Negative Cache DOS" A/K/A "negcache"

CVE:	CVE-2003-0914
Versions affected:	All BIND 8 versions prior to 8.4.3, 8.3.7. Except vendor-only releases 8.1.3, 8.2.2-P8, 8.2.4-P1, 8.2.5-P1.
Severity:	SERIOUS
Exploitable:	Remotely
Type:	Denial of Service

Description:

An attacker must configure a name server to return authoritative negative responses for a given target domain. Then, the attacker must convince a victim user to query the attacker's maliciously configured name server. When the attacker's name server receives the query, it will reply with an authoritative negative response containing a large TTL (time-to-live) value. If the victim's site runs a vulnerable version of BIND 8, it will cache the negative response and render the target domain unreachable until the TTL expires.

Workarounds:

Disable recursion if possible, or limit recursion to specific clients.

Active Exploits:

None known

Name: "BIND: Remote Execution of Code"  A/K/A "sigrec"

Description:

When constructing a response containing SIG records a incorrect space allows a write buffer overflow. It is then possible to execute code with the privileges of named.

Workarounds:

Disable recursion if possible, or limit recursion to specific clients.

Active Exploits:

None known

ISC would like to thank Internet Security Systems for bringing this to our attention.

Name: "BIND: Multiple Denial of Service" A/K/A "DoS_multi"

CVE:	CVE-2002-1220, CVE-2002-1221
Versions affected:	1. BIND 8.3.0 - 8.3.3 2. BIND 8.2 - 8.2.6, BIND 8.3.0 - 8.3.3
Severity:	SERIOUS
Exploitable:	Remotely
Type:	Possibility to execute arbitrary code.

Description:

2. It is possible to de-reference a NULL pointer for certain signature expire values.

In both cases, the service will shutdown.

Workarounds:

2. Disable recursion if possible.

Active Exploits:

None known

ISC would like to thank Internet Security Systems for bringing this to our attention.

Name: "LIBRESOLV: buffer overrun"

CVE:	CVE-2002-0029
Versions affected:	BIND 4.9.2 to 4.9.10
Severity:	SERIOUS
Exploitable:	Remotely
Type:	Possibility to execute arbitrary code.

Description:

THIS DOES NOT AFFECT THE NAMESERVER.

THIS CAN BE TRANSMITTED THROUGH CACHES.

BIND 8 is NOT affected. BIND 9 is NOT affected.
BIND 4 up to and including BIND 4.9.1 is NOT affected.

Workarounds:

None. Upgrade and re-linking required

BIND 4 is officially deprecated. Only security fixes will be issued for BIND 4.

Active Exploits:

None known

Name: "OpenSSL buffer overflow"

Description:

BIND 9.1.x ship with a copy of the vulnerable sections of OpenSSL crypto library (obj_dat.c and asn1_lib.c).
Vendors shipping product based on BIND 9.1 should contact bind9-bugs@isc.org.

BIND 9.2.x is vulnerable if linked against a vulnerable library. By default BIND 9.2 does not link against OpenSSL.

Workarounds:

Disable DNSSEC validation of responses by commenting out any trusted keys in named.conf.

Fix:

Upgrade BIND 9.1.x to BIND 9.2.1 and/or link with fixed OpenSSL library
e.g. configure --with-openssl=/path/to/fixed/openssl
Link BIND 9.2.x with a fixed OpenSSL library.

Active Exploits:

None known

Name: "libbind buffer overflow"

Description:

It is possible to construct a response to a DNS query issued by an application linked to vulnerable versions of the stub resolver library included in the BIND distributions mentioned above that may potentially result in a buffer overflow of a few bytes. This bug does NOT affect the name server (named) itself, but rather applications linked to the resolver library.

NOTE: Upgrading the name server DOES NOT remove this vulnerability. To remove this vulnerability, ALL applications linked to a vulnerable version of the stub resolver library must be re-linked with a non-vulnerable version. Note that if static libraries were used, the the static library must be updated and all applications must be relinked. If shared libraries were used, then upgrading the shared library will suffice.

Workarounds:

None.

Fix:

Update libbind to a version that is not affected and relink all applications that use it.

Active Exploits:

None known

Name: "DoS internal consistency check" A/K/A "DoS_findtype"

Description:

When chasing additional data chains in a response it is possible to trigger an internal consistency check.

Workarounds / fix:

Upgrade to 9.2.1.

Name: "tsig bug"

Description:

It is possible to overflow a buffer handling TSIG signed queries, thereby obtaining access to the system.

Workarounds:

None.

Active Exploits:

Exploits for this bug exist.

Name: "infoleak"

Description:

It is possible to construct a inverse query that allows the stack to be read remotely exposing environment variables.

Workarounds:

None.

Active Exploits:

Exploits for this bug exist.

Name: "complain bug"

Description:

It is possible to overflow the buffer used by sprintf in nslookupComplain().

Workarounds:

None.

Active Exploits:

Exploits for this bug exist.

Name: "zxfr bug"

Description:

A bug in code intended to provide support for the transfer of compressed zone files can result in the name server crashing.

Workarounds:

A partial workaround can be implemented by disallowing zone transfers except from trusted hosts. Note that if the trusted hosts are compromised, name servers with this bug will be vulnerable to denial of service attacks.

Active Exploits:

This attack can be implemented using utilities provided with the BIND package (named-xfer and dig).

Name: "sigdiv0 bug"

Description

Improper argument checking while verifying signatures may cause a divide by zero error which will cause the name server to crash. This bug can only be encountered in signed zones.

Workarounds:

Do not sign zones for use with servers susceptible to this bug.

Active Exploits:

ISC is not aware of any active exploits of this bug at this time.

Name: "srv bug"

Description:

A bug in the handling of the compression pointer tables can result in the name server entering an infinite loop. This bug has been known to occur in the standard processing of SRV records used with Windows 2000 Active Directory.

Workarounds:

None.

Active Exploits:

ISC is not aware of any intentional active exploits of this bug at this time.

Name: "nxt bug"

Description:

A bug in the processing of NXT records can theoretically allow an attacker to gain access to the system running the DNS server at whatever privilege level the DNS server runs at.

Workarounds:

None.

Active Exploits:

Scripts are available which can implement this attack.

Name: "solinger bug"

Description:

It is possible to remotely cause BIND to "pause" for intervals of up to 120 seconds using an abnormal TCP session.

Workarounds:

In some systems, it is possible to set the system wide SO_LINGER timeout to a lower value, however this may have unexpected consequences with other applications.

Active Exploits:

Scripts are available which can implement this attack.

Name: "fdmax bug"

Description

Workarounds:

Active Exploits:

Name: "sig bug"

Description

Workarounds:

Active Exploits:

Name: "naptr bug"

Description

Improper validation of zone data for the NAPTR record being loaded from disk can result in the DNS server crashing. Zone data read from the network cannot trigger this bug. Given the privilege level to modify the zone data is typically the same as running the DNS server, this bug is unlikely to result in an exploit unless zone files have unusual permissions.

Workarounds:

Insure permission level required to modify zone files is the same or higher than that of the DNS server.

Active Exploits:

At this time, ISC is unaware of any active exploits of this vulnerability.

Name: "maxdname bug"

Description

The use of sprintf() with data from the network can result in a buffer overflow condition which may result in unexpected behavior. Because of the placement of the buffer which might be overflowed, it is unlikely this bug will result in serious consequences, however the possibility of a remotely triggered server crash cannot be ruled out.

Workarounds:

None.

Active Exploits:

At this time, ISC is unaware of any active exploits of this vulnerability.