Newest Bind Vulnerabilities.

Vasiliy Boulytchev vasiliy at boulytcheva.com
Wed Jul 3 16:56:43 UTC 2002


Ladies and Gents,
I'm running Bind version 9.2.1.  The latest vulnerability that touched the DNS resolver libraries..... does it apply to me or anyone else out there?

http://www.cert.org/advisories/CA-2002-19.html

 
CERT® Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Original release date: June 28, 2002
Last revised: July 1, 2002
Source: CERT/CC

A complete revision history can be found at the end of this file. 



Systems Affected
Applications using vulnerable implementations of the Domain Name System (DNS) resolver libraries, which include, but are not limited to: 

  * Internet Software Consortium (ISC) Berkeley Internet Name Domain (BIND) DNS resolver library (libbind)
  * Berkeley Software Distribution (BSD) DNS resolver library (libc)


Overview
A buffer overflow vulnerability exists in multiple implementations of DNS resolver libraries. Operating systems and applications that utilize vulnerable DNS resolver libraries may be affected. A remote attacker who is able to send malicious DNS responses could potentially exploit this vulnerability to execute arbitrary code or cause a denial of service on a vulnerable system. 



I. Description
The DNS protocol provides name, address, and other information about Internet Protocol (IP) networks and devices. To access DNS information, a network application uses the resolver to perform DNS queries on its behalf. Resolver functionality is commonly implemented in libraries that are included with operating systems. 

Multiple implementations of DNS resolver libraries contain a remotely exploitable buffer overflow vulnerability in the way the resolver handles DNS responses. Both BSD (libc) and ISC (libbind) resolver libraries share a common code base and are vulnerable to this problem; any DNS resolver implementation that derives code from either of these libraries may also be vulnerable. Network applications that make use of vulnerable resolver libraries are likely to be affected; therefore this problem is not limited to DNS or BIND servers.

This vulnerability has been assigned CAN-2002-0651 by the Common Vulnerabilities and Exposures (CVE) group: 

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0651 

Vulnerability Note VU#803539 lists vendors that have been contacted and provides further information about this vulnerability: 

  http://www.kb.cert.org/vuls/id/803539 

This vulnerability is not the same as the Sendmail DNS issue discussed in Vulnerability Note VU#814627: 

  http://www.kb.cert.org/vuls/id/814627 

NetBSD Security Advisory 2002-006 also explains this vulnerability in detail: 

  ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc 



II. Impact
An attacker who is able to send malicious DNS responses could remotely exploit this vulnerability to execute arbitrary code or cause a denial of service on vulnerable systems. Any code executed by the attacker would run with the privileges of the process that calls the vulnerable resolver function.

Note that an attacker could cause one of the victim's network services to make a DNS request to a DNS server under the attacker's control. This would permit the attacker to remotely exploit this vulnerability. 



III. Solution
Upgrade to a corrected version of the DNS resolver libraries 
  Note that DNS resolver libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications. 

  Applications that are statically linked must be recompiled using patched resolver libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched resolver libraries. 

  System administrators should consider the following process when addressing this issue: 

    1. Patch or obtain updated resolver libraries.
    2. Restart any dynamically linked services that make use of the resolver libraries.
    3. Recompile any statically linked applications using the patched or updated resolver libraries.

Use a local caching DNS server 
  Using a local caching DNS server that reconstructs DNS responses can prevent malicious responses from reaching systems using vulnerable DNS resolver libraries. For example, BIND 9 reconstructs responses in this way, with the exception of forwarded dynamic DNS update messages. Note that BIND 8 does not reconstruct all responses; therefore this workaround may not be effective when using BIND 8 as a caching DNS server. 



Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.
  Mac OS X and Mac OS X Server are not vulnerable to the issue described in this notice. 

Compaq
  SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services Software Security Response Team 

  x-ref:SSRT2270

  At the time of writing this document, Compaq is currently investigating the potential impact to Compaq's released Operating System software products.

  As further information becomes available Compaq will provide notice of the completion/availability of any necessary patches through standard product and security bulletin announcements and be available from your normal HP Services support channel.

Cray, Inc.
  The DNS resolver code supplied by Cray, Inc. in Unicos and Unicos/mk is vulnerable. SPR 722619 has been opened to track this problem.

FreeBSD
  FreeBSD has released FreeBSD-SA-02:28.resolv: 

    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc 

GNU adns
  adns is not derived from BIND libresolv. Furthermore, it does not support a gethostbyname-like interface (which is where the bug in BIND libresolv is). Therefore, it is not vulnerable. 

  For more information on GNU adns, see: 

    http://www.gnu.org/software/adns/ 

    http://www.chiark.greenend.org.uk/~ian/adns/ 

Internet Software Consortium
  All versions of BIND 4 from 4.8.1 prior to BIND 4.9.9 are vulnerable.
  All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
  All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
  BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.

  The status of BIND 4.8 is unknown, assume that it is vulnerable.

  BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.

  'named' itself is not vulnerable.

  Updated releases can be found at: 

    ftp://ftp.isc.org/isc/bind/src/4.9.9/ 
    ftp://ftp.isc.org/isc/bind/src/8.2.6/ 
    ftp://ftp.isc.org/isc/bind/src/8.3.3/ 
    ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.3.3/ 

  BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind). This will be updated with the next BIND 9 releases (9.2.2/9.3.0); in the meantime, please use the original in BIND 8.3.3.

  In addition the BIND 9 'named' can be used to prevent malformed answers reaching vulnerable clients.

  Vendors wishing additional patches should contact bind-bugs at isc.org.
  Query about BIND 4 and BIND 8 should be addressed to bind-bugs at isc.org.
  Query about BIND 9 should be addressed to bind9-bugs at isc.org. 


Juniper Networks
  All versions of Juniper Networks JUNOS software released prior to June 27, 2002, are potentially vulnerable to this bug. This includes JUNOS versions 4.x, 5.0R1 through 5.0R4, 5.1R1 through 5.1R4, 5.2R1 through 5.2R3, and 5.3R1 through 5.3R2. (All releases of JUNOS software with version 5.4 or higher are NOT vulnerable.) The bug has been corrected as of June 27, 2002, and all future software releases will contain the correction. All Juniper Networks customers are encouraged to contact JTAC, the Juniper Networks Technical Assistance Center by telephone at 1-888-314-JTAC, or by E-mail at support at juniper.net for details on the availability of corrected software. 

Microsoft
  Microsoft products do not use the libraries in question. Microsoft products are not affected by this issue. 

NetBSD
  NetBSD has released NetBSD Security Advisory 2002-006: 

    ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc 

Network Appliance
  Some NetApp systems are vulnerable to this problem. Check NOW (http://now.netapp.com) for information on whether your system is vulnerable and the appropriate patch release that you should install. 

OpenBSD
  [T]he resolver libraries in question got copied far and wide. They used to have a hell of a lot of bugs in them. 

  Now might be a good time for people to compare each others' libraries to each other. I would urge them to compare against the OpenBSD ones, where we've spent a lot of time on, but of course we still missed this. But perhaps people can then share some around. Not everyone is going to move to the bind9 stuff, since it is very different. 

Openwall Project
  No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago. 

  The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for this vulnerability, originally developed by Jun-ichiro itojun Hagino of NetBSD. The updated patches are available at the usual location: 

    http://www.openwall.com/bind/ 

  The BIND 4.9.x-OW patches provide certain security features which are not a part of ISC's now deprecated BIND 4 and are recommended for use by sites which chose to stick with BIND 4 for a little longer for whatever reason. They aren't a part of Owl. 

Sendmail
  Sendmail uses the BIND resolver API, and is commonly linked with the BIND resolver library (libbind). As a result, Sendmail could be leveraged to exploit this vulnerability. 

  Note that the DNS map problem that was addressed in Sendmail 8.12.5 is a different issue, which is described in VU#814627: 

    http://www.kb.cert.org/vuls/id/814627 
  The announcement for Sendmail 8.12.5 also references the DNS map problem: 
    http://www.sendmail.org/8.12.5.html 

SGI
  SGI is looking into the matter. 

Sun Microsystems
  The Solaris DNS resolver library (libresolv.so) is affected by this issue in all currently supported versions of Solaris: 

    Solaris 2.5.1, 2.6, 7, 8, and 9 
  Patches are being generated for all of the above releases. Sun will publish a Sun Security Bulletin and a Sun Alert for this issue. The Sun Alert and patches will be available from: 
    http://sunsolve.sun.com/securitypatch 
  Sun Security Bulletins are available from: 
    http://sunsolve.sun.com/security 


--------------------------------------------------------------------------------

The CERT Coordination Center thanks Joost Pol of PINE-CERT and the FreeBSD Project for their analysis of these vulnerabilities. 



--------------------------------------------------------------------------------

Feedback can be directed to the authors: Art Manion and Jason A. Rafail 


--------------------------------------------------------------------------------




Appendix B. - References
  1. http://www.pine.nl/advisories/pine-cert-20020601.asc
  2. ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
  3. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc


--------------------------------------------------------------------------------
This document is available from: http://www.cert.org/advisories/CA-2002-19.html 
--------------------------------------------------------------------------------

CERT/CC Contact Information
  Email: cert at cert.org
  Phone: +1 412-268-7090 (24-hour hotline)
  Fax: +1 412-268-6989
  Postal address:

  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. 

Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from 

  http://www.cert.org/CERT_PGP.key 
If you prefer to use DES, please call the CERT hotline for more information. 

Getting security information
CERT publications and other security information are available from our web site 

  http://www.cert.org/ 
To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo at cert.org. Please include in the body of your message:

  subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. 


--------------------------------------------------------------------------------

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. 


--------------------------------------------------------------------------------
Conditions for use, disclaimers, and sponsorship information 

Copyright 2002 Carnegie Mellon University. 

Revision History 

June 28, 2002:  Initial release
 
June 29, 2002:  Updated NetBSD references, added Sendmail statement, reformatted vendor statements, added CVE reference, added Juniper statement

June 30, 2002:  Updated ISC statement

July 1, 2002:  Added Apple, Sun, and Openwall statements







Regards,
Vasiliy Boulytchev
Colorado Information Technologies Inc.
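One way to carry out steps 2 and 3 of the advisory's Solution section on a Linux host, as an added example that is not part of this post or the advisory: it lists running processes that have a resolver library mapped (the dynamically linked services to restart once the shared library is patched) and flags statically linked executables (which keep their own copy of the resolver and must be rebuilt). It assumes Linux /proc, the `file` utility, and a library-name pattern that you adjust to your platform's libbind/libresolv/libc file names.

```shell
#!/bin/sh
# Added example, not part of the advisory: inventory helper for steps 2 and 3
# of the Solution section (restart dynamically linked services, rebuild
# statically linked ones). Assumes Linux /proc and the `file` utility.
# The library-name pattern is an assumption; adjust it for your platform.

RESOLVER_LIBS='lib(resolv|bind|c)[.-]'

# Return 0 when the maps text given as $1 (contents of /proc/<pid>/maps)
# shows a mapped library matching RESOLVER_LIBS. Separated out so it can be
# run on constructed input as well as on live processes.
maps_has_resolver() {
    printf '%s\n' "$1" | grep -Eq "/$RESOLVER_LIBS"
}

# Print "<pid> <comm>" for every live process with a resolver library
# mapped. Reading another user's maps needs root; unreadable ones are skipped.
processes_to_restart() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        text=$(cat "$maps" 2>/dev/null) || continue
        if maps_has_resolver "$text"; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Return 0 when `file` reports the executable at $1 as statically linked:
# such a binary does not pick up a patched shared library and must be
# recompiled against the fixed resolver (step 3).
is_static_binary() {
    file -L "$1" 2>/dev/null | grep -q 'statically linked'
}

# Usage: run as root after installing the patched library.
if [ "${1:-}" = "--scan" ]; then
    echo "Processes with a resolver library mapped (restart these):"
    processes_to_restart
fi
```

Run `sh resolver-inventory.sh --scan` as root; pass candidate executables to `is_static_binary` to find the ones that need rebuilding rather than restarting.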


