-----Original Message-----
From: UNIRAS (UK Govt CERT) [mailto:uniras@;niscc.gov.uk] 
Sent: 13 November 2002 09:38
To: [EMAIL PROTECTED]
Subject: UNIRAS ALERT - 24/02 - Multiple Remote Vulnerabilities in BIND4 and BIND8

-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) ALERT Notice - 24/02 dated 13.11.02  Time: 09:45
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Multiple Remote Vulnerabilities in BIND4 and BIND8

Detail
====== 

 Internet Security Systems Security Advisory
  November 12, 2002
   
  Multiple Remote Vulnerabilities in BIND4 and BIND8

  Synopsis:
   
  ISS X-Force has discovered several serious vulnerabilities in the Berkeley
  Internet Name Domain Server (BIND). BIND is the most common implementation of
  the DNS (Domain Name Service) protocol, which is used on the vast majority of
  DNS servers on the Internet. DNS is a vital Internet protocol that maintains
  a database of easy-to-remember domain names (host names) and their
  corresponding numerical IP addresses.

  Impact:
   
  The vulnerabilities described in this advisory affect nearly all currently
  deployed recursive DNS servers on the Internet. The DNS network is considered
  a critical component of Internet infrastructure. There is no information
  implying that these exploits are known to the computer underground, and there
  are no reports of active attacks. If exploits for these vulnerabilities are
  developed and made public, they may lead to compromise and DoS attacks against
  vulnerable DNS servers. Since the vulnerability is widespread, an Internet
  worm may be developed to propagate by exploiting the flaws in BIND. Widespread
  attacks against the DNS system may lead to general instability and inaccuracy
  of DNS data.

  Affected Versions:

  BIND SIG Cached RR Overflow Vulnerability       

      BIND 8, versions up to and including 8.3.3-REL
      BIND 4, versions up to and including 4.9.10-REL

  BIND OPT DoS

      BIND 8, versions 8.3.0 up to and including 8.3.3-REL

  BIND SIG Expiry Time DoS

      BIND 8, versions up to and including 8.3.3-REL

  Description:

  BIND SIG Cached RR Overflow Vulnerability

  A buffer overflow exists in BIND 4 and 8 that may lead to remote compromise of
  vulnerable DNS servers. An attacker who controls any authoritative DNS server
  may cause BIND to cache DNS information within its internal database, if
  recursion is enabled. Recursion is enabled by default unless explicitly
  disabled via command line options or in the BIND configuration file. Attackers
  must either create their own name server that is authoritative for any domain,
  or compromise any other authoritative server with the same criteria. Cached
  information is retrieved when requested by a DNS client. There is a flaw in
  the formation of DNS responses containing SIG resource records (RR) that can
  lead to buffer overflow and execution of arbitrary code.

  BIND OPT DoS

  Recursive BIND 8 servers can be caused to abruptly terminate due to an
  assertion failure. A client requesting a DNS lookup on a nonexistent
  sub-domain of a valid domain name may cause BIND 8 to terminate by attaching
  an OPT resource record with a large UDP payload size. This DoS may also be
  triggered for queries on domains whose authoritative DNS servers are
  unreachable.

  BIND SIG Expiry Time DoS

  Recursive BIND 8 servers can be caused to abruptly terminate due to a null
  pointer dereference. An attacker who controls any authoritative name server
  may cause vulnerable BIND 8 servers to attempt to cache SIG RR elements with
  invalid expiry times. These are removed from the BIND internal database, but
  later improperly referenced, leading to a DoS condition.

  Recommendations:

  ISS X-Force recommends that system administrators immediately take steps to
  protect their networks. ISS has made several product updates available to
  assess vulnerability to this issue as well as protect customers from
  exploitation attempts.

  The following ISS updates and product releases address the issues described
  in this advisory. These updates are available from the ISS Download Center
  (http://www.iss.net/download):

  RealSecure Network Sensor XPU 20.7 and XPU 5.6
  Internet Scanner XPU 6.20
  RealSecure Guard 3.1 ebs
  RealSecure Sentry 3.1 ebs
  RealSecure Server Sensor 6.5 SR 3.3
  System Scanner SR 3.08

  As a workaround for DNS servers that do not need recursive DNS functionality,
  it is recommended to disable recursion within the BIND configuration file:

  BIND 8, named.conf

  options {
          recursion no;
  };

  BIND 4, named.boot

  options no-recursion
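
One way to audit configuration files for this workaround, as an added example that is not part of the original advisory. The function names and sample files are constructed, and the comment syntax handled (`/* */`, `//` and `#` in named.conf, `;` in named.boot) is assumed from usual BIND 8 and BIND 4 syntax rather than stated by the advisory.

```python
import re

def strip_conf_comments(text):
    """Drop the /* */, // and # comment forms used in a BIND 8 named.conf."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of options { ... }, matching nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]

def named_conf_recursion(text):
    """BIND 8: 'disabled', 'enabled', or 'default-enabled' if never set."""
    body = options_block(strip_conf_comments(text))
    m = re.search(r"\brecursion\s+(\w+)\s*;", body)
    if not m:
        return "default-enabled"   # recursion is on unless explicitly disabled
    return "disabled" if m.group(1).lower() in ("no", "false", "0") else "enabled"

def named_boot_recursion(text):
    """BIND 4: look for an 'options' line carrying no-recursion."""
    for line in text.splitlines():
        words = line.split(";", 1)[0].lower().split()   # ';' starts a comment
        if words[:1] == ["options"] and "no-recursion" in words[1:]:
            return "disabled"
    return "default-enabled"

# Constructed sample files, not taken from any real server.
CONF_HARDENED = """options {
    directory "/var/named";
    allow-query { any; };   // nested block before the setting
    # recursion yes;
    recursion no;
};"""
CONF_DEFAULT = 'options { directory "/var/named"; /* recursion no; */ };'
BOOT_HARDENED = "; constructed named.boot\ndirectory /var/named\noptions no-recursion\n"

if __name__ == "__main__":
    for name in ("CONF_HARDENED", "CONF_DEFAULT"):
        print(name, named_conf_recursion(globals()[name]))
    print("BOOT_HARDENED", named_boot_recursion(BOOT_HARDENED))
```

A commented-out `recursion no;` is reported as `default-enabled`, which is the case a plain text search for the directive would miss.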

  Where disabling recursion is not possible, a temporary workaround exists that
  may protect perimeter DNS servers from the remote compromise vulnerability.
  Due to the nature and organization of stack variables, exploitation is much
  easier if the attack is embedded within TCP DNS traffic. It is unclear at this
  time if this attack is possible with UDP traffic on certain architectures. The
  UDP protocol is used for most DNS related queries and responses, except large
  responses and zone transfers between primary and secondary DNS servers.
  Therefore, perimeter DNS servers should be protected by filtering TCP port 53.
  This workaround will block the exploit technique demonstrated by X-Force, but
  this solution should be examined carefully to determine whether it would
  affect normal DNS functionality. This workaround is meant as a temporary
  solution to offer some level of protection before a patch can be applied.

  ISC has made software patches available. ISC recommends that BIND
  installations should be upgraded to BIND version 4.9.11, 8.2.7, 8.3.4 or to
  BIND version 9. BIND 9 was not affected by any of the vulnerabilities
  described in this advisory. These versions will be available soon at the
  following address: http://www.isc.org/products/BIND/bind-security.html. ISC
  recommends that all users requesting the security patches should contact
  [EMAIL PROTECTED] for assistance.
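
The affected-version lists and the fixed releases above reduce to a small triage function for an inventory of BIND version strings. This is an added example, not part of the ISS or UNIRAS text; it assumes that releases on the 8.2 branch from 8.2.7 onward carry the fix, and the inventory strings are constructed.

```python
import re

# Fixed releases named in the advisory; BIND 9 is stated as unaffected.
FIXED_BIND4 = (4, 9, 11)
FIXED_BIND8_2 = (8, 2, 7)   # patched release on the 8.2 branch
FIXED_BIND8_3 = (8, 3, 4)   # patched release on the 8.3 branch

def parse_version(banner):
    """Extract (major, minor, patch) from strings such as '8.3.3-REL'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no BIND version found in %r" % banner)
    return tuple(int(g or 0) for g in m.groups())

def bind8_unpatched(v):
    # Assumption: 8.2.7 and later 8.2.x are fixed, so "up to and including
    # 8.3.3" excludes them even though 8.2.7 sorts below 8.3.3.
    if v[:2] == (8, 2):
        return v < FIXED_BIND8_2
    return v < FIXED_BIND8_3

def triage(banner):
    """Return the CAN identifiers from the advisory that apply to a version."""
    v = parse_version(banner)
    hits = []
    if v[0] == 4 and v < FIXED_BIND4:
        hits.append("CAN-2002-1219")            # SIG cached RR overflow
    elif v[0] == 8 and bind8_unpatched(v):
        hits += ["CAN-2002-1219", "CAN-2002-1221"]
        if v >= (8, 3, 0):                      # OPT DoS: 8.3.0 to 8.3.3 only
            hits.insert(1, "CAN-2002-1220")
    return hits

# Constructed inventory of version strings, not real hosts.
INVENTORY = {"ns1": "8.3.3-REL", "ns2": "8.2.6-REL", "ns3": "8.2.7-REL",
             "ns4": "4.9.10-REL", "ns5": "9.2.1"}

if __name__ == "__main__":
    for host, banner in sorted(INVENTORY.items()):
        print(host, banner, triage(banner) or "not affected")
```

A server that hides or customises its version string raises `ValueError` here and needs manual inspection rather than being treated as unaffected.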

  Additional Information:

  The Common Vulnerabilities and Exposures (CVE) project has assigned the
  following names to these issues. These are candidates for inclusion in the CVE
  list (http://cve.mitre.org), which standardizes names for security problems.

  CAN-2002-1219 BIND SIG Cached RR Overflow Vulnerability 
  CAN-2002-1220 BIND OPT DoS 
  CAN-2002-1221 BIND SIG Expiry Time DoS

  ISC BIND
  http://www.isc.org/products/BIND

  Credits:

  These vulnerabilities were discovered and researched by Neel Mehta of the ISS
  X-Force.

  ______

  About Internet Security Systems (ISS) Founded in 1994, Internet Security
  Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software
  and services that protect critical online resources from an ever-changing
  spectrum of threats and misuse. Internet Security Systems is
  headquartered in Atlanta, GA, with additional operations throughout the
  Americas, Asia, Australia, Europe and the Middle East.

  Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
  worldwide.

  Permission is hereby granted for the electronic redistribution of this
  document. It is not to be edited or altered in any way without the
  express written consent of the Internet Security Systems X-Force. If you
  wish to reprint the whole or any part of this document in any other
  medium excluding electronic media, please email [EMAIL PROTECTED] for
  permission.

  Disclaimer: The information within this paper may change without notice.
  Use of this information constitutes acceptance for use in an AS IS
  condition. There are NO warranties, implied or otherwise, with regard to
  this information or its use. Any use of this information is at the
  user's risk. In no event shall the author/distributor (Internet Security
  Systems X-Force) be held liable for any damages whatsoever arising out
  of or in connection with the use or spread of this information.

  X-Force PGP Key available on MIT's PGP key server and PGP.com's key
  server, as well as at http://www.iss.net/security_center/sensitive.php

  Please send suggestions, updates, and comments to: X-Force
  [EMAIL PROTECTED] of Internet Security Systems, Inc.

--------------------------END INCLUDED TEXT--------------------

----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of ISS for the information
contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that
problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk