in ISC BIND versions 4 and 8"
The Internet security community has identified several new vulnerabilities in the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) software, which is used by many ISPs to provide DNS services. The National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness of three newly identified vulnerabilities in BIND versions 4 and 8. These vulnerabilities affect nearly all currently deployed recursive Domain Name System (DNS) servers on the Internet. The most serious of these vulnerabilities allows the remote execution of arbitrary code via a buffer overflow, which may result in a full system compromise depending on the BIND version. According to several reports, the vulnerabilities affect only recursive DNS servers, and the attacker must satisfy certain conditions to exploit the vulnerabilities; however, "recursive operation" is BIND's default configuration and the necessary exploit conditions are not difficult to meet. The other two vulnerabilities discovered allow an attacker to interrupt the DNS server's name daemon processes and leave the DNS server vulnerable to a Denial of Service attack.
BIND is an implementation of the DNS that is maintained by the ISC and runs on many of the DNS servers on the Internet to resolve domain names to IP addresses and reverse resolve IP addresses to domain names.
1) BIND caches information for future lookups, and if malformed DNS data that is cryptographically signed is cached, a buffer overflow is possible, giving the attacker the same privileges as the BIND daemon.
2) BIND's resolver libraries may be vulnerable to a buffer overflow condition if the response for a DNS lookup contains carefully crafted malicious code, giving an attacker the same privileges as the program that originally made the DNS request. This requires the attacker to either use an actual DNS server responding to lookup requests or spoof the responses from an actual DNS server.
3) An overly large optional field (OPT) attached to a request for a nonexistent domain, together with an overly large UDP buffer size, may cause the BIND daemon to quit, causing a Denial of Service condition.
4) BIND does not dereference cached records properly if they have invalid times. This can cause a crash of the BIND server.
BIND SIG Cached RR Overflow Vulnerability
BIND SIG Expiry Time DoS
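For item 3 above, a monitoring sensor can parse DNS messages and flag OPT records that advertise an unusually large UDP buffer size or carry unusually long option data. The following is an added example, not code from NIPC or ISC; the function names and both thresholds are assumptions, and the sample queries are constructed.

```python
import struct

# Assumed thresholds, not values from the advisory; tune them per site.
MAX_UDP_SIZE = 4096    # largest advertised UDP buffer size treated as normal
MAX_OPT_RDLEN = 512    # largest OPT option-data length treated as normal

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("invalid label type")
        off += 1 + length
    raise ValueError("truncated name")

def inspect_opt(msg):
    """Return (udp_size, rdlen, flagged) for the first OPT RR, else None."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        if rtype == 41:                         # OPT: CLASS holds the UDP size
            return rclass, rdlen, rclass > MAX_UDP_SIZE or rdlen > MAX_OPT_RDLEN
        off += rdlen
    return None

def constructed_query(name, udp_size=None):
    """Constructed sample: an A query, with an empty OPT RR if udp_size is set."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0 if udp_size is None else 1)
    msg += qname + b"\x00" + struct.pack("!HH", 1, 1)
    if udp_size is not None:
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return msg

if __name__ == "__main__":
    for size in (None, 1280, 65535):
        print(size, inspect_opt(constructed_query("nx.example.invalid", size)))
```

A flagged message is only a signal for review; patching or upgrading as recommended below remains the fix.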
The NIPC strongly urges the community to consider all recommended actions to either apply patches from their vendors or upgrade their version of BIND to version 9.2.1. For mitigation strategies, as well as up-to-date vendor information, please refer to the BIND page, found here:
Internet Security Systems