IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Advisory 02-009

"Multiple Vulnerabilities in ISC BIND versions 4 and 8"
November 15, 2002

The Internet security community has identified several new vulnerabilities in the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) software, which is used by many ISPs to provide DNS services. The National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness to three newly identified vulnerabilities in BIND versions 4 and 8. These vulnerabilities affect nearly all currently deployed recursive Domain Name System (DNS) servers on the Internet. The most serious of these vulnerabilities allows the remote execution of arbitrary code via a buffer overflow, which may result in a full system compromise depending on the BIND version. According to several reports, the vulnerabilities affect only recursive DNS servers, and the attacker must satisfy certain conditions to exploit the vulnerabilities; however, "recursive operation" is the BIND's default configuration and the necessary exploit conditions are not difficult to meet. The other two vulnerabilities discovered allow an attacker to interrupt the DNS server's name daemon processes and leaves the DNS server vulnerable to a Denial of Service attack.

Description:

BIND is an implementation of the DNS that is maintained by the ISC and runs on many of the DNS servers on the internet to resolve domain names to IP addresses and reverse resolve IP addresses to domain names.

1) BIND caches information for future lookups, and if malformed DNS data that is cryptographically signed is cached, a buffer overflow is possible giving the attacker the same privileges as the BIND daemon.

2) BIND's resolver libraries may be vulnerable to a buffer overflow condition if the response for a DNS lookup contained carefully crafted malicious code, giving an attacker the same privileges as the program that originally made the DNS request. This requires the attacker to either use an actual DNS server responding to lookup requests or spoof the responses from an actual DNS server.

3) An overly large optional field (OPT) attached to a request for a nonexistent domain, together with an overly large UDP buffer size, may cause the BIND daemon to quit, causing a Denial of Service condition.

4) BIND does not dereference cached records properly if they have invalid times. This can cause a crash of the BIND server.

Affected Versions:

BIND SIG Cached RR Overflow Vulnerability
BIND 8 versions up to and including 8.3.3-REL
BIND 4 versions up to and including 4.9.10-REL

BIND OPT DoS
BIND 8 versions up to and including 8.3.3-REL

BIND SIG Expiry Time DoS
BIND 8 versions up to and including 8.3.3-REL

Recommended Actions:

The NIPC strongly urges the community to consider all recommended actions to either apply patches from their vendors or upgrade their version of BIND to version 9.2.1. For mitigation strategies, as well as up-to-date vendor information please refer to the BIND page, found here:
http://www.isc.org/products/BIND/bind-security.html
Other resources that provided information on this topic:

Internet Security Systems
http://www.iss.net/security_center/static/6018.php

CERT/CC
http://www.cert.org/advisories/CA-2002-31.html


The NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.