February 28, 2001

Four vulnerabilities have been found in the Internet Software Consortium’s (ISC)
Berkeley Internet Name Domain (BIND) server, the widely used implementation of
the Domain Name System (DNS) maintained by the ISC. The threat is serious
because most name servers today run BIND. At risk are servers running BIND
4.9.x below 4.9.8 and those running BIND 8.2.x below 8.2.3. Simply put, name
servers translate Internet domain names into the IP addresses needed to connect
to a particular website.

Below is a description of the four vulnerabilities.

  • Buffer overflow in the transaction signature handling code of BIND 8: While
    handling a transaction signature (TSIG), BIND 8 checks for TSIGs that do not
    have a valid key. If it finds one, it skips normal processing of the request
    and jumps to the code that sends an error response. The flaw is that this
    error-handling code invalidates assumptions that later function calls make
    about the size of the request buffer, so the code that adds a new valid
    signature to the response can overflow the request buffer and overwrite
    adjacent memory. Combined with other buffer-overflow exploitation
    techniques, this lets an attacker gain unauthorized access to the system and
    run arbitrary code, or crash the name server remotely.

  • Buffer overflow in nslookupComplain() in BIND 4: The vulnerable buffer is a
    locally defined character array used to build an error message for logging.
    An attacker can send a specially formulated DNS query to the server,
    resulting in either a denial of service or execution of arbitrary code on
    the server.

  • Input validation error in nslookupComplain() in BIND 4: This vulnerability
    lets an attacker send a specially formulated DNS query to the server that
    results in the execution of arbitrary code. The ISC patched it in an earlier
    version of BIND 4, but many third-party vendors have not included the fix in
    their BIND packages.

  • Queries to BIND servers can disclose environment variables: An information
    leak in the query-processing code of both BIND 4 and BIND 8 can allow a
    remote attacker to read from the program stack, exposing program or
    environment variables. It is triggered by sending a specially formatted
    query to the BIND server.

Patch availability: The ISC has released BIND versions 4.9.8 and 8.2.3, which
fix these security holes, so users of BIND 4.9.x and 8.2.x should upgrade to
those versions respectively. Since BIND 9.x is not affected by these
vulnerabilities, upgrading to BIND 9.1 is also an option. BIND 4 users should
preferably upgrade to BIND 8.2.3 or 9.1 for additional features not related to
security.

BIND 4.9.8 and 8.2.3 are available at: ftp://ftp.isc.org/isc/bind/src/

BIND 9.1 is available at: ftp://ftp.isc.org/isc/bind9/
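As an added illustration (not part of the original article or ISC's own code), a small Python helper for inventorying the servers you administer: it builds the CHAOS-class `version.bind` TXT query, parses the reply, and classifies the reported version against the affected ranges given above. The sample response bytes are constructed; a server may hide or fake its version string, so treat the result as an inventory hint rather than proof of patch level.

```python
import re
import struct

# Ranges the advisory names: 4.9.x < 4.9.8 and 8.2.x < 8.2.3 affected, 9.x not;
# any other train, or a hidden/non-numeric version string, yields None.
def bind_version_affected(version):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if (major, minor) == (4, 9):
        return patch < 8
    if (major, minor) == (8, 2):
        return patch < 3
    return False if major == 9 else None

def build_version_bind_query(txid=0x1234):
    # Standard query, RD set, one question: version.bind TXT (16) in class CH (3)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)

def _skip_name(data, pos):
    # Walk labels; a compression pointer (top two bits set) ends the name
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_version_bind_response(data):
    # Return the first TXT string of the first answer RR, or None
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    if ancount == 0:
        return None
    pos = _skip_name(data, pos)
    rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != 16 or rdlen == 0:
        return None
    return data[pos + 1:pos + 1 + data[pos]].decode("ascii", "replace")

# Constructed sample response (not a real capture) whose TXT answer reads "8.2.2"
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07version\x04bind\x00\x00\x10\x00\x03"
                   + b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x06\x058.2.2")
```

To check a live server you administer, send the bytes from `build_version_bind_query()` over UDP to port 53 and pass the reply to `parse_version_bind_response()`.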
