CERT® Advisory CA-2002-19 Buffer Overflows in Multiple DNS Resolver Libraries
Original release date: June 28, 2002
Last revised: November 19, 2008
A complete revision history can be found at the end of this file.
Applications using vulnerable implementations of the Domain Name System
(DNS) resolver libraries, which include, but are not limited to
Internet Software Consortium (ISC) Berkeley Internet Name Domain (BIND) DNS resolver library (libbind)
Berkeley Software Distribution (BSD) DNS resolver library (libc)
GNU DNS resolver library (glibc)
Buffer overflow vulnerabilities exist in multiple implementations
of DNS resolver libraries. Operating systems and applications that
utilize vulnerable DNS resolver libraries may be affected. A remote
attacker who is able to send malicious DNS responses could potentially
exploit these vulnerabilities to execute arbitrary code or cause a denial
of service on a vulnerable system.
The DNS protocol provides name, address, and other information about
Internet Protocol (IP) networks and devices. To access DNS
information, a network application uses the resolver to perform DNS
queries on its behalf. Resolver functionality is commonly implemented
in libraries that are included with operating systems.
Multiple implementations of DNS resolver libraries contain remotely
exploitable buffer overflow vulnerabilities in the code used to handle
DNS responses. Both BSD (libc) and ISC BIND (libbind) resolver
libraries share a common code base and are vulnerable to this problem;
any DNS resolver implementation that derives code from either of these
libraries may also be vulnerable. Network applications that use
vulnerable resolver libraries are likely to be affected, therefore
this problem is not limited to DNS or BIND servers.
Two sets of responses could trigger buffer overflows in vulnerable
DNS resolver libraries: responses for host names or addresses,
and responses for network names or addresses. The GNU glibc
resolver addressed the vulnerability in handling responses for host
resolution in version 2.1.3. However, versions of glibc prior to and
including 2.2.5 are vulnerable to responses for network resolution, as
explained below in the GNU glibc vendor
statement. BSD (libc) and ISC BIND (libbind) resolvers are
vulnerable to both types of responses.
VU#803539 (CAN-2002-0651) lists vendors that have been contacted and provides further information about these vulnerabilities:
VU#542971 (CAN-2002-0684) describes the network name and address resolution vulnerability in the GNU libc library (glibc):
NetBSD Security Advisory 2002-006 also explains these vulnerabilities in detail:
Note that these vulnerabilities are not related to the Sendmail DNS map
issue discussed in VU#814627.
An attacker who is able to send malicious DNS responses could remotely
exploit these vulnerabilities to execute arbitrary code or cause a denial of
service on vulnerable systems. Any code executed by the attacker would run
with the privileges of the process that calls the vulnerable resolver
Note that an attacker could cause one of the victim's network services
to make a DNS request to a DNS server under the attacker's control. This
would permit the attacker to remotely exploit these vulnerabilities.
Upgrade to a corrected version of the DNS resolver libraries
Use of a local caching DNS server is not an effective workaround
Note that DNS resolver libraries can be used by multiple applications
on most systems. It may be necessary to upgrade or apply multiple
patches and then recompile statically linked applications.
Applications that are statically linked must be recompiled
using patched resolver libraries. Applications that are
dynamically linked do not need to be recompiled; however,
running services need to be restarted in order to use the patched
System administrators should consider the following process when
addressing this issue:
- Patch or obtain updated resolver libraries.
- Restart any dynamically linked services that use the resolver libraries.
- Recompile any statically linked applications using the patched or updated resolver libraries.
When this advisory was initially published, it was thought that a
caching DNS server that reconstructs DNS responses would prevent
malicious code from reaching systems with vulnerable resolver
This workaround is not sufficient. It does not prevent some DNS
responses that contain malicious code from reaching clients, whether
or not the responses are reconstructed by a local caching DNS server.
DNS responses containing code that is capable of exploiting the
vulnerabilities described in VU#803539 and VU#542971 can be
cached and reconstructed before being transmitted to clients. Since
the server may cache the responses, the malicious code could persist
until the server's cache is purged or the entries expire.
The only complete solution to this problem is to upgrade to a
corrected version of the DNS resolver libraries as noted above.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. When vendors report new information, this section is
updated and the changes are noted in the revision history. If a
vendor is not listed below, we have not received their comments.
Mac OS X and Mac OS X Server are not vulnerable to the issue
described in this notice.
Caldera OpenLinux is affected (glibc):
Caldera UnixWare is affected:
SOURCE: Compaq Computer Corporation,
a wholly-owned subsidiary of
and Hewlett-Packard Company HP Services
Software Security Response Team
[Compaq (Hewlett-Packard) has released a security bulletin (SRB0039W/SSRT2275) that addresses VU#803539 and other vulnerabilities.]
Conectiva Linux supported versions (6.0, 7.0 and 8) are not vulnerable
to VU#803539 regarding glibc packages. Regarding VU#542971, these
same versions of Conectiva Linux are vulnerable but not in the default
installation, since /etc/nsswitch.conf ships without the dns parameter
in the "networks:" line.
Updated glibc packages which fix the second vulnerability, VU#542971, will be provided.
Please see Conectiva Linux Announcement CLSA-2002:507 (english).
The DNS resolver code supplied by Cray, Inc. in Unicos and Unicos/mk
is vulnerable. SPR 722619 has been opened to track this problem.
Debian is vulnerable to the second vulnerability [VU#542971]:
Debian 2.2 aka potato aka stable: glibc 2.1.3 does not contain the included patch
Debian woody aka testing: glibc 2.2.5 does not contain the included patch
Debian sid aka unstable: glibc 2.2.5 does not contain the included patch
We are working towards an updated library.
We are not vulnerable to the first vulnerability [VU#803539] as published in the
CERT Advisory CA-2002-19, though.
djbdns does not have these bugs. djbdns has never used any
BIND-derived code. djbdns, including the djbdns client library, is
covered by a $500 security guarantee. The djbdns client library is
free for use by other packages in place of BIND's libresolv. See http://cr.yp.to/djbdns.html.
Elsewhere in this advisory, CERT and the BIND company suggest that
administrators do not need to rush to upgrade their libresolv-based
clients if they are using BIND 9 caches. The idea is that (1) BIND 9
caches never put CNAME records into the answer section of a DNS packet
except at the top and (2) the BIND company believes that these
libresolv bugs cannot be triggered by answer sections with all CNAME
records at the top.
dnscache, the caching component of djbdns, is like the BIND 9 cache in
all relevant respects. Specifically, it never puts CNAME records into
the answer section except at the top. (This is the normal behavior
for DNS caches; BIND 4 and BIND 8 are abnormal.)
However, it is simply not true that clients are protected by caches.
Attackers can send unusual packets directly to clients, using the same
well-known techniques used to selectively forge DNS responses. I do
not endorse the suggestion of relying on caches (whether BIND 9 or
dnscache) as a ``solution'' to the libresolv bugs. All libresolv-based
clients must be upgraded immediately.
There are exceptions. Sites that use a local dnscache on every
machine, with local firewalls preventing forgery of 127.0.0.1 and with
proper IP-address checks in client libraries, are immune to
cache-to-client packet forgery, as are sites that use IPSEC. However,
even at those sites, libresolv-based clients should be upgraded
immediately; the ability of the cache to take control of client
programs, rather than simply providing DNS data, is a violation of
standard security policy.
FreeBSD has released FreeBSD-SA-02:28.resolv:
adns is not derived from BIND libresolv. Furthermore, it does not
support a gethostbyname-like interface (which is where the bug in BIND
libresolv is). Therefore, it is not vulnerable.
For more information on GNU adns, see:
For resolving host names and addresses via DNS, Version 2.1.2 and earlier versions of the GNU C Library are vulnerable. Later versions are not vulnerable.
For the less commonly used action of resolving network names and addresses via DNS as per Internet RFC 1011, Version 2.2.5 and earlier versions are vulnerable.
To work around the problems, modify the file /etc/nsswitch.conf so that it contains "hosts:" and "networks:" lines that do not mention "dns".
For example, you might use the following lines in your /etc/nsswitch.conf file:
# This "networks:" line omits "dns" to work around a bug in glibc
Most GNU/Linux distributions with glibc 2.1.3 and later ship with a
line like "networks: files" in /etc/nsswitch.conf and thus unless this
line is changed they are not vulnerable.
# 2.2.5 and earlier.
networks: files nisplus
# This "hosts:" line omits "dns" to work around a bug in glibc 2.1.2
# and earlier.
hosts: nisplus [NOTFOUND=return] files
To fix the problem instead of working around it, we suggest upgrading
to Version 2.1.3 or later, and applying the following patch, taking
care to relink any statically linked applications that use the
affected functions. This patch can also be found at:
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v
retrieving revision 1.10
retrieving revision 126.96.36.199
diff -u -r1.10 -r188.8.131.52
--- libc/resolv/nss_dns/dns-network.c 2001/07/06 04:55:39 1.10
+++ libc/resolv/nss_dns/dns-network.c 2002/07/02 09:38:29 184.108.40.206
@@ -328,7 +328,9 @@
cp += n;
*alias_pointer++ = bp;
- bp += strlen (bp) + 1;
+ n = strlen (bp) + 1;
+ bp += n;
+ linebuflen -= n;
result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
Please see EnGarde Secure Linux Security Advisory ESA-20020724-018.
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0208-209
Originally issued: 12 Aug 2002
reference id: VU#803539, SSRT2316
HP Published Security Bulletin HPSBUX0208-209 with solutions for
HP9000 Series 700/800 running HP-UX releases 11.00 and 11.11 (11i)
with products using DNS resolver libraries, including, but not limited
This bulletin is available from the HP IT Resource Center page at: http://itrc.hp.com "Maintenance and
Support" then "Support Information Digests" and then "hp security
bulletins archive" search for bulletin HPSBUX0208-209.
reference id: VU#542971
describes a specific aspect of this vulnerability as it affects the
GNU libc library (glibc):
The glibc resolver used by HP Secure OS Software for Linux is
vulnerable. Please see Hewlett-Packard Company Security Bulletin
HPSBTL0207-053 for more information.
IBM is vulnerable to the above DNS stub resolver issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is available through an efix pacakge. Efixes are available from ftp.software.ibm.com/aix/efixes/security. See the README file in this directory for additional information on the efixes.
The following APARs will be available in the near future:
AIX 4.3.3: IY32719
AIX 5.1.0: IY32746
All versions of BIND 4 from 4.8.1 prior to BIND 4.9.9 are vulnerable.
All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.
The status of BIND 4.8 is unknown, assume that it is vulnerable.
BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.
'named' itself is not vulnerable.
Updated releases can be found at:
BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind).
This will be updated with the next BIND 9 releases (9.2.2/9.3.0) in the
meantime please use the original in BIND 8.3.3.
Vendors wishing additional patches should contact
Query about BIND 4 and BIND 8 should be addressed to
Query about BIND 9 should be addressed to email@example.com.
All versions of Juniper Networks JUNOS software released prior to June
27, 2002, are potentially vulnerable to this bug. This includes JUNOS
versions 4.x, 5.0R1 through 5.0R4, 5.1R1 through 5.1R4, 5.2R1 through
5.2R3, and 5.3R1 through 5.3R2. (All releases of JUNOS software with
version 5.4 or higher are NOT vulnerable.) The bug has been corrected
as of June 27, 2002, and all future software releases will contain the
correction. All Juniper Networks customers are encouraged to contact
JTAC, the Juniper Networks Technical Assistance Center by telephone at
1-888-314-JTAC, or by E-mail at firstname.lastname@example.org for details
on the availability of corrected software.
The resolver code embedded in the DNS Server (Based on ISC BIND 8.2.3)
on both MetaSolv Policy Services 4.1 and 4.2 are vulnerable to CERT/CC
Advisory CA-2002-19. This issue is being tracked by MetaSolv under
Case #28230. The ISC Sanctioned Patches to 8.2.3 for this advisory
have been compiled and applied, and will be available in Policy
Services 4.2 Service Pack 1. Please contact MetaSolv Global Customer
Care (email@example.com) for
availability and assistance.
Please see MandrakeSoft Security Advisory MDKSA-2002:043 (BIND) and MDKSA-2002:050 (glibc).
Microsoft products do not use the libraries in question. Microsoft
products are not affected by this issue.
NetBSD has released NetBSD Security Advisory 2002-006:
Some NetApp systems are vulnerable to this problem. Check NOW (http://now.netapp.com) for information on
whether your system is vulnerable and the appropriate patch release that
you should install.
The following Nortel Networks products are potentially affected by the vulnerability identified in CERT/CC Advisory CA-2002-19:
NetID. A bulletin entitled "NetID BIND Bulletin", dated 7-12-02 has been issued and is available from the following Nortel Networks support contacts:
North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
Contacts for other regions are available at www.nortelnetworks.com/help/contact/global/
Optivity NMS, which uses Sun Solaris operating systems supplied by third parties. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification. Implementing such practices will not adversely impact this Nortel Networks product.
Also, the former Nortel Networks product Preside Policy Server divested to MetaSolv Software, Inc. in February 2002 uses BIND 8 and may be potentially affected.
[T]he resolver libraries in question got copied far and wide. They used
to have a hell of a lot of bugs in them.
Now might be a good time for people to compare each others' libraries
to each other. I would urge them to compare against the OpenBSD ones,
where we've spent a lot of time on, but of course we still missed this.
But perhaps people can then share some around. Not everyone is going to
move to the bind9 stuff, since it is very different.
Please see OpenPKG Security Advisory OpenPKG-SA-2002.006.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for this vulnerability, originally developed by
Jun-ichiro itojun Hagino of NetBSD. The updated patches are available
at the usual location:
The BIND 4.9.x-OW patches provide certain security features which are
not a part of ISC's now deprecated BIND 4 and are recommended for use
by sites which chose to stick with BIND 4 for a little longer for whatever
reason. They aren't a part of Owl.
No release or branch of Openwall GNU/*/Linux (Owl) is affected in
default configuration as the "dns" NSS module isn't enabled for
network lookups in our default /etc/nsswitch.conf file.
The defect in "dns" module has been corrected in Owl-current on
2002/07/04 and that fix is included in the snapshot from 2002/07/07.
Please see Red Hat Security Advisory RHSA-2002:139 (glibc) and RHSA-2002:133 (libbind).
This is the official Secure Computing response to CERT Advisory
CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries. Note
that we are currently supporting three different firewalls with
different solutions to this vulnerability.
GAUNTLET (tm) FIREWALL & VPN (5.X and 6.0)
Gauntlet software users should contact their operating system vendor
for a revised version of the library (on Solaris it is libresolv.so,
on HP-UX it is libnss_dns.1) in question and apply it as soon as it is
GAUNTLET E-PPLIANCE FIREWALL & VPN (EPL 1.X and 2.0)
Gauntlet e-ppliance would be vulnerable to this theoretical attack.
Secure Computing engineering is currently examining the issue in
preparation for a patch for the e-ppliance 300 and 1000 (all
SIDEWINDER(tm) FIREWALL & VPN (all releases including Sidewinder
This buffer overflow vulnerability can not be exploited to gain access
to, or gain any valuable information from a Sidewinder. An attack
against one of the Sidewinder components using this vulnerability
would yield no special privileges (such as root access, shell access,
configuration information, etc.) due to Sidewinder's SecureOS(tm) Type
Enforcement(tm) technology (TE).
None of Sidewinder's critical services (proxies, ACL engine, etc.) do
direct DNS processing. Resolution is done by 'self contained' DNS
resolver processes which are not granted Type Enforcement access to
any of the services configuration data, nor could it access the data
contained by the service sessions, nor even execute a shell. This
process has no access to any system resources useful to an attacker.
And of course, there is no useful concept of root privilege on
Sendmail uses the BIND resolver API, and is commonly linked with the BIND resolver library (libbind). As a result, Sendmail could be leveraged to exploit this vulnerability.
Note that the DNS map problem that was addressed in Sendmail 8.12.5 is
a different issue, which is described in VU#814627:
The announcement for Sendmail 8.12.5 also references the DNS map problem:
SGI IRIX is not vulnerable. Please see SGI Security Advisory 20020701-01-I for more information.
The Solaris DNS resolver library (libresolv.so) is affected by this
issue in all currently supported versions of Solaris:
Solaris 2.5.1, 2.6, 7, 8, and 9
Sun has released patches as specified in Sun Alert ID 46042.
Sun Security Bulletins are available from:
Please see SUSE Security Announcement SUSE-SA:2002:026 (previously located here). See also SUSE Linux Enterprise Security.
Please see Trustix Secure Linux Security Advisory #2002-0061.
The CERT Coordination Center thanks Joost Pol of PINE-CERT, the
FreeBSD Project, the NetBSD Project, and David Conrad of Nominum for
information used in this document.
Feedback can be directed to the authors: Art Manion and Jason A. Rafail.
Appendix B. - References
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
June 28, 2002: Initial release
June 29, 2002: Updated NetBSD references, addded Sendmail statement,
reformatted vendor statements, added CVE reference, added Juniper
June 30, 2002: Updated ISC statement
July 1, 2002: Added Apple, Sun, and Openwall statements
July 10, 2002: Added IBM statement and GNU glibc statements
July 18, 2002: Added reference to VU#542971, added description of
network and host responses and glibc vulnerability, added Secure
Computing statement, updated Thanks statement, added Name Service
July 25, 2002: Added djbns, Nortel, HP, Trustix, SGI, Conectiva, SuSE,
Red Hat, OpenPKG, and Guardian Digital statements, updated IBM
July 26, 2002: Added MetaSolv statement, updated HP statement
August 9, 2002: Updated Red Hat statement
August 14, 2002: Changed title to reflect plural "overflows", changed references to plural "vulnerabilities", re-ordered Description section, added firewall statement to caching DNS server workaround, updated HP, Conectiva, and Openwall statements, added SuSE URL, added Debian and MandrakeSoft statements, re-formatted fixed-width text
August 27, 2002: Deprecated caching DNS server workaround, updated Caldera statement
August 28, 2002: Updated ISC and Sun statements
September 9, 2002: Updated Compaq statement
November 19, 2008: Update SUSE statement