CERT® Advisory CA-2002-19 Buffer Overflows in Multiple DNS Resolver Libraries
Original release date: June 28, 2002
Last revised: September 9, 2002
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Applications using vulnerable implementations of the Domain Name System
(DNS) resolver libraries, which include, but are not limited to:
- Internet Software Consortium (ISC) Berkeley Internet Name Domain (BIND) DNS resolver library (libbind)
- Berkeley Software Distribution (BSD) DNS resolver library (libc)
- GNU DNS resolver library (glibc)
Overview
Buffer overflow vulnerabilities exist in multiple implementations
of DNS resolver libraries. Operating systems and applications that
utilize vulnerable DNS resolver libraries may be affected. A remote
attacker who is able to send malicious DNS responses could potentially
exploit these vulnerabilities to execute arbitrary code or cause a denial
of service on a vulnerable system.
I. Description
The DNS protocol provides name, address, and other information about
Internet Protocol (IP) networks and devices. To access DNS
information, a network application uses the resolver to perform DNS
queries on its behalf. Resolver functionality is commonly implemented
in libraries that are included with operating systems.
Multiple implementations of DNS resolver libraries contain remotely
exploitable buffer overflow vulnerabilities in the code used to handle
DNS responses. Both BSD (libc) and ISC BIND (libbind) resolver
libraries share a common code base and are vulnerable to this problem;
any DNS resolver implementation that derives code from either of these
libraries may also be vulnerable. Network applications that use
vulnerable resolver libraries are likely to be affected, therefore
this problem is not limited to DNS or BIND servers.
Two sets of responses could trigger buffer overflows in vulnerable
DNS resolver libraries: responses for host names or addresses,
and responses for network names or addresses. The GNU glibc
resolver addressed the vulnerability in handling responses for host
resolution in version 2.1.3. However, versions of glibc prior to and
including 2.2.5 are vulnerable to responses for network resolution, as
explained below in the GNU glibc vendor
statement. BSD (libc) and ISC BIND (libbind) resolvers are
vulnerable to both types of responses.
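The following is an added illustration (not code from the advisory, glibc or BIND) of the length-accounting error that the glibc patch in Appendix A corrects, reduced to a simplified model: each alias taken from a DNS answer is appended to a fixed line buffer through `bp`, and `linebuflen` is the space the loop believes remains. The vulnerable variant never decrements `linebuflen`, so its per-alias check keeps passing after the buffer is full; the patched variant refuses. Buffer sizes and alias names are constructed, and writes land in oversized backing storage guarded by a canary so the demonstration itself stays in bounds.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the alias-copy loop fixed by the glibc patch in Appendix A
 * (added example; not glibc or BIND code). The real resolver obtains the names
 * via dn_expand(); here they come from a constructed list. */

#define LINEBUF_SIZE 32   /* logical size of the resolver's line buffer */
#define SLACK 64          /* extra backing storage so the demo never writes out of bounds */
#define CANARY 0xA5       /* fill pattern guarding the bytes past the logical end */

/* Copies aliases into storage; returns the count copied, or -1 when the loop
 * refuses for lack of space. With fixed != 0, linebuflen is decremented per
 * alias, as the patch does. */
static int copy_aliases(const char *const *aliases, int n_aliases, int fixed,
                        unsigned char *storage)
{
    char *bp = (char *)storage;        /* write cursor into the line buffer */
    int linebuflen = LINEBUF_SIZE;     /* remaining space as the loop sees it */
    int copied = 0;

    memset(storage, CANARY, LINEBUF_SIZE + SLACK);
    for (int i = 0; i < n_aliases; i++) {
        int n = (int)strlen(aliases[i]) + 1;   /* name plus NUL, the patch's n */
        if (n > linebuflen)
            return -1;                         /* no room for this alias */
        memcpy(bp, aliases[i], (size_t)n);     /* the copy into the line buffer */
        bp += n;
        if (fixed)
            linebuflen -= n;                   /* the line the patch adds */
        copied++;
    }
    return copied;
}

/* Returns 1 if any byte beyond the logical buffer end was overwritten. */
static int canary_clobbered(const unsigned char *storage)
{
    for (int i = LINEBUF_SIZE; i < LINEBUF_SIZE + SLACK; i++)
        if (storage[i] != CANARY)
            return 1;
    return 0;
}

/* Constructed aliases: three 12-character names, 39 bytes with their NULs,
 * which is more than the 32-byte line buffer. */
static const char *const DEMO_ALIASES[] = { "alias-a.test", "alias-b.test", "alias-c.test" };
#define DEMO_COUNT 3

/* Runs the demo loop (patched or not) and returns the loop's result. */
static int demo_result(int fixed)
{
    unsigned char storage[LINEBUF_SIZE + SLACK];
    return copy_aliases(DEMO_ALIASES, DEMO_COUNT, fixed, storage);
}

/* Runs the demo loop and returns whether the canary past the buffer was hit. */
static int demo_clobbered(int fixed)
{
    unsigned char storage[LINEBUF_SIZE + SLACK];
    copy_aliases(DEMO_ALIASES, DEMO_COUNT, fixed, storage);
    return canary_clobbered(storage);
}

int main(void)
{
    printf("vulnerable loop: result %d, wrote past buffer: %d\n",
           demo_result(0), demo_clobbered(0));
    printf("patched loop:    result %d, wrote past buffer: %d\n",
           demo_result(1), demo_clobbered(1));
    return 0;
}
```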
VU#803539 (CAN-2002-0651) lists vendors that have been contacted and provides further information about these vulnerabilities:
http://www.kb.cert.org/vuls/id/803539
VU#542971 (CAN-2002-0684) describes the network name and address resolution vulnerability in the GNU libc library (glibc):
http://www.kb.cert.org/vuls/id/542971
NetBSD Security Advisory 2002-006 also explains these vulnerabilities in detail:
ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
Note that these vulnerabilities are not related to the Sendmail DNS map
issue discussed in VU#814627.
II. Impact
An attacker who is able to send malicious DNS responses could remotely
exploit these vulnerabilities to execute arbitrary code or cause a denial of
service on vulnerable systems. Any code executed by the attacker would run
with the privileges of the process that calls the vulnerable resolver
function.
Note that an attacker could cause one of the victim's network services
to make a DNS request to a DNS server under the attacker's control. This
would permit the attacker to remotely exploit these vulnerabilities.
III. Solution
Upgrade to a corrected version of the DNS resolver libraries
Note that DNS resolver libraries can be used by multiple applications
on most systems. It may be necessary to upgrade or apply multiple
patches and then recompile statically linked applications.
Applications that are statically linked must be recompiled
using patched resolver libraries. Applications that are
dynamically linked do not need to be recompiled; however,
running services need to be restarted in order to use the patched
resolver libraries.
System administrators should consider the following process when
addressing this issue:
- Patch or obtain updated resolver libraries.
- Restart any dynamically linked services that use the resolver libraries.
- Recompile any statically linked applications using the patched or updated resolver libraries.
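An added check for the restart step above (example code, not from the advisory or any vendor): on Linux, a process that still maps a library file that has since been replaced shows that mapping as "(deleted)" in /proc/<pid>/maps, so walking /proc lists the dynamically linked services that have not yet picked up the patched resolver. The library name patterns and the sample maps lines are assumptions constructed for this example.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
/* Added example (not from the advisory): after the resolver libraries are replaced,
 * a dynamically linked process keeps the old copy mapped until it is restarted. Linux
 * marks such a mapping "(deleted)" in /proc/<pid>/maps, so scanning maps files lists
 * the services still to restart. Name patterns and sample lines are constructed. */

/* Name fragments of resolver libraries: libbind, BSD/glibc libc, glibc's NSS DNS module. */
static const char *const RESOLVER_LIBS[] = { "libresolv", "libbind", "libnss_dns", "libc-", "libc." };

/* Returns 1 if one maps line refers to a replaced (deleted) resolver library,
 * copying its path into out (outlen bytes); returns 0 otherwise. */
static int stale_resolver_line(const char *line, char *out, size_t outlen)
{
    const char *del = strstr(line, "(deleted)");
    const char *path = strchr(line, '/');      /* the path field starts at the first '/' */
    if (del == NULL || path == NULL || path > del)
        return 0;
    const char *base = strrchr(path, '/') + 1; /* file name part of the path */
    for (size_t i = 0; i < sizeof RESOLVER_LIBS / sizeof RESOLVER_LIBS[0]; i++) {
        if (strstr(base, RESOLVER_LIBS[i]) == NULL)
            continue;
        size_t len = (size_t)(del - path);
        while (len > 0 && path[len - 1] == ' ') len--;   /* drop the space before "(deleted)" */
        if (len >= outlen) len = outlen - 1;
        memcpy(out, path, len);
        out[len] = '\0';
        return 1;
    }
    return 0;
}

/* Constructed sample maps lines; only the first names a replaced resolver library. */
static const char *const SAMPLE_MAPS[] = {
    "7f1c2a000000-7f1c2a010000 r-xp 00000000 08:01 12345 /lib/libresolv-2.2.5.so (deleted)",
    "7f1c2a010000-7f1c2a150000 r-xp 00000000 08:01 12346 /lib/libc-2.2.5.so",
    "7f1c2b000000-7f1c2b001000 rw-p 00000000 00:00 0 /dev/zero (deleted)",
};

/* Returns how many sample lines are flagged as stale resolver mappings. */
static int count_stale_samples(void)
{
    char path[256]; int found = 0;
    for (size_t i = 0; i < sizeof SAMPLE_MAPS / sizeof SAMPLE_MAPS[0]; i++)
        found += stale_resolver_line(SAMPLE_MAPS[i], path, sizeof path);
    return found;
}

/* Reads /proc/<pid>/maps and reports each stale resolver mapping; returns the count. */
static int report_stale_mappings(const char *pid)
{
    char mapsfile[64], line[512], path[256]; int found = 0;
    snprintf(mapsfile, sizeof mapsfile, "/proc/%s/maps", pid);
    FILE *f = fopen(mapsfile, "r");
    if (f == NULL) return 0;                        /* process exited or not readable */
    while (fgets(line, sizeof line, f) != NULL)
        if (stale_resolver_line(line, path, sizeof path)) {
            printf("pid %s still maps replaced %s: restart it\n", pid, path);
            found++;
        }
    fclose(f);
    return found;
}

int main(void)
{
    DIR *proc = opendir("/proc");
    struct dirent *d;
    if (proc == NULL) return 1;
    while ((d = readdir(proc)) != NULL)
        if (d->d_name[0] >= '0' && d->d_name[0] <= '9')   /* numeric entries are pids */
            report_stale_mappings(d->d_name);
    closedir(proc);
    return 0;
}
```

Statically linked binaries do not appear in this scan at all, which is exactly why the advisory says they must be found and recompiled separately.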
Use of a local caching DNS server is not an effective workaround
When this advisory was initially published, it was thought that a
caching DNS server that reconstructs DNS responses would prevent
malicious code from reaching systems with vulnerable resolver
libraries.
This workaround is not sufficient. It does not prevent some DNS
responses that contain malicious code from reaching clients, whether
or not the responses are reconstructed by a local caching DNS server.
DNS responses containing code that is capable of exploiting the
vulnerabilities described in VU#803539 and VU#542971 can be
cached and reconstructed before being transmitted to clients. Since
the server may cache the responses, the malicious code could persist
until the server's cache is purged or the entries expire.
The only complete solution to this problem is to upgrade to a
corrected version of the DNS resolver libraries as noted above.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. When vendors report new information, this section is
updated and the changes are noted in the revision history. If a
vendor is not listed below, we have not received their comments.
Mac OS X and Mac OS X Server are not vulnerable to the issue
described in this notice.
Caldera OpenLinux is affected (glibc):
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-034.1.txt
Caldera UnixWare is affected:
ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.37.txt
SOURCE: Compaq Computer Corporation,
a wholly-owned subsidiary of
Hewlett-Packard Company
and Hewlett-Packard Company HP Services
Software Security Response Team
x-ref:SSRT2270
[Compaq (Hewlett-Packard) has released a security bulletin (SRB0039W/SSRT2275) that addresses VU#803539 and other vulnerabilities.]
Conectiva Linux supported versions (6.0, 7.0 and 8) are not vulnerable
to VU#803539 regarding glibc packages. Regarding VU#542971, these
same versions of Conectiva Linux are vulnerable but not in the default
installation, since /etc/nsswitch.conf ships without the dns parameter
in the "networks:" line.
Updated glibc packages which fix the second vulnerability, VU#542971, will be provided.
Please see Conectiva Linux Announcement CLSA-2002:507 (English).
The DNS resolver code supplied by Cray, Inc. in Unicos and Unicos/mk
is vulnerable. SPR 722619 has been opened to track this problem.
Debian is vulnerable to the second vulnerability [VU#542971]:
Debian 2.2 aka potato aka stable: glibc 2.1.3 does not contain the included patch
Debian woody aka testing: glibc 2.2.5 does not contain the included patch
Debian sid aka unstable: glibc 2.2.5 does not contain the included patch
We are working towards an updated library.
We are not vulnerable to the first vulnerability [VU#803539] as published in the
CERT Advisory CA-2002-19, though.
djbdns does not have these bugs. djbdns has never used any
BIND-derived code. djbdns, including the djbdns client library, is
covered by a $500 security guarantee. The djbdns client library is
free for use by other packages in place of BIND's libresolv. See http://cr.yp.to/djbdns.html.
Elsewhere in this advisory, CERT and the BIND company suggest that
administrators do not need to rush to upgrade their libresolv-based
clients if they are using BIND 9 caches. The idea is that (1) BIND 9
caches never put CNAME records into the answer section of a DNS packet
except at the top and (2) the BIND company believes that these
libresolv bugs cannot be triggered by answer sections with all CNAME
records at the top.
dnscache, the caching component of djbdns, is like the BIND 9 cache in
all relevant respects. Specifically, it never puts CNAME records into
the answer section except at the top. (This is the normal behavior
for DNS caches; BIND 4 and BIND 8 are abnormal.)
However, it is simply not true that clients are protected by caches.
Attackers can send unusual packets directly to clients, using the same
well-known techniques used to selectively forge DNS responses. I do
not endorse the suggestion of relying on caches (whether BIND 9 or
dnscache) as a "solution" to the libresolv bugs. All libresolv-based
clients must be upgraded immediately.
There are exceptions. Sites that use a local dnscache on every
machine, with local firewalls preventing forgery of 127.0.0.1 and with
proper IP-address checks in client libraries, are immune to
cache-to-client packet forgery, as are sites that use IPSEC. However,
even at those sites, libresolv-based clients should be upgraded
immediately; the ability of the cache to take control of client
programs, rather than simply providing DNS data, is a violation of
standard security policy.
FreeBSD has released FreeBSD-SA-02:28.resolv:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc
adns is not derived from BIND libresolv. Furthermore, it does not
support a gethostbyname-like interface (which is where the bug in BIND
libresolv is). Therefore, it is not vulnerable.
For more information on GNU adns, see:
http://www.gnu.org/software/adns/
http://www.chiark.greenend.org.uk/~ian/adns/
For resolving host names and addresses via DNS, Version 2.1.2 and earlier versions of the GNU C Library are vulnerable. Later versions are not vulnerable.
For the less commonly used action of resolving network names and addresses via DNS as per Internet RFC 1011, Version 2.2.5 and earlier versions are vulnerable.
To work around the problems, modify the file /etc/nsswitch.conf so that it contains "hosts:" and "networks:" lines that do not mention "dns".
For example, you might use the following lines in your /etc/nsswitch.conf file:
# This "networks:" line omits "dns" to work around a bug in glibc
# 2.2.5 and earlier.
networks: files nisplus
# This "hosts:" line omits "dns" to work around a bug in glibc 2.1.2
# and earlier.
hosts: nisplus [NOTFOUND=return] files
Most GNU/Linux distributions with glibc 2.1.3 and later ship with a
line like "networks: files" in /etc/nsswitch.conf and thus unless this
line is changed they are not vulnerable.
To fix the problem instead of working around it, we suggest upgrading
to Version 2.1.3 or later, and applying the following patch, taking
care to relink any statically linked applications that use the
affected functions. This patch can also be found at:
<http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/resolv/nss_dns/dns-network.c.diff?r1=1.10&r2=1.10.2.1&cvsroot=glibc>
===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v
retrieving revision 1.10
retrieving revision 1.10.2.1
diff -u -r1.10 -r1.10.2.1
--- libc/resolv/nss_dns/dns-network.c 2001/07/06 04:55:39 1.10
+++ libc/resolv/nss_dns/dns-network.c 2002/07/02 09:38:29 1.10.2.1
@@ -328,7 +328,9 @@
}
cp += n;
*alias_pointer++ = bp;
- bp += strlen (bp) + 1;
+ n = strlen (bp) + 1;
+ bp += n;
+ linebuflen -= n;
result->n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
++have_answer;
}
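Review bot: the added `linebuflen -= n;` keeps the remaining-space count honest after each alias is appended to `bp`, but nothing in this hunk checks that `n` fits before `bp += n`; confirm that the length check preceding the copy into `bp` (outside the visible lines) is the one that consumes `linebuflen`, otherwise the decrement only protects the next iteration rather than this one. Reusing `n` after `cp += n` is safe here because `cp` has already been advanced, but a one-line comment noting that `n` changes meaning from the compressed-name length to the alias length would help future readers.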
Please see EnGarde Secure Linux Security Advisory ESA-20020724-018.
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0208-209
Originally issued: 12 Aug 2002
reference id: VU#803539, SSRT2316
HP Published Security Bulletin HPSBUX0208-209 with solutions for
HP9000 Series 700/800 running HP-UX releases 11.00 and 11.11 (11i)
with products using DNS resolver libraries, including, but not limited
to, BINDv920.INETSVCS-BIND.
This bulletin is available from the HP IT Resource Center page at: http://itrc.hp.com "Maintenance and
Support" then "Support Information Digests" and then "hp security
bulletins archive" search for bulletin HPSBUX0208-209.
reference id: VU#542971
describes a specific aspect of this vulnerability as it affects the
GNU libc library (glibc):
The glibc resolver used by HP Secure OS Software for Linux is
vulnerable. Please see Hewlett-Packard Company Security Bulletin
HPSBTL0207-053 for more information.
IBM is vulnerable to the above DNS stub resolver issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is available through an efix package. Efixes are available from ftp.software.ibm.com/aix/efixes/security. See the README file in this directory for additional information on the efixes.
The following APARs will be available in the near future:
AIX 4.3.3: IY32719
AIX 5.1.0: IY32746
All versions of BIND 4 from 4.8.1 prior to BIND 4.9.9 are vulnerable.
All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.
The status of BIND 4.8 is unknown, assume that it is vulnerable.
BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.
'named' itself is not vulnerable.
Updated releases can be found at:
ftp://ftp.isc.org/isc/bind/src/4.9.9/
ftp://ftp.isc.org/isc/bind/src/8.2.6/
ftp://ftp.isc.org/isc/bind/src/8.3.3/
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.3.3/
BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind).
This will be updated with the next BIND 9 releases (9.2.2/9.3.0); in the
meantime, please use the original in BIND 8.3.3.
Vendors wishing additional patches should contact
bind-bugs@isc.org.
Queries about BIND 4 and BIND 8 should be addressed to
bind-bugs@isc.org.
Queries about BIND 9 should be addressed to bind9-bugs@isc.org.
All versions of Juniper Networks JUNOS software released prior to June
27, 2002, are potentially vulnerable to this bug. This includes JUNOS
versions 4.x, 5.0R1 through 5.0R4, 5.1R1 through 5.1R4, 5.2R1 through
5.2R3, and 5.3R1 through 5.3R2. (All releases of JUNOS software with
version 5.4 or higher are NOT vulnerable.) The bug has been corrected
as of June 27, 2002, and all future software releases will contain the
correction. All Juniper Networks customers are encouraged to contact
JTAC, the Juniper Networks Technical Assistance Center by telephone at
1-888-314-JTAC, or by E-mail at support@juniper.net for details
on the availability of corrected software.
The resolver code embedded in the DNS Server (Based on ISC BIND 8.2.3)
on both MetaSolv Policy Services 4.1 and 4.2 is vulnerable to CERT/CC
Advisory CA-2002-19. This issue is being tracked by MetaSolv under
Case #28230. The ISC Sanctioned Patches to 8.2.3 for this advisory
have been compiled and applied, and will be available in Policy
Services 4.2 Service Pack 1. Please contact MetaSolv Global Customer
Care (supporthd@metasolv.com) for
availability and assistance.
Please see MandrakeSoft Security Advisory MDKSA-2002:043 (BIND) and MDKSA-2002:050 (glibc).
Microsoft products do not use the libraries in question. Microsoft
products are not affected by this issue.
NetBSD has released NetBSD Security Advisory 2002-006:
ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
Some NetApp systems are vulnerable to this problem. Check NOW (http://now.netapp.com) for information on
whether your system is vulnerable and the appropriate patch release that
you should install.
The following Nortel Networks products are potentially affected by the vulnerability identified in CERT/CC Advisory CA-2002-19:
- NetID. A bulletin entitled "NetID BIND Bulletin", dated 7-12-02, has been issued and is available from the following Nortel Networks support contacts:
  North America: 1-8004NORTEL or 1-800-466-7835
  Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
  Contacts for other regions are available at www.nortelnetworks.com/help/contact/global/
- Optivity NMS, which uses Sun Solaris operating systems supplied by third parties. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification. Implementing such practices will not adversely impact this Nortel Networks product.
- Also, the former Nortel Networks product Preside Policy Server, divested to MetaSolv Software, Inc. in February 2002, uses BIND 8 and may be potentially affected.
[T]he resolver libraries in question got copied far and wide. They used
to have a hell of a lot of bugs in them.
Now might be a good time for people to compare each others' libraries
to each other. I would urge them to compare against the OpenBSD ones,
where we've spent a lot of time on, but of course we still missed this.
But perhaps people can then share some around. Not everyone is going to
move to the bind9 stuff, since it is very different.
Please see OpenPKG Security Advisory OpenPKG-SA-2002.006.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for this vulnerability, originally developed by
Jun-ichiro itojun Hagino of NetBSD. The updated patches are available
at the usual location:
http://www.openwall.com/bind/
The BIND 4.9.x-OW patches provide certain security features which are
not a part of ISC's now deprecated BIND 4 and are recommended for use
by sites which chose to stick with BIND 4 for a little longer for whatever
reason. They aren't a part of Owl.
[VU#542971]
No release or branch of Openwall GNU/*/Linux (Owl) is affected in
default configuration as the "dns" NSS module isn't enabled for
network lookups in our default /etc/nsswitch.conf file.
The defect in the "dns" module has been corrected in Owl-current on
2002/07/04 and that fix is included in the snapshot from 2002/07/07.
Please see Red Hat Security Advisory RHSA-2002:139 (glibc) and RHSA-2002:133 (libbind).
This is the official Secure Computing response to CERT Advisory
CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries. Note
that we are currently supporting three different firewalls with
different solutions to this vulnerability.
GAUNTLET (tm) FIREWALL & VPN (5.X and 6.0)
Gauntlet software users should contact their operating system vendor
for a revised version of the library (on Solaris it is libresolv.so,
on HP-UX it is libnss_dns.1) in question and apply it as soon as it is
available.
GAUNTLET E-PPLIANCE FIREWALL & VPN (EPL 1.X and 2.0)
Gauntlet e-ppliance would be vulnerable to this theoretical attack.
Secure Computing engineering is currently examining the issue in
preparation for a patch for the e-ppliance 300 and 1000 (all
versions).
SIDEWINDER(tm) FIREWALL & VPN (all releases including Sidewinder
Appliance)
This buffer overflow vulnerability can not be exploited to gain access
to, or gain any valuable information from a Sidewinder. An attack
against one of the Sidewinder components using this vulnerability
would yield no special privileges (such as root access, shell access,
configuration information, etc.) due to Sidewinder's SecureOS(tm) Type
Enforcement(tm) technology (TE).
None of Sidewinder's critical services (proxies, ACL engine, etc.) do
direct DNS processing. Resolution is done by 'self contained' DNS
resolver processes which are not granted Type Enforcement access to
any of the services configuration data, nor could it access the data
contained by the service sessions, nor even execute a shell. This
process has no access to any system resources useful to an attacker.
And of course, there is no useful concept of root privilege on
Sidewinder.
Sendmail uses the BIND resolver API, and is commonly linked with the BIND resolver library (libbind). As a result, Sendmail could be leveraged to exploit this vulnerability.
Note that the DNS map problem that was addressed in Sendmail 8.12.5 is
a different issue, which is described in VU#814627:
http://www.kb.cert.org/vuls/id/814627
The announcement for Sendmail 8.12.5 also references the DNS map problem:
http://www.sendmail.org/8.12.5.html
SGI IRIX is not vulnerable. Please see SGI Security Advisory 20020701-01-I for more information.
The Solaris DNS resolver library (libresolv.so) is affected by this
issue in all currently supported versions of Solaris:
Solaris 2.5.1, 2.6, 7, 8, and 9
Sun has released patches as specified in Sun Alert ID 46042.
Sun Security Bulletins are available from:
http://sunsolve.sun.com/security
Please see SuSE Security Announcement SuSE-SA:2002:026.
Please see Trustix Secure Linux Security Advisory #2002-0061.
The CERT Coordination Center thanks Joost Pol of PINE-CERT, the
FreeBSD Project, the NetBSD Project, and David Conrad of Nominum for
information used in this document.
Feedback can be directed to the authors: Art Manion and Jason A. Rafail.
Appendix B. - References
- http://www.pine.nl/advisories/pine-cert-20020601.asc
- ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc
- http://www.gnu.org/manual/glibc-2.2.5/html_node/Name-Service-Switch.html#Name%20Service%20Switch
This document is available from:
http://www.cert.org/advisories/CA-2002-19.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
June 28, 2002: Initial release
June 29, 2002: Updated NetBSD references, added Sendmail statement,
reformatted vendor statements, added CVE reference, added Juniper
statement
June 30, 2002: Updated ISC statement
July 1, 2002: Added Apple, Sun, and Openwall statements
July 10, 2002: Added IBM statement and GNU glibc statements
July 18, 2002: Added reference to VU#542971, added description of
network and host responses and glibc vulnerability, added Secure
Computing statement, updated Thanks statement, added Name Service
Switch reference
July 25, 2002: Added djbdns, Nortel, HP, Trustix, SGI, Conectiva, SuSE,
Red Hat, OpenPKG, and Guardian Digital statements, updated IBM
statement
July 26, 2002: Added MetaSolv statement, updated HP statement
August 9, 2002: Updated Red Hat statement
August 14, 2002: Changed title to reflect plural "overflows", changed references to plural "vulnerabilities", re-ordered Description section, added firewall statement to caching DNS server workaround, updated HP, Conectiva, and Openwall statements, added SuSE URL, added Debian and MandrakeSoft statements, re-formatted fixed-width text
August 27, 2002: Deprecated caching DNS server workaround, updated Caldera statement
August 28, 2002: Updated ISC and Sun statements
September 9, 2002: Updated Compaq statement