CERT-SEI

Multiple Vulnerabilities in BIND

Original release date: January 29, 2001
Last revised: August 07, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Domain Name System (DNS) Servers running various versions of ISC BIND (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is not affected) and derivatives. Because the normal operation of most services on the Internet depends on the proper operation of DNS servers, other services could be impacted if these vulnerabilities are exploited.

Overview

The CERT/CC has recently learned of four vulnerabilities spanning multiple versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. BIND is an implementation of the Domain Name System (DNS) that is maintained by the ISC. Because the majority of name servers in operation today run BIND, these vulnerabilities present a serious threat to the Internet infrastructure.

Three of these vulnerabilities (VU#196945, VU#572183, and VU#868916) were discovered by the COVERT Labs at PGP Security, who have posted an advisory regarding these issues at

http://www.pgp.com/research/covert/advisories/047.asp

The fourth vulnerability (VU#325431) was discovered by Claudio Musmarra.

The Internet Software Consortium has posted information about all four vulnerabilities at

http://www.isc.org/products/BIND/bind-security.html

I. Description

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code

During the processing of a transaction signature (TSIG), BIND 8 checks for the presence of TSIGs that fail to include a valid key. If such a TSIG is found, BIND skips normal processing of the request and jumps directly to code designed to send an error response. Because the error-handling code initializes variables differently than in normal processing, it invalidates the assumptions that later function calls make about the size of the request buffer.

Once these assumptions are invalidated, the code that adds a new (valid) signature to the response may overflow the request buffer and overwrite adjacent memory on the stack or the heap. When combined with other buffer overflow exploitation techniques, an attacker can gain unauthorized privileged access to the system, allowing the execution of arbitrary code.
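A defender-side parser for the request shape described above, added here as an example and not code from BIND or from this advisory: it walks a DNS message, locates a TSIG RR in the additional section, and classifies the request by whether its key name is one the server has configured, which is what an operator would log in order to notice requests that would take the key-missing error path. The sample messages and key names are constructed inline and are placeholders.

```python
import struct
TSIG_TYPE = 250  # RR type for TSIG (RFC 2845); carried in the additional section

def read_name(msg, off):
    """Decode a wire-format name at msg[off]; returns (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        if length & 0xC0 == 0xC0:  # compression pointer: allowed backwards only, so loops are rejected
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward or self-referencing compression pointer")
            end = end if jumped else off + 2
            jumped, off = True, ptr
            continue
        if length > 63 or off + 1 + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def parse_rr(msg, off):
    """Parse one resource record; returns (owner, type, rdata, offset after the RR)."""
    owner, off = read_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])  # struct.error if truncated
    rdata = msg[off + 10:off + 10 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated rdata")
    return owner, rtype, rdata, off + 10 + rdlen

def find_tsig(msg):
    """Return (key name, algorithm) for a TSIG RR in the additional section, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):              # question: name + qtype + qclass
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns):
        off = parse_rr(msg, off)[3]
    for _ in range(ar):
        owner, rtype, rdata, off = parse_rr(msg, off)
        if rtype == TSIG_TYPE:
            return owner, read_name(rdata, 0)[0]  # TSIG rdata begins with the algorithm name
    return None

def triage(msg, configured_keys):
    """Classify a request for logging: 'no-tsig', 'tsig-known-key' or 'tsig-unknown-key'."""
    found = find_tsig(msg)
    if found is None:
        return "no-tsig"
    known = {k.lower().rstrip(".") for k in configured_keys}
    return "tsig-known-key" if found[0].lower() in known else "tsig-unknown-key"

def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split(".")) + b"\x00"

def build_query(qname, keyname=None):
    """Constructed sample (not captured traffic): an A query, optionally with a TSIG RR whose MAC is empty."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if keyname else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    if keyname:
        # TSIG rdata: algorithm name, 48-bit time signed, fudge, MAC size 0, original id, error, other len
        rdata = encode_name("hmac-md5.sig-alg.reg.int") + b"\x00" * 6 + struct.pack("!HHHHH", 300, 0, 0x1234, 0, 0)
        msg += encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, 255, 0, len(rdata)) + rdata
    return msg
```

Logging the "tsig-unknown-key" class per source address is the useful signal; a server that never configured TSIG keys should see none of them.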

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

The vulnerable buffer is a locally defined character array used to build an error message intended for syslog. Attackers attempting to exploit this vulnerability could do so by sending a specially formatted DNS query to affected BIND 4 servers. If properly constructed, this query could be used to disrupt the normal operation of the DNS server process, resulting in either denial of service or the execution of arbitrary code.

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()

The vulnerable buffer is a locally defined character array used to build an error message intended for syslog. Attackers attempting to exploit this vulnerability could do so by sending a specially formatted DNS query to affected BIND 4 servers. If properly constructed, this query could be used to disrupt the normal operation of the DNS server process, resulting in the execution of arbitrary code.

This vulnerability was patched by the ISC in an earlier version of BIND 4, most likely BIND 4.9.5-P1. However, there is strong evidence to suggest that some third party vendors who redistribute BIND 4 have not included these changes in their BIND packages. Therefore, the CERT/CC recommends that all users of BIND 4 or its derivatives base their distributions on BIND 4.9.8.

VU#325431 - Queries to ISC BIND servers may disclose environment variables

This vulnerability is an information leak in the query processing code of both BIND 4 and BIND 8 that allows a remote attacker to access the program stack, possibly exposing program and/or environment variables. This vulnerability is triggered by sending a specially formatted query to vulnerable BIND servers.

NOTE: Frequently asked questions regarding these vulnerabilities can be found in Appendix B.

II. Impact

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code

This vulnerability may allow an attacker to execute code with the same privileges as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

This vulnerability can disrupt the proper operation of the BIND server and may allow an attacker to execute code with the privileges of the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()

This vulnerability may allow an attacker to execute code with the privileges of the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.

VU#325431 - Queries to ISC BIND servers may disclose environment variables

This vulnerability may allow attackers to read information from the program stack, possibly exposing environment variables. In addition, the information obtained by exploiting this vulnerability may aid in the development of exploits for VU#572183 and VU#868916.

III. History

Since 1997, the CERT/CC has published twelve documents describing vulnerabilities or exploitation of vulnerabilities in BIND with information and advice on upgrading and preventing compromises. Unfortunately, many system and network administrators still have not upgraded their versions of BIND, making them susceptible to a number of vulnerabilities. Prior vulnerabilities in BIND have been widely exploited by intruders.

For example, on November 10, 1999, the CERT/CC published CA-1999-14, which detailed multiple vulnerabilities in BIND. The CERT/CC continued to receive reports of compromises based on those vulnerabilities through December 2000. On April 8, 1998, the CERT/CC published CA-1998-05; reports of compromises based on the vulnerabilities described therein continued through November of 1998.

The following graph shows the number of incidents reported to the CERT/CC regarding BIND NXT record (VU#16532) exploits after the publication of CA-1999-14:

[Graph omitted: Incidents By Month Involving the BIND NXT Record Vulnerability (VU#16532)]

Based on this past experience, the CERT/CC expects that intruders will quickly begin developing and using intruder tools to compromise machines. It is important for IT and security managers to ensure that their organizations are properly protected before the expected widespread exploitation happens.

Exploitation

The vulnerabilities described in VU#196945, VU#572183, and VU#868916 have been successfully exploited by COVERT Labs in a laboratory environment. To the best of our knowledge, these vulnerabilities have not been publicly exploited.

IV. Solution

Apply a patch from your vendor

The ISC has released BIND versions 4.9.8 and 8.2.3 to address these security issues. The CERT/CC recommends that users of BIND 4.9.x or 8.2.x upgrade to BIND 4.9.8, BIND 8.2.3, or BIND 9.1.

Because BIND 4 is no longer actively maintained, the ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1. Upgrading to one of these versions will also provide functionality enhancements that are not related to security.
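An inventory check for the version ranges this advisory names, added here as an example and not a tool from the ISC or the CERT/CC: it parses BIND version strings of the forms that appear in this document (plain releases, "-P" patch levels, and "-T" betas such as the 8.2.3 betas FreeBSD mentions) and flags anything older than 4.9.8 or 8.2.3 for its major version, treating 9.x as not affected. The host list is constructed; `dig version.bind chaos txt` is the usual source of the string, but many servers mask it, so package inventories should be checked as well.

```python
import re

# Fixed releases named in this advisory: BIND 4.9.8 and 8.2.3. BIND 9.x is not affected.
# Tuple layout: (major, minor, patch, released, patchlevel); a beta has released=0 and sorts before the release.
FIXED = {4: (4, 9, 8, 1, 0), 8: (8, 2, 3, 1, 0)}

SAMPLE_HOSTS = {  # constructed inventory, not real hosts
    "ns1.example.test": "8.2.2-P5",
    "ns2.example.test": "4.9.4-P1",
    "ns3.example.test": "9.1.0",
    "ns4.example.test": "8.2.3",
}

def parse_bind_version(text):
    """Parse '4.9.4-P1', '8.2.2-p5', '8.2.3-T6B' (beta), '"9.1.0"' (quoted TXT) into a comparable tuple."""
    m = re.match(r'^\s*"?(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:[Pp](\d+)|(T\w*)))?', text)
    if not m:
        raise ValueError(f"unrecognized BIND version string: {text!r}")
    major, minor, patch, plevel, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(plevel or 0))

def needs_upgrade(text):
    """True if the reported version is older than the fixed release for its major version."""
    v = parse_bind_version(text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # BIND 9.x is not affected; other majors are outside this advisory's scope
    return v < fixed

def triage_inventory(hosts):
    """hosts: {hostname: version string}; returns only the entries that need an upgrade."""
    return {h: v for h, v in hosts.items() if needs_upgrade(v)}
```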

The BIND 4.9.8 and 8.2.3 distributions can be downloaded from

ftp://ftp.isc.org/isc/bind/src/

The BIND 9.1 distribution can be downloaded from

ftp://ftp.isc.org/isc/bind9/

Appendix A contains information supplied by ISC and distributors of BIND. Depending on your local processes, procedures, and expertise, you may wish to obtain updates from the ISC or from an operating system vendor who redistributes BIND.

Use Strong Cryptography to Authenticate Services

Services and transactions that rely exclusively on the DNS system for authentication are inherently weak. We encourage organizations to use strong cryptography to authenticate services and transactions where possible. One common use of strong cryptography is the use of SSL in authenticating and encrypting electronic commerce transactions over the web. In addition to this use, we encourage organizations to use SSL, PGP, S/MIME, SSH, and other forms of strong cryptography to distribute executable content, secure electronic mail, distribute important information, and protect the confidentiality of all kinds of data traversing the Internet.

Use Split Horizon DNS to Minimize Impact

It may also be possible to minimize the impact of the exploitation of these vulnerabilities by configuring your DNS environment to separate DNS servers used for the public dissemination of information about your hosts from the DNS servers used by your internal hosts to connect to other hosts on the Internet. Frequently, different security policies can be applied to these servers such that even if one server is compromised the other server will continue to function normally. Split horizon DNS configuration may also have other security benefits.

References

CERT/CC Vulnerability Notes

To read more about the vulnerabilities described in this document, please visit the CERT/CC Vulnerability Notes Database:

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
http://www.kb.cert.org/vuls/id/196945
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
http://www.kb.cert.org/vuls/id/572183
VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
http://www.kb.cert.org/vuls/id/868916
VU#325431 - Queries to ISC BIND servers may disclose environment variables
http://www.kb.cert.org/vuls/id/325431

Common Vulnerabilities and Exposures

To cross-reference CERT/CC VU numbers with other vendor documents via CVE, please visit

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0010
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0011
VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0013
VU#325431 - Queries to ISC BIND servers may disclose environment variables
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0012

Historical References

For information on historical issues involving BIND vulnerabilities and compromises, please visit

CERT Advisory CA-2000-20 Multiple Denial-of-Service Problems in ISC BIND
http://www.cert.org/advisories/CA-2000-20.html
CERT Advisory CA-2000-03 Continuing Compromises of DNS servers
http://www.cert.org/advisories/CA-2000-03.html
CERT Advisory CA-1999-14 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-1999-14.html
CERT Advisory CA-1998-05 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-1998-05.html
CERT Advisory CA-1997-22 BIND - The Berkeley Internet Name Daemon
http://www.cert.org/advisories/CA-1997-22.html

Rob Thomas's Secure BIND Template

Rob Thomas has published the "Secure BIND Template Version 2.0," a document providing guidelines to help network and system administrators build and maintain secure BIND configurations. For more information, please visit

http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html

Transaction Signatures

For more information on transaction signatures, please visit

RFC 2535: Domain Name System Security Extensions
http://www.ietf.org/rfc/rfc2535.txt
RFC 2845: Secret Key Transaction Authentication for DNS (TSIG)
http://www.ietf.org/rfc/rfc2845.txt

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Caldera Systems

OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable.

Update packages will be provided at

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4

Compaq Computer Corporation

COMPAQ COMPUTER CORPORATION
------------------------------------------------------------------------------------
  VU#325431 - INFOLEAK: servers may disclose environment variables
            X-REF: SSRT1-66U, SSRT1-68U, SSRT1-69U
------------------------------------------------------------------------------------
    Compaq Tru64 UNIX V5.1 -
           V5.1  patch: SSRT1-66U_v5.1.tar.Z

    Compaq Tru64 UNIX V5.0 & V5.0a -
           V5.0  patch: SSRT1-68U_v5.0.tar.Z
           V5.0a patch: SSRT1-68U_v5.0a.tar.Z

    Compaq Tru64 UNIX V4.0D/F/G -
           V4.0d patch: SSRT1-69U_v4.0d.tar.Z
           V4.0f patch: SSRT1-69U_v4.0f.tar.Z
           V4.0g patch: SSRT1-69U_v4.0g.tar.Z

    TCP/IP Services for Compaq OpenVMS - Not Vulnerable

------------------------------------------------------------------------------------
  VU#572183 - BIND 4 Buffer overflow in nslookupComplain()
            X-REF: SSRT1-69U
  VU#868916 - BIND 4 Input validation error in nslookupComplain()
            X-REF: SSRT1-69U
------------------------------------------------------------------------------------
    Compaq Tru64 UNIX V5.1, V5.0, V5.0a - Not Vulnerable
    Compaq Tru64 UNIX V4.0D/F/G -
           V4.0d patch: SSRT1-69U_v4.0d.tar.Z
           V4.0f patch: SSRT1-69U_v4.0f.tar.Z
           V4.0g patch: SSRT1-69U_v4.0g.tar.Z
    TCP/IP Services for Compaq OpenVMS - Not Vulnerable
------------------------------------------------------------------------------------
  VU#196945 - BIND 8 contains buffer overflow in transaction signature handling code
            X-REF: SSRT1-66U, SSRT1-68U
------------------------------------------------------------------------------------
    Compaq Tru64 UNIX V5.1 -
           V5.1  patch: SSRT1-66U_v5.1.tar.Z
    Compaq Tru64 UNIX V5.0 & V5.0a -
           V5.0  patch: SSRT1-68U_v5.0.tar.Z
           V5.0a patch: SSRT1-68U_v5.0a.tar.Z

    Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable

    TCP/IP Services for Compaq OpenVMS - Not Vulnerable
------------------------------------------------------------------------------------
    Compaq will provide notice of the completion/availability of the
    patches through AES services (DIA, DSNlink FLASH), the Security
    mailing list (**), and be available from your normal Compaq Support
    channel.

    **You may subscribe to the Security mailing list at:

        http://www.support.compaq.com/patches/mailing-list.shtml

    Software Security Response Team
    COMPAQ COMPUTER CORPORATION
------------------------------------------------------------------------------------

djbdns

djbdns has none of these bugs, has never used any BIND-derived code, and is covered by a security guarantee. See http://cr.yp.to/djbdns.html.

FreeBSD, Inc.

No supported version of FreeBSD contains BIND 4.x, so this does not affect us. We currently ship betas of 8.2.3 in the FreeBSD 4.x release branch, and will be upgrading to 8.2.3 once it is released.

[CERT/CC Addendum: FreeBSD has published an advisory regarding this issue at ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc]

Hewlett-Packard Company

Patches are available, see HP Security Bulletin #144.

[CERT/CC Addendum: To locate this HP Security Bulletin online, please visit http://itrc.hp.com and search for "HPSBUX0102-144". Please note that registration may be required to access this document.]

IBM Corporation

IBM has posted an emergency fix for all four of the vulnerabilities described in this Advisory.

This fix can be downloaded from ftp://ftp.software.ibm.com/aix/efixes/security. The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation instructions and other important information are given in the README file that is included in the tarball.

The official fix for the four BIND4 and BIND8 vulnerabilities will be in APAR #IY16182.

AIX Security Response Team
IBM Austin

Microsoft Corporation

Microsoft's implementation of DNS is not based on BIND, and is not affected by this vulnerability.

NetBSD

Please see NetBSD-SA2001-001, "Security vulnerabilities in BIND" at:

ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-001.txt.asc

OpenBSD

Please see OpenBSD 2.8 release errata "018: SECURITY FIX: Jan 29, 2001" at

http://www.openbsd.org/errata.html#named

RedHat

Please see RHSA-2001-007 and associated bug reports at:

http://www.redhat.com/support/errata/RHSA-2001-007.html
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25209

SGI

SGI's IRIX (tm) operating system contains base BIND 4.9.7 with SGI modifications. IRIX BIND 4.9.7 is vulnerable to buffer overflow in nslookupComplain() [VU#572183]. Patches are forthcoming and will be released with an advisory to http://www.sgi.com/support/security/ when available.

Sun Microsystems, Inc.

CERT Advisory CA-2001-02 describes four vulnerabilities in certain versions of BIND. The four vulnerabilities are listed below along with the affected versions of Solaris and the version of BIND shipped with each version of Solaris.

VU#196945 - ISC BIND 8 contains buffer overflow in transaction
            signature (TSIG) handling code
    Solaris 8 04/01* (BIND 8.2.2-p5)
    Solaris 8 Maintenance Update 4* (BIND 8.2.2-p5)
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 2.5.1** (BIND 4.9.3)
VU#868916 - ISC BIND 4 contains input validation error in
            nslookupComplain()
    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 2.5.1** (BIND 4.9.3)
VU#325431 - Queries to ISC BIND servers may disclose environment variables
    Solaris 2.4, 2.5 (BIND 4.8.3)
    Solaris 2.5.1** (BIND 4.9.3 and BIND 4.8.3)
    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 7 and 8 (BIND 8.1.2)

*  To determine if one is running Solaris 8 04/01 or Solaris 8 Maintenance
   Update 4, check the contents of the /etc/release file.
** Solaris 2.5.1 ships with BIND 4.8.3 but patch 103663-01 for SPARC and
   103664-01 for x86 upgrades BIND to 4.9.3, current revision for each
   patch is -17.

List of Patches

The following patches are available in relation to the above problems.

OS Version               Patch ID
__________               _________
SunOS 5.8                109326-04
SunOS 5.8_x86            109327-04
SunOS 5.7                107018-03
SunOS 5.7_x86            107019-03
SunOS 5.6                105755-10
SunOS 5.6_x86            105756-10
SunOS 5.5.1              103663-16
SunOS 5.5.1_x86          103664-16
SunOS 5.5                103667-12
SunOS 5.5_x86            103668-12
SunOS 5.4                102479-14
SunOS 5.4_x86            102480-12

Appendix B. - Frequently Asked Questions

This appendix addresses questions that have been raised since this advisory was originally published.

What is the Berkeley Internet Name Domain (BIND)?

BIND is the most commonly used implementation of DNS software. Every organization attached to the Internet depends on the DNS system to allow users to access services. When users connect to web sites, transfer files, or send email, they use domain names, such as "cert.org". Their computers, using DNS servers, translate those host names into IP addresses, such as 10.21.30.5, in order for the computers to communicate.

To whom is this advisory directed?

This advisory is primarily directed to IT managers and system administrators responsible for running DNS services with BIND software.

I'm a home user - do I need to worry about this advisory?

Home users are affected by this problem, but they typically rely upon an ISP for DNS service. These users may wish to contact their service provider to draw attention to these issues.

However, users running Linux or other UNIX variants on their machines need to verify if a vulnerable version of BIND is installed; if so they need to disable or upgrade this software. Several UNIX/Linux operating systems install DNS servers by default. Thus, some users might be running this service, even if they did not specifically configure it.

Is this vulnerability being actively exploited?

We are not aware of any active exploitation of these BIND vulnerabilities. However, based on past experience, we expect that intruders will quickly begin developing and using intruder tools to compromise machines.

Is the timing of your advisory in any way related to the problems at Microsoft's site?

No, we believe that the recent activity at Microsoft is unrelated. You should contact Microsoft if you have any questions related to their systems and services.

Should I switch from BIND to another type of DNS software?

As a federally funded research and development center (FFRDC), we cannot recommend products and services. We encourage each organization to choose and test products best suited to their needs.


The CERT/CC thanks the COVERT Labs at PGP Security for discovering and analyzing three of these vulnerabilities (VU#196945, VU#572183, and VU#868916) and Claudio Musmarra for discovering the infoleak vulnerability (VU#325431). We also thank the Internet Software Consortium for providing patches to fix the vulnerabilities.


This document was written by Jeffrey P. Lanza, Cory Cohen, Roman Danyliw, Ian Finlay, Shawn Hernan, and Quinn R. Peyton.

Copyright 2001 Carnegie Mellon University.

Revision History

Jan 29, 2001: Initial release
Jan 30, 2001: Added Microsoft vendor statement
Jan 30, 2001: Added OpenBSD vendor statement
Feb 02, 2001: Added revised IBM vendor statement
Feb 02, 2001: Modified exploitation comments
Feb 02, 2001: Added reference Secure BIND Template
Feb 02, 2001: Added Frequently Asked Questions as Appendix B
Feb 05, 2001: Added information about djbdns
Feb 06, 2001: Updated and added several vendor statements
Feb 15, 2001: Removed initial OpenBSD vendor statement
Feb 15, 2001: Added several vendor statements: NetBSD, OpenBSD, RedHat, SGI
Apr 04, 2001: Updated Compaq vendor statement
May 10, 2001: Updated HP statement
Aug 07, 2001: Updated Sun vendor statement