SecurityTracker.com
Category:   Application (Generic)  >   BIND
Vendors:   ISC (Internet Software Consortium)
(NetBSD Issues Fix) BIND4 and BIND8 Multiple Bugs Let Remote Users Crash the Service or Execute Arbitrary Code
SecurityTracker Alert ID:  1005667
SecurityTracker URL:  http://securitytracker.com/id/1005667
CVE Reference:   CVE-2002-1219, CVE-2002-1220, CVE-2002-1221
Date:  Nov 20 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.3.3-REL and prior; 4.9.10-REL and prior
Description:   Several vulnerabilities were reported in BIND4 and BIND8 implementations of the Domain Name Service (DNS) protocol. A remote user can cause the service to crash. A remote user may be able to execute arbitrary code on the server.

Internet Security Systems reported that a remote user can cause the DNS service to execute arbitrary code or to crash, due to a buffer overflow vulnerability and two denial of service vulnerabilities.

A remote user with control of an authoritative DNS server may be able to cause BIND to cache certain DNS information if recursion is enabled on the target DNS server. According to the report, recursion is enabled by default. The remote user can then generate DNS responses containing malformed SIG resource records (RR) that can trigger a buffer overflow on the target server, executing the remote user's arbitrary code.

A remote user can also cause a BIND 8 server that is configured for recursion to crash through two separate flaws: one triggered by a large OPT payload and one caused by a null pointer dereference.

A remote user can reportedly request a DNS lookup on a nonexistent sub-domain of a valid domain name and attach a large OPT resource record to trigger the crash. Queries performed against domains with unreachable authoritative DNS servers may also cause the target server to crash.

A remote user with control of an authoritative name server can try to cause a target DNS server to cache SIG RR elements that have invalid expiry times. According to the report, these elements will be removed from the BIND internal database, but may be improperly referenced later, causing a denial of service condition.

According to the report, BIND9 is not affected.

Impact:   A remote user could execute arbitrary code on the server. A remote user could cause the server to crash.
Solution:   NetBSD has released a fix.

For NetBSD-current:

Systems running NetBSD-current dated from before 2002-11-15 should be upgraded to NetBSD-current dated 2002-11-15 or later.

The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):
dist/bind
usr.sbin/bind

To update from CVS, re-build, and re-install named:
# cd src
# cvs update -d -P dist/bind usr.sbin/bind

# cd usr.sbin/bind
# make obj dependall
# make install


For NetBSD 1.6:

Systems running NetBSD 1.6 dated from before 2002-11-16 should be upgraded to NetBSD 1.6 dated 2002-11-16 or later.

The following directories need to be updated from the netbsd-1-6 CVS branch:
dist/bind
usr.sbin/bind

To update from CVS, re-build, and re-install named:
# cd src
# cvs update -d -P -r netbsd-1-6 dist/bind usr.sbin/bind

# cd usr.sbin/bind
# make obj dependall
# make install


For NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

Systems running NetBSD 1.5, 1.5.1, 1.5.2 or 1.5.3 dated from before 2002-11-16 should be upgraded to NetBSD 1.5 dated 2002-11-16 or later.

The following directories need to be updated from the netbsd-1-5 CVS branch:
dist/bind
usr.sbin/bind

To update from CVS, re-build, and re-install named:
# cd src
# cvs update -d -P -r netbsd-1-5 dist/bind usr.sbin/bind

# cd usr.sbin/bind
# make obj dependall
# make install


For pkgsrc:

bind-4.9.10 and prior, as well as bind-8.3.3 and prior are vulnerable. Upgrade to bind-4.9.10nb1, or bind-8.3.3nb1 (or later).

Vendor URL:  www.isc.org/products/BIND/
Cause:   Boundary error, Input validation error, State error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  1.6, 1.5.3, 1.5.2, 1.5.1, 1.5

Message History:   This archive entry is a follow-up to the message listed below.
Nov 12 2002 BIND4 and BIND8 Multiple Bugs Let Remote Users Crash the Service or Execute Arbitrary Code



 Source Message Contents

Subject:  NetBSD Security Advisory 2002-029: named(8) multiple denial of service and remote execution of code


-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-029
		 =================================

Topic:		named(8) multiple denial of service and remote execution of code

Version:	NetBSD-current:	November 15, 2002
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		pkgsrc:	bind-4.9.10 and prior, bind-8.3.3 and prior

Severity:	Remote root compromise

Fixed:		NetBSD-current:		November 15, 2002
		NetBSD-1.6 branch:	November 16, 2002
		NetBSD-1.5 branch:	November 16, 2002
		pkgsrc:	bind-4.9.10nb1, bind-8.3.3nb1


Abstract
========

named(8) version 8.3.3, which is shipped with NetBSD, is vulnerable to
remote execution of malicious code, and multiple denial of service attacks. 


Technical Details
=================

http://www.isc.org/products/BIND/bind-security.html
See the sections named:	"BIND: Remote Execution of Code"
			and "BIND: Multiple Denial of Service"


Solutions and Workarounds
=========================

If you are not running named(8), your system is not affected.

BIND 9 is not affected by these vulnerabilities.  Upgrading to BIND 9 is
recommended. BIND 9 is available in the NetBSD Pkgsrc Collection
(pkgsrc/net/bind9).

Configuration files differ between BIND 8 and 9. Plan such a migration
appropriately.

BIND 8 servers with recursion disabled are not vulnerable to the `BIND SIG
Cached RR Overflow Vulnerability' nor to the `BIND SIG Expiry Time DoS'.
To disable recursion, edit the BIND 8 configuration file (default path
/etc/namedb/named.conf) to add `recursion no;' and `fetch-glue no;' to
the options statement as shown:

                options {
                    recursion no;
                    fetch-glue no;
                   /* ... other options ... */
                };
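
One way to confirm that the workaround is really in effect, shown as an
added example that is not part of the NetBSD advisory: the shell function
below reads a BIND 8 named.conf, discards comments and nested blocks, and
reports which of the two directives is absent from the options statement.
The function name, exit codes and sample file are assumptions made for
this example.

```shell
#!/bin/sh
# Added example (not from the NetBSD advisory): check that the options
# statement of a BIND 8 named.conf carries both workaround directives.
# Assumptions: only the literal "no" form shown in the advisory counts, and
# quoted strings in the file contain no comment markers.
check_bind8_workaround() {
    awk '
    { text = text $0 "\n" }
    END {
        # Remove /* ... */ comments, which may span several lines.
        while ((s = index(text, "/*")) > 0) {
            rest = substr(text, s + 2); e = index(rest, "*/")
            text = substr(text, 1, s - 1) " " (e ? substr(rest, e + 2) : "")
        }
        # Remove // and # comments up to the end of the line.
        gsub(/(\/\/|#)[^\n]*/, "", text)
        if (!match(text, /(^|[ \t\n;}])options[ \t\n]*[{]/)) {
            print "no options statement (recursion left at its default)"; exit 2
        }
        # Keep only text directly inside options { }, skipping nested blocks.
        depth = 0; body = ""
        for (i = RSTART + RLENGTH - 1; i <= length(text); i++) {
            c = substr(text, i, 1)
            if (c == "{") depth++
            else if (c == "}") { if (--depth == 0) break }
            else if (depth == 1) body = body c
        }
        missing = ""
        if (body !~ /(^|[; \t\n])recursion[ \t\n]+no[ \t\n]*;/) missing = missing " recursion"
        if (body !~ /(^|[; \t\n])fetch-glue[ \t\n]+no[ \t\n]*;/) missing = missing " fetch-glue"
        if (missing != "") { print "missing:" missing; exit 1 }
        print "ok"
    }' "$1"
}

# Constructed sample: "recursion no;" appears only inside a comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
    directory "/etc/namedb";
    /* recursion no; */
    forwarders { 192.0.2.1; };   // constructed address
    fetch-glue no;
};
EOF
check_bind8_workaround "$sample" || echo "workaround incomplete (status $?)"
rm -f "$sample"
```

Exit status is 0 when both directives are present, 1 when one is missing
and 2 when the file has no options statement at all.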



The following instructions describe how to upgrade your named
binaries by updating your source tree and rebuilding and
installing a new version of named.

Be sure to restart any running instance of named(8) after installation.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-11-15
	should be upgraded to NetBSD-current dated 2002-11-15 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		dist/bind
		usr.sbin/bind

	To update from CVS, re-build, and re-install named:
		# cd src
		# cvs update -d -P dist/bind usr.sbin/bind

		# cd usr.sbin/bind
		# make obj dependall
		# make install


* NetBSD 1.6:

	Systems running NetBSD 1.6 dated from before 2002-11-16 should
	be upgraded to NetBSD 1.6 dated 2002-11-16 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		dist/bind
		usr.sbin/bind

	To update from CVS, re-build, and re-install named:
		# cd src
		# cvs update -d -P -r netbsd-1-6 dist/bind usr.sbin/bind

		# cd usr.sbin/bind
		# make obj dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5, 1.5.1, 1.5.2 or 1.5.3 dated from before
	2002-11-16 should be upgraded to NetBSD 1.5 dated 2002-11-16 or
	later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		dist/bind
		usr.sbin/bind

	To update from CVS, re-build, and re-install named:
		# cd src
		# cvs update -d -P -r netbsd-1-5 dist/bind usr.sbin/bind

		# cd usr.sbin/bind
		# make obj dependall
		# make install


* pkgsrc

	bind-4.9.10 and prior, as well as bind-8.3.3 and prior are vulnerable.
	Upgrade to bind-4.9.10nb1, or bind-8.3.3nb1 (or later).


Thanks To
=========

FreeBSD Security-Officer, for portions of the workaround text.


Revision History
================

	2002-11-20	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-029.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-029.txt,v 1.7 2002/11/19 17:09:59 david Exp $


