Bind Security Vulnerabilities Roundup

1) Original advisory on this topic
2) Vendor response (Internet Software Consortium)
3) Security advisories by Linux vendors
4) Additional information

Original advisory on this topic

Brief description: ISS X-Force has discovered several serious vulnerabilities in the Berkeley Internet Name Domain Server (BIND). BIND is the most common implementation of the DNS (Domain Name Service) protocol, which is used on the vast majority of DNS servers on the Internet. DNS is a vital Internet protocol that maintains a database of easy-to-remember domain names (host names) and their corresponding numerical IP addresses.

Vulnerability descriptions can be seen from the ISS X-Force advisory:
http://www.net-security.org/vuln.php?id=2215

Affected Versions:

BIND SIG Cached RR Overflow Vulnerability

BIND 8, versions up to and including 8.3.3-REL
BIND 4, versions up to and including 4.9.10-REL

BIND OPT Denial of Service Vulnerability

BIND 8, versions 8.3.0 up to and including 8.3.3-REL

BIND SIG Expiry Time Denial of Service Vulnerability

BIND 8, versions up to and including 8.3.3-REL

Vendor response (Internet Software Consortium)

Name: “BIND: Remote Execution of Code”
Versions affected: BIND 4.9.5 to 4.9.10
BIND 8.1, 8.2 to 8.2.6, 8.3.0 to 8.3.3
Severity: SERIOUS
Exploitable: Remotely
Type: Possibility to execute arbitrary code.

Description:
When constructing a response containing SIG records a incorrect space allows a write buffer overflow. It is then possible to execute code with the privileges of named.

Workarounds:
Disable recursion if possible.

Patches:

BIND 8.3.3 – bind833.diff
BIND 8.2.6 – bind826.diff
BIND 4.9.10 – bind4910.diff

CERT Advisory

CERT Advisory CA-2002-31 – Multiple Vulnerabilities in BIND

http://www.net-security.org/advisory.php?id=1277

Security advisories by Linux vendors

FreeBSD (FreeBSD-SA-02:43.bind)
http://www.net-security.org/advisory.php?id=1270
(see “Additional Information” section for changed patching steps)

FreeBSD (FreeBSD-SA-02:43.bind – revised)
http://www.net-security.org/advisory.php?id=1293
(this is the revised FreeBSD advisory that fixes the patching steps mentioned above)

Engarde Secure Linux (ESA-20021114-029)
http://www.net-security.org/advisory.php?id=1273

SuSE Linux (SuSE-SA:2002:044)
http://www.net-security.org/advisory.php?id=1278

Red Hat Linux (Security Alert)
http://www.net-security.org/advisory.php?id=1279

Conectiva Linux (CLA-2002:546)
http://www.net-security.org/advisory.php?id=1280

Debian Linux (DSA 196-1)
http://www.net-security.org/advisory.php?id=1281

Mandrake Linux (MDKSA-2002:077)
http://www.net-security.org/advisory.php?id=1282

Trustix Secure Linux (#2002-0076)
http://www.net-security.org/advisory.php?id=1300

OpenPKG (OpenPKG-SA-2002.011)
http://www.net-security.org/advisory.php?id=1295

NetBSD (2002-029)
http://www.net-security.org/advisory.php?id=1314

OpenBSD (Patches available)

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/005_named.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/019_named.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/036_named.patch

Additional information

Crispin Cowan, Chief Scientist at WireX said on Immunix-users mailing list: “Those lovely folks at ISC (who maintain BIND) and ISS (who discovered the bug) decided that it was a good idea to release this security advisory a week ahead of releasing the patches, and without revealing what the problems actually are. We will release RPMs and an analysis of how vulnerable Immunix versions are, as soon as it is possible.”

Alexandr Kovalenko noted on freebsd-security mailing list that some of the instructions noted in FreeBSD’s security advisory are incorrect. The steps should go like this:

# cd /usr/src
# patch < /patch/to/patch
# cd /usr/src/lib/libbind
# make depend && make && make install
# cd /usr/src/lib/libisc
# make depend && make && make install
# cd /usr/src/usr.sbin/named
# make depend && make && make install
# cd /usr/src/libexec/named-xfer
# make depend && make && make install

Openwall Project web site (www.openwall.com) notes that BIND 4.9.10-OW2 includes the patch provided by ISC and is likely to become 4.9.11-OW1 once BIND 4.9.11 is officially released.

Alan Olsen from Wirex send a post to immunix-users mailing list that he built new Bind 9 RPM’s but they are not tested and should be used at your own risk:

“They are built off of the latest patched Redhat RPMs, so they should work. But be warned that if they cause your cat to go bald, paint to peel off your house or you mother-in-law to move in with you, well…

http://download.immunix.org/ImmunixOS/7+-beta/contrib/

bind-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 1.7M
bind-9.2.1-0.70.2_imnx_1.src.rpm 13-Nov-2002 14:44 3.8M
bind-devel-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 860k
bind-utils-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 601k

They are not gpg signed at the moment. They probably should be. They are not official, so I have not signed them… That may change, depending on the feedback I get.”

Olaf Kirch from SuSE Linux team noted on BugTraq that “…I believe ISC have been sitting on this for almost a month. The CVE IDs were assigned October 16, and I have reason to believe that they learned of this no later than October 23.” Read his opinion over at Neohapsis archives.