ISC BIND SIG cached resource records (RR) heap buffer overflow

bind-sig-rr-bo (10304) The risk level is classified as High Risk

Description:

ISC BIND (Berkeley Internet Name Daemon) is vulnerable to a heap buffer overflow in the code that handles SIG resource records. A remote attacker in control of an authoritative DNS server could exploit this vulnerability by sending a response containing multiple SIG resource records (RR), causing the server to crash or allowing the attacker to gain complete control over the system.


Consequences:

Gain Access

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
BindSigRrBo
bind-sig-rr-bo

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
DNS_Bind_SIG_Overflow

Block or restrict the following Ports in the ISS Protection Platform as appropriate to the environment:
Port 53 - Note: blocking this port may break zone transfers

For Manual Protection:

Upgrade to the latest version of BIND (9.2.2 or later), available from the Internet Software Consortium Web site. See References.

—OR—

BIND administrators should consider upgrading to BIND 9. Please refer to the Internet Software Consortium Web site for information about updated versions of BIND or patches for BIND 4 and 8. See References.

As a workaround, for DNS servers that do not need recursive DNS functionality, it is recommended to disable recursion within the BIND configuration file:

BIND 8, named.conf:

    options {
        recursion no;
    };

BIND 4, named.boot:

    options no-recursion
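
To confirm that the recursion workaround above is actually in effect, the following added example (not part of the original advisory or of BIND) checks a configuration file for a live setting rather than a commented-out one. The function names and sample file contents are constructed for illustration; it assumes that named.boot comments start with ';' and that several options may share one 'options' line, and it accepts only the 'recursion no;' form shown above.

```python
import re

# Constructed sample files (not from any real server).
CONF_COMMENTED = """
options {
    directory "/var/named";
    // recursion no;
    allow-recursion { 192.0.2.0/24; };
};
"""
CONF_HARDENED = """
options {
    directory "/var/named";
    /* workaround until the upgrade is applied */
    recursion no;
};
"""
BOOT_HARDENED = "; constructed named.boot\ndirectory /var/named\noptions no-recursion\n"

def strip_comments(text):
    """Drop the /* */, // and # comment styles that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(conf):
    """Return the text inside the options { ... } block, or None if absent."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return None  # unbalanced braces

def recursion_disabled_bind8(named_conf):
    """True only if a live 'recursion no;' statement sits in the options block."""
    body = options_body(strip_comments(named_conf))
    if body is None:
        return False  # no options block, so the workaround is not in place
    # The lookbehind keeps 'allow-recursion' from matching.
    m = re.search(r"(?<![\w-])recursion\s+(\w+)\s*;", body)
    return bool(m) and m.group(1).lower() == "no"

def recursion_disabled_bind4(named_boot):
    """True if an 'options' line carries no-recursion (';' starts a comment)."""
    for line in named_boot.splitlines():
        fields = line.split(";", 1)[0].split()
        if fields[:1] == ["options"] and "no-recursion" in fields[1:]:
            return True
    return False
```

A file that only restricts recursion with allow-recursion, or that has the statement commented out, is reported as not hardened.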

Where disabling recursion is not possible, a temporary workaround exists that may protect perimeter DNS servers from the remote compromise vulnerability. Due to the nature and organization of stack variables, exploitation is much easier if the attack is embedded within TCP DNS traffic. It is unclear at this time whether this attack is possible with UDP traffic on certain architectures. The UDP protocol is used for most DNS-related queries and responses, except large responses and zone transfers between primary and secondary DNS servers. Therefore, perimeter DNS servers should be protected by filtering TCP port 53. This workaround will block the exploit technique demonstrated by X-Force, but it should be examined carefully to determine whether it will affect normal DNS functionality. It is meant as a temporary solution that offers some level of protection before a patch can be applied.

For FreeBSD:
Upgrade to the latest version of FreeBSD (4.7-STABLE or later) or to the RELENG_4_7 (4.7-RELEASE-p2), RELENG_4_6 (4.6-RELEASE-p4), RELENG_4_5 (4.5-RELEASE-p23), or RELENG_4_4 (4.4-RELEASE-p30) security branch dated after 2002-11-14, as listed in FreeBSD Security Advisory FreeBSD-SA-02:42.resolv. See References.

—OR—

Apply the patch for this vulnerability, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:43.bind. See References.

For SuSE Linux:
Upgrade to the latest Bind8 package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:044 for more information. See References.

SuSE Linux 8.1, 8.0 (Intel): 8.2.4-260 or later
SuSE Linux 7.3 (Intel): 8.2.4-261 or later
SuSE Linux 7.2, 7.1, 7.0 (Intel): 8.2.3-200 or later
SuSE Linux 7.3 (Sparc): 8.2.4-128 or later
SuSE Linux 7.1, 7.0 (Alpha): 8.2.3-139 or later
SuSE Linux 7.3 (Power PC): 8.2.4-200 or later
SuSE Linux 7.1, 7.0 (Power PC): 8.2.3-121 or later

For EnGarde Secure Linux Community Edition:
Upgrade to the latest bind-chroot package (8.2.6-1.0.29 or later), as listed in EnGarde Secure Linux Security Advisory 20021114-029. See References.

For Linux-Mandrake:
Upgrade to the latest BIND8 and BIND9 packages as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:077 : bind for more information. See References.

BIND8:
Linux-Mandrake 7.2 and Single Network Firewall: 8.3.3-2.1mdk or later

BIND9:
Linux-Mandrake 7.2 and Single Network Firewall: 9.2.1-2.3mdk or later

For Conectiva Linux containing the bind package:
Upgrade to the latest bind package, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:546 for more information. See References.

Conectiva Linux 6.0: 8.2.6-1U60_2cl or later

For Debian Linux:
Upgrade to the latest bind package, as listed below. Refer to DSA-196-1 for more information. See References.

Debian GNU/Linux 2.2 (potato): 8.2.3-0.potato.3 or later
Debian GNU/Linux 3.0 (woody): 8.3.3-2.0woody1 or later

For OpenPKG:
OpenPKG 1.0: 8.2.6-1.0.2 or later
OpenPKG 1.1: 8.3.3-1.1.1 or later

For Trustix Secure Linux 1.1, 1.2 and 1.5:
Upgrade to the latest bind package (8.2.6-2tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0076. See References.

For NetBSD-current:
Upgrade to the latest version of NetBSD-current (dated 2002-11-15 or later), as listed in NetBSD Security Advisory 2002-029. See References.

For NetBSD 1.6:
Upgrade to the latest version of NetBSD 1.6 (dated 2002-11-16 or later), as listed in NetBSD Security Advisory 2002-029. See References.

For NetBSD 1.5, 1.5.1, 1.5.2, and 1.5.3:
Upgrade to the latest version of the NetBSD 1.5 branch (dated 2002-11-16 or later), as listed in NetBSD Security Advisory 2002-029. See References.

For Caldera OpenLinux 3.1 and 3.1.1 (Workstation and Server):
Upgrade to the latest bind package (8.3.4-1 or later), as listed in SCO Security Advisory CSSA-2002-059.0. See References.

For Caldera OpenServer 5.0.5, 5.0.6, and 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory CSSA-2003-SCO.17.1. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Conectiva Linux 6.0
  • Debian Debian Linux 2.2
  • Debian Debian Linux 3.0
  • EngardeLinux Secure Linux
  • EngardeLinux Secure Professional
  • FreeBSD FreeBSD
  • HP HP-UX 10.20
  • HP HP-UX 11
  • IBM AIX 4
  • ISC BIND 4.9.10
  • ISC BIND 4.9.5
  • ISC BIND 4.9.6
  • ISC BIND 4.9.7
  • ISC BIND 4.9.8
  • ISC BIND 4.9.9
  • ISC BIND 8.2
  • ISC BIND 8.2.1
  • ISC BIND 8.2.2
  • ISC BIND 8.2.3
  • ISC BIND 8.2.4
  • ISC BIND 8.2.5
  • ISC BIND 8.2.6
  • ISC BIND 8.3.0
  • ISC BIND 8.3.1
  • ISC BIND 8.3.2
  • ISC BIND 8.3.3
  • MandrakeSoft Mandrake Linux 7.2
  • MandrakeSoft Mandrake Single Network Firewall 7.2
  • NetBSD NetBSD 1.5
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • NetBSD NetBSD 1.5.3
  • NetBSD NetBSD 1.6
  • NetBSD NetBSD CURRENT
  • Novell SuSE Linux Enterprise Server 7.0
  • OpenPKG OpenPKG 1.0
  • OpenPKG OpenPKG 1.1
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • SCO Caldera OpenLinux Server 3.1
  • SCO Caldera OpenLinux Server 3.1.1
  • SCO Caldera OpenLinux Workstation 3.1
  • SCO Caldera OpenLinux Workstation 3.1.1
  • SCO Caldera OpenServer 5.0.5
  • SCO Caldera OpenServer 5.0.6
  • SCO Caldera OpenServer 5.0.7
  • Sun Solaris 2.6
  • Sun Solaris 7.0
  • Sun Solaris 8
  • SuSE SuSE eMail Server III
  • SUSE SuSE Linux 7.0
  • SUSE SuSE Linux 7.1
  • SUSE SuSE Linux 7.2
  • SUSE SuSE Linux 7.3
  • SUSE SuSE Linux 8.0
  • SUSE SuSE Linux 8.1
  • SuSE SuSE Linux Connectivity Server
  • SuSE SuSE Linux Database Server
  • SuSE SuSE Linux Office Server
  • Trustix Secure Linux 1.1
  • Trustix Secure Linux 1.2
  • Trustix Secure Linux 1.5

Reported:

Nov 12, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
