ISC BIND SIG null pointer dereference denial of service
bind-null-dereference-dos (10333)
Description:
ISC BIND (Berkeley Internet Name Daemon) is vulnerable to a denial of service attack. A remote attacker in control of an authoritative DNS server could cause vulnerable BIND 8 servers to attempt to cache SIG resource records (RR) with invalid expiry times. These are removed from the BIND internal database, but later improperly referenced, leading to a denial of service.
Consequences:
Denial of Service
Remedy:
Upgrade to the latest version of BIND (9.2.2 or later), available from the Internet Software Consortium Web site. See References.
—OR—
BIND administrators should consider upgrading to BIND 9. Please refer to the Internet Software Consortium Web site for information about updated versions of BIND or patches for BIND 8. See References.
As a workaround for DNS servers that do not need recursive DNS functionality, it is recommended to disable recursion within the BIND configuration file:
BIND 8, named.conf:
    options {
        recursion no;
    };
BIND 4, named.boot:
    options no-recursion
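An added example, not part of the original advisory or of ISC's code: a Python check that the recursion workaround above is actually in effect, and that an upstream version string falls in the affected range this page quotes (BIND 8.x through 8.3.3). The function names and the sample configuration are assumptions made for illustration; vendor packages with backported fixes should be compared against the package versions listed below instead.

```python
import re

LAST_AFFECTED = (8, 3, 3)  # CVE-2002-1221 as quoted on this page: BIND 8.x through 8.3.3

def is_affected(version_text):
    """True for an upstream BIND 8 version at or below 8.3.3, e.g. '8.2.2-P5'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_text)
    if not m:
        raise ValueError("no version number in %r" % version_text)
    version = tuple(int(g or 0) for g in m.groups())
    return version[0] == 8 and version <= LAST_AFFECTED

def options_body(conf):
    """Return the text inside 'options { ... }', tracking nested braces."""
    # named.conf accepts /* */, // and # comments; drop them first.
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return ""  # unbalanced braces: treat as no usable options block

def recursion_disabled_bind8(named_conf):
    """True only if the options block itself carries 'recursion no;'."""
    body = options_body(named_conf)
    return re.search(r"(?<![-\w])recursion\s+no\s*;", body) is not None

def recursion_disabled_bind4(named_boot):
    """True if an 'options' directive in named.boot lists no-recursion."""
    for line in named_boot.splitlines():
        tokens = line.split(";", 1)[0].split()  # ';' starts a comment
        if tokens[:1] == ["options"] and "no-recursion" in tokens[1:]:
            return True
    return False

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """
options {
    directory "/var/named";
    forwarders { 192.0.2.1; };   // nested block before the setting
    # recursion no;   <- commented out, so the workaround is NOT active
};
"""
```

The sample shows the case a plain text search gets wrong: the string "recursion no;" is present in the file, but only inside a comment.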
Where disabling recursion is not possible, a temporary workaround exists that may protect perimeter DNS servers from the remote compromise vulnerability. Due to the nature and organization of stack variables, exploitation is much easier if the attack is embedded within TCP DNS traffic. It is unclear at this time if this attack is possible with UDP traffic on certain architectures. The UDP protocol is used for most DNS-related queries and responses, except large responses and zone transfers between primary and secondary DNS servers. Therefore, perimeter DNS servers should be protected by filtering TCP port 53. This workaround will block the exploit technique demonstrated by X-Force, but this solution should be examined carefully to determine whether it will affect normal DNS functionality. This workaround is meant as a temporary solution to offer some level of protection before a patch can be applied.
For FreeBSD:
Upgrade to the latest version of FreeBSD (4.7-STABLE or later) or RELENG_4_7 (4.7-RELEASE-p2), or RELENG_4_6 (4.6-RELEASE-p4), or RELENG_4_5 (4.5-RELEASE-p23), or RELENG_4_4 (4.4-RELEASE-p30 dated after 2002-11-14 security branch), as listed in FreeBSD Security Advisory FreeBSD-SA-02:42.resolv. See References.
—OR—
Apply the patch for this vulnerability, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:43.bind. See References.
For SuSE Linux:
Upgrade to the latest Bind8 package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:044 for more information. See References.
SuSE Linux 8.1, 8.0 (Intel): 8.2.4-260 or later
SuSE Linux 7.3 (Intel): 8.2.4-261 or later
SuSE Linux 7.2, 7.1, 7.0 (Intel): 8.2.3-200 or later
SuSE Linux 7.3 (Sparc): 8.2.4-128 or later
SuSE Linux 7.1, 7.0 (Alpha): 8.2.3-139 or later
SuSE Linux 7.3 (Power PC): 8.2.4-200 or later
SuSE Linux 7.1, 7.0 (Power PC): 8.2.3-121 or later
For Linux-Mandrake:
Upgrade to the latest BIND8 and BIND9 packages, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:077 : bind for more information. See References.
BIND8:
Linux-Mandrake 7.2 and Single Network Firewall: 8.3.3-2.1mdk or later
BIND9:
Linux-Mandrake 7.2 and Single Network Firewall: 9.2.1-2.3mdk or later
For Conectiva Linux:
Upgrade to the latest bind package, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:546 for more information. See References.
Conectiva Linux 6.0: 8.2.6-1U60_2cl or later
For Debian GNU/Linux:
Upgrade to the latest bind package, as listed below. Refer to DSA-196-1 for more information. See References.
Debian GNU/Linux 2.2 (potato): 8.2.3-0.potato.3 or later
Debian GNU/Linux 3.0 (woody): 8.3.3-2.0woody1 or later
For OpenPKG:
Upgrade to the latest bind package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.011 for more information. See References.
OpenPKG 1.0: 8.2.6-1.0.2 or later
OpenPKG 1.1: 8.3.3-1.1.1 or later
For EnGarde Secure Linux Community Edition:
Upgrade to the latest bind-chroot package (8.2.6-1.0.29 or later), as listed in EnGarde Secure Linux Security Advisory 20021114-029. See References.
For Trustix Secure Linux 1.1, 1.2 and 1.5:
Upgrade to the latest bind package (8.2.6-2tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0076. See References.
For NetBSD-current:
Upgrade to the latest version of NetBSD-current (dated 2002-11-15 or later), as listed in NetBSD Security Advisory 2002-029. See References.
For NetBSD 1.6:
Upgrade to the latest version of NetBSD 1.6 (dated 2002-11-16 or later), as listed in NetBSD Security Advisory 2002-029. See References.
For NetBSD 1.5, 1.5.1, 1.5.2, and 1.5.3:
Upgrade to the latest version of the NetBSD 1.5 branch (dated 2002-11-16 or later), as listed in NetBSD Security Advisory 2002-029. See References.
For Caldera OpenLinux 3.1 and 3.1.1 (Workstation and Server):
Upgrade to the latest bind package (8.3.4-1 or later), as listed in SCO Security Advisory CSSA-2002-059.0. See References.
For Caldera OpenServer 5.0.5, 5.0.6, and 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory CSSA-2003-SCO.17.1. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, 2002-11-12 19:27:53: [Fwd: Notice of serious vulnerabilities in ISC BIND 4 & 8].
- CERT Advisory CA-2002-31: Multiple Vulnerabilities in BIND.
- CIAC Information Bulletin N-013: ISC Remote Vulnerabilities in BIND4 and BIND8.
- Conectiva Linux Announcement CLSA-2002:546: Remote vulnerabilities in the BIND DNS server.
- EnGarde Secure Linux Security Advisory ESA-20021114-029: buffer overflow, DoS attacks.
- FreeBSD Security Advisory FreeBSD-SA-02:43.bind: multiple vulnerabilities in BIND [REVISED].
- Hewlett-Packard Software Security Response Team SSRT2408: Potential BIND Security Vulnerabilities.
- Internet Security Systems Security Advisory, November 12, 2002: Multiple Remote Vulnerabilities in BIND4 and BIND8.
- Internet Software Consortium (ISC) Web site: Internet Software Consortium: BIND Vulnerabilities.
- Internet Software Consortium (ISC) Web site: Internet Software Consortium - BIND.
- NetBSD Security Advisory 2002-029: named(8) multiple denial of service and remote execution of code.
- SCO Security Advisory CSSA-2002-059.0: Linux: multiple vulnerabilities in BIND (CERT CA-2002-31).
- SCO Security Advisory CSSA-2003-SCO.17.1: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Multiple Remote Vulnerabilities in BIND. (From LinuxSecurity archive)
- SCO Security Advisory CSSA-2003-SCO.2: UnixWare 7.1.1 : multiple vulnerabilities in BIND (CERT CA-2002-31).
- Trustix Secure Linux Security Advisory #2002-0076: Remote exploit.
- BID-6159: ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability
- CVE-2002-1221: BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference.
- DSA-196: bind -- several vulnerabilities
- MDKSA-2002:077: Updated bind packages fix remote compromise and DoS vulnerabilities
- OpenPKG-SA-2002.011: BIND
- SUSE-SA:2002:044: bind8: remote command execution
- US-CERT VU#581682: ISC BIND 8 fails to properly dereference cache SIG RR elements with invalid expiry times from the internal database
Platforms Affected:
- Conectiva Linux 6.0
- Debian Debian Linux 2.2
- Debian Debian Linux 3.0
- EngardeLinux Secure Linux
- EngardeLinux Secure Professional
- FreeBSD FreeBSD
- ISC BIND 8.1
- ISC BIND 8.1.1
- ISC BIND 8.1.2
- ISC BIND 8.2
- ISC BIND 8.2.1
- ISC BIND 8.2.2 P3
- ISC BIND 8.2.2 P5
- ISC BIND 8.2.2 P7
- ISC BIND 8.2.2
- ISC BIND 8.2.3
- ISC BIND 8.2.4
- ISC BIND 8.2.5
- ISC BIND 8.2.6
- ISC BIND 8.3.0
- ISC BIND 8.3.1
- ISC BIND 8.3.2
- ISC BIND 8.3.3
- MandrakeSoft Mandrake Linux 7.2
- MandrakeSoft Mandrake Single Network Firewall 7.2
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- NetBSD NetBSD 1.5.3
- NetBSD NetBSD 1.6
- NetBSD NetBSD CURRENT
- Novell SuSE Linux Enterprise Server 7.0
- OpenPKG OpenPKG 1.0
- OpenPKG OpenPKG 1.1
- SCO Caldera OpenLinux Server 3.1
- SCO Caldera OpenLinux Server 3.1.1
- SCO Caldera OpenLinux Workstation 3.1
- SCO Caldera OpenLinux Workstation 3.1.1
- SCO Caldera OpenServer 5.0.5
- SCO Caldera OpenServer 5.0.6
- SCO Caldera OpenServer 5.0.7
- SuSE SuSE eMail Server III
- SUSE SuSE Linux 7.0
- SUSE SuSE Linux 7.1
- SUSE SuSE Linux 7.2
- SUSE SuSE Linux 7.3
- SUSE SuSE Linux 8.0
- SUSE SuSE Linux 8.1
- SuSE SuSE Linux Connectivity Server
- SuSE SuSE Linux Database Server
- SuSE SuSE Linux Office Server
- Trustix Secure Linux 1.1
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.5
Reported:
Nov 12, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
