__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN ISC BIND Vulnerabilities November 14, 2000 18:00 GMT Number L-019 ______________________________________________________________________________ PROBLEM: Internet Software Consortium (ISC) reported nine bugs in ISC's BIND. Some of the bugs can lead to denial-of-service incidents. PLATFORM: Platforms running ISC's BIND versions 4.9.5 through 8.2.2 patchlevel 6. DAMAGE: ISC listed eight bugs that can lead to denial-of-service incidents, and one that would allow unauthorized access to the server. SOLUTION: Apply the workarounds or patches as directed by ISC. See CIAC note that precedes the CERT/CC advisory. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. Active exploits exist for four of the nine ASSESSMENT: bugs. ______________________________________________________________________________ [ Start of CIAC Note ] Not all of the affected versions of BIND have workarounds. The most comprehensive fix is to upgrade to either version 8.2.2 patchlevel 7 or to version 9.0.0. Consult the table at the end of ISC's announcement at http://www.isc.org/products/BIND/bind-security.html [ End of CIAC Note ] [ Start CERT/CC Advisory ] CERT Advisory CA-2000-20 Mulitple Denial-of-Service Problems in ISC BIND Original release date: November 13, 2000 Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Systems running Internet Software Consortium (ISC) BIND version 8.2 through 8.2.2-P6 * Systems running name servers derived from BIND version 8.2 through 8.2.2-P6 Overview The CERT Coordination Center has recently learned of two serious denial-of-service vulnerabilities in the Internet Software Consortium's (ISC) BIND software. The first vulnerability is referred to by the ISC as the "zxfr bug" and affects ISC BIND version 8.2.2, patch levels 1 through 6. The second vulnerability, the "srv bug", affects ISC BIND versions 8.2 through 8.2.2-P6. Derivatives of the above code sets should also be presumed vulnerable unless proven otherwise. I. Description The Internet Software Consortium, the maintainer of BIND, the software used to provide domain name resolution services, has recently posted information about several denial-of-service vulnerabilities. If exploited, any of these vulnerabilities could allow remote intruders to cause site DNS services to be stopped. For more information about these vulnerabilities and others, please see http://www.isc.org/products/BIND/bind-security.html Two vulnerabilities in particular have been categorized by both the ISC and the CERT/CC as being serious. The "zxfr bug" Using this vulnerability, attackers on sites which are permitted to request zone transfers can force the named daemon running on vulnerable DNS servers to crash, disrupting name resolution service until the named daemon is restarted. The only preconditions for this attack to succeed is that a compressed zone transfer (ZXFR) request be made from a site allowed to make any zone transfer request (not just ZXFR), and that a subsequent name service query of an authoritative and non-cached record be made. The time between the attack and the crash of named may vary from system to system. This vulnerability has been discussed in public forums. The ISC has confirmed that all platforms running version 8.2.2 of the BIND software prior to patch level 7 are vulnerable to this attack. The "srv bug" This vulnerability can cause affected DNS servers running named to go into an infinite loop, thus preventing further name requests to be handled. This can happen if an SRV record (defined in RFC2782) is sent to the vulnerable server. Microsoft's Windows 2000 Active Directory service makes extensive use of SRV records and is reportedly capable of triggering this bug in the course of normal operations. This is not, however, a vulnerability in Microsoft Active Directory. Any network client capable of sending SRV records to vulnerable name server systems can exercise this vulnerability. The CERT/CC has not received any direct reports of either of these vulnerabilities being exploited to date. Both vulnerabilities can be used by malicious users to break the DNS services being offered at all exposed sites on the Internet. System administrators are strongly recommended to upgrade their DNS software with either ISC's current distribution or their vendor-supplied software. See the Solution and Vendor Information sections of this document for more details. II. Impact Domain name resolution services (DNS) can be disabled on affected servers from arbitrary remote hosts. III. Solution Apply a patch from your vendor The CERT/CC recommends that all users of ISC BIND upgrade to the recently-released BIND 8.2.2-P7, which patches both of the vulnerabilities discussed in this document. Sites running vendor-specific distributions of domain name resolution software should check the Vendor Information section below for more specific information on how to upgrade to non-vulnerable software. Restrict zone transfers to trusted hosts If it is not possible to immediately upgrade systems affected by the "zxfr bug", the ISC suggests not allowing zone transfers from untrusted hosts. This action, however, will not mitigate against the effects of an attack using the "srv bug". Although it has been reported that not allowing recursive queries may help mitigate against the "zxfr" vulnerability, ISC has indicated that this is not the case. Appendix A. Vendor Information The Internet Software Consortium For the latest information regarding these vulnerabilities, please consult the ISC web site at: http://www.isc.org/products/BIND/bind-security.html Caldera Our advisory will be available [at]: http://www.calderasystems.com/support/security/advisories/CSSA-2000-040.0.txt Updated packages will be available from OpenLinux Desktop 2.3 ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current 9d8429f25c5fb3bebe2d66b1f9321e61 RPMS/bind-8.2.2p7-1.i386.rpm 0e958eb01f40826f000d779dbe6b8cb3 RPMS/bind-doc-8.2.2p7-1.i386.rpm 866ff74c77e9c04a6abcddcc11dbe17b RPMS/bind-utils-8.2.2p7-1.i386.rpm 6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm OpenLinux eServer 2.3 ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current 379c4328604b4491a8f3d0de44e42347 RPMS/bind-8.2.2p7-1.i386.rpm b428b824c8b67f2d8d4bf53738a3e7e0 RPMS/bind-doc-8.2.2p7-1.i386.rpm 28311d630281976a870d38abe91f07fb RPMS/bind-utils-8.2.2p7-1.i386.rpm 6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm OpenLinux eDesktop 2.4 ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current c37b6673cc9539e592013ac114846940 RPMS/bind-8.2.2p7-1.i386.rpm bbe0d7e317fde0d47cba1384f6d4b635 RPMS/bind-doc-8.2.2p7-1.i386.rpm 5c28dd5641a4550c03e9859d945a806e RPMS/bind-utils-8.2.2p7-1.i386.rpm 6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm Compaq Computer Corporation SOURCE: Compaq Computer Corporation Compaq Services Software Security Response Team USA Compaq Tru64/UNIX Operating Systems Software are not vulnerable to these reported problems. Conectiva Please see Conectiva Linux Security Announcement CLSA-2000:339 at: http://listserv.securityportal.com/SCRIPTS/WA- SECURITYPORTAL.EXE?A1=ind0011&L=linux-security#27 Note: Conectiva Linux Security Announcement CLSA-2000:338, also regarding this issue, had a packaging error in it. Users who downloaded updates based on CLSA-2000:338 should see CLSA-2000:339 for further information. Debian Please see Debian Security notice 20001112, bind at: http://www.debian.org/security/2000/20001112 FreeBSD All versions of FreeBSD after 4.0-RELEASE (namely 4.1-RELEASE, 4.1.1-RELEASE and the forthcoming 4.2-RELEASE) are not vulnerable to this bug since they include versions of BIND 8.2.3. FreeBSD 4.0-RELEASE and earlier are vulnerable to the reported problems since they include an older version of BIND, and an update to a non-vulnerable version is scheduled to be committed to FreeBSD 3.5.1-STABLE in the next few days. Hewlett-Packard HP is vulnerable to these problems and is working to correct them. MandrakeSoft Please see "MDKSA-2000:067: bind" at: http://www.linux-mandrake.com/en/security/MDKSA-2000-067.php3 Microsoft Corporation Microsoft is currently investigating these issues. NetBSD NetBSD is believed to be vulnerable to these problems; in response, NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7 will be present in the forthcoming NetBSD 1.5 release. RedHat Please see "RHSA-2000:107-01: Updated bind packages fixing DoS attack", soon to be available at: http://www.redhat.com/support/errata/ Slackware Updated Slackware distributions for bind may be found at: ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz ______________________________________________________________________ The CERT Coordination Center thanks Mark Andrews, David Conrad, and Paul Vixie of the ISC for developing a solution and assisting in the preparation of this advisory. We would also recognize the contribution of Olaf Kirch in helping us understand the exact nature of the "zxfr bug" vulnerability. ______________________________________________________________________ Author: This document was written by Jeffrey S. Havrilla and Jeffrey P. Lanza. Feedback on this advisory is appreciated. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2000-20.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2000 Carnegie Mellon University. Revision History November 13, 2000: Initial release [ End CERT/CC Advisory ] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of CERT/CC for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC: 1. Call the CIAC voice number 925-422-8193 and leave a message, or 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or 3. Send e-mail to 4498369@skytel.com, or 4. Call 800-201-9288 for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) L-009: Red Hat Linux "ypbind" Vulnerability L-010: Microsoft IIS "Cookie Marking" Vulnerability L-011: HP-UX bdf & df Vulnerabilities L-012: Cisco IOS HTTP Server Query Vulnerability L-013: Revocation of Sun Microsystems Browser Certificates L-014: AIX Format String Vulnerability L-015: Tcpdump Remote Buffer Overflows L-016: Microsoft Netmon Protocol Parsing L-017: HP-UX dtterm misuse L-018: Microsoft "Web Server File Request Parsing" Vulnerability