__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

   Buffer Overflow in Multiple Domain Name System (DNS) Libraries
                   [CERT Advisory CA-2002-19]

August 13, 2002 20:00 GMT                                      Number M-110
______________________________________________________________________________

PROBLEM:       Multiple implementations of DNS resolver libraries contain a
               remotely exploitable buffer overflow vulnerability in the way
               the resolver handles DNS responses. Both the BSD (libc) and
               ISC BIND (libbind) resolver libraries share a common code base
               and are vulnerable to this problem; any DNS resolver
               implementation that derives code from either of these
               libraries may also be vulnerable. Network applications that
               make use of vulnerable resolver libraries are likely to be
               affected; therefore this problem is not limited to DNS or
               BIND servers.

PLATFORM:      Systems using vulnerable implementations of the Domain Name
               System (DNS) resolver libraries, which include, but are not
               limited to:
               * Internet Software Consortium (ISC) Berkeley Internet Name
                 Domain (BIND) DNS resolver library (libbind)
               * Berkeley Software Distribution (BSD) DNS resolver library
                 (libc)
               * GNU DNS resolver library (glibc)

DAMAGE:        An attacker who is able to send malicious DNS responses could
               remotely exploit this vulnerability to execute arbitrary code
               or cause a denial of service on vulnerable systems. Any code
               executed by the attacker would run with the privileges of the
               process that calls the vulnerable resolver function.

SOLUTION:      Upgrade to a corrected version of the DNS resolver libraries
               or apply solutions recommended by your system's vendor.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. A remote attacker could exploit this
ASSESSMENT:    vulnerability to execute arbitrary code or cause a denial of
               service. An attacker could cause one of the victim's network
               services to make a DNS request to a DNS server under the
               attacker's control. This scenario allows the attacker to
               remotely exploit this vulnerability.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-110.shtml
 ORIGINAL BULLETIN:  http://www.cert.org/advisories/CA-2002-19.html
 PATCHES:            NOTE: PLEASE REVIEW CERT'S BULLETIN APPENDIX A FOR
                     VENDOR PRODUCT UPDATES AND REVISIONS.
______________________________________________________________________________

[***** Start CERT Advisory CA-2002-19 *****]

CERT® Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

   Original release date: June 28, 2002
   Last revised: August 9, 2002
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Applications using vulnerable implementations of the Domain Name System
   (DNS) resolver libraries, which include, but are not limited to:

     * Internet Software Consortium (ISC) Berkeley Internet Name Domain
       (BIND) DNS resolver library (libbind)
     * Berkeley Software Distribution (BSD) DNS resolver library (libc)
     * GNU DNS resolver library (glibc)

Overview

   A buffer overflow vulnerability exists in multiple implementations of
   DNS resolver libraries. Operating systems and applications that utilize
   vulnerable DNS resolver libraries may be affected. A remote attacker
   who is able to send malicious DNS responses could potentially exploit
   this vulnerability to execute arbitrary code or cause a denial of
   service on a vulnerable system.

I. Description

   The DNS protocol provides name, address, and other information about
   Internet Protocol (IP) networks and devices. To access DNS information,
   a network application uses the resolver to perform DNS queries on its
   behalf.
   Resolver functionality is commonly implemented in libraries that are
   included with operating systems.

   Multiple implementations of DNS resolver libraries contain a remotely
   exploitable buffer overflow vulnerability in the way the resolver
   handles DNS responses. Both the BSD (libc) and ISC BIND (libbind)
   resolver libraries share a common code base and are vulnerable to this
   problem; any DNS resolver implementation that derives code from either
   of these libraries may also be vulnerable. Network applications that
   make use of vulnerable resolver libraries are likely to be affected;
   therefore this problem is not limited to DNS or BIND servers.

   VU#803539 lists vendors that have been contacted and provides further
   information about this vulnerability:

     http://www.kb.cert.org/vuls/id/803539

   This vulnerability has been assigned CAN-2002-0651 by the Common
   Vulnerabilities and Exposures (CVE) group:

     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0651

   This vulnerability is not the same as the Sendmail DNS issue discussed
   in VU#814627:

     http://www.kb.cert.org/vuls/id/814627

   NetBSD Security Advisory 2002-006 also explains this vulnerability in
   detail:

     ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

   VU#542971 describes a specific aspect of this vulnerability as it
   affects the GNU libc library (glibc):

     http://www.kb.cert.org/vuls/id/542971

   Two sets of responses could trigger buffer overflows in vulnerable DNS
   resolver libraries: responses for host names or addresses, and
   responses for network names or addresses. The GNU glibc resolver
   addressed the vulnerability in handling responses for host resolution
   in version 2.1.3. However, versions of glibc prior to and including
   2.2.5 are vulnerable to responses for network resolution, as explained
   in the GNU glibc vendor statement (Appendix A of the CERT advisory).
   BSD (libc) and ISC BIND (libbind) resolvers are vulnerable to both
   types of responses.
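   The following is an added illustration written for this bulletin, not
   code from libbind, BSD libc, glibc, CERT or CIAC. It shows the shape of
   the defect the description above refers to: a minimal parser for the
   answer section of a DNS response that copies A-record addresses into a
   caller-supplied buffer, once trusting the answer count from the wire and
   ignoring the buffer size, and once bounded by it. The wire format handled
   is the real one (RFC 1035 header, question, resource records, name
   compression); the sample response, the function names and the 10.0.0.x
   addresses are constructed for the demo.

```c
/* Added example: vulnerable vs. bounded copying of DNS answer data.
 * Not the resolver code of libbind, BSD libc or glibc. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_HDR_LEN 12
#define DNS_T_A     1

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Skip a domain name (labels or a compression pointer) at resp[off].
 * Returns the offset just past the name, or 0 if it runs off the end. */
static size_t skip_name(const uint8_t *resp, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = resp[off];
        if (l == 0)
            return off + 1;
        if ((l & 0xC0) == 0xC0)                  /* 2-byte pointer ends the name */
            return (off + 2 <= len) ? off + 2 : 0;
        off += 1 + l;
    }
    return 0;
}

/* Shared walker: copies each A record's 4-byte address to out[4*n] while
 * 4*(n+1) <= room. Returns the number copied, or -1 if the response itself
 * is malformed or truncated. */
static int walk_answers(const uint8_t *resp, size_t len, uint8_t *out, size_t room)
{
    if (len < DNS_HDR_LEN)
        return -1;
    uint16_t qdcount = rd16(resp + 4), ancount = rd16(resp + 6);
    size_t off = DNS_HDR_LEN;
    for (uint16_t i = 0; i < qdcount; i++) {     /* skip the question section */
        off = skip_name(resp, len, off);
        if (off == 0 || off + 4 > len)
            return -1;
        off += 4;                                /* QTYPE + QCLASS */
    }
    int n = 0;
    for (uint16_t i = 0; i < ancount; i++) {
        off = skip_name(resp, len, off);
        if (off == 0 || off + 10 > len)          /* TYPE CLASS TTL RDLENGTH */
            return -1;
        uint16_t type = rd16(resp + off), rdlen = rd16(resp + off + 8);
        off += 10;
        if (off + rdlen > len)
            return -1;
        if (type == DNS_T_A && rdlen == 4) {
            if ((size_t)(4 * (n + 1)) > room)    /* out of room: stop, do not spill */
                break;
            memcpy(out + 4 * n, resp + off, 4);
            n++;
        }
        off += rdlen;
    }
    return n;
}

/* Vulnerable shape: out_len is ignored, so the number of addresses written
 * into `out` is chosen by whoever sent the response. */
int copy_a_records_unchecked(const uint8_t *resp, size_t len, uint8_t *out, size_t out_len)
{
    (void)out_len;                               /* the defect */
    return walk_answers(resp, len, out, (size_t)-1);
}

/* Bounded shape: never writes past out + out_len. */
int copy_a_records_checked(const uint8_t *resp, size_t len, uint8_t *out, size_t out_len)
{
    return walk_answers(resp, len, out, out_len);
}

/* Constructed sample: a response to "example.com A?" carrying n_a A records
 * (10.0.0.1, 10.0.0.2, ...), each answer name a pointer to the question. */
size_t build_sample_response(uint8_t *buf, int n_a)
{
    static const uint8_t hdr_q[] = {
        0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01
    };
    size_t off = sizeof hdr_q;                   /* 29 bytes: header + question */
    memcpy(buf, hdr_q, off);
    buf[6] = (uint8_t)(n_a >> 8);                /* ANCOUNT */
    buf[7] = (uint8_t)n_a;
    for (int i = 0; i < n_a; i++) {
        const uint8_t rr[] = { 0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01,   /* name ptr, A, IN */
                               0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,   /* TTL 3600, RDLENGTH 4 */
                               10, 0, 0, (uint8_t)(i + 1) };
        memcpy(buf + off, rr, sizeof rr);
        off += sizeof rr;
    }
    return off;
}

uint8_t demo_resp[512], demo_out[64];            /* demo scratch buffers */

int main(void)
{
    size_t len = build_sample_response(demo_resp, 4);   /* 4 addresses = 16 bytes */
    /* Claim only 8 bytes (two addresses) of room to show the difference;
     * demo_out really is 64 bytes, so the unchecked run stays in bounds here. */
    printf("unchecked copied %d addresses into a buffer declared as 8 bytes\n",
           copy_a_records_unchecked(demo_resp, len, demo_out, 8));
    printf("checked   copied %d addresses into a buffer declared as 8 bytes\n",
           copy_a_records_checked(demo_resp, len, demo_out, 8));
    return 0;
}
```

   In the demo the unchecked parser reports 4 addresses copied into a
   buffer it was told holds 8 bytes; with a real fixed-size buffer those
   extra 8 bytes land on whatever follows it, which is the condition the
   advisory describes. Note that the bounded version also validates the
   response length at every step, since a truncated or malformed reply is
   as attacker-controlled as an oversized one.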
II. Impact

   An attacker who is able to send malicious DNS responses could remotely
   exploit this vulnerability to execute arbitrary code or cause a denial
   of service on vulnerable systems. Any code executed by the attacker
   would run with the privileges of the process that calls the vulnerable
   resolver function.

   Note that an attacker could cause one of the victim's network services
   to make a DNS request to a DNS server under the attacker's control.
   This would permit the attacker to remotely exploit this vulnerability.

III. Solution

Upgrade to a corrected version of the DNS resolver libraries

   Note that DNS resolver libraries can be used by multiple applications
   on most systems. It may be necessary to upgrade or apply multiple
   patches and then recompile statically linked applications.

   Applications that are statically linked must be recompiled using
   patched resolver libraries. Applications that are dynamically linked do
   not need to be recompiled; however, running services need to be
   restarted in order to use the patched resolver libraries.

   System administrators should consider the following process when
   addressing this issue:

     1. Patch or obtain updated resolver libraries.
     2. Restart any dynamically linked services that make use of the
        resolver libraries.
     3. Recompile any statically linked applications using the patched or
        updated resolver libraries.

Use a local caching DNS server

   Using a local caching DNS server that reconstructs DNS responses can
   prevent malicious responses from reaching systems using vulnerable DNS
   resolver libraries. For example, BIND 9 reconstructs responses in this
   way, with the exception of forwarded dynamic DNS update messages. Note
   that BIND 8 does not reconstruct all responses; therefore this
   workaround may not be effective when using BIND 8 as a caching DNS
   server.
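   Step 2 of the procedure above leaves the administrator to work out which
   running services still use the old resolver code. The following is an
   added example for this bulletin, not CIAC or CERT code, of one way to
   find them on Linux: when a package update unlinks and replaces
   libc.so/libresolv.so (or a libbind shared object), a process that still
   has the old file mapped shows that mapping with a "(deleted)" suffix in
   /proc/<pid>/maps. The two maps excerpts, their addresses, inode numbers
   and paths are constructed for the demo; on a real host the function
   would be fed the contents of each /proc/<pid>/maps in turn.

```c
/* Added example: flag processes still mapping a replaced resolver library.
 * Not CIAC or CERT code; the maps text below is constructed for the demo. */
#include <stdio.h>
#include <string.h>

/* File-name fragments of libraries that carry resolver code on common
 * systems: glibc's libc and libresolv, and BIND's libbind. */
static const char *resolver_libs[] = { "libc.so", "libc-", "libresolv", "libbind", NULL };

/* Returns 1 if any line of `maps` (the text of one /proc/<pid>/maps) maps a
 * resolver library whose on-disk file has been replaced, i.e. the line ends
 * in "(deleted)"; returns 0 otherwise. Lines longer than 511 bytes are
 * truncated before inspection, which only affects the pathname field. */
int maps_needs_restart(const char *maps)
{
    static const char marker[] = "(deleted)";
    const size_t mlen = sizeof marker - 1;
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (n >= sizeof buf)
            n = sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';
        if (n >= mlen && strcmp(buf + n - mlen, marker) == 0) {
            for (const char **lib = resolver_libs; *lib; lib++)
                if (strstr(buf, *lib))           /* pathname field names a resolver lib */
                    return 1;
        }
        line = nl ? nl + 1 : line + n;
    }
    return 0;
}

/* Constructed /proc/<pid>/maps excerpts (hypothetical addresses, inodes, paths). */
static const char *sendmail_maps =
    "08048000-0811a000 r-xp 00000000 03:01 123456     /usr/sbin/sendmail\n"
    "40000000-40016000 r-xp 00000000 03:01 654321     /lib/ld-2.2.5.so\n"
    "40020000-40031000 r-xp 00000000 03:01 654330     /lib/libresolv-2.2.5.so (deleted)\n"
    "40040000-4015c000 r-xp 00000000 03:01 654340     /lib/libc-2.2.5.so (deleted)\n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0\n";
static const char *sshd_maps =                    /* started after the update */
    "08048000-080a0000 r-xp 00000000 03:01 223344     /usr/sbin/sshd\n"
    "40040000-4015c000 r-xp 00000000 03:01 654350     /lib/libc-2.2.5.so\n"
    "40160000-40170000 r-xp 00000000 03:01 654360     /lib/libz.so.1 (deleted)\n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0\n";

int main(void)
{
    printf("sendmail needs restart: %d\n", maps_needs_restart(sendmail_maps));
    printf("sshd needs restart:     %d\n", maps_needs_restart(sshd_maps));
    return 0;
}
```

   Two caveats when using this on a live system. A library that was
   overwritten in place (same inode) never shows "(deleted)", so compare
   the library's modification time against each process's start time in
   that case. Statically linked binaries show no shared-library mappings at
   all; they are the ones step 3 covers (`file` reports them as
   "statically linked"), and restarting them changes nothing until they are
   rebuilt against the patched library.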
[***** End CERT Advisory CA-2002-19 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for
the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-100: MS Server Response To SMTP Client EHLO Command
M-101: MS Unchecked Buffer in SQL Server 2000 Utilities
M-102: MS SQL Server 2000 Resolution Service Buffer Overflow
M-103: Multiple Vulnerabilities in OpenSSL
M-104: Red Hat Linux Password Locking Race Vulnerability
M-105: Unchecked Buffer in MDAC Function Vulnerability
M-106: Cisco Concentrator RADIUS PAP Authentication Vulnerability
M-107: Unchecked Buffer in Content Management Server
M-108: Vulnerability in HP Apache Server PHP
M-109: Common Desktop Environment (CDE) ToolTalk Buffer Overflow