__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN BIND Vulnerabilities December 28, 1998 18:00 GMT Number I-044A ______________________________________________________________________________ PROBLEM: Three vulnerabilities have been identified in BIND. 1) Improperly or maliciously formatted inverse query on a TCP stream. 2) Improperly or maliciously formatted DNS message. 3) Self-referential CNAMEs. PLATFORM: 1 & 2) BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2. 3) BIND 8. DAMAGE: 1) If exploited, a remote user may cause a buffer overrun or gain root access. 2 & 3) These two vulnerabilities could lead to Denial-of- Service. SOLUTION: Apply patches or workarounds as listed below. ______________________________________________________________________________ VULNERABILITY At the time this advisory was released, not all vendor ASSESSMENT: information was complete. If your vendor's workaround or patches are not listed, you should check with your vendor directly. ______________________________________________________________________________ [ Appended on Dec 28, 1998 with additional patch information from Sun Microsystems, Inc. ] [ Appended on Aug 21, 1998 with additional information from Hewlett-Packard ] [ Updated on May 27, 1998 with additional information from CERT ] [ Start CERT Advisory ] ============================================================================= CERT* Advisory CA-98.05 Original issue date: April 08, 1998 Last Revised: May 21, 1998 Updates were made to the following portions of this advisory: III. Solutions Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases 1.C. What To Do Fixing the Inverse Query Code, Bind 8 and Bind 4.9 Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases 2.C. What To Do Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases 3.C. What To Do Fixing the Problem Appendix A - Updated vendor information for Internet Software Consortium A complete revision history is at the end of this file. Topic: Multiple Vulnerabilities in BIND Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases Denial-of-Service Vulnerability in BIND 8 Releases I. Description This advisory describes three distinct problems in BIND. Topic 1 describes a vulnerability that may allow a remote intruder to gain root access on your name server or to disrupt normal operation of your name server. Topics 2 and 3 deal with vulnerabilities that can allow an intruder to disrupt your name server. Detailed descriptions of each problem and its solutions are included in the individual sections on each topic. II. Impact Topic 1: A remote intruder can gain root-level access to your name server. Topics 2 and 3: A remote intruder is able to disrupt normal operation of your name server. III. Solution All three problems can be fixed by upgrading to the latest version of BIND, which may be available from your vendor (see Appendix A of this advisory). Questions about the availability of patches from your vendor should be directed to your vendor. Additionally, the Internet Software Consortium has announced new publicly available versions of BIND on the BIND WWW page (http://www.isc.org/bind.html) and on the USENET newsgroup comp.protocols.dns.bind. Additionally, patches are provided for Topics 1 and 3, along with steps to take until you can apply the patch or upgrade to the latest version of BIND. Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases 1.A. Description BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream can crash the server or allow an attacker to gain root privileges. 1.B. Determining if your system is vulnerable The inverse query feature is disabled by default, so only the systems that have been explicitly configured to allow it are vulnerable. BIND 8 Look at the "options" block in the configuration file (typically /etc/named.conf). If there is a "fake-iquery yes;" line, then the server is vulnerable. BIND 4.9 Look at the "options" lines in the configuration file (typically /etc/named.boot). If there is a line containing "fake-iquery", then the server is vulnerable. In addition, unlike BIND 8, inverse query support can be enabled when the server is compiled. Examine conf/options.h in the source. If the line #defining INVQ is not commented out, then the server is vulnerable. 1.C. What To Do To address this problem, you can disable inverse queries, upgrade to BIND 8.1.2 now that it is available, or apply the patch (see below for more information on the patch). We urge you to disable inverse queries until you can take one of the other steps. Disabling inverse queries BIND 8 Disable inverse queries by editing named.conf so that either there is no "fake-iquery" entry in the "options" block or the entry is "fake-iquery no;" BIND 4.9 Disable inverse queries by editing named.boot, removing any "fake-iquery" entries on "options" lines. Look at conf/options.h in the source. If INVQ has been defined, comment it out and then rebuild and reinstall the server. Note: Disabling inverse query support can break ancient versions of nslookup. If nslookup fails, replace it with a version from any BIND 4.9 or BIND 8 distribution. Fixing the Inverse Query Code BIND 8 Upgrade to BIND 8.1.2 now that it is available (http://www.isc.org/new-bind.html) or apply the patch at this URL: ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND8_patch.txt This file is not PGP signed. It has the following MD5 checksum: MD5 (CA-98.05_Topic.1_BIND8_patch.txt) = 12fc9d395ff987b1aad17a882ccd7840 BIND 4.9 Upgrade to BIND 4.9.7 now that it is available (http://www.isc.org/new-bind.html) or apply the patch at this URL: ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND4.9_patch.txt This file is not PGP signed. It has the following MD5 checksum: MD5 (CA-98.05_Topic.1_BIND4.9_patch.txt) = 32da0db1c27e4d484e6fcb7901267c2f Notes: We are asking sites to retrieve the patches via FTP rather than including them in the advisory since our experience is that some mail handling systems translate tabs into spaces. This prevents the patch(1) program from working properly. We have not PGP signed the files since our experience is that some implementations of PGP during the extraction process will strip spaces from some lines containing whitespace only. This may prevent the patch(1) program from working Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases 2.A. Description BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check many memory references in the server and the resolver. An improperly or maliciously formatted DNS message can cause the server to read from invalid memory locations, yielding garbage record data or crashing the server. Many DNS utilities that process DNS messages (e.g., dig, nslookup) also fail to do proper bounds checking. 2.B. Determining if your system is vulnerable Any system running BIND 4.9 prior to 4.9.7 or BIND 8 prior to 8.1.2 is vulnerable. 2.C. What To Do There are no workarounds for these problems. BIND 8 Upgrade to BIND 8.1.2 now that it is available. BIND 4.9 Upgrade to BIND 4.9.7 now that it is available. Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases 3.A. Description Assume that the following self-referential resource record is in the cache on a name server: foo.example. IN A CNAME foo.example. The actual domain name used does not matter; the important thing is that the target of the CNAME is the same name. The record could be in the cache either because the server was authoritative for it or because the server is recursive and someone asked for it. Once this record is in the cache, issuing a zone transfer request using its name (e.g., "dig @my_nameserver foo.example. axfr") will cause the server to abort(). Most sites will not contain such a record in their configuration files. However, it is possible for an attacker to engineer such a record into the cache of a vulnerable nameserver and thus cause a denial of service. 3.B. Determining if your system is vulnerable If the BIND 8 server is not recursive and does not fetch glue, then the problem can be exploited only if the self-referential resource record is in a zone for which the server is authoritative. If the global zone transfer ACL in the options block has been set to deny access and has no self-referential CNAMEs in its authoritative zones, then the server is not vulnerable. Otherwise, the server is vulnerable. The nameserver is recursive by default, fetches glue by default, and the default global transfer ACL allows all hosts; so many BIND 8 servers will be vulnerable to this problem. (Note: the in.named(8) man page mentions that sending a SIGINT to the in.named process will dump the current data base and cache to, by default, /var/tmp/named_dump.db. Some sites may find this useful in looking for self-referential CNAMEs. Please see the in.named(8) man page for further details.) 3.C. What To Do To address this problem, you can apply the workaround described below, upgrade to BIND 8.1.2, or apply the patch provided at the end of this section. Until you can upgrade or apply the patch, we urge you to use the workaround. Workaround First set the global zone transfer ACL to deny access to all hosts by adding the following line to the "options" block: allow-transfer { none; }; Next, explicitly authorize zone transfers for each authoritative zone. For example, if the server was authoritative for "example", adding allow-transfer { any; }; to the "zone" statement for "example" would allow anyone to transfer "example". None of the domains for which the server is authoritative should have self-referential CNAMEs. Fixing the Problem Upgrade to BIND 8.1.2, now that it is available, or apply the patch available from the following URL to the BIND 8.1.1 source: ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.3_BIND8.1.1_patch.txt This file is not PGP signed. It has the following MD5 checksum: MD5 (CA-98.05_Topic.3_BIND8.1.1_patch.txt) = 33f9dc2eaf221dd48553f490259c2a8b Notes: We are asking sites to retrieve the patches via FTP rather than including them in the advisory since our experience is that some mail handling systems translate tabs into spaces. This prevents the patch(1) program from working properly. We have not PGP signed the files since our experience is that some implementations of PGP during the extraction process will strip spaces from some lines containing whitespace only. This may prevent the patch(1) program from working properly. Appendix A - Vendor Information Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly. Berkeley Software Design, Inc. (BSDI) BSD/OS 3.0/3.1 AS SHIPPED is not vulnerable. Sites wishing to enable fake-iquery can install mod M310-025, available at http://www.bsdi.com BSDI will issue a 3.1 mod when a fix is available. BSD/OS is not vulnerable, since we ship bind 4.9. Caldera Corporation Workaround for Topic 1: Disable inverse queries by editing named.conf so that either there is no "fake-iquery" entry in the "options" block, or so that the entry is "fake-iquery no;" Workaround for Topic 2: A workaround is to set the global zone transfer ACL to deny access to all hosts by adding the following line to the "options" block allow-transfer { none; }; Next, explicitly authorize zone transfers for each authoritative zone. For example, if the server was authoritative for "example", adding allow-transfer { any; }; to the "zone" statement for "example" would allow anyone to transfer "example". None of the domains the server is authoritative for should have self-referential CNAMEs. Correction for both Topics: The proper solution is to Upgrade to the bind-8.1.1-5 packages. They can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/006/RPMS The corresponding source code can be found at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/006/SRPMS The MD5 checksums (from the "md5sum" command) for these packages are: b63ace6eab6eee5cf0608c8a245b5e27 bind-8.1.1-5.i386.rpm 4123b0167f5d5769a87cd2d9542a74b4 bind-doc-8.1.1-5.i386.rpm e1d506cbcc87d7c1de915d94d03281b1 bind-utils-8.1.1-5.i386.rpm eec24c0f816244c4729281867fcebbab bind-8.1.1-5.src.rpm Upgrade with the following commands: rpm -q bind && rpm -U bind-8.1.1-5.i386.rpm rpm -q bind-utils && rpm -U bind-utils-8.1.1-5.i386.rpm rpm -q bind-doc && rpm -U bind-doc-8.1.1-5.i386.rpm This and other Caldera security resources are located at: http://www.caldera.com/tech-ref/security/ Digital Equipment Corporation Digital is investigating this problem. FreeBSD, Inc. We ship with INVQ not defined. This makes us resistent against the first vulnerability. This is true for all release after 2.2.0 (2.1.* releases are vulnerable but should be upgraded anyway). As we do not yet ship BIND 8, we are also not vulnerable to the 3rd vulnerability. We advise everyone to upgrade to BIND 4.9.7. Hewlett-Packard Company HP is Vulnerable. Patches in process. Watch for the release of the associated HP Security Bulletin. Hewlett Packard's HP-UX patches/Security Bulletins/Security patches are available via email and/or WWW (via the browser of your choice) on HP's Electronic Support Center (ESC). To subscribe to automatically receive future NEW HP Security Bulletins from the HP ESC Digest service via electronic mail, do the following: 1) From your Web browser, access the URL: http://us-support.external.hp.com (US,Canada,Asia-Pacific, and Latin-America) http://europe-support.external.hp.com (Europe) Login with your user ID and password, or register for one (remember to save the User ID assigned to you, and your password). Once you are on the Main Menu, Click on the Technical Knowledge Database, and it will connect to a HP Search Technical Knowledge DB page. Near the bottom is a hyperlink to our Security Bulletin archive. Once in the archive there is another link to our current security patch matrix. Updated daily, this matrix is categorized by platform/OS release, and by bulletin topic. To subscribe to receive future Security Bulletins be email, look for the subscription section on the Technical Knowledge Database page. IBM Corporation The version of bind shipped with AIX is vulnerable and the following APARs will be available soon: AIX 4.1.x: IX76958 (fix for Topic 1 only) AIX 4.2.x: IX76959 (fix for Topic 1 only) AIX 4.3.x: IX76960 (fix for Topic 1 and 3 only) AIX 4.3.x: IX76962 (fix for Topic 1, 2, and 3. This is bind 8.1.2.) Until the official fixes are available, a temporary patch can be found at: ftp://aix.software.ibm.com/aix/efixes/security File sum md5 ==================================================================== named.415.tar.Z 64980 157 0e795380b84bf29385d2d946d10406cb named.421.tar.Z 44963 157 15a9a006abf4a9d0a0d3210f16d619e5 named4.430.tar.Z 48236 115 8377b14f74e207707154a9677906f20a named8.430.tar.Z 51175 160 e2db14b7055a7424078456bfbfd9bf2d Detached PGP signatures are also available with a ".asc" extension. IBM and AIX are registered trademarks of International Business Machines Corporation. Internet Software Consortium The Internet Software Consortium has announced BIND version 8.1.2 and BIND version 4.9.7. If you are running BIND 8.1.1 or 8.1 you want to upgrade to 8.1.2. If you are still running BIND-4 rather than BIND-8, you need the security patches contained in 4.9.7. But, you should really just run BIND-8. The security fixes included in these releases fix a stack overrun that could occur if inverse query support was enabled, and a number of denial of service attacks where malformed packets could cause the server to crash. Links to the kits are available at: http://www.isc.org/new-bind.html. NEC Corporation Topic1 - Some systems are vulnerable. Patches will be available soon, especially for UX/4800 R11.x and R13.x. Topic2 - Some systems are vulnerable. Patches will be available soon after the release of bind-4.9.7, especially for UX/4800 R11.x and R13.x. Topic3 - We do not ship BIND 8 with our products so we are not vulnerable to this problem. Patches will be available from ftp://ftp.meshnet.or.jp/pub/48pub/security. The NetBSD Project The first problem can be fixed in NetBSD 1.3, 1.3.1, and -current prior to 19980408 with the supplied BIND 4.9.6 patch. A patch will be made available for the second problem shortly (alternatively, upgrading to BIND 4.9.7 or 8.1.2 when available will also solve this problem.) NetBSD is not affected by the third problem. Red Hat Software, Inc. Red Hat fixes will be available at: Red Hat 5.0 i386: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/bind-4.9.6-7.i386.rpm alpha: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/bind-4.9.6-7.alpha.rpm Red Hat 4.2 i386: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/bind-4.9.6-1.1.i386.rpm alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/bind-4.9.6-1.1.alpha.rpm SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/bind-4.9.6-1.1.sparc.rpm The Santa Cruz Operation, Inc. The following SCO products are vulnerable: SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4 SCO OpenServer 5.0 (also SCO Internet FastStart) SCO UnixWare 2.1 SCO UnixWare 7 SCO CMW+ 3.0 is not vulnerable as BIND/named is not supported on CMW+ platforms. Binary versions of BIND 4.9.7 will be available shortly from the SCO ftp site: cover letter - ftp://ftp.sco.com/SSE/sse012.ltr replacement binaries - ftp://ftp.sco.com/SSE/sse012.tar.Z The fix includes binaries for the following SCO operating systems: SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4 SCO OpenServer 5.0 SCO UnixWare 2.1 SCO UnixWare 7 For the latest security bulletins and patches for SCO products, please refer to http://www.sco.com/security/ . Silicon Graphics, Inc. At this time, Silicon Graphics does not have any public information for the DNS issue. Silicon Graphics is in communication with CERT and other external parties and is actively investigating this issue. Additional information, is expected shortly. When more Silicon Graphics information (including patch information) is available for release, that information will be released via the SGI security mailing list, wiretap. For subscribing to the wiretap mailing list and other SGI security related information, please refer to the Silicon Graphics Security Headquarters website located at: ttp://www.sgi.com/Support/security Sun Microsystems, Inc. Topic 1: Patches will be produced for Solaris 5.3, 5.4, 5.5, 5.5.1 and 5.6. Topic 2: Patches will be produced for Solaris 5.3, 5.4, 5.5, 5.5.1 and 5.6. Topic 3: Bug fix will be integrated in the upcoming release of Solaris. The CERT Coordination Center thanks Bob Halley and Paul Vixie of Vixie Enterprises, who provided most of the text of this advisory. Reminder: The Internet Software Consortium will announce new publicly available versions of BIND on the BIND WWW page (http://www.isc.org/bind.html) and on the USENET newsgroup comp.protocols.dns. Revision History May 21, 1998 Updates were made to the following portions of this advisory: III. Solutions Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases 1.C. What To Do Fixing the Inverse Query Code, Bind 8 and Bind 4.9 Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases 2.C. What To Do Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases 3.C. What To Do Fixing the Problem Appendix A - Updated vendor information for Internet Software Consortium Apr. 16, 1998 Appendix A - Updated vendor information for Caldera Corporation. - ----------------------------------------------------------------------------- [ End CERT Advisory ] [ Start Hewlett-Packard Advisory ] Document ID: HPSBUX9808-083 Date Loaded: 19980819 Title: Security Vulnerability in BIND on HP-UX ------------------------------------------------------------------------- **REVISED 01** HEWLETT-PACKARD SECURITY BULLETIN: #00083, 19 August 1998 Last Revised: 20 August 1998 ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett Packard will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ------------------------------------------------------------------------- PROBLEM: Security vulnerability in the BIND executable PLATFORM: HP9000 Series 700/800 running HP-UX releases 9.X, 10.X & 11.00. DAMAGE: May allow remote users to gain root access or to disrupt normal operation on the name server. SOLUTION: Install patches (below) which upgrade BIND to version 4.9.7. AVAILABILITY: All patches are available now, except as noted. CHANGE SUMMARY: Added patch for HP-UX release 10.16. ------------------------------------------------------------------------- I. A. Background The CERT Advisory CA-98.05 discusses two vulnerabilities which affect HP-UX. Detailed descriptions of each problem and its solutions are included in the advisory, available from: www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems B. Fixing the problem The problems can be fixed by installing the necessary patch. **REVISED 01** HP-UX release 9.0, 9.01, 9.03, 9.04, 9.05, & 9.07: PHNE_13187 HP-UX release 10.00, 10.01, 10.10 and 10.20: PHNE_14617 --->>> HP-UX release 10.16: *PHNE_16232 HP-UX release 10.24: **PHNE_16204 HP-UX release 11.00: PHNE_12957 NOTE: ** Patch for VVOS (10.24) is expected to be available after 26 Aug. 98 --->>> * Patch for CMW (10.16) is expected to be available --->>> after 26 Aug. 98 C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP Electronic Support Center via electronic mail, do the following: Use your browser to get to the HP Electronic Support Center page at: http://us-support.external.hp.com (for US, Canada, Asia-Pacific, & Latin-America) http://europe-support.external.hp.com (for Europe) Login with your user ID and password (or register for one). Remember to save the User ID assigned to you, and your password. Once you are in the Main Menu: To -subscribe- to future HP Security Bulletins, click on "Support Information Digests". To -review- bulletins already released from the main Menu, click on the "Technical Knowledge Database (Security Bulletins only)". Near the bottom of the next page, click on "Browse the HP Security Bulletin Archive". Once in the archive there is another link to our current Security Patch Matrix. Updated daily, this matrix is categorizes security patches by platform/OS release, and by bulletin topic. D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. ________________________________________________________________________ -----End of Document ID: HPSBUX9808-083-------------------------------------- [ End Hewlett-Packard Advisory ] [ Start Sun Microsystems Advisory ] ________________________________________________________________________________ Sun Microsystems, Inc. Security Bulletin Bulletin Number: #00180 Date: December 17, 1998 Cross-Ref: CERT Advisory CA-98.05 Title: BIND ________________________________________________________________________________ The information contained in this Security Bulletin is provided "AS IS." Sun makes no warranties of any kind whatsoever with respect to the information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction. ________________________________________________________________________________ 1. Background The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS). CERT Advisory CA-98.05 describes three vulnerabilities in certain versions of BIND. The first vulnerability, Inverse Query Buffer Overrun, can be exploited by a remote attacker to gain root access to a DNS name server. The second vulnerability, Denial-of-Service Vulnerabilities, is concerned with buffer overflows that can be exploited to corrupt DNS record data or crash the DNS server. SunOS(tm) and Solaris(tm) are not vulnerable to third vulnerability described in the CERT advisory. For more information about the vulnerabilities, please see the CERT advisory at: http://www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems A vulnerability has also been discovered in SunOS and Solaris's implementation of BIND with their use of temporary files. This vulnerability can be exploited to overwrite arbitrary files. 2. Affected Supported Versions Solaris(tm) versions: 2.6, 2.6_x86, 2.5.1, 2.5.1_x86, 2.5, 2.5_x86, 2.4, 2.4_x86 and 2.3 SunOS(tm) versions: 4.1.4 and 4.1.3_U1 3. Recommendations Sun recommends that you install the respective patches immediately on vulnerable systems including both DNS clients and servers. Operating System Patch ID _________________ _________ Solaris 2.6 105755-07 Solaris 2.6_x86 105756-07 Solaris 2.5.1 103663-15 Solaris 2.5.1_x86 103664-15 Solaris 2.5 103667-11 Solaris 2.5_x86 103668-11 Solaris 2.4 102479-13 Solaris 2.4_x86 102480-11 Solaris 2.3 101359-10 SunOS 4.1.4 106866-02 SunOS 4.1.3_U1 106865-02 _______________________________________________________________________________ APPENDICES A. Patches listed in this bulletin are available to all Sun customers via World Wide Web at: B. Checksums for the patches listed in this bulletin are available via World Wide Web at: C. Sun security bulletins are available via World Wide Web at: D. Sun Security Coordination Team's PGP key is available via World Wide Web at: E. To report or inquire about a security problem with Sun software, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - Sun Security Coordination Team. Send email to: security-alert@sun.com F. To receive information or subscribe to our CWS (Customer Warning System) mailing list, send email to: security-alert@sun.com with a subject line (not body) containing one of the following commands: Command Information Returned/Action Taken _______ _________________________________ help An explanation of how to get information key Sun Security Coordination Team's PGP key list A list of current security topics query [topic] The email is treated as an inquiry and is forwarded to the Security Coordination Team report [topic] The email is treated as a security report and is forwarded to the Security Coordination Team. Please encrypt sensitive mail using Sun Security Coordination Team's PGP key send topic A short status summary or bulletin. For example, to retrieve a Security Bulletin #00138, supply the following in the subject line (not body): send #138 subscribe Sender is added to our mailing list. To subscribe, supply the following in the subject line (not body): subscribe cws your-email-address Note that your-email-address should be substituted by your email address. unsubscribe Sender is removed from the CWS mailing list. ________________________________________________________________________________ Copyright 1998 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. This Security Bulletin may be reproduced and distributed, provided that this Security Bulletin is not modified in any way and is attributed to Sun Microsystems, Inc. and provided that such reproduction and distribution is performed for non-commercial purposes. [ End Sun Microsystems Advisory ] ______________________________________________________________________________ CIAC wishes to acknowledge the contributions of CERT and Hewlett-Packard for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) I-034: Internet Cookies I-035: SGI Vulnerabilities (startmidi/stopmidi, datman/cdman, cdplayer) I-036: FreeBSD Denial-of Service LAND Attacks I-037: FreeBSD mmap Vulnerability I-038: Ascend Routing Hardware Vulnerabilities I-039: HP-UX inetd Vulnerability I-040: SGI Netscape Navigator Vulnerabilities I-041: Performer API Search Tool 2.2 pfdispaly.cgi Vulnerability I-042: SGI IRIX lp(1) Security Vulnerability I-043: SGI IRIX mailcap Vulnerability