__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

BIND Vulnerabilities

January 29, 2008 19:00 GMT                                     Number S-131
______________________________________________________________________________
PROBLEM:       There are multiple vulnerabilities in BIND.

PLATFORM:      BIND 8 (all versions)
               BIND 9.0 (all versions)
               BIND 9.1 (all versions)
               BIND 9.2 (all versions)
               BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
               BIND 9.4.0, 9.4.1, 9.4.2
               BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5, 9.5.0a6,
               9.5.0a7, 9.5.0b1

DAMAGE:        Could lead to a denial-of-service or potentially code
               execution.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Could lead to a denial-of-service or
ASSESSMENT:    potentially code execution.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-131.shtml
 ORIGINAL BULLETIN:  http://www.isc.org/index.pl?/sw/bind/bind-security.php
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0122
______________________________________________________________________________

[****** Start BIND Bulletin Here ******]

BIND Vulnerabilities

ISC has discovered or has been notified of several bugs which can result in
vulnerabilities of varying levels of severity in BIND as distributed by ISC.
Upgrading to the latest BIND version is strongly recommended. See the BIND
Vulnerability matrix at the bottom of this document for an overview of which
versions are subject to specified vulnerabilities.
--------------------------------------------------------------------------------

BIND: buffer overflow in inet_network()
[Added 2008.01.18]

CVE: CVE-2008-0122
CERT: VU#203611

Versions affected:
  BIND 8 (all versions)
  BIND 9.0 (all versions)
  BIND 9.1 (all versions)
  BIND 9.2 (all versions)
  BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
  BIND 9.4.0, 9.4.1, 9.4.2
  BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5, 9.5.0a6, 9.5.0a7, 9.5.0b1

Severity: Low

Description:
  An off-by-one error in the inet_network() function in libbind could lead to
  memory corruption with certain inputs.

Impact:
  Applications linked against libbind which call inet_network() with untrusted
  inputs could be subject to a denial-of-service or potentially code execution.
  Note that none of the applications shipped with BIND 8 or BIND 9 call
  inet_network().

Solution:
  Upgrade to 9.3.5, 9.4.3, 9.5.0b2 or later when released. Otherwise, apply
  the patch below to:
    BIND 9: lib/bind/inet/inet_network.c
    BIND 8: lib/inet/inet_network.c

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5	Wed Apr 27 04:56:21 2005
+++ inet_network.c	Tue Jan 15 04:02:01 2008
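Review bot: The relocated guard is the whole fix, so the thing to confirm in the inet_network.c hunk is its ordering: `if (pp >= parts + 4 || val > 0xffU)` now runs before `if (*cp == '.')`, so the component that terminates the string (one not followed by a dot) is bounds- and range-checked as well, whereas the old placement only checked a component when a dot followed it. A regression test feeding "1.2.3.4.5" (five components) and "1.2.256" (final component above 0xff) and expecting INADDR_NONE for both would pin that behaviour; neither string was rejected by the check in its old position.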
@@ -84,9 +84,9 @@ } if (!digit) return (INADDR_NONE); + if (pp >= parts + 4 || val > 0xffU) + return (INADDR_NONE); if (*cp == '.') { - if (pp >= parts + 4 || val > 0xffU) - return (INADDR_NONE); *pp++ = val, cp++; goto again; }

Questions should be addressed to bind9-bugs@isc.org.

Acknowledgements:
  ISC would like to thank Nate Eldredge for reporting this.

--------------------------------------------------------------------------------

BIND 8: cryptographically weak DNS query IDs
[Added 2007.08.29]

CVE: CVE-2007-2930
CERT: VU#927905

Versions affected:
  BIND 8.x.x (all versions)

Description:
  ISC (Internet Systems Consortium) BIND 8 generates cryptographically weak
  DNS query IDs which could allow a remote attacker to poison DNS caches.
  This bug only affects outgoing queries, generated by BIND 8 to answer
  questions as a resolver, or when it is looking up data for internal uses,
  such as when sending NOTIFYs to slave name servers.

  The DNS query id generation is vulnerable to analysis which provides a high
  chance of guessing the next query id. This can be used to perform cache
  poisoning by an attacker. All users are encouraged to upgrade.

Impact:
  A remote attacker could predict DNS query IDs and respond with arbitrary
  answers, thus poisoning DNS caches.

Solution: Upgrade or Patch
  This issue is addressed in ISC BIND 8.4.7-P1, available as a patch that can
  be applied to BIND 8.4.7. The more definitive solution is to upgrade to
  BIND 9. BIND 8 is being declared "end of life" by ISC due to multiple
  architectural issues. Please see ISC's website at
  www.isc.org/sw/bind/bind8-eol.php for additional information and tools.
  Note that BIND 8.x.x is End of Life as of August 2007.

  Users who obtain BIND 8 from their operating system vendor should see the
  systems affected portion of this document for a partial list of affected
  vendors.

Acknowledgements:
  Thanks to Amit Klein from Trusteer (www.trusteer.com) for reporting this.

--------------------------------------------------------------------------------

BIND 9: allow-query-cache/allow-recursion default acls not set.
[Added 2007.07.24]

CVE: CVE-2007-2925

Versions affected:
  BIND 9.4.0, 9.4.1
  BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Severity: Medium
Exploitable: Remotely

Description:
  The default access control lists (acls) are not being correctly set. If not
  set, anyone can make recursive queries and/or query the cache contents.

Workaround:
  Explicitly set the allow-query-cache and allow-recursion acls, if not
  already set, to { localnets; localhost; };

  If recursion is supposed to be allowed to local clients (default):

    options {
        recursion yes;  // default
        allow-recursion { localnets; localhost; };
        allow-query-cache { localnets; localhost; };
        ...
    };

  If recursion is disallowed:

    options {
        recursion no;
        allow-query-cache { localnets; localhost; };
        ...
    };

--------------------------------------------------------------------------------

BIND 9: cryptographically weak query ids.
[Added 2007.07.24]

CVE: CVE-2007-2926

Versions affected:
  BIND 9.0 (all versions)
  BIND 9.1 (all versions)
  BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8
  BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
  BIND 9.4.0, 9.4.1
  BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Severity: Medium
Exploitable: Remotely

Description:
  The DNS query id generation is vulnerable to cryptographic analysis which
  provides a 1 in 8 chance of guessing the next query id for 50% of the query
  ids. This can be used to perform cache poisoning by an attacker. This bug
  only affects outgoing queries, generated by BIND 9 to answer questions as a
  resolver, or when it is looking up data for internal uses, such as when
  sending NOTIFYs to slave name servers. All users are encouraged to upgrade.

Workaround: None.

Fix:
  Upgrade to BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6.

Amit Klein from Trusteer (www.trusteer.com) found this vulnerability.
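An added check, not part of the ISC bulletin, for the class of weakness the two query-ID entries above describe: it pulls the 16-bit query ID out of captured outgoing query headers and measures how often the next ID lands within a small guess window of the previous one, which is what makes a resolver's cache easy to poison. The packets, the small-step "weak" generator and the flagging threshold are constructed for illustration and are not ISC's generator or Amit Klein's analysis.

```python
import os
import struct


def make_packets(ids):
    """Constructed stand-in for captured outgoing DNS queries: the first two
    octets of a DNS message are the 16-bit query ID (RFC 1035 4.1.1)."""
    return [struct.pack("!H", i) + b"\x01\x00" for i in ids]


def weak_ids(n, seed=0x1234, step=3):
    """Constructed weak generator (fixed small increment), present only to
    show what the check flags; not the BIND 8/9 generator."""
    return [(seed + step * k) & 0xFFFF for k in range(n)]


def strong_ids(n):
    """IDs drawn from the OS CSPRNG, the behaviour a fixed resolver should show."""
    return [struct.unpack("!H", os.urandom(2))[0] for _ in range(n)]


def extract_txids(packets):
    return [struct.unpack("!H", p[:2])[0] for p in packets]


def guess_rate(ids, guesses=8):
    """Fraction of consecutive pairs where id[i+1] is id[i]+1 .. id[i]+guesses
    (mod 2^16): how often one observed ID predicts the next within `guesses`
    tries. A uniform generator gives roughly guesses/65536."""
    hits = 0
    for prev, nxt in zip(ids, ids[1:]):
        if 1 <= (nxt - prev) & 0xFFFF <= guesses:
            hits += 1
    return hits / max(1, len(ids) - 1)


def assess(packets, guesses=8, factor=100):
    """Compare the observed hit rate with the uniform baseline and flag the
    source as weak when it exceeds `factor` times that baseline (constructed
    threshold; a real assessment would use more samples and more tests)."""
    ids = extract_txids(packets)
    observed = guess_rate(ids, guesses)
    baseline = guesses / 65536
    return {"samples": len(ids), "guess_rate": observed,
            "uniform_rate": baseline, "weak": observed > factor * baseline}


if __name__ == "__main__":
    print(assess(make_packets(weak_ids(500))))    # flagged weak
    print(assess(make_packets(strong_ids(500))))  # not flagged
```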
--------------------------------------------------------------------------------

BIND 9: query_addsoa DoS
[Added 2007.04.30]

CVE: CVE-2007-2241

Versions affected:
  BIND 9.4.0
  BIND 9.5.0a1, 9.5.0a2, 9.5.0a3
  [BIND 9.5.0* have only been released to BIND Forum members]

Severity: High
Exploitable: Remotely

Description:
  A sequence of queries can cause a recursive nameserver to exit. While it is
  unlikely these will occur in normal operation, an attack can use them to
  cause the affected versions to exit. This attack is a denial of service, and
  does not allow an attacker to gain control of affected systems.

Workaround:
  Disable recursion ('recursion no;' set in named.conf) if it is not required
  by your configuration.

Fix:
  Upgrade to BIND 9.4.1 or BIND 9.5.0a4.

--------------------------------------------------------------------------------

Name: "BIND 9: dereferencing freed fetch context"
[Added 2007.01.30]

CVE: CVE-2007-0493

Versions affected:
  BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3
  BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1
  BIND 9.5.0a1 (Bind Forum only)

Severity: Low
Exploitable: Remotely

Description:
  It is possible for named to dereference (read) a freed fetch context. This
  can cause named to exit unintentionally.

Workaround:
  Disable / restrict recursion (to limit exposure).

Fix:
  Upgrade to BIND 9.2.8, BIND 9.3.4 or BIND 9.4.0rc2. Additionally this will
  be fixed in the upcoming BIND 9.5.0a2.
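An added helper, not an ISC tool (named-checkconf remains the authoritative parser), that applies the workaround from the allow-query-cache/allow-recursion entry and the 'recursion no;' workaround from the query_addsoa entry above: it extracts the options block of a named.conf and reports which of the explicit ACLs are missing for the recursion setting in force. The two configurations are constructed samples.

```python
import re


def options_block(conf):
    """Return the body of the top-level options { ... } block with comments
    removed, or None if there is no complete block. Braces are matched by
    hand so nested { ... } ACL values do not end the block early."""
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None


def statement(block, name):
    """Value of a `name value;` or `name { ...; };` statement, or None. The
    lookbehind keeps 'recursion' from matching inside 'allow-recursion'."""
    pat = r"(?<![\w-])%s\s+(\{[^}]*\}|[^;{]+?)\s*;" % re.escape(name)
    m = re.search(pat, block)
    return m.group(1).strip() if m else None


def check_recursion_acls(conf):
    """Findings against the workaround: with recursion on (the BIND default),
    allow-recursion and allow-query-cache must be set explicitly; with
    recursion off, allow-query-cache still must be."""
    block = options_block(conf)
    if block is None:
        return ["no complete options block found"]
    findings = []
    recursion = (statement(block, "recursion") or "yes").lower()
    if recursion != "no" and statement(block, "allow-recursion") is None:
        findings.append("allow-recursion not set explicitly")
    if statement(block, "allow-query-cache") is None:
        findings.append("allow-query-cache not set explicitly")
    return findings


# Constructed samples: the first leaves the defaults in place, the second
# applies the workaround from the bulletin.
VULNERABLE_CONF = """
options {
    directory "/var/named";
    recursion yes;   // default
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    recursion yes;   // default
    allow-recursion { localnets; localhost; };
    allow-query-cache { localnets; localhost; };
};
"""

if __name__ == "__main__":
    print("vulnerable:", check_recursion_acls(VULNERABLE_CONF))
    print("hardened:  ", check_recursion_acls(HARDENED_CONF))
```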
--------------------------------------------------------------------------------

Name: "BIND 9: DNSSEC Validation"
[Added 2007.01.30]

CVE: CVE-2007-0494

Versions affected:
  BIND 9.0.x (all versions of BIND 9.0) (at end-of-life)
  BIND 9.1.x (all versions of BIND 9.1) (at end-of-life)
  BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7
  BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3
  BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1,
  9.4.0b2, 9.4.0b3, 9.4.0b4, 9.4.0rc1
  BIND 9.5.0a1 (Bind Forum only)

Severity: Low
Exploitable: Remotely

Description:
  When validating responses to type * (ANY) queries that return multiple
  RRsets in the answer section it is possible to trigger assertion checks. To
  be vulnerable you need to have enabled dnssec validation in named.conf by
  specifying trusted-keys.

Workaround:
  Disable / restrict recursion (to limit exposure).
  Disable DNSSEC validation (remove all trusted-keys from named.conf).

Fix:
  Upgrade to BIND 9.2.8, BIND 9.3.4 or BIND 9.4.0rc2. Additionally this will
  be fixed in the upcoming BIND 9.5.0a2.

Note:
  It is recommended that anyone using DNSSEC upgrade to BIND 9.3 as the
  DNSSEC implementation in BIND 9.2 has been obsoleted.

--------------------------------------------------------------------------------

Name: "BIND: Multiple DoS vulnerabilities"
[Added 2006.09.06]

CVE: CVE-2006-4095, CVE-2006-4096

Versions affected:
  All previous releases of BIND 9.3.x and 9.4.x. See note regarding
  BIND 9.2.x.

Severity: HIGH
Exploitable: Remotely
Type: Denial of Service

Description:
  SIG Query Processing:
    Recursive servers: Queries for SIG records will trigger an assertion
    failure if more than one SIG (covered) RRset is returned. Exposure can be
    minimized by restricting sources that can ask for recursion.

    Authoritative servers: If a nameserver is serving a RFC 2535 DNSSEC zone
    and is queried for the SIG records where there are multiple SIG(covered)
    RRsets (e.g. a zone apex) then named will trigger an assertion failure
    when it tries to construct the response.

  Excessive Recursive Queries INSIST failure:
    It is possible to trigger an INSIST failure by sending enough recursive
    queries that the response to the query arrives after all the clients
    looking for the response have left the recursion queue. Exposure can be
    minimized by restricting sources that can ask for recursion.

  Note for BIND 9.2.x:
    Code handling this path for 9.2.x has been determined to be wrong, though
    ISC has not been able to detect an execution path that would trigger the
    erroneous code in 9.2.x. Nonetheless a patch is provided.

Workarounds: None
Active Exploits: None known

Fix:
  Upgrade to BIND 9.4.0b2, BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1 or
  BIND 9.2.6-P1 (or later).
  http://www.isc.org/sw/bind/

ISC would like to thank The Measurement Factory for bringing this to our
attention.

--------------------------------------------------------------------------------

Name: "BIND: Self Check Failing"
[Added 2005.25.01]

CVE: CVE-2005-0034

Versions affected:
  BIND 9.3.0

Severity: LOW
Exploitable: Remotely
Type: Denial of Service

Description:
  An incorrect assumption in the validator (authvalidated) can result in a
  REQUIRE (internal consistency) test failing and named exiting.

Workarounds:
  Turn off dnssec validation (off by default) at the options/view level:
    dnssec-enable no;

Active Exploits: None known

Fix:
  Upgrade to BIND 9.3.1
  http://www.isc.org/sw/bind/

--------------------------------------------------------------------------------

Name: "BIND: q_usedns array overrun"
[Added 2005.25.01]

CVE: CVE-2005-0033

Versions affected:
  BIND 8.4.4 and 8.4.5 *only*

Severity: LOW
Exploitable: Remotely
Type: Denial of Service

Description:
  It is possible to overrun the q_usedns array which is used to track
  nameservers / addresses that have been queried.

Workarounds:
  Disable recursion and glue fetching.
Active Exploits: None known

Fix:
  Upgrade to BIND 8.4.6
  http://www.isc.org/sw/bind/

--------------------------------------------------------------------------------

Name: "BIND: Negative Cache DOS" A/K/A "negcache"
[Added 2004.02.04]

CVE: CVE-2003-0914

Versions affected:
  All BIND 8 versions prior to 8.4.3, 8.3.7. Except vendor-only releases
  8.1.3, 8.2.2-P8, 8.2.4-P1, 8.2.5-P1.

Severity: SERIOUS
Exploitable: Remotely
Type: Denial of Service

Description:
  An attacker must configure a name server to return authoritative negative
  responses for a given target domain. Then, the attacker must convince a
  victim user to query the attacker's maliciously configured name server.
  When the attacker's name server receives the query, it will reply with an
  authoritative negative response containing a large TTL (time-to-live)
  value. If the victim's site runs a vulnerable version of BIND 8, it will
  cache the negative response and render the target domain unreachable until
  the TTL expires.

Workarounds:
  Disable recursion if possible, or limit recursion to specific clients.

Active Exploits: None known

--------------------------------------------------------------------------------

Name: "BIND: Remote Execution of Code" A/K/A "sigrec"
[Added 2002.11.12]

CVE: CVE-2002-1219

Versions affected:
  BIND 4.9.5 to 4.9.10
  BIND 8.1, 8.2 to 8.2.6, 8.3.0 to 8.3.3

Severity: SERIOUS
Exploitable: Remotely
Type: Possibility to execute arbitrary code.

Description:
  When constructing a response containing SIG records, an incorrect space
  computation allows a write buffer overflow. It is then possible to execute
  code with the privileges of named.

Workarounds:
  Disable recursion if possible, or limit recursion to specific clients.

Active Exploits: None known

ISC would like to thank Internet Security Systems for bringing this to our
attention.
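An added illustration, not code from the bulletin, of the mitigation resolvers apply against the negative-cache DoS described in the "negcache" entry above: the negative TTL is derived from the SOA as RFC 2308 specifies and then capped by the resolver (BIND 9 exposes the cap as max-ncache-ttl, default 3 hours), so an authoritative server cannot pin a "does not exist" answer for years. The cache class, the target name and the clock are constructed; the class mirrors the idea, not BIND's code.

```python
import time

MAX_DNS_TTL = 2**31 - 1  # largest TTL a response can carry (RFC 2181), ~68 years


class NegativeCache:
    """Minimal RFC 2308-style negative cache with a ceiling on how long a
    negative answer may be retained (constructed example)."""

    def __init__(self, max_ncache_ttl=10800, clock=time.time):
        self.max_ncache_ttl = max_ncache_ttl
        self.clock = clock
        self._entries = {}  # (name, qtype) -> absolute expiry time

    def negative_ttl(self, soa_ttl, soa_minimum):
        """RFC 2308: the negative TTL is the lesser of the SOA's own TTL and
        its MINIMUM field; the resolver then clamps it to its own ceiling."""
        return min(soa_ttl, soa_minimum, self.max_ncache_ttl)

    def store_negative(self, name, qtype, soa_ttl, soa_minimum):
        ttl = self.negative_ttl(soa_ttl, soa_minimum)
        self._entries[(name.lower().rstrip("."), qtype)] = self.clock() + ttl
        return ttl

    def is_negative(self, name, qtype):
        key = (name.lower().rstrip("."), qtype)
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self._entries[key]   # expired: drop it lazily
            return False
        return True


def pinning_demo(max_ncache_ttl=10800):
    """A hostile authoritative server answers NXDOMAIN for the target with the
    largest TTL the protocol allows. Returns (ttl actually stored, whether the
    negative entry is still live just over three hours later)."""
    now = [1_000_000]                          # constructed fake clock
    cache = NegativeCache(max_ncache_ttl, clock=lambda: now[0])
    ttl = cache.store_negative("target.example", "A", MAX_DNS_TTL, MAX_DNS_TTL)
    now[0] += 10800 + 1
    return ttl, cache.is_negative("target.example", "A")


if __name__ == "__main__":
    print("with 3h ceiling:   ", pinning_demo(10800))        # (10800, False)
    print("without a ceiling: ", pinning_demo(MAX_DNS_TTL))  # (2147483647, True)
```

The second call models the behaviour the entry describes for vulnerable BIND 8: with no ceiling the bogus negative answer stays cached until the attacker-chosen TTL runs out.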
--------------------------------------------------------------------------------

Name: "BIND: Multiple Denial of Service" A/K/A "DoS_multi"
[Added 2002.11.12]

CVE: CVE-2002-1220, CVE-2002-1221

Versions affected:
  1. BIND 8.3.0 - 8.3.3
  2. BIND 8.2 - 8.2.6, BIND 8.3.0 - 8.3.3

Severity: SERIOUS
Exploitable: Remotely
Type: Possibility to execute arbitrary code.

Description:
  1. When constructing an NXDOMAIN response to an EDNS query with a large UDP
     size it is possible to trigger an assertion.
  2. It is possible to de-reference a NULL pointer for certain signature
     expire values.
  In both cases, the service will shut down.

Workarounds:
  2. Disable recursion if possible.

Active Exploits: None known

ISC would like to thank Internet Security Systems for bringing this to our
attention.

--------------------------------------------------------------------------------

Name: "LIBRESOLV: buffer overrun"
[Added 2002.11.12]

CVE: CVE-2002-0029

Versions affected:
  BIND 4.9.2 to 4.9.10

Severity: SERIOUS
Exploitable: Remotely
Type: Possibility to execute arbitrary code.

Description:
  When looking up network names or addresses (getnetbyname(),
  getnetbyaddr()) there are potential write buffer overflows of stack
  elements.

  THIS DOES NOT AFFECT THE NAMESERVER.
  THIS CAN BE TRANSMITTED THROUGH CACHES.

  BIND 8 is NOT affected.
  BIND 9 is NOT affected.
  BIND 4 up to and including BIND 4.9.1 is NOT affected.

Workarounds:
  None. Upgrade and re-linking required.

  BIND 4 is officially deprecated. Only security fixes will be issued for
  BIND 4.

Active Exploits: None known

--------------------------------------------------------------------------------

Name: "OpenSSL buffer overflow"

Versions affected:
  BIND 9.1.
  BIND 9.2 if built with OpenSSL (configure --with-openssl).

Severity: Medium
Exploitable: Remotely
Type: Potential execution of arbitrary code via buffer overflow.

Description:
  BIND 9.1.x ship with a copy of the vulnerable sections of the OpenSSL
  crypto library (obj_dat.c and asn1_lib.c).
  Vendors shipping product based on BIND 9.1 should contact
  bind9-bugs@isc.org.

  BIND 9.2.x is vulnerable if linked against a vulnerable library. By default
  BIND 9.2 does not link against OpenSSL.

Workarounds:
  Disable DNSSEC validation of responses by commenting out any trusted keys
  in named.conf.

Fix:
  Upgrade BIND 9.1.x to BIND 9.2.1 and/or link with a fixed OpenSSL library,
  e.g. configure --with-openssl=/path/to/fixed/openssl
  Link BIND 9.2.x with a fixed OpenSSL library.

Active Exploits: None known

--------------------------------------------------------------------------------

Name: "libbind buffer overflow"

CVE: CVE-2002-0651

Versions affected:
  All versions of the stub resolver library from BIND 4 prior to 4.9.9.
  All versions of the stub resolver library from BIND 8 prior to 8.2.6.
  The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
  The BIND 8 compatibility stub resolver library (NOT the lwres library) from
  BIND versions 9.2.0, 9.2.1. (Disabled by default in BIND 9, enabled if you
  added --enable-libbind to the configure statement)

Severity: SERIOUS
Exploitable: Remotely
Type: Potential for execution of arbitrary code via buffer overflow.

Description:
  It is possible to construct a response to a DNS query issued by an
  application linked to vulnerable versions of the stub resolver library
  included in the BIND distributions mentioned above that may potentially
  result in a buffer overflow of a few bytes.

  This bug does NOT affect the name server (named) itself, but rather
  applications linked to the resolver library.

  NOTE: Upgrading the name server DOES NOT remove this vulnerability. To
  remove this vulnerability, ALL applications linked to a vulnerable version
  of the stub resolver library must be re-linked with a non-vulnerable
  version. Note that if static libraries were used, the static library must
  be updated and all applications must be relinked. If shared libraries were
  used, then upgrading the shared library will suffice.

Workarounds: None.
Fix:
  Update libbind to a version that is not affected and relink all
  applications that use it.

Active Exploits: None known

--------------------------------------------------------------------------------

Name: "DoS internal consistency check" A/K/A "DoS_findtype"

CVE: CVE-2002-0400

Versions affected:
  All BIND 9 versions prior to 9.2.1

Severity: SERIOUS
Exploitable: Remotely
Type: Denial of Service

Description:
  When chasing additional data chains in a response it is possible to
  trigger an internal consistency check.

Workarounds / fix:
  Upgrade to 9.2.1.

--------------------------------------------------------------------------------

Name: "tsig bug"

CVE: CVE-2001-0010

Versions affected:
  8.2, 8.2-P1, 8.2.1, 8.2.2-P1, 8.2.2-P2, 8.2.2-P3, 8.2.2-P4, 8.2.2-P5,
  8.2.2-P6, 8.2.2-P7, and all 8.2.3-betas

Severity: CRITICAL
Exploitable: Remotely
Type: Access possible.

Description:
  It is possible to overflow a buffer handling TSIG signed queries, thereby
  obtaining access to the system.

Workarounds: None.
Active Exploits: Exploits for this bug exist.

--------------------------------------------------------------------------------

Name: "infoleak"

CVE: CVE-2001-0012

Versions affected:
  4.8, 4.8.3, 4.9.3, 4.9.4, 4.9.5, 4.9.5-P1, 4.9.6, 4.9.7, 8.1, 8.1.1, 8.1.2,
  8.2, 8.2-P1, 8.2.1, 8.2.2-P1, 8.2.2-P2, 8.2.2-P3, 8.2.2-P4, 8.2.2-P5,
  8.2.2-P6, 8.2.2-P7, possibly earlier versions of BIND 4.9.x and BIND 4.9

Severity: MODERATE
Exploitable: Remotely
Type: Information leak.

Description:
  It is possible to construct an inverse query that allows the stack to be
  read remotely, exposing environment variables.

Workarounds: None.
Active Exploits: Exploits for this bug exist.

--------------------------------------------------------------------------------

Name: "complain bug"

CVE: CVE-2001-0011, CVE-2001-0013

Versions affected:
  4.9.3, 4.9.4, 4.9.5, 4.9.5-P1, 4.9.6, 4.9.7, possibly earlier versions of
  BIND 4.9.x and BIND 4.9.
Severity: SERIOUS
Exploitable: Remotely
Type: Stack corruption, possible remote access.

Description:
  It is possible to overflow the buffer used by sprintf in
  nslookupComplain().

Workarounds: None.
Active Exploits: Exploits for this bug exist.

--------------------------------------------------------------------------------

Name: "zxfr bug"

CVE: CVE-2000-0887

Versions affected:
  8.2.2, 8.2.2 patchlevels 1 through 6

Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service

Description:
  A bug in code intended to provide support for the transfer of compressed
  zone files can result in the name server crashing.

Workarounds:
  A partial workaround can be implemented by disallowing zone transfers
  except from trusted hosts. Note that if the trusted hosts are compromised,
  name servers with this bug will be vulnerable to denial of service attacks.

Active Exploits:
  This attack can be implemented using utilities provided with the BIND
  package (named-xfer and dig).

--------------------------------------------------------------------------------

Name: "sigdiv0 bug"

Versions affected:
  8.2, 8.2 patchlevel 1, 8.2.2 patchlevels 1 through 5

Severity: MODERATE
Exploitable: Remotely
Type: Denial of service

Description:
  Improper argument checking while verifying signatures may cause a divide
  by zero error which will cause the name server to crash. This bug can only
  be encountered in signed zones.

Workarounds:
  Do not sign zones for use with servers susceptible to this bug.

Active Exploits:
  ISC is not aware of any active exploits of this bug at this time.

--------------------------------------------------------------------------------

Name: "srv bug"

CVE: CVE-2000-0888

Versions affected:
  8.2, 8.2 patchlevel 1, 8.2.1, 8.2.2, 8.2.2 patchlevels 1 - 6

Severity: SERIOUS
Exploitable: Remotely
Type: Denial of Service

Description:
  A bug in the handling of the compression pointer tables can result in the
  name server entering an infinite loop.
  This bug has been known to occur in the standard processing of SRV records
  used with Windows 2000 Active Directory.

Workarounds: None.

Active Exploits:
  ISC is not aware of any intentional active exploits of this bug at this
  time.

--------------------------------------------------------------------------------

Name: "nxt bug"

CVE: CVE-1999-0833

Versions affected:
  8.2, 8.2 patchlevel 1, 8.2.1

Severity: CRITICAL
Exploitable: Remotely
Type: Access possible

Description:
  A bug in the processing of NXT records can theoretically allow an attacker
  to gain access to the system running the DNS server at whatever privilege
  level the DNS server runs at.

Workarounds: None.

Active Exploits:
  Scripts are available which can implement this attack.

--------------------------------------------------------------------------------

Name: "solinger bug"

CVE: CVE-1999-0837

Versions affected:
  8.1, 8.1.1, 8.1.2, 8.2, 8.2 patchlevel 1, 8.2.1

Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service

Description:
  It is possible to remotely cause BIND to "pause" for intervals of up to 120
  seconds using an abnormal TCP session.

Workarounds:
  In some systems, it is possible to set the system wide SO_LINGER timeout
  to a lower value; however, this may have unexpected consequences with other
  applications.

Active Exploits:
  Scripts are available which can implement this attack.

--------------------------------------------------------------------------------

Name: "fdmax bug"

CVE: CVE-2000-0848

Versions affected:
  8.1, 8.1.1, 8.1.2, 8.2, 8.2 patchlevel 1

Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service

Description:
  A bug in the handling of file descriptors results in a vulnerability that
  will crash the DNS server when more than FD_SETSIZE descriptors are
  consumed.

Workarounds:
  Set { files #; } where # is less than FD_SETSIZE (as typically found in
  /usr/include/sys/select.h) in the "options" section of named.conf.

Active Exploits:
  Scripts are available which can implement this attack.
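The bulletin does not detail the BIND 8 compression-table logic behind the srv bug above. As an added example (not ISC code), the decoder below shows the defensive rule a name parser needs so that compression pointers in a received message, such as those in the SRV records the entry mentions, cannot send it into an infinite loop: every pointer must point strictly backwards, and hop and length budgets are enforced. The wire fragment, offsets and names are constructed.

```python
import struct


class MalformedName(ValueError):
    pass


def read_name(msg, offset, max_pointers=16):
    """Decode a possibly compressed domain name (RFC 1035 4.1.4) at `offset`.
    Returns (labels, offset just past the name as it sits in the message).
    Raises MalformedName instead of looping on hostile pointers."""
    labels, total, hops = [], 0, 0
    pos, resume = offset, None
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:                          # forbids self/forward
                raise MalformedName("pointer does not point backwards")
            hops += 1
            if hops > max_pointers:                    # belt and braces
                raise MalformedName("too many pointer hops")
            if resume is None:
                resume = pos + 2                       # name ends after 1st pointer
            pos = target
            continue
        if length & 0xC0:
            raise MalformedName("reserved label type")
        pos += 1
        if length == 0:                                # root label: done
            return labels, (resume if resume is not None else pos)
        label = msg[pos:pos + length]
        if len(label) != length:
            raise MalformedName("truncated label")
        total += length + 1
        if total + 1 > 255:
            raise MalformedName("name longer than 255 octets")
        labels.append(label.decode("ascii"))
        pos += length


def is_malformed(msg, offset=0):
    try:
        read_name(msg, offset)
        return False
    except MalformedName:
        return True


# Constructed wire fragment (no DNS header; offsets start at 0):
#   0: example.com, uncompressed (13 octets)
#  13: _sip._tcp followed by a pointer to offset 0  -> _sip._tcp.example.com
#  25: pointer to itself                            -> loop
#  27: pointer forward to offset 29                 -> not allowed
#  29: pointer back to offset 27                    -> would close a 2-node loop
SAMPLE = (b"\x07example\x03com\x00"
          + b"\x04_sip\x04_tcp\xc0\x00"
          + b"\xc0\x19"
          + b"\xc0\x1d"
          + b"\xc0\x1b")

if __name__ == "__main__":
    print(read_name(SAMPLE, 0))    # (['example', 'com'], 13)
    print(read_name(SAMPLE, 13))   # (['_sip', '_tcp', 'example', 'com'], 25)
    for off in (25, 27, 29):
        print(off, "malformed" if is_malformed(SAMPLE, off) else "ok")
```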
--------------------------------------------------------------------------------

Name: "sig bug"

CVE: CVE-1999-0835

Versions affected:
  4.9.5, 4.9.5 patchlevel 1, 4.9.6, 8.1, 8.1.1, 8.2, 8.2 patchlevel 1, 8.2.1

Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service

Description:
  Improper validation of SIG record contents can crash the DNS server,
  resulting in a denial of service.

Workarounds: None.

Active Exploits:
  At this time, ISC is unaware of any active exploits of this vulnerability.

--------------------------------------------------------------------------------

Name: "naptr bug"

CVE: CVE-1999-0851

Versions affected:
  4.9.5, 4.9.5 patchlevel 1, 4.9.6, 4.9.7, 4.9.8, 8.1, 8.1.1, 8.1.2, 8.2,
  8.2 patchlevel 1, 8.2.1, 8.2.2, 8.2.2 patchlevel 1

Severity: MINOR
Exploitable: Locally
Type: Denial of service

Description:
  Improper validation of zone data for the NAPTR record being loaded from
  disk can result in the DNS server crashing. Zone data read from the network
  cannot trigger this bug. Given that the privilege level required to modify
  the zone data is typically the same as that of the DNS server, this bug is
  unlikely to result in an exploit unless zone files have unusual
  permissions.

Workarounds:
  Ensure the permission level required to modify zone files is the same as
  or higher than that of the DNS server.

Active Exploits:
  At this time, ISC is unaware of any active exploits of this vulnerability.

--------------------------------------------------------------------------------

Name: "maxdname bug"

CVE: CVE-1999-0849

Versions affected:
  4.9.5, 4.9.5 patchlevel 1, 4.9.6, 4.9.7, 4.9.8, 8.1, 8.1.1, 8.1.2, 8.2,
  8.2 patchlevel 1, 8.2.1, 8.2.2, 8.2.2 patchlevel 1

Severity: MINOR
Exploitable: Remotely
Type: Denial of service

Description:
  The use of sprintf() with data from the network can result in a buffer
  overflow condition which may result in unexpected behavior.
  Because of the placement of the buffer which might be overflowed, it is
  unlikely this bug will result in serious consequences; however, the
  possibility of a remotely triggered server crash cannot be ruled out.

Workarounds: None.

Active Exploits:
  At this time, ISC is unaware of any active exploits of this vulnerability.

--------------------------------------------------------------------------------

BIND Vulnerability matrix

The following table summarizes the vulnerability to the bugs mentioned for
all versions of BIND distributed by ISC. The numbers listed in the first row
are the CVE references (hyperlinked to the CVE website in the original
bulletin) and are also listed in the legend below with a short description.
The "+" marks in the rows below have lost their column alignment; the
per-vulnerability "Versions affected" lists above give the exact mapping.

ver/CVE   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
8.2.0     + + + + + + + + + + + + + + +
8.2.1     + + + + + + + + + + + + + + +
8.2.2     + + + + + + + + + + + +
8.2.3     + + + + + +
8.2.4     + + + + + +
8.2.5     + + + + + +
8.2.6     + + + + +
8.2.7     + + +
8.3.0     + + + + + + +
8.3.1     + + + + + +
8.3.2     + + + + + +
8.3.3     + + + + +
8.3.4     + + +
8.3.5     + + +
8.3.6     + + +
8.3.7     + +
8.4.0     + + + +
8.4.1     + + + +
8.4.2     + + + +
8.4.3     + +
8.4.4     + + + +
8.4.5     + + + +
8.4.6     + +
8.4.7     + +
8.4.7-P1  +
9.0.0     + + +
9.0.1     + + + +
9.1.0     + + + +
9.1.1     + + + +
9.1.2     + + + +
9.1.3     + + + +
9.2.0     + + + + + + + + +
9.2.1     + + + + + + +
9.2.2     + + + + + +
9.2.3     + + + + + +
9.2.4     + + + + + +
9.2.5     + + + + + +
9.2.6     + + + + + +
9.2.7     + + + +
9.2.8     + +
9.2.8-P1  +
9.3.0     + + + + + + + +
9.3.1     + + + + + + +
9.3.2     + + + + + + +
9.3.3     + + + +
9.3.4     + +
9.3.4-P1  +
9.3.5b1   +
9.4.0     + + + +
9.4.1     + + +
9.4.1-P1  +
9.4.2     +
9.5.0a5   + + +
9.5.0a6   +
9.5.0a7   +
9.5.0b1   +

Legend:
   #  CVE number  short description
   0  1999-0833   Buffer overflow via NXT records.
   1  1999-0835   Denial of service via malformed SIG records.
   2  1999-0837   Denial of service by improperly closing TCP sessions via
                  so_linger.
   3  1999-0848   Denial of service of named via consuming more than "fdmax"
                  file descriptors.
   4  1999-0849   Denial of service via maxdname.
   5  1999-0851   Denial of service via naptr.
   6  2000-0887   Denial of service by compressed zone transfer (ZXFR)
                  request.
   7  2000-0888   Denial of service via SRV record.
   8  2001-0010   Buffer overflow in TSIG code allows root privileges.
   9  2001-0011   Buffer overflow in nslookupComplain allows root privileges.
  10  2001-0012   Ability to access sensitive information such as environment
                  variables.
  11  2001-0013   Format string vulnerability in nslookupComplain allows root
                  privileges.
  12  2002-0029   Buffer overflows in resolver library allow execution of
                  arbitrary code.
  13  2002-0400   Denial of service via malformed DNS packet.
  14  2002-0651   Buffer overflow in resolver code may cause a DoS and
                  arbitrary code execution.
  15  2002-1220   Denial of service via request for nonexistent subdomain
                  using large OPT RR.
  16  2002-1221   Denial of service via SIG RR elements with invalid expiry
                  times.
  17  2003-0914   Cache poisoning via negative responses with a large TTL
                  value.
  18  2005-0033   Buffer overflow in recursion and glue code allows denial of
                  service.
  19  2005-0034   Denial of service via crafted DNS packets causing internal
                  self-check to fail.
  20  2006-4095   Denial of service via certain SIG queries that return
                  multiple RRsets.
  21  2006-4096   Denial of service via a flood of recursive queries causing
                  INSIST failure.
  22  2007-0493   Denial of service via unspecified vectors that cause named
                  to "dereference a freed fetch context."
  23  2007-0494   Denial of service via ANY query response containing
                  multiple RRsets.
  24  2007-2241   Sequence of queries can cause a recursive nameserver to
                  exit.
  25  2007-2925   allow-query-cache/allow-recursion default acls not set.
  26  2007-2926   cryptographically weak query ids
  27  2007-2930   cryptographically weak query ids (BIND 8)
  28  2008-0122   inet_network() off-by-one buffer overflow

[****** End BIND Bulletin Here ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Internet Systems Consortium
for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-121: Linux Kernel VFS Vulnerability
S-122: Cisco Unified Communications Manager CTL Provider Vulnerability
S-123: xorg-x11-server Security Update
S-124: XFree86 Security Update
S-125: Citrix Presentation Server IMA Vulnerability
S-126: Members Area System 'view_func.php' Vulnerability
S-127: GradMan 'info.php' Vulnerability
S-128: AcuraCMS 'stat.php' Vulnerability
S-129: Mantis Vulnerability
S-130: ELOG Vulnerabilities