[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : CERT Advisory CA-2000-20 Mulitple Denial-of-Service Problems in ISC BIND

Title: CERT Advisory CA-2000-20 Mulitple Denial-of-Service Problems in ISC BIND
Released by: CERT
Date: 13th November 2000
Printable version: Click here


-----BEGIN PGP SIGNED MESSAGE-----



CERT Advisory CA-2000-20 Mulitple Denial-of-Service Problems in ISC BIND



   Original release date: November 13, 2000

   Source: CERT/CC

   

   A complete revision history is at the end of this file.

   

Systems Affected



     * Systems running Internet Software Consortium (ISC) BIND version

       8.2 through 8.2.2-P6

     * Systems running name servers derived from BIND version 8.2 through

       8.2.2-P6

       

Overview



   The CERT Coordination Center has recently learned of two serious

   denial-of-service vulnerabilities in the Internet Software

   Consortium's (ISC) BIND software.

   

   The first vulnerability is referred to by the ISC as the "zxfr bug"

   and affects ISC BIND version 8.2.2, patch levels 1 through 6. The

   second vulnerability, the "srv bug", affects ISC BIND versions 8.2

   through 8.2.2-P6. Derivatives of the above code sets should also be

   presumed vulnerable unless proven otherwise.

   

I. Description



   The Internet Software Consortium, the maintainer of BIND, the software

   used to provide domain name resolution services, has recently posted

   information about several denial-of-service vulnerabilities. If

   exploited, any of these vulnerabilities could allow remote intruders

   to cause site DNS services to be stopped.

   

   For more information about these vulnerabilities and others, please

   see

   

   http://www.isc.org/products/BIND/bind-security.html

          

   Two vulnerabilities in particular have been categorized by both the

   ISC and the CERT/CC as being serious.

   

The "zxfr bug"



   Using this vulnerability, attackers on sites which are permitted to

   request zone transfers can force the named daemon running on

   vulnerable DNS servers to crash, disrupting name resolution service

   until the named daemon is restarted. The only preconditions for this

   attack to succeed is that a compressed zone transfer (ZXFR) request be

   made from a site allowed to make any zone transfer request (not just

   ZXFR), and that a subsequent name service query of an authoritative

   and non-cached record be made. The time between the attack and the

   crash of named may vary from system to system.

   

   This vulnerability has been discussed in public forums. The ISC has

   confirmed that all platforms running version 8.2.2 of the BIND

   software prior to patch level 7 are vulnerable to this attack.

   

The "srv bug"



   This vulnerability can cause affected DNS servers running named to go

   into an infinite loop, thus preventing further name requests to be

   handled. This can happen if an SRV record (defined in RFC2782) is sent

   to the vulnerable server.

   

   Microsoft's Windows 2000 Active Directory service makes extensive use

   of SRV records and is reportedly capable of triggering this bug in the

   course of normal operations. This is not, however, a vulnerability in

   Microsoft Active Directory. Any network client capable of sending SRV

   records to vulnerable name server systems can exercise this

   vulnerability.

   

   The CERT/CC has not received any direct reports of either of these

   vulnerabilities being exploited to date.

   

   Both vulnerabilities can be used by malicious users to break the DNS

   services being offered at all exposed sites on the Internet. System

   administrators are strongly recommended to upgrade their DNS software

   with either ISC's current distribution or their vendor-supplied

   software. See the Solution and Vendor Information sections of this

   document for more details.

   

II. Impact



   Domain name resolution services (DNS) can be disabled on affected

   servers from arbitrary remote hosts.

   

III. Solution



Apply a patch from your vendor



   The CERT/CC recommends that all users of ISC BIND upgrade to the

   recently-released BIND 8.2.2-P7, which patches both of the

   vulnerabilities discussed in this document. Sites running

   vendor-specific distributions of domain name resolution software

   should check the Vendor Information section below for more specific

   information on how to upgrade to non-vulnerable software.

   

Restrict zone transfers to trusted hosts



   If it is not possible to immediately upgrade systems affected by the

   "zxfr bug", the ISC suggests not allowing zone transfers from

   untrusted hosts. This action, however, will not mitigate against the

   effects of an attack using the "srv bug".

   

   Although it has been reported that not allowing recursive queries may

   help mitigate against the "zxfr" vulnerability, ISC has indicated that

   this is not the case.

   

Appendix A. Vendor Information



The Internet Software Consortium



   For the latest information regarding these vulnerabilities, please

   consult the ISC web site at:

   

   http://www.isc.org/products/BIND/bind-security.html

          

Caldera



   Our advisory will be available [at]:

   

   http://www.calderasystems.com/support/security/advisories/CSSA-2000-040.0.txt

          

   Updated packages will be available from

   OpenLinux Desktop 2.3

   http://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current

   9d8429f25c5fb3bebe2d66b1f9321e61 RPMS/bind-8.2.2p7-1.i386.rpm

   0e958eb01f40826f000d779dbe6b8cb3 RPMS/bind-doc-8.2.2p7-1.i386.rpm

   866ff74c77e9c04a6abcddcc11dbe17b RPMS/bind-utils-8.2.2p7-1.i386.rpm

   6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

   OpenLinux eServer 2.3

   http://ftp.calderasystems.com/pub/updates/eServer/2.3/current

   379c4328604b4491a8f3d0de44e42347 RPMS/bind-8.2.2p7-1.i386.rpm

   b428b824c8b67f2d8d4bf53738a3e7e0 RPMS/bind-doc-8.2.2p7-1.i386.rpm

   28311d630281976a870d38abe91f07fb RPMS/bind-utils-8.2.2p7-1.i386.rpm

   6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

   OpenLinux eDesktop 2.4

   http://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current

   c37b6673cc9539e592013ac114846940 RPMS/bind-8.2.2p7-1.i386.rpm

   bbe0d7e317fde0d47cba1384f6d4b635 RPMS/bind-doc-8.2.2p7-1.i386.rpm

   5c28dd5641a4550c03e9859d945a806e RPMS/bind-utils-8.2.2p7-1.i386.rpm

   6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

   

Compaq Computer Corporation



   SOURCE: Compaq Computer Corporation

   Compaq Services

   Software Security Response Team USA

   

   Compaq Tru64/UNIX Operating Systems Software are not vulnerable to

   these reported problems.

   

Conectiva



   Please see Conectiva Linux Security Announcement CLSA-2000:339 at:

   

   http://listserv.securityportal.com/SCRIPTS/WA-SECURITYPORTAL.EXE?A1=ind0011&L=linux-security#27

          

   Note: Conectiva Linux Security Announcement CLSA-2000:338, also

   regarding this issue, had a packaging error in it. Users who

   downloaded updates based on CLSA-2000:338 should see CLSA-2000:339 for

   further information.

   

Debian



   Please see Debian Security notice 20001112, bind at:

   

   http://www.debian.org/security/2000/20001112

          

FreeBSD



   All versions of FreeBSD after 4.0-RELEASE (namely 4.1-RELEASE,

   4.1.1-RELEASE and the forthcoming 4.2-RELEASE) are not vulnerable to

   this bug since they include versions of BIND 8.2.3. FreeBSD

   4.0-RELEASE and earlier are vulnerable to the reported problems since

   they include an older version of BIND, and an update to a

   non-vulnerable version is scheduled to be committed to FreeBSD

   3.5.1-STABLE in the next few days.

   

Hewlett-Packard



   HP is vulnerable to these problems and is working to correct them.

   

MandrakeSoft



   Please see "MDKSA-2000:067: bind" at:

   

   http://www.linux-mandrake.com/en/security/MDKSA-2000-067.php3

          

Microsoft Corporation



   Microsoft is currently investigating these issues.

   

NetBSD



   NetBSD is believed to be vulnerable to these problems; in response,

   NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7 will be

   present in the forthcoming NetBSD 1.5 release.

   

RedHat



   Please see "RHSA-2000:107-01: Updated bind packages fixing DoS

   attack", soon to be available at:

   

   http://www.redhat.com/support/errata/

          

Slackware



   Updated Slackware distributions for bind may be found at:

   

   http://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz



   ______________________________________________________________________   



   The CERT Coordination Center thanks Mark Andrews, David Conrad, and

   Paul Vixie of the ISC for developing a solution and assisting in the

   preparation of this advisory. We would also recognize the contribution

   of Olaf Kirch in helping us understand the exact nature of the "zxfr

   bug" vulnerability.

   ______________________________________________________________________



   Author: This document was written by Jeffrey S. Havrilla and Jeffrey

   P. Lanza. Feedback on this advisory is appreciated.

   ______________________________________________________________________

   

   This document is available from:

   http://www.cert.org/advisories/CA-2000-20.html

   ______________________________________________________________________

   

CERT/CC Contact Information



   Email: cert@cert.org

          Phone: +1 412-268-7090 (24-hour hotline)

          Fax: +1 412-268-6989

          Postal address:

          CERT Coordination Center

          Software Engineering Institute

          Carnegie Mellon University

          Pittsburgh PA 15213-3890

          U.S.A.

          

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)

   Monday through Friday; they are on call for emergencies during other

   hours, on U.S. holidays, and on weekends.

   

Using encryption



   We strongly urge you to encrypt sensitive information sent by email.

   Our public PGP key is available from

   

   http://www.cert.org/CERT_PGP.key

       

   If you prefer to use DES, please call the CERT hotline for more

   information.

   

Getting security information



   CERT publications and other security information are available from

   our web site

   

   http://www.cert.org/

       

   To subscribe to the CERT mailing list for advisories and bulletins,

   send email to majordomo@cert.org. Please include in the body of your

   message

   

   subscribe cert-advisory

   

   * "CERT" and "CERT Coordination Center" are registered in the U.S.

   Patent and Trademark Office.

   ______________________________________________________________________

   

   NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software

   Engineering Institute is furnished on an "as is" basis. Carnegie

   Mellon University makes no warranties of any kind, either expressed or

   implied as to any matter including, but not limited to, warranty of

   fitness for a particular purpose or merchantability, exclusivity or

   results obtained from use of the material. Carnegie Mellon University

   does not make any warranty of any kind with respect to freedom from

   patent, trademark, or copyright infringement.

   _________________________________________________________________

   

   Conditions for use, disclaimers, and sponsorship information

   

   Copyright 2000 Carnegie Mellon University.

   

   Revision History

   November 13, 2000:  Initial release





-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQCVAwUBOhBkogYcfu8gsZJZAQHhKQP+Pd9/Qay+mubBlOQxVXPtfm5JmKj8dYfJ

DnxcIT9qXQFUrq1nVs48fLYhwNtA/fisjZKY6KMkYaw+r+nJVYMz1veP+//sVo7P

GDBMPUyrWmAGXVfUfIS3zjfWybqCm5+u4a4jDCWTy+n0oSyZ3ExBRPIZbPn1rUL5

RcqWcCJU5uY=

=jikH

-----END PGP SIGNATURE-----








(C) 1999-2000 All rights reserved.