BIND remotely exploitable buffer overflow
31st January 2001
FreeBSD-SA-01:18 Security Advisory
Topic: BIND remotely exploitable buffer overflow
Category: core, ports
Credits: COVERT Labs
Affects: All released versions of FreeBSD 3.x, 4.x.
         FreeBSD 3.5-STABLE prior to the correction date.
         FreeBSD 4.2-STABLE prior to the correction date.
         Ports collection prior to the correction date.
Corrected: 2001-01-30 (FreeBSD 3.5-STABLE)
           2001-01-29 (FreeBSD 4.2-STABLE)
           2001-01-29 (Ports collection)
Vendor status: Updated version released
FreeBSD only: NO
I. Background
BIND is an implementation of the Domain Name Service (DNS) protocols.
II. Problem Description
An overflowable buffer related to the processing of transaction
signatures (TSIG) exists in all versions of BIND prior to
8.2.3-RELEASE. The vulnerability is exploitable regardless of
configuration options and affects both recursive and non-recursive DNS
Additional vulnerabilities allow the leaking of environment variables
and the contents of the program stack. These vulnerabilities may
assist attackers in exploiting the primary vulnerability described
above, and may provide additional information about the state or
configuration of the system.
All previous versions of BIND 8, such as the beta versions included in
FreeBSD 4.x prior to the correction date (designated the version
number BIND 8.2.3-T<#>B) are vulnerable to this problem. Systems
running versions of BIND 9.x (available in the FreeBSD ports
collection) are unaffected.
Further information about the vulnerabilities is contained in the CERT
advisory located at:
Note that this advisory also describes vulnerabilities in the BIND 4.x
software, which is not included in any recent version of FreeBSD.
All versions of FreeBSD 3.x and 4.x prior to the correction date,
including 3.5.1-RELEASE and 4.2-RELEASE, are vulnerable to this
problem if they have been configured to run named (this is not enabled
by default). In addition, the bind8 port in the ports collection
(versions prior to 8.2.3) is also vulnerable.
To check whether a DNS server is running a vulnerable version of BIND,
perform the following command as any user:
% dig @serverip version.bind. CHAOS TXT
The following segment of output indicates a non-vulnerable server
running BIND 8.2.3-RELEASE:
;; ANSWER SECTION:
VERSION.BIND. 0S CHAOS TXT "8.2.3-REL"
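As an added example (not part of the advisory), a small Python checker that parses the dig answer shown above and classifies the reported version under the advisory's rules; the sample dig output is constructed, and "serverip" stands for whichever server you query.

```python
import re

# Constructed sample of `dig @serverip version.bind. CHAOS TXT` output
# (not captured from a real server); the answer here is a pre-8.2.3 release.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
VERSION.BIND. 0S CHAOS TXT "8.2.2-P7"
"""

VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.-]+))?$')
FIXED = (8, 2, 3)  # first non-vulnerable BIND 8 release is 8.2.3-REL

def extract_version(dig_output):
    """Return the quoted TXT string from the version.bind answer, or None."""
    for line in dig_output.splitlines():
        fields = line.split()
        if (len(fields) >= 5 and fields[0].upper() == "VERSION.BIND."
                and fields[3] == "TXT" and '"' in line):
            return line.split('"', 2)[1]
    return None

def classify(version):
    """Classify a BIND version string per the advisory: every BIND 8 release
    before 8.2.3-REL, including the 8.2.3-T<#>B betas shipped in FreeBSD 4.x,
    is 'vulnerable'; 8.2.3-REL and later is 'fixed'; BIND 9 is 'unaffected';
    anything else (BIND 4, or a string the admin overrode) is 'unknown'."""
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    tag = (m.group(4) or "").upper()
    if major == 9:
        return "unaffected"
    if major != 8:
        return "unknown"
    if (major, minor, patch) < FIXED:
        return "vulnerable"
    if (major, minor, patch) == FIXED and tag.startswith("T"):
        return "vulnerable"  # 8.2.3-T6B style beta, still vulnerable
    return "fixed"

def check(dig_output):
    """Return (version string or None, classification) for one dig run."""
    version = extract_version(dig_output)
    return (version, classify(version) if version else "unknown")

if __name__ == "__main__":
    print(check(SAMPLE_DIG_OUTPUT))
```

A server whose named.conf sets the `version` option reports whatever the administrator chose, so an "unknown" or unexpected string is not evidence of safety; the installed package or binary is the authoritative check.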
III. Impact
Malicious remote users can cause arbitrary code to be executed as the
user running the named daemon. This is often the root user, although
FreeBSD provides built-in support for the execution of named as an
unprivileged 'bind' user, which greatly limits the scope of the
vulnerability should a successful penetration take place.
IV. Workaround
There is no known practical workaround to prevent the vulnerability
from being exploited, short of upgrading the software. A partial
workaround to limit the impact of the vulnerability should it be
exploited is to run named as an unprivileged user.
Add the following line to /etc/rc.conf:
named_flags="-u bind -g bind" # Flags for named
Add the following line to your /etc/namedb/named.conf file, in the
See the named.conf(5) manual page for more details about configuring
Perform the following commands as root:
Create a directory writable by the bind user where named can store its
# mkdir /var/named
# chown bind:bind /var/named
Shut down the DNS server:
# ndc stop
Restart it using the non-privileged user and group:
# ndc -p /var/named/named.pid start -u bind -g bind
Note that when not running as the root user, named will lose the
ability to re-bind to interfaces which change address, or which are
added to the system after named has been started. If such an event
takes place, named will need to be stopped and restarted in order to
re-bind to the interface(s). See the ndc(8) manual page for more
information about how to do this.
Use of the -t option to named will also increase security when run as
a non-privileged user by confining the named process to a chroot
environment and thereby partially limiting the access it has to the
rest of the system. Configuration of these options is beyond the
scope of the advisory. The following website contains information
which may be useful to administrators wishing to perform this step:
Note that this tutorial does not specifically relate to FreeBSD, and
the information contained therein may need to be modified for FreeBSD
Note that such a penetration of the unprivileged bind user may still
allow the attacker to take advantage of a local security vulnerability
or misconfiguration to further increase privileges. Therefore this
should only be considered a temporary workaround while preparations
can be made to upgrade permanently.
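As an added example (not from the advisory), a Python audit of the workaround above: it reads named_flags from rc.conf text, confirms -u/-g (and optionally -t) are set, and flags any named process still running as root in `ps -axo user,pid,command` output. The rc.conf and ps samples are constructed.

```python
import re
import shlex

# Constructed sample inputs, not taken from a real system: an rc.conf that
# sets the workaround flags, and `ps -axo user,pid,command` output in which
# one named instance (PID 214) was started before the flags were applied.
RC_CONF = 'named_enable="YES"\nnamed_flags="-u bind -g bind"   # Flags for named\n'
PS_OUTPUT = """\
USER PID COMMAND
root 214 /usr/sbin/named
bind 215 /usr/sbin/named -u bind -g bind
root 300 /usr/sbin/syslogd
"""

def named_flags_from_rc(rc_text):
    """Return the named_flags value from rc.conf text, '' if unset."""
    for line in rc_text.splitlines():
        m = re.match(r'\s*named_flags\s*=\s*"([^"]*)"', line)
        if m:
            return m.group(1)
    return ""

def parse_named_flags(flags):
    """Extract -u user, -g group and -t chroot dir from a named flag string."""
    args, out = shlex.split(flags), {"user": None, "group": None, "chroot": None}
    for opt, key in (("-u", "user"), ("-g", "group"), ("-t", "chroot")):
        if opt in args and args.index(opt) + 1 < len(args):
            out[key] = args[args.index(opt) + 1]
    return out

def named_processes(ps_text):
    """Yield (user, pid) for each named process in ps output (header skipped)."""
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and re.search(r'(^|/)named(\s|$)', parts[2]):
            yield parts[0], parts[1]

def audit(rc_text, ps_text):
    """Return findings; an empty list means the workaround is fully in place."""
    findings = []
    cfg = parse_named_flags(named_flags_from_rc(rc_text))
    if cfg["user"] in (None, "root"):
        findings.append("rc.conf: named_flags lacks -u <unprivileged user>")
    if cfg["chroot"] is None:
        findings.append("rc.conf: no -t chroot directory (optional extra hardening)")
    for user, pid in named_processes(ps_text):
        if user == "root":
            findings.append("pid %s: named running as root; stop it with ndc and "
                            "restart with -u bind -g bind" % pid)
    return findings
```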
It is recommended that all affected users upgrade their systems
immediately as described in the following section.
V. Solution
Note that BIND 8.2.3-RELEASE is more strict about invalid zone file
syntax than older versions. DNS zones which contain errors may need
to be corrected before the new version can be run.
Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.
A binary tarball containing the updated BIND files may be released in
a few days, but is being held back for quality assurance reasons. In
the meantime an unofficial tarball is available from the following
location. Users are advised that the following tarball has not been
tested on a production system, and those wishing to perform an upgrade
without upgrading the entire OS are advised to use the bind8 port as
To fetch and install it, perform the following actions as root:
# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc
Verify the detached PGP signature using your PGP utility.
# cd /
# tar xvfz /path/to/bind-8.2.3-4.x.tgz
Stop and restart the named process as shown:
# ndc restart
See the note in the previous section about how to restart named via
ndc as a non-privileged user if it has been configured to run that way.
If you have chosen to install BIND from the ports collection and are
using it instead of the version in the base system, perform one of the
1) Update your entire ports collection and rebuild the bind8 port.
If you are installing the port for the first time, be sure to edit the
named_program variable in /etc/rc.conf to point to the installed
location of the named executable.
The bind8 port can be configured to install itself in /usr and read
configuration data from /etc so that it is drop-in compatible with the
system version of BIND. Install the port as follows:
# cd /usr/ports/net/bind8
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
DESTRUN=/var/run all install clean
If you install the BIND port over the top of the system version in
this way, be sure to add the following line to /etc/make.conf to
prevent the future rebuilding of the system version during 'make
NO_BIND= true # do not build BIND
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
NOTE: It may be several days before updated packages are available.
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) Download a new port skeleton for the bind8 port from:
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from: