CERT Advisory <cert-advisory@cert.org> writes:
> CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
> 
>    Original release date: January 29, 2001
>    Last revised: --
>    Source: CERT/CC
> 
>    A complete revision history can be found at the end of this file.
> 
> Systems Affected
> 
>    Domain Name System (DNS) Servers running various versions of ISC BIND
>    (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is
>    not affected) and derivatives. Because the normal operation of most
>    services on the Internet depends on the proper operation of DNS
>    servers, other services could be impacted if these vulnerabilities are
>    exploited.
> 
> Overview
> 
>    The CERT/CC has recently learned of four vulnerabilities spanning
>    multiple versions of the Internet Software Consortium's (ISC) Berkeley
>    Internet Name Domain (BIND) server. BIND is an implementation of the
>    Domain Name System (DNS) that is maintained by the ISC. Because the
>    majority of name servers in operation today run BIND, these
>    vulnerabilities present a serious threat to the Internet
>    infrastructure.
> 
>    Three of these vulnerabilities (VU#196945, VU#572183, and VU#868916)
>    were discovered by the COVERT Labs at PGP Security, who have posted an
>    advisory regarding these issues at
> 
>           http://www.pgp.com/research/covert/advisories/047.asp
> 
>    The fourth vulnerability (VU#325431) was discovered by Claudio
>    Musmarra.
> 
>    The Internet Software Consortium has posted information about all four
>    vulnerabilities at
> 
>           http://www.isc.org/products/BIND/bind-security.html
> 
> I. Description
> 
>    VU#196945 - ISC BIND 8 contains buffer overflow in transaction
>    signature (TSIG) handling code
> 
>    During the processing of a transaction signature (TSIG), BIND 8 checks
>    for the presence of TSIGs that fail to include a valid key. If such a
>    TSIG is found, BIND skips normal processing of the request and jumps
>    directly to code designed to send an error response. Because the
>    error-handling code initializes variables differently than in normal
>    processing, it invalidates the assumptions that later function calls
>    make about the size of the request buffer.
> 
>    Once these assumptions are invalidated, the code that adds a new
>    (valid) signature to the responses may overflow the request buffer and
>    overwrite adjacent memory on the stack or the heap. When combined with
>    other buffer overflow exploitation techniques, an attacker can gain
>    unauthorized privileged access to the system, allowing the execution
>    of arbitrary code. 
> 
>    VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
> 
>    The vulnerable buffer is a locally defined character array used to
>    build an error message intended for syslog. Attackers attempting to
>    exploit this vulnerability could do so by sending a specially
>    formatted DNS query to affected BIND 4 servers. If properly
>    constructed, this query could be used to disrupt the normal operation
>    of the DNS server process, resulting in either denial of service or
>    the execution of arbitrary code. 
> 
>    VU#868916 - ISC BIND 4 contains input validation error in
>    nslookupComplain()
> 
>    The vulnerable buffer is a locally defined character array used to
>    build an error message intended for syslog. Attackers attempting to
>    exploit this vulnerability could do so by sending a specially
>    formatted DNS query to affected BIND 4 servers. If properly
>    constructed, this query could be used to disrupt the normal operation
>    of the DNS server process, resulting in the execution of arbitrary
>    code.
> 
>    This vulnerability was patched by the ISC in an earlier version of
>    BIND 4, most likely BIND 4.9.5-P1. However, there is strong evidence
>    to suggest that some third party vendors who redistribute BIND 4 have
>    not included these changes in their BIND packages. Therefore, the
>    CERT/CC recommends that all users of BIND 4 or its derivatives base
>    their distributions on BIND 4.9.8. 
> 
>    VU#325431 - Queries to ISC BIND servers may disclose environment
>    variables
> 
>    This vulnerability is an information leak in the query processing code
>    of both BIND 4 and BIND 8 that allows a remote attacker to access the
>    program stack, possibly exposing program and/or environment variables.
>    This vulnerability is triggered by sending a specially formatted query
>    to vulnerable BIND servers.
> 
> II. Impact
> 
>    VU#196945 - ISC BIND 8 contains buffer overflow in transaction
>    signature (TSIG) handling code
> 
>    This vulnerability may allow an attacker to execute code with the same
>    privileges as the BIND server. Because BIND is typically run by a
>    superuser account, the execution would occur with superuser
>    privileges. 
> 
>    VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
> 
>    This vulnerability can disrupt the proper operation of the BIND server
>    and may allow an attacker to execute code with the privileges of the
>    BIND server. Because BIND is typically run by a superuser account, the
>    execution would occur with superuser privileges. 
> 
>    VU#868916 - ISC BIND 4 contains input validation error in
>    nslookupComplain()
> 
>    This vulnerability may allow an attacker to execute code with the
>    privileges of the BIND server. Because BIND is typically run by a
>    superuser account, the execution would occur with superuser
>    privileges. 
> 
>    VU#325431 - Queries to ISC BIND servers may disclose environment
>    variables
> 
>    This vulnerability may allow attackers to read information from the
>    program stack, possibly exposing environment variables. In addition,
>    the information obtained by exploiting this vulnerability may aid in
>    the development of exploits for VU#572183 and VU#868916.
> 
> III. History
> 
>    Since 1997, the CERT/CC has published twelve documents describing
>    vulnerabilities or exploitation of vulnerabilities in BIND with
>    information and advice on upgrading and preventing compromises.
>    Unfortunately, many system and network administrators still have not
>    upgraded their versions of BIND, making them susceptible to a number
>    of vulnerabilities. Prior vulnerabilities in BIND have been widely
>    exploited by intruders.
> 
>    For example, on November 10, 1999, the CERT/CC published CA-1999-14,
>    which detailed multiple vulnerabilities in BIND. The CERT/CC continued
>    to receive reports of compromises based on those vulnerabilities
>    through December 2000. On April 8, 1998, the CERT/CC published
>    CA-1998-05; reports of compromises based on the vulnerabilities
>    described therein continued through November of 1998.
> 
>    The following graph shows the number of incidents reported to the
>    CERT/CC regarding BIND NXT record (VU#16532) exploits after the
>    publication of CA-1999-14:
> 
>        Incidents By Month Involving the BIND NXT Record Vulnerability
>                                 (VU#16532) 
> 
>    Based on this past experience, the CERT/CC expects that intruders will
>    quickly begin developing and using intruder tools to compromise
>    machines. It is important for IT and security managers to ensure that
>    their organizations are properly protected before the expected
>    wide-spread exploitation happens.
> 
> Exploitation
> 
>    The vulnerabilities described in VU#196945, VU#572183, and VU#868916
>    have been successfully exploited by COVERT Labs in a laboratory
>    environment. To the best of our knowledge, no exploits have been
>    released to the public.
> 
> IV. Solution
> 
> Apply a patch from your vendor
> 
>    The ISC has released BIND versions 4.9.8 and 8.2.3 to address these
>    security issues. The CERT/CC recommends that users of BIND 4.9.x or
>    8.2.x upgrade to BIND 4.9.8, BIND 8.2.3, or BIND 9.1.
> 
>    Because BIND 4 is no longer actively maintained, the ISC recommends
>    that users affected by this vulnerability upgrade to either BIND 8.2.3
>    or BIND 9.1. Upgrading to one of these versions will also provide
>    functionality enhancements that are not related to security.
> 
>    The BIND 4.9.8 and 8.2.3 distributions can be downloaded from
> 
>           ftp://ftp.isc.org/isc/bind/src/
> 
>    The BIND 9.1 distribution can be downloaded from
> 
>           ftp://ftp.isc.org/isc/bind9/
> 
>    Appendix A contains information supplied by ISC and distributors of
>    BIND. Depending on your local processes, procedures, and expertise,
>    you may wish to obtain updates from the ISC or from an operating
>    system vendor who redistributes BIND.
> 
> Use Strong Cryptography to Authenticate Services
> 
>    Services and transactions that rely exclusively on the DNS system for
>    authentication are inherently weak. We encourage organizations to use
>    strong cryptography to authenicate services and transactions where
>    possible. One common use of strong cryptography is the use of SSL in
>    authenticating and encrypting electronic commerce transactions over
>    the web. In addition to this use, we encourage organizations to use
>    SSL, PGP, S/MIME, SSH, and other forms of strong cryptography to
>    distribute executable content, secure electronic mail, distribute
>    important information, and protect the confidentiality of all kinds of
>    data traversing the Internet.
> 
> Use Split Horizon DNS to Minimize Impact
> 
>    It may also be possible to minimize the impact of the exploitation of
>    these vulnerabilities by configuring your DNS environment to separate
>    DNS servers used for the public dissemination of information about
>    your hosts from the DNS servers used by your internal hosts to connect
>    to other hosts on the Internet. Frequently, different security polices
>    can be applied to these servers such that even if one server is
>    compromised the other server will continue to function normally. Split
>    horizon DNS configuration may also have other security benefits.
> 
> References
> 
>    To read more about the vulnerabilities described in this document,
>    please visit the CERT/CC Vulnerability Notes Database:
> 
>    VU#196945 - ISC BIND 8 contains buffer overflow in transaction
>           signature (TSIG) handling code
>           http://www.kb.cert.org/vuls/id/196945
> 
>    VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
>           http://www.kb.cert.org/vuls/id/572183
> 
>    VU#868916 - ISC BIND 4 contains input validation error in
>           nslookupComplain()
>           http://www.kb.cert.org/vuls/id/868916
> 
>    VU#325431 - Queries to ISC BIND servers may disclose environment
>           variables
>           http://www.kb.cert.org/vuls/id/325431
> 
>    To cross-reference CERT/CC VU numbers with other vendor documents via
>    CVE, please visit
> 
>    VU#196945 - ISC BIND 8 contains buffer overflow in transaction
>           signature (TSIG) handling code
>           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0010
> 
>    VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
>           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0011
> 
>    VU#868916 - ISC BIND 4 contains input validation error in
>           nslookupComplain()
>           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0013
> 
>    VU#325431 - Queries to ISC BIND servers may disclose environment
>           variables
>           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0012
> 
>    For information on historical issues involving BIND vulnerabilities
>    and compromises, please visit
> 
>    CERT Advisory CA-2000-20 Multiple Denial-of-Service Problems in ISC
>           BIND
>           http://www.cert.org/advisories/CA-2000-20.html
> 
>    CERT Advisory CA-2000-03 Continuing Compromises of DNS servers
>           http://www.cert.org/advisories/CA-2000-03.html
> 
>    CERT Advisory CA-1999-14 Multiple Vulnerabilities in BIND
>           http://www.cert.org/advisories/CA-1999-14.html
> 
>    CERT Advisory CA-1998-05 Multiple Vulnerabilities in BIND
>           http://www.cert.org/advisories/CA-1998-05.html
> 
>    CERT Advisory CA-1997-22 BIND - The Berkeley Internet Name Daemon
>           http://www.cert.org/advisories/CA-1997-22.html
> 
>    CERT Summary CS-2000-02
>           http://www.cert.org/summaries/CS-2000-02.html
> 
>    CERT Summary CS-2000-01
>           http://www.cert.org/summaries/CS-2000-01.html
> 
>    CERT Summary CS-1999-04
>           http://www.cert.org/summaries/CS-99-04.html
> 
>    CERT Summary CS-1998-07
>           http://www.cert.org/summaries/CS-98.07.html
> 
>    CERT Summary CS-1998-06
>           http://www.cert.org/summaries/CS-98.06.html
> 
>    CERT Summary CS-1998-05
>           http://www.cert.org/summaries/CS-98.05.html
> 
>    CERT Summary CS-1998-04
>           http://www.cert.org/summaries/CS-98.04.html
> 
>    For more information on transaction signatures, please visit
> 
>    RFC 2535: Domain Name System Security Extensions
>           http://www.ietf.org/rfc/rfc2535.txt
> 
>    RFC 2845: Secret Key Transaction Authentication for DNS (TSIG)
>           http://www.ietf.org/rfc/rfc2845.txt
> 
> Appendix A. - Vendor Information
> 
>    This appendix contains information provided by vendors for this
>    advisory. When vendors report new information to the CERT/CC, we
>    update this section and note the changes in our revision history. If a
>    particular vendor is not listed below, we have not received their
>    comments.
> 
> Caldera Systems
> 
>    OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable.
> 
>    Update packages will be provided at
> 
>           ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3
>           ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3
>           ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4
> 
> Compaq Computer Corporation
> 
> COMPAQ COMPUTER CORPORATION
> -------------------------------------------------------------------------------
> -----
>  VU#325431  INFOLEAK
> -------------------------------------------------------------------------------
> -----
>  Compaq Tru64 UNIX V5.1 and V5.0 *evaluation incomplete
>  Compaq Tru64 UNIX V4.0D/F/G      *evaluation incomplete
> 
> -------------------------------------------------------------------------------
> -----
>  VU#572183 - buffer overflow in nslookupComplain()
>  VU#868916 - input validation error in nslookupComplain()
> -------------------------------------------------------------------------------
> -----
>  Compaq Tru64 UNIX V5.1 and V5.0  - Not Vulnerable
>  Compaq Tru64 UNIX V4.0D/F/G        - *evaluation incomplete.
> 
> -------------------------------------------------------------------------------
> -----
>  VU#196945 -  BIND 8 contains buffer overflow in transaction signature handling
>  code
> -------------------------------------------------------------------------------
> -----
>  Compaq Tru64 UNIX V5.1 and V5.0  - *evaluation incomplete
>  Compaq Tru64 UNIX V4.0D/F/G        - Not Vulnerable
> 
> * At the time of writing this document, the problems identified are
> currently still under evaluation by engineering.  Compaq will provide
> notice of the completion/availability of the patches through AES
> services (DIA, DSNlink FLASH), the ** Security mailing list, and be
> available from your normal Compaq Support channel.
> 
> **You may subscribe to the Security mailing list at:
> 
> http://www.support.compaq.com/patches/mailing-list.shtml
> 
> COMPAQ COMPUTER CORPORATION
> -------------------------------------------------------------------------------
> -----
> 
> FreeBSD, Inc.
> 
>    No supported version of FreeBSD contains BIND 4.x, so this does not
>    affect us. We current ship betas of 8.2.3 in the FreeBSD 4.x release
>    branch, and will be upgrading to 8.2.3 once it is released.
> 
> Hewlett-Packard Company
> 
>    None of the Bind versions of HP-UX is vulnerable to VU#196945 -
>    problem of buffer overflow in TSIG handling code.
> 
>    HP's Bind 8.1.2 is vulnerable to VU#325183 (infoleak problem). Bind
>    4.9.7 is vulnerable to both VU#572183 (infoleak problem) and VU#325183
>    (nslookupComplain() buffer overflow).
> 
>    Fixes are in process.
> 
> IBM Corporation
> 
>    VU#325431 - Queries to ISC BIND servers may disclose environment
>    variables
> 
>    IBM's AIX operating system may be vulnerable to this "inverse query"
>    exploitation. We are working to understand the technical nature of
>    this exploit; when done, we expect to verify AIX's vulnerability. We
>    will provide updates to this page as we progress [in] studying this
>    exploit.
> 
>    VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
> 
>    IBM's AIX operating system is vulnerable to this potential exploit in
>    named4. We are working to fix this quickly and we intend to post an
>    emergency fix ASAP.
> 
>    VU#868916 - ISC BIND 4 contains input validation error in
>    nslookupComplain()
> 
>    IBM's AIX operating system is vulnerable to this potential exploit,
>    and is working quickly toward a fix.
> 
> Sun Microsystems, Inc.
> 
>    Solaris(tm) versions 2.4, 2.5, 2.5.1 and 2.6 contain revisions of BIND
>    4
> 
>    Solaris(tm) versions 7 and 8 contain BIND 8.1.2
> 
>    Sun is working to address the issues in VU#868916, VU#572183 and
>    VU#325431 and will be issuing a Sun Security Bulletin when further
>    information is available.
> 
>    VU#196945 is not present in currently supported versions of Solaris.
>      _________________________________________________________________
> 
>    The CERT/CC thanks the COVERT Labs at PGP Security for discovering and
>    analyzing three of these vulnerabilities (VU#196945, VU#572183, and
>    VU#868916) and Claudio Musmarra for discovering the infoleak
>    vulnerability (VU#325431). We also thank the Internet Software
>    Consortium for providing patches to fix the vulnerabilities.
>      _________________________________________________________________
> 
>    This document was written by Jeffrey P. Lanza, Cory Cohen, Ian Finlay,
>    and Shawn Hernan.
>    ______________________________________________________________________
> 
>    This document is available from:
>    http://www.cert.org/advisories/CA-2001-02.html
>    ______________________________________________________________________
> 
> CERT/CC Contact Information
> 
>    Email: cert@cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
> 
>    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>    Monday through Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> 
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
> 
>    http://www.cert.org/CERT_PGP.key
> 
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
> 
> Getting security information
> 
>    CERT publications and other security information are available from
>    our web site
> 
>    http://www.cert.org/
> 
>    To subscribe to the CERT mailing list for advisories and bulletins,
>    send email to majordomo@cert.org. Please include in the body of your
>    message
> 
>    subscribe cert-advisory
> 
>    * "CERT" and "CERT Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
> 
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
> 
>    Conditions for use, disclaimers, and sponsorship information
> 
>    Copyright 2001 Carnegie Mellon University.
> 
>    Revision History
> January 29, 2001:  Initial release
> 
>