CERTVU:196945ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.189 Low
EPSS
Percentile
96.3%
Overview
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a buffer overflow vulnerability in BIND 8.2.x, which may allow remote intruders to gain access to systems running BIND. DNS servers running BIND 8 are responsible for the majority of name resolution services on the Internet.
This vulnerability has been successfully exploited in a laboratory environment and presents a serious threat to the Internet infrastructure.
Description
During the processing of transaction signatures, BIND performs a test for signatures that fail to include a valid key. If a transaction signature is found in the request, but a valid key is not included, BIND skips normal processing of the request and jumps directly to code designed to send an error response. Because this code fails to initialize variables in the same manner as the normal processing, later function calls make invalid assumptions about the size of the request buffer. In particular, the code to add a new (valid) signature to the response may overflow the request buffer and overwrite adjacent memory on the stack or heap. Overwriting this memory can allow an intruder (in conjunction with other buffer overflow exploit techniques) to gain unauthorized access to the vulnerable system.
The flawed program logic is distributed over several function calls within the BIND software. When the attacker sends a UDP request, the packet will be loaded into a buffer on the stack (u.buf) by the function datagram_read(). On the other hand, TCP requests are loaded into a buffer (sp->s_buf) on the heap by the function stream_getmsg(). Regardless of the protocol, each of these functions call dispatch_message(), which in turn calls ns_req().
The ns_req() function handles the request. A call to ns_find_tsig() determines if a transaction signature exists in the request, and find_key() is called thereafter to determine if a valid key has been included. In the case where a transaction signature is found but the key is NULL, msglen is computed to include only the portion of the request before the signature. This is where the problem occurs, because the variables buflen and msglen are assumed through most of the code to add up to the total size of the buffer allocated for holding the request.
BIND uses the same buffer for storing the request and generating the response. Specifically, the response is composed by appending an error code and a transaction signature to the existing request. Since the new transaction signature is supposed to overwrite the signature of the request, msglen was modified to reflect the request length minus the signature length. However, buflen was not modified to reflect the new value of msglen, causing subsequent function calls (specifically ns_sign) to cause BIND to overwrite memory adjacent to the packet buffer.
These overwrites may allow an intruder to create conditions required for the execution of arbitrary code. Because the overflows occur on the stack for UDP requests and on the heap for TCP requests, the specific details of the exploit begin to differ at this point. Both scenarios result in the same impact – the attacker can execute arbitrary code on the vulnerable system.
For more information on transaction signatures, please visit:
<http://www.ietf.org/rfc/rfc2535.txt>
<http://www.ietf.org/rfc/rfc2845.txt>
Impact
This vulnerability may allow an attacker to execute privileged commands or code with the same permissions as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.
Solution
The ISC has released BIND version 8.2.3 to address this security issue as well as others. The CERT/CC strongly recommends that all users of BIND 8.2.x upgrade to 8.2.3 immediately. The ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1.
The BIND 8.2.3 distribution can be downloaded from:
<ftp://ftp.isc.org/isc/bind/src/>
The BIND 9.1 distribution can be downloaded from:
<ftp://ftp.isc.org/isc/bind9/>
Please note that upgrading to BIND 8.2.3 also addresses the information leakage vulnerability discussed in VU#325431.
Vendor Information
196945
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Caldera __ Affected
Notified: January 18, 2001 Updated: January 29, 2001
Status
Affected
Vendor Statement
OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable.
Update packages will be provided at
<ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3>
<ftp://ftp.calderasystems.com/pub/updates/eServer/2.3>
<ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4>
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Compaq Computer Corporation __ Affected
Notified: January 18, 2001 Updated: April 04, 2001
Status
Affected
Vendor Statement
COMPAQ COMPUTER CORPORATION
------------------------------------------------------------------------------------
VU#196945 - BIND 8 contains buffer overflow in transaction signature handling code
X-REF: SSRT1-66U, SSRT1-68U
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1 -
V5.1 patch: SSRT1-66U_v5.1.tar.Z
Compaq Tru64 UNIX V5.0 & V5.0a -
V5.0 patch: SSRT1-68U_v5.0.tar.Z
V5.0a patch: SSRT1-68U_v5.0a.tar.Z
Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable
TCP/IP Services for Compaq OpenVMS - Not Vulnerable
------------------------------------------------------------------------------------
Compaq will provide notice of the completion/availability of the patches
through AES services (DIA, DSNlink FLASH), the Security mailing list (**),
and be available from your normal Compaq Support channel.
**You may subscribe to the Security mailing list at:
http://www.support.compaq.com/patches/mailing-list.shtml
Software Security Response Team
COMPAQ COMPUTER CORPORATION
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Conectiva __ Affected
Notified: January 29, 2001 Updated: April 04, 2001
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Conectiva Linux has made an announcement regarding this vulnerability; for further information, please see:
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Debian __ Affected
Notified: January 18, 2001 Updated: April 05, 2001
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Debian has made an announcement regarding this vulnerability; for further information, please see:
http://www.debian.org/security/2001/dsa-026
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
FreeBSD __ Affected
Notified: January 18, 2001 Updated: May 11, 2001
Status
Affected
Vendor Statement
No supported version of FreeBSD contains BIND 4.x, so this does not affect us. We currently ship betas of 8.2.3 in the FreeBSD 4.x release branch, and will be upgrading to 8.2.3 once it is released.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
FreeBSD has released the following advisory regarding this issue:
<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
IBM __ Affected
Notified: January 18, 2001 Updated: April 05, 2001
Status
Affected
Vendor Statement
[A fix for this vulnerability] can be downloaded from <ftp://ftp.software.ibm.com/aix/efixes/security>. The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation instructions and other important information are given in the README file that is included in the tarball.
The official fix for the four BIND4 and BIND8 vulnerabilities will be in APAR #IY16182.
AIX Security Response Team
IBM Austin
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
ISC __ Affected
Notified: January 05, 2001 Updated: April 04, 2001
Status
Affected
Vendor Statement
Name:“tsig bug”
Versions:8.2, 8.2-P1, 8.2.1, 8.2.2, 8.2.2-P1, 8.2.2-P2, 8.2.2-P3,
8.2.2-P4, 8.2.2-P5, 8.2.2-P6, 8.2.2-P7 and all 8.2.3 betas.
Severity:CRITICAL
Exploitable:Remotely
Type:Access possible
Description:
It is possible to overflow a buffer handling TSIG signed
queries, thereby obtaining access to the system.
Workarounds:
None.
Active Exploits:
Exploits for this bug exist.
Solution:
Upgrade to BIND 8.2.3-REL or preferably BIND 9.1.
Credits:
Discovery and initial documentation of this vulnerability
was conducted by Anthony Osborne and John McDonald of the
COVERT Labs at PGP Security.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The ISC has posted this information on their web site at:
<http://www.isc.org/products/BIND/bind-security.html>
The source code for ISC BIND can be downloaded from:
<ftp://ftp.isc.org/isc/bind/src/>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Immunix __ Affected
Notified: January 31, 2001 Updated: April 05, 2001
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Immunix has made an announcement regarding this vulnerability; for further information, please see:
http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
MandrakeSoft __ Affected
Notified: February 03, 2001 Updated: April 04, 2001
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
MandrakeSoft has made an announcement regarding this vulnerability; for further information, please see:
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-017.php3
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
NetBSD __ Affected
Notified: January 18, 2001 Updated: April 05, 2001
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see NetBSD-SA2001-001, “Security vulnerabilities in BIND” at:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-001.txt.asc
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
RedHat __ Affected
Notified: January 18, 2001 Updated: April 04, 2001
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
RedHat has released an advisory regarding this vulnerability; for further information, please see RHSA-2001-007 and associated bug reports at:
_<http://www.redhat.com/support/errata/RHSA-2001-007.html>_
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25209
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
SCO __ Affected
Notified: January 18, 2001 Updated: May 01, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Caldera UNIX has published Security Advisory CSSA-2002-SCO.16 to address this issue in their UnixWare product line. For more information, please see:
ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.16/CSSA-2002-SCO.16.txt
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Slackware __ Affected
Notified: February 03, 2001 Updated: April 05, 2001
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Slackware has made an announcement regarding this vulnerability; for further information, please see:
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
SuSE __ Affected
Notified: February 03, 2001 Updated: April 05, 2001
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SuSE has made an announcement regarding this vulnerability; for further information, please see:
http://www.suse.com/us/support/security/index.html
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Sun __ Affected
Notified: January 18, 2001 Updated: August 07, 2001
Status
Affected
Vendor Statement
CERT Advisory CA-2001-02 describes four vulnerabilities in certain
versions of BIND. The four vulnerabilities are listed below along with
the affected versions of Solaris and the version of BIND shipped with each
version of Solaris.
VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG)
handling code
Solaris 8 04/01* (BIND 8.2.2-p5)
Solaris 8 Maintenance Update 4* (BIND 8.2.2-p5)
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
Solaris 2.6 (BIND 4.9.4-P1)
Solaris 2.5.1** (BIND 4.9.3)
VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
Solaris 2.6 (BIND 4.9.4-P1)
Solaris 2.5.1** (BIND 4.9.3)
VU#325431 - Queries to ISC BIND servers may disclose environment variables
Solaris 2.4, 2.5 (BIND 4.8.3)
Solaris 2.5.1** (BIND 4.9.3 and BIND 4.8.3)
Solaris 2.6 (BIND 4.9.4-P1)
Solaris 7 and 8 (BIND 8.1.2)
* To determine if one is running Solaris 8 04/01 or Solaris 8 Maintenance
Update 4, check the contents of the /etc/release file.
** Solaris 2.5.1 ships with BIND 4.8.3 but patch 103663-01 for SPARC and
103664-01 for x86 upgrades BIND to 4.9.3, current revision for each
patch is -17.
List of Patches
The following patches are available in relation to the above problems.
OS Version Patch ID
__________ _________
SunOS 5.8 109326-04
SunOS 5.8_x86 109327-04
SunOS 5.7 107018-03
SunOS 5.7_x86 107019-03
SunOS 5.6 105755-10
SunOS 5.6_x86 105756-10
SunOS 5.5.1 103663-16
SunOS 5.5.1_x86 103664-16
SunOS 5.5 103667-12
SunOS 5.5_x86 103668-12
SunOS 5.4 102479-14
SunOS 5.4_x86 102480-12
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
For the full text of Sun Microsystems Security Bulletin #204, please visit
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/204&type=0&nav=sec.sba
This document has been archived here
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Apple __ Not Affected
Notified: January 18, 2001 Updated: April 05, 2001
Status
Not Affected
Vendor Statement
Apple plans to include BIND 8.2.3 in Mac OS X. BIND is not enabled by default in Mac OS X or Mac OS X Server.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Hewlett Packard __ Not Affected
Notified: January 18, 2001 Updated: May 10, 2001
Status
Not Affected
Vendor Statement
None of the Bind versions of HP-UX is vulnerable to VU#196945 - problem of buffer overflow in TSIG handling code.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
HP has released a Security Bulletin to address this issue; for further information, please visit <http://itrc.hp.com> and search for “HPSBUX0102-144”. Please note that registration may be required to access this document.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Microsoft __ Not Affected
Notified: January 18, 2001 Updated: January 30, 2001
Status
Not Affected
Vendor Statement
Microsoft’s implementation of DNS is not based on BIND, and is not affected by this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
OpenBSD __ Not Affected
Notified: January 18, 2001 Updated: January 30, 2001
Status
Not Affected
Vendor Statement
So we are pretty impressed with ourselves, since it looks like none of these BIND bugs affected us. In '97, a couple of us did some sprintf->snprintf whacking. Probably took about 3 minutes.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
BSDI Unknown
Notified: January 18, 2001 Updated: January 26, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Data General Unknown
Notified: January 18, 2001 Updated: January 26, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Fujitsu Unknown
Notified: January 18, 2001 Updated: January 26, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
NEC Unknown
Notified: January 18, 2001 Updated: January 27, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
NeXT Unknown
Notified: January 18, 2001 Updated: January 27, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
SGI __ Unknown
Notified: January 18, 2001 Updated: April 27, 2001
Status
Unknown
Vendor Statement
SGI’s IRIX ™ operating system contains base BIND 4.9.7 with SGI modifications. IRIX BIND 4.9.7 is vulnerable to buffer overflow in nslookupComplain(). Patches are forth coming and will be released with an advisory to <http://www.sgi.com/support/security/> when available.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SGI has released an advisory regarding this vulnerability. For further information, please visit
ftp://patches.sgi.com/support/free/security/advisories/20010401-01-P
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Sequent Unknown
Notified: January 18, 2001 Updated: January 27, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Siemens Nixdorf Unknown
Notified: January 18, 2001 Updated: January 27, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Sony Unknown
Notified: January 18, 2001 Updated: January 27, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
Unisys Unknown
Notified: January 18, 2001 Updated: January 27, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23196945 Feedback>).
View all 29 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html>
- <http://www.ietf.org/rfc/rfc2535.txt>
- <http://www.ietf.org/rfc/rfc2845.txt>
- <http://www.isi.edu/~bmanning/in-addr-audit.html>
- <http://www.securityfocus.com/bid/2304>
- <http://www.securityfocus.com/news/144>
Acknowledgements
The CERT/CC thanks the COVERT Labs at PGP Security for discovering and analyzing this vulnerability and the Internet Software Consortium for providing a patch to fix it.
This document was written by Cory F Cohen.
Other Information
| CVE IDs: | CVE-2001-0010 |
|---|---|
| CERT Advisory: | CA-2001-02 Severity Metric: |
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.189 Low
EPSS
Percentile
96.3%