Queries to ISC BIND servers may disclose environment variables

Overview

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is an information leakage vulnerability in BIND 4.9.x and 8.2.x, which may allow remote intruders to obtain information from systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet.

This vulnerability has been exploited in a laboratory environment and presents a moderate threat to the Internet infrastructure.

Description

There is a vulnerability in ISC BIND that allows a remote attacker to access the program stack, possibly exposing program and/or environment variables. This vulnerability affects both BIND 4 and BIND 8, and can be triggered by sending a specially formatted query to vulnerable BIND servers.

---

Impact

This vulnerability may allow attackers to read information from the program stack, possibly exposing environment variables.

---

Solution

The ISC has released BIND versions 4.9.8 and 8.2.3 to address this security issue. The CERT/CC recommends that users of BIND 4.9.x or 8.2.x upgrade to BIND 4.9.8 or BIND 8.2.3, respectively. Because BIND 4 is no longer actively maintained, the ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1. Upgrading to one of these two version will also provide functionality enhancements that are not related to security.

The BIND 4.9.8 and 8.2.3 distributions can be downloaded from:

<ftp://ftp.isc.org/isc/bind/src/&gt;
The BIND 9.1 distribution can be downloaded from:

<ftp://ftp.isc.org/isc/bind9/&gt;
Please note that upgrading to BIND 4.9.8 also addresses the vulnerabilities discussed in VU#572183 and VU#868916, while upgrading to 8.2.3 will address the vulnerability discussed in VU#196945.

Vendor Information

325431

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Caldera __ Affected

Notified: January 03, 2001 Updated: January 29, 2001

Status

Affected

Vendor Statement

OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable.

Update packages will be provided at

<ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3&gt;
<ftp://ftp.calderasystems.com/pub/updates/eServer/2.3&gt;
<ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Compaq Computer Corporation __ Affected

Notified: January 03, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

------------------------------------------------------------------------------------

VU#325431 - INFOLEAK: servers may disclose environment variables
X-REF: SSRT1-66U, SSRT1-68U, SSRT1-69U
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1 -
V5.1 patch: SSRT1-66U_v5.1.tar.Z

Compaq Tru64 UNIX V5.0 & V5.0a -
V5.0 patch: SSRT1-68U_v5.0.tar.Z
V5.0a patch: SSRT1-68U_v5.0a.tar.Z

Compaq Tru64 UNIX V4.0D/F/G -
V4.0d patch: SSRT1-69U_v4.0d.tar.Z
V4.0f patch: SSRT1-69U_v4.0f.tar.Z
V4.0g patch: SSRT1-69U_v4.0g.tar.Z

TCP/IP Services for Compaq OpenVMS - Not Vulnerable
------------------------------------------------------------------------------------
Compaq will provide notice of the completion/availability of the patches
through AES services (DIA, DSNlink FLASH), the Security mailing list (**),
and be available from your normal Compaq Support channel.

**You may subscribe to the Security mailing list at:

http://www.support.compaq.com/patches/mailing-list.shtml

Software Security Response Team
COMPAQ COMPUTER CORPORATION

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Conectiva __ Affected

Notified: January 29, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva Linux has made an announcement regarding this vulnerability; for further information, please see:

http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Debian __ Affected

Notified: January 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian has made an announcement regarding this vulnerability; for further information, please see:

http://www.debian.org/security/2001/dsa-026

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

FreeBSD __ Affected

Notified: January 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

No supported version of FreeBSD contains BIND 4.x, so this does not affect us. We currently ship betas of 8.2.3 in the FreeBSD 4.x release branch, and will be upgrading to 8.2.3 once it is released.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Hewlett Packard __ Affected

Notified: January 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

HP’s Bind 8.1.2 is vulnerable to VU#325183 (infoleak problem).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP has released a Security Bulletin to address this issue; for further information, please visit <http://itrc.hp.com> and search for “HPSBUX0102-144”. Please note that registration may be required to access this document.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

IBM __ Affected

Notified: January 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

[A fix for this vulnerability] can be downloaded from <ftp://ftp.software.ibm.com/aix/efixes/security&gt;. The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation instructions and other important information are given in the README file that is included in the tarball.

The official fix for the four BIND4 and BIND8 vulnerabilities will be in APAR #IY16182.

AIX Security Response Team
IBM Austin

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

ISC __ Affected

Notified: January 03, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

Name:“infoleak”
Versions:4.8, 4.8.3, 4.9.3, 4.9.4, 4.9.5, 4.9.5-P1, 4.9.6, 4.9.7,
8.1, 8.1.1, 8.2, 8.2-P1, 8.2.1, 8.2.2, 8.2.2-P1, 8.2.2-P2,
8.2.2-P3, 8.2.2-P4, 8.2.2-P5, 8.2.2-P6, 8.2.2-P7,
possibly earlier version of BIND 4.9.x and BIND 4.9.
Severity:MODERATE
Exploitable:Remotely
Type:Information leak

Description:

It is possible to construct a inverse query that allows the stack to
be read remotely exposing environment variables.

Workarounds:

None.

Active Exploits.

Exploits of this bug exist.

Solution:

Upgrade to BIND 9, BIND 8.2.3 or BIND 4.9.8

Credits:

We wish to thank Claudio Musmarra <[email protected]>
for bring this to our attention.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The ISC has posted this information on their web site at:

<http://www.isc.org/products/BIND/bind-security.html&gt;
The source code for ISC BIND can be downloaded from:

<ftp://ftp.isc.org/isc/bind/src/&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Immunix __ Affected

Notified: January 31, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Immunix has made an announcement regarding this vulnerability; for further information, please see:

http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

MandrakeSoft __ Affected

Notified: February 03, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has made an announcement regarding this vulnerability; for further information, please see:

http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-017.php3

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

NetBSD __ Affected

Notified: January 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see NetBSD-SA2001-001, “Security vulnerabilities in BIND” at:

ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-001.txt.asc

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

RedHat __ Affected

Notified: January 03, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

RedHat has released an advisory regarding this vulnerability; for further information, please see RHSA-2001-007 and associated bug reports at:

_<http://www.redhat.com/support/errata/RHSA-2001-007.html&gt;_
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25209

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

SCO __ Affected

Notified: January 03, 2001 Updated: May 01, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera UNIX has published Security Advisory CSSA-2002-SCO.16 to address this issue in their UnixWare product line. For more information, please see:

ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.16/CSSA-2002-SCO.16.txt

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Slackware __ Affected

Notified: February 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware has made an announcement regarding this vulnerability; for further information, please see:

http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2001&m=slackware-security.247721

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

SuSE __ Affected

Notified: February 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has made an announcement regarding this vulnerability; for further information, please see:

http://www.suse.com/us/support/security/index.html

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Sun __ Affected

Notified: January 03, 2001 Updated: August 07, 2001

Status

Affected

Vendor Statement

CERT Advisory CA-2001-02 describes four vulnerabilities in certain

versions of BIND. The four vulnerabilities are listed below along with
the affected versions of Solaris and the version of BIND shipped with each
version of Solaris.

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG)
handling code

Solaris 8 04/01* (BIND 8.2.2-p5)
Solaris 8 Maintenance Update 4* (BIND 8.2.2-p5)

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

Solaris 2.6 (BIND 4.9.4-P1)
Solaris 2.5.1** (BIND 4.9.3)

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()

Solaris 2.6 (BIND 4.9.4-P1)
Solaris 2.5.1** (BIND 4.9.3)

VU#325431 - Queries to ISC BIND servers may disclose environment variables

Solaris 2.4, 2.5 (BIND 4.8.3)
Solaris 2.5.1** (BIND 4.9.3 and BIND 4.8.3)
Solaris 2.6 (BIND 4.9.4-P1)
Solaris 7 and 8 (BIND 8.1.2)

* To determine if one is running Solaris 8 04/01 or Solaris 8 Maintenance
Update 4, check the contents of the /etc/release file.

** Solaris 2.5.1 ships with BIND 4.8.3 but patch 103663-01 for SPARC and
103664-01 for x86 upgrades BIND to 4.9.3, current revision for each
patch is -17.

List of Patches

The following patches are available in relation to the above problems.

OS Version Patch ID
__________ _________
SunOS 5.8 109326-04
SunOS 5.8_x86 109327-04
SunOS 5.7 107018-03
SunOS 5.7_x86 107019-03
SunOS 5.6 105755-10
SunOS 5.6_x86 105756-10
SunOS 5.5.1 103663-16
SunOS 5.5.1_x86 103664-16
SunOS 5.5 103667-12
SunOS 5.5_x86 103668-12
SunOS 5.4 102479-14
SunOS 5.4_x86 102480-12

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

For the full text of Sun Microsystems Security Bulletin #204, please visit

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/204&type=0&nav=sec.sba

This document has been archived here

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Apple __ Not Affected

Notified: January 03, 2001 Updated: April 05, 2001

Status

Not Affected

Vendor Statement

Apple plans to include BIND 8.2.3 in Mac OS X. BIND is not enabled by default in Mac OS X or Mac OS X Server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Microsoft __ Not Affected

Notified: January 18, 2001 Updated: January 30, 2001

Status

Not Affected

Vendor Statement

Microsoft’s implementation of DNS is not based on BIND, and is not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

OpenBSD __ Not Affected

Notified: January 03, 2001 Updated: January 30, 2001

Status

Not Affected

Vendor Statement

So we are pretty impressed with ourselves, since it looks like none of these BIND bugs affected us. In '97, a couple of us did some sprintf->snprintf whacking. Probably took about 3 minutes.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

BSDI Unknown

Notified: January 03, 2001 Updated: January 26, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Data General Unknown

Notified: January 03, 2001 Updated: January 26, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Fujitsu Unknown

Notified: January 03, 2001 Updated: January 26, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

NCR Unknown

Notified: January 03, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

NEC Unknown

Notified: January 03, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

NeXT Unknown

Notified: January 03, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

SGI __ Unknown

Notified: January 03, 2001 Updated: April 27, 2001

Status

Unknown

Vendor Statement

SGI’s IRIX ™ operating system contains base BIND 4.9.7 with SGI modifications. IRIX BIND 4.9.7 is vulnerable to buffer overflow in nslookupComplain(). Patches are forth coming and will be released with an advisory to <http://www.sgi.com/support/security/&gt; when available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has released an advisory regarding this vulnerability. For further information, please visit

ftp://patches.sgi.com/support/free/security/advisories/20010401-01-P

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Sequent Unknown

Notified: January 03, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Siemens Nixdorf Unknown

Notified: January 03, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Sony Unknown

Notified: January 03, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

Unisys Unknown

Notified: January 03, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23325431 Feedback>).

View all 30 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html&gt;
• <http://www.isi.edu/~bmanning/in-addr-audit.html&gt;
• <http://www.securityfocus.com/news/144&gt;
• <http://www.securityfocus.com/bid/2321&gt;

Acknowledgements

The CERT/CC thanks Claudio Musmarra for discovering this vulnerability and the Internet Software Consortium for providing a patch to fix it.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs:	CVE-2001-0012
CERT Advisory:	CA-2001-02 Severity Metric: