
SCO CSSA-2003-SCO.17.1: Bind

by Nikola Strahija on September 10th, 2003

ISS X-Force has discovered several serious vulnerabilities in the Berkeley Internet Name Domain Server (BIND). If exploits for these vulnerabilities are developed and made public, they may lead to compromise and DoS attacks against vulnerable DNS servers.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________________

SCO Security Advisory

Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Multiple Remote Vulnerabilities in BIND
Advisory number: CSSA-2003-SCO.17.1
Issue date: 2003 September 10
Cross reference: sr871560 fz526617 erg712158
__________________________________________________________________


1. Problem Description

ISS X-Force has discovered several serious vulnerabilities
in the Berkeley Internet Name Domain Server (BIND). BIND
is the most common implementation of the DNS (Domain Name
Service) protocol, which is used on the vast majority of
DNS servers on the Internet. DNS is a vital Internet protocol
that maintains a database of easy-to-remember domain names
(host names) and their corresponding numerical IP addresses.

Impact: The vulnerabilities described in this advisory
affect nearly all currently deployed recursive DNS servers
on the Internet. The DNS network is considered a critical
component of Internet infrastructure. There is no information
implying that these exploits are known to the computer
underground, and there are no reports of active attacks.
If exploits for these vulnerabilities are developed and
made public, they may lead to compromise and DoS attacks
against vulnerable DNS servers. Since the vulnerability is
widespread, an Internet worm may be developed to propagate
by exploiting the flaws in BIND. Widespread attacks against
the DNS system may lead to general instability and inaccuracy
of DNS data.

Affected Versions:

BIND SIG Cached RR Overflow Vulnerability
BIND 8, versions up to and including 8.3.3-REL
BIND 4, versions up to and including 4.9.10-REL

BIND OPT DoS
BIND 8, versions 8.3.0 up to and including 8.3.3-REL

BIND SIG Expiry Time DoS
BIND 8, versions up to and including 8.3.3-REL

Description:

BIND SIG Cached RR Overflow Vulnerability

A buffer overflow exists in BIND 4 and 8 that may lead to
remote compromise of vulnerable DNS servers. An attacker
who controls any authoritative DNS server may cause BIND
to cache DNS information within its internal database, if
recursion is enabled. Recursion is enabled by default unless
explicitly disabled via command line options or in the BIND
configuration file. Attackers must either create their own
name server that is authoritative for any domain, or
compromise any other authoritative server with the same
criteria. Cached information is retrieved when requested
by a DNS client. There is a flaw in the formation of DNS
responses containing SIG resource records (RR) that can
lead to buffer overflow and execution of arbitrary code.

BIND OPT DoS

Recursive BIND 8 servers can be caused to abruptly
terminate due to an assertion failure. A client requesting
a DNS lookup on a nonexistent sub-domain of a valid domain
name may cause BIND 8 to terminate by attaching an OPT
resource record with a large UDP payload size. This DoS
may also be triggered for queries on domains whose
authoritative DNS servers are unreachable.

BIND SIG Expiry Time DoS

Recursive BIND 8 servers can be caused to abruptly
terminate due to a null pointer dereference. An attacker
who controls any authoritative name server may cause
vulnerable BIND 8 servers to attempt to cache SIG RR elements
with invalid expiry times. These are removed from the BIND
internal database, but later improperly referenced, leading
to a DoS condition.
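Both the SIG cached RR overflow and the SIG expiry DoS depend on the server caching data from an attacker-controlled authoritative server, which only happens when recursion is enabled, and recursion is on by default. As an added example, not part of the SCO advisory, the following POSIX shell audit reports whether a BIND 8 named.conf explicitly turns recursion off. The function names, the sample configuration files and the directory they are written to are constructed for this example; only the `recursion no;` option statement is real BIND syntax.

```shell
#!/bin/sh
# Added example, not part of the SCO advisory: report whether a BIND 8
# named.conf explicitly turns recursion off.  BIND 4 and 8 recurse by
# default, so a configuration that never mentions "recursion" leaves the
# server exposed to the cache-based attacks described above.
# Limitations: only "//" and "#" line comments are stripped ("/* ... */"
# comments are not), and BIND 4 named.boot files are not parsed.

# audit_recursion FILE -> 0 if "recursion no;" is present, 1 if not,
#                         2 if the file cannot be read.
audit_recursion() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read" >&2
        return 2
    fi
    # Drop line comments, then look for an uncommented "recursion no;".
    if sed -e 's,//.*$,,' -e 's,#.*$,,' "$conf" \
        | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        echo "$conf: recursion explicitly disabled"
        return 0
    fi
    echo "$conf: recursion NOT disabled (BIND default is on)"
    return 1
}

# Constructed sample configurations, written into the directory given as
# $1, so the audit can be exercised without touching a real named.conf.
make_sample_confs() {
    dir="$1"
    cat > "$dir/named-open.conf" <<'EOF'
// constructed sample: server that never mentions recursion
options {
    directory "/etc/named.d";
};
EOF
    cat > "$dir/named-closed.conf" <<'EOF'
// constructed sample: same server with recursion switched off
options {
    directory "/etc/named.d";
    recursion no;   // serve only the zones we are authoritative for
};
EOF
}

# Usage: sh audit-recursion.sh /etc/named.conf
if [ "$#" -eq 1 ]; then
    audit_recursion "$1"
fi
```

Disabling recursion is only appropriate on servers that should answer solely for their own zones; a resolver that must recurse for internal clients cannot use this mitigation and needs the patched binaries from the sections below.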

The Common Vulnerabilities and Exposures
(CVE) project has assigned the following names to these
issues. These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security
problems.

CAN-2002-1219 BIND SIG Cached RR Overflow Vulnerability
CAN-2002-1220 BIND OPT DoS
CAN-2002-1221 BIND SIG Expiry Time DoS

ISC BIND
http://www.isc.org/products/BIND


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
OpenServer 5.0.7
etc/named
etc/named-xfer
etc/dig
etc/host
etc/nsupdate
etc/dnsquery
etc/addr

OpenServer 5.0.6
etc/named
etc/named-xfer
etc/dig
etc/host
etc/nsupdate
etc/dnsquery
etc/addr

OpenServer 5.0.5
etc/named
etc/named-xfer
etc/dig
etc/host
etc/nsupdate
etc/dnsquery
etc/addr


3. Solution

The proper solution is to install the latest packages.


4. OpenServer 5.0.7

4.1 Install Maintenance pack 1.

4.2 Location of Maintenance pack 1.

ftp://ftp.sco.com/pub/openserver5/osr507mp/

4.3 Installing Maintenance pack 1.

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to the /tmp directory

2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.


5. OpenServer 5.0.6

5.1 First install oss646b - Execution Environment Supplement

5.2 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.17


5.3 Verification

MD5 (VOL.000.000) = 9e8b7bd8eab2ec474b51add1217a945f

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.4 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to the /tmp directory

2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.


6. OpenServer 5.0.5

6.1 First install oss646b - Execution Environment Supplement

6.2 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.17


6.3 Verification

MD5 (VOL.000.000) = 9e8b7bd8eab2ec474b51add1217a945f

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
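Sections 5.3 and 6.3 publish the same MD5 sum for VOL.000.000. As an added example, not part of the SCO advisory, the following POSIX shell script checks a downloaded image against that value before it is handed to custom. The MD5 value is taken verbatim from the advisory; the function names, the script name and the output wording are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SCO advisory: check a downloaded update
# image against the MD5 sum printed in sections 5.3 and 6.3 before running
# "custom".  The advisory's value is used verbatim; the function and file
# names are constructed for this example.

ADVISORY_MD5_VOL_000_000=9e8b7bd8eab2ec474b51add1217a945f

# Print the MD5 of a file using whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if unreadable.
# Hex digits are compared case-insensitively, since advisories print
# either case.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "FAIL $file: cannot read" >&2
        return 2
    fi
    actual=$(md5_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected $expected got $actual" >&2
    return 1
}

# Usage: sh verify-vol.sh /tmp/VOL.000.000
if [ "$#" -eq 1 ]; then
    verify_md5 "$1" "$ADVISORY_MD5_VOL_000_000"
fi
```

A matching sum shows the download was not corrupted in transit; it does not by itself prove the image came from SCO, since an attacker who could replace the FTP contents could also publish a matching sum. That assurance comes from verifying the PGP signature on this advisory, which covers the printed MD5 value.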


6.4 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to the /tmp directory

2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.

8. References

Specific references for this advisory:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1220
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221
http://www.isc.org/products/BIND/bind-security.html
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469

SCO security resources:
http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr871560 fz526617 erg712158.


9. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


10. Acknowledgments

These vulnerabilities were discovered and researched by
Neel Mehta of the ISS X-Force.

__________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/X5OnaqoBO7ipriERAluRAJ0eDTa5L/x17if4aVNDXyxBO3SJ2QCcCE/6
b6VVwa/XrxyqWUfn4Jc3MZs=
=qgGb
-----END PGP SIGNATURE-----

