VID 19010
Severity 40
Port 53
Protocol TCP,UDP
Class DNS
Detailed Description The BIND daemon, according to its version number, is vulnerable to multiple buffer overflow vulnerabilities. ISC BIND (Berkeley Internet Name Domain) is the most popular implementation of the DNS (Domain Name System) protocol for Unix and Linux DNS servers.
BIND 4 up to and including version 4.9.10 and BIND 8 up to and including version 8.3.3 are affected by multiple vulnerabilities with varying impacts. Some of these vulnerabilities may allow remote attackers to execute arbitrary code with the privileges of the user running named (typically root), or with the privileges of vulnerable client applications. The other vulnerabilities allow remote attackers to disrupt the normal operation of the DNS name service running on victim servers.

o Cached malformed SIG record buffer overflow:
- BIND versions 4.9.5 to 4.9.10
- BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3
CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219

o Overly large OPT record assertion:
- BIND versions 8.3.0 to 8.3.3
CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1220

o ISC BIND 8 fails to properly de-reference cache SIG RR elements with invalid expiry times from the internal database:
- BIND versions 8.2 to 8.2.6
- BIND versions 8.3.0 to 8.3.3
CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221

o Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups:
- BIND 4.9.2 through 4.9.10
CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0029

* Note: This check relies solely on the version of the remote BIND to assess this vulnerability, so the result might be a false positive.
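
The version-only check described in the note can be reproduced offline from the affected ranges listed above. The following Python sketch is an added example, not the scanner's own code; it assumes the bare "8.1" entry means any 8.1.x release, and the sample banners are constructed.

```python
import re

# Affected ranges copied from the listing above, inclusive on both ends.
# Assumption: the bare "8.1" entry is read as any 8.1.x release.
ANY = 9999  # sentinel meaning "any patch level"
AFFECTED = {
    "CAN-2002-1219": [((4, 9, 5), (4, 9, 10)), ((8, 1, 0), (8, 1, ANY)),
                      ((8, 2, 0), (8, 2, 6)), ((8, 3, 0), (8, 3, 3))],
    "CAN-2002-1220": [((8, 3, 0), (8, 3, 3))],
    "CAN-2002-1221": [((8, 2, 0), (8, 2, 6)), ((8, 3, 0), (8, 3, 3))],
    "CAN-2002-0029": [((4, 9, 2), (4, 9, 10))],
}

# First dotted number in the banner; suffixes such as -REL or -P5 are ignored.
_VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    m = _VERSION.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(banner):
    """Map a banner to the identifiers whose listed range contains it.

    Returns None when no version can be read (the `version` option lets an
    administrator set an arbitrary string); None means "unknown", not "safe".
    """
    version = parse_version(banner)
    if version is None:
        return None
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= version <= hi for lo, hi in ranges))


if __name__ == "__main__":
    # Constructed sample banners, not captured from real servers.
    for banner in ["8.3.3-REL", "8.2.2-P5", "named 4.9.3-REL", "9.2.1",
                   "8.3.4-REL", "not disclosed"]:
        print(f"{banner!r:20} -> {assess(banner)}")
```

A match only says the banner falls inside a listed range: a vendor build that carries the fix but keeps the upstream version string still matches, so confirm the patch level on the host before treating the finding as real.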

* References:
http://www.cert.org/advisories/CA-2002-31.html

* Platforms Affected:
Linux Any version
Unix Any version
Recommendation If your vendor provides a patch, apply the patch from your vendor. The appendix in the following site contains information provided by vendors:
http://www.cert.org/advisories/CA-2002-31.html

If a vendor patch is not available, you may wish to consider applying the patches ISC (Internet Software Consortium) has produced:
BIND 8.3.3 - http://www.isc.org/products/BIND/patches/bind833.diff
BIND 8.2.6 - http://www.isc.org/products/BIND/patches/bind826.diff
BIND 4.9.10 - http://www.isc.org/products/BIND/patches/bind4910.diff

BIND administrators should consider upgrading to BIND 9. Please refer to the following ISC Web site for information about updated versions of BIND when they are made available:
http://www.isc.org/products/BIND/

As a workaround for DNS servers that do not need recursive DNS functionality, it is recommended to disable recursion within the BIND configuration file:

BIND 8, named.conf:

    options {
        recursion no;
    };

BIND 4, named.boot:

    options no-recursion

-- OR --

Another workaround to limit exposure to the vulnerabilities in named is to disable recursion on any nameserver responding to DNS requests made by untrusted systems.
If you use BIND version 8, you can use the 'allow-recursive' option in the 'options' section of the named.conf file. With BIND version 9, you can use the 'allow-recursion' option.
You should also restrict the information that the DNS server gives to outside clients, so that it cannot be used to retrieve details about your organization that you do not want to give away. This includes adding the following options: allow-transfer, allow-query, allow-recursive (or allow-recursion) and version. You can set these either in the global section (so they apply to all the zones served) or on a per-zone basis.

For example, imagine that your server is connected both to the Internet and to your internal network (a basic multi-homed server; your internal IP is 192.168.1.2). You do not want to give any service to the Internet and just want to enable DNS lookups from your internal hosts. You could restrict it by including the following in /etc/named.conf:

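    options {
        // Answer queries and recurse only for the internal network
        allow-query { 192.168.1/24; } ;
        allow-transfer { none; } ;
        allow-recursive { 192.168.1/24; } ;
        // Listen only on the internal interface
        listen-on { 192.168.1.2; } ;
        // "forward" takes a bare keyword (only or first), not a braced list
        forward only;
        // A.B.C.D stands for the address of your forwarder
        forwarders { A.B.C.D; } ;
    };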
Related URL CVE-2002-1219,CVE-2002-1220,CVE-2002-1221,CVE-2002-0029 (CVE)
Related URL 6186 (SecurityFocus)
Related URL 10304 (ISS)