Date: 14 February 2001
References: ESB-2001.044
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.058 -- FreeBSD-SA-01:10.bind [REVISED]
bind remote denial of service
14 February 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: bind
Vendor: FreeBSD
Operating System: FreeBSD
BSD
Linux
Unix
Platform: i386
Alpha
Impact: Denial of Service
Access Required: Remote
Ref: ESB-2001.044
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:10 Security Advisory
FreeBSD, Inc.
Topic: bind remote denial of service [REVISED]
Category: core, ports
Module: bind
Announced: 2001-01-23
Revised: 2001-02-07
Credits: Fabio Pietrosanti <fabio@TELEMAIL.IT>
Affects: FreeBSD 3.x prior to the correction date.
Ports collection prior to the correction date.
Corrected: 2000-11-27 (FreeBSD 3.5-STABLE)
2001-01-05 (Ports collection)
Vendor status: Updated version released
FreeBSD only: NO
0. Revision History
v1.0 2001-01-23 Initial release
v1.1 2001-02-07 Rerelease to note the far more serious problems described
in SA-01:18
I. Background
bind is an implementation of the Domain Name System (DNS) protocols.
II. Problem Description
NOTE: It has come to our attention that there are a great deal more
users downloading this advisory than the recently released SA-01:18,
which also deals with the bind software. The latter advisory details
a far more serious vulnerability, which affects all releases of
FreeBSD, and it is recommended that all DNS administrators read
advisory SA-01:18 immediately.
A vulnerability exists with the bind nameserver dealing with
compressed zone transfers. Due to a problem with the compressed zone
transfer (ZXFR) implementation, if named is configured for zone
transfers and recursive resolving, it will crash after a ZXFR for the
authoritative zone and a query of a remote hostname. Since named is
not configured under a watchdog process which will automatically
restart it after a failure, this will lead to the denial of DNS
service on the server.
All versions of FreeBSD 3.x prior to the correction date including
3.5.1-RELEASE are vulnerable to this problem. In addition, the bind8
port in the ports collection is also vulnerable. FreeBSD 4.x is not
affected since it contains versions of BIND 8.2.3.
III. Impact
Malicious remote users can cause the named daemon to crash, if it is
configured to allow zone transfers and recursive queries.
IV. Workaround
A partial workaround can be implemented by disallowing zone transfers
except from trusted hosts. Note that if the trusted hosts are
compromised or contain malicious users, name servers with this bug
will be vulnerable to the denial of service attack.
V. Solution
[Base system]
Upgrade your vulnerable FreeBSD system to 3.5.1-STABLE after the
correction date.
[Ports collection]
If you have chosen to install BIND from the ports collection and are
using it instead of the version in the base system, perform one of the
following steps:
1) Upgrade your entire ports collection and rebuild the bind8 port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.2p7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.2p7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.2p7.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) download a new port skeleton for the bind8 port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBOoGhrlUuHi5z0oilAQFgewP+NVsp0tymZ5KZvgy6sqewZzqcxPUDgBxw
nBR9KI2BVofLD71wawX/uWmVM5mqeMeCjpVo3Vn6cZyB2JDqCEeK174ULmJJa/Yr
OGQhfKMoIKRtRZcpF5U6mT/RpAJuhaAFyAvwZjAMoZv8AORxxydJGpa3MuH2YKFh
V6PWzjcfkpk=
=G19W
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOoqogih9+71yA2DNAQFTHgP+KyJOt7yopDjDDpt1bS9s9uyCDyR0tNgl
i8/4xXZpsEEVyqRRupt9xP30ipSiQXB3qe0Rqtly7lm3rDGcIv6UOn9OWcYeQmII
a1zRMu4O+LOn4r1WXLtOAAbml6IErABT+kiqUbed7QIsRAMdJurIwj2rafrlZOLy
PXTf2fxd6nA=
=Y55V
-----END PGP SIGNATURE-----
|