Date: 31 January 2001
References: ESB-2001.044 ESB-2001.074 ESB-2001.088 ESB-2001.095 ESB-2001.157 ESB-2001.260
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-2001.01 AUSCERT Advisory
ISC BIND Vulnerability
31 January 2001
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT has received information that there are multiple vulnerabilities
in some versions of ISC BIND. These vulnerabilities may allow remote users
to gain system access, execute arbitrary code or cause a denial of service.
Exploit information involving this vulnerability has been made publicly
available. AusCERT recommends that sites take the steps outlined in section
3 as soon as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
ISC (Internet Software Consortium) BIND (Berkeley Internet Name Domain)
is an implementation of the Domain Name System (DNS) protocols.
There are four known vulnerabilities in various versions of ISC BIND.
Each is caused by buffer overruns that can be triggered by specially
constructed DNS queries.
Exploit information involving these vulnerabilities has been made
publicly available.
Current versions of ISC BIND (8.2.3 and 9.1) are not affected. It is
therefore recommended that users upgrade to at least version 8.2.3 as
soon as possible.
2. Impact
Remote users may be able to gain system access, execute arbitrary
code or cause a denial of service.
More information about these vulnerabilities and the availability
of updated vendor software packages is available in recent AusCERT
External Security Bulletins (ESB):
CERT Advisory CA-2001-02 - Multiple Vulnerabilities in BIND
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.037
RHSA-2001:007-03 - Updated bind packages available
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.038
Internet Security Systems Security Alert - Remote Vulnerabilities in
BIND versions 4 and 8
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.039
3. Solution
AusCERT recommends that sites prevent the exploitation of the
vulnerabilities in ISC BIND by immediately applying the solution given
in Section 3.1.
3.1 Upgrade ISC BIND
ISC has released three versions of BIND that are not vulnerable. It is
recommended that users upgrade to versions 8.2.3 or 9.1. If you are
running ISC BIND version 4.x and cannot upgrade to 8.2.3 or 9.1, you
should upgrade to version 4.9.8 - however, since BIND 4.x is no longer
maintained, this should only be done if it is absolutely impossible to
upgrade to version 8.2.3 or 9.1.
ISC BIND 4.9.8 and 8.2.3 can be retrieved from:
ftp://ftp.isc.org/isc/bind/src/4.9.8/
ftp://ftp.isc.org/isc/bind/src/8.2.3/
ISC BIND 9.1 can be retrieved from:
ftp://ftp.isc.org/isc/bind9/9.1.0/
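An added example, not part of the AusCERT advisory: a Python check that compares the version banners in a name server inventory against the releases Section 3.1 lists as not vulnerable (4.9.8, 8.2.3, 9.1). The host names, banner strings and function names are constructed for illustration; "upgrade" means only that the banner is below the release the advisory names for that branch.

```python
import re

# Lowest release in each major branch that the advisory lists as not vulnerable.
FIXED = {4: (4, 9, 8), 8: (8, 2, 3), 9: (9, 1, 0)}

# First dotted number in the banner, e.g. "8.2.2" in "named 8.2.2-P5".
# Patch-level suffixes such as "-P5" or "-REL" are ignored on purpose.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?")


def parse_bind_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) if part else 0 for part in match.groups())


def assess(banner):
    """Classify one banner against the advisory's fixed releases."""
    version = parse_bind_version(banner)
    if version is None or version[0] not in FIXED:
        # Banner hidden, overridden, or a branch the advisory does not cover:
        # confirm the installed package on the host instead.
        return "unknown"
    if version < FIXED[version[0]]:
        return "upgrade"
    if version[0] == 4:
        # 4.9.8 is fixed, but the advisory notes BIND 4.x is unmaintained.
        return "fixed-unmaintained"
    return "ok"


def audit(inventory):
    """Map each host in the inventory to its status."""
    return {host: assess(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
INVENTORY = {
    "ns1.example.net": "named 8.2.2-P5",
    "ns2.example.net": "named 8.2.3-REL",
    "legacy.example.net": "named 4.9.7-REL",
    "old.example.net": "4.9.8-REL",
    "new.example.net": "BIND 9.1.0",
    "hidden.example.net": "not disclosed",
}

if __name__ == "__main__":
    for host, status in sorted(audit(INVENTORY).items()):
        print(f"{status:18} {host}  ({INVENTORY[host]})")
```

A banner is self-reported, and vendor packages may carry the fix under a different version string, so treat the result as a triage list and confirm against the installed package.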
4. Additional measures
4.1 Split Horizon DNS
Using separate DNS servers for public (the outside world looking for
information about your servers) and private (your servers looking for
information on external servers) lookups can minimise the impact of
these vulnerabilities. It may also be possible, by configuring your
DNS environment correctly and applying appropriate security policies,
to keep one of the DNS servers functioning normally even if the other
is compromised. Other security benefits may be gained by using a Split
Horizon DNS.
- ---------------------------------------------------------------------------
AusCERT would like to acknowledge the CERT/CC, Red Hat Inc. and ISS who
have provided information that assisted in the production of this advisory.
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOngxBSh9+71yA2DNAQHiJgP/e0LrJZsrFTKxQfRMqO+wS4D+C8NUnfTk
9KbEq6pQfWIPQTB9pgLJaj4S5AKj30E3C5KLiIEUh1t/hq/+JiCIcO+Seh67GlQ1
TlM0L4Bspkd1d1e+h6LlMlZ+5pzhVCjQJW2s2nEt2LouMwu1Siz84JDq8y+pHiRq
LpejgHbeNY0=
=IF4j
-----END PGP SIGNATURE-----