Kuro5hin.org: technology and culture, from the trenches
CERT Advisory on BIND Vulnerabilities

By Vygramul in MLP
Wed Jan 31, 2001 at 12:07:53 AM EST
Tags: Security

CERT issued an advisory on multiple vulnerabilities in BIND.

Fixed releases of BIND are available; install one as soon as possible.


This affects any DNS server running ISC BIND 4.9.x prior to 4.9.8 or BIND 8.2.x prior to 8.2.3 (8.2, 8.2.1 and 8.2.2, including their patch levels). BIND 9.x is not affected.

"Because the normal operation of most services on the Internet depends on the proper operation of DNS servers, other services could be impacted if these vulnerabilities are exploited."

Download 4.9.8 or 8.2.3

Download 9.1
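As an added example (not part of the story, the CERT advisory or ISC's software), here is a small POSIX shell script that classifies a BIND version string against the ranges above and, when given server names, pulls each server's self-reported version with BIND 9's dig. The server names, the `+short` flag and the quoting of dig's output are assumptions about your environment; treating 8.x releases newer than 8.2.3 as fixed, and 8.2.3 test builds as unclassified, is my reading of the thread, not something the story states.

```shell
#!/bin/sh
# Added example, not from the story or from ISC. Classify an ISC BIND
# version string against the ranges in the story: 4.9.x before 4.9.8 and
# 8.2.x before 8.2.3 are affected; 4.9.8, 8.2.3-REL and 9.x are not.
# Prints one word: vulnerable, fixed or unknown.
classify_bind_version() {
    v=$1
    case "$v" in
        9.*)                       echo fixed ;;      # BIND 9 is a rewrite; not affected
        4.9.8*|4.9.9*)             echo fixed ;;      # 4.9.8 and later 4.9 releases
        4.*)                       echo vulnerable ;; # 4.9.7 and earlier
        8.2.3-REL*|8.2.3)          echo fixed ;;      # the fixed 8.2.x release
        8.2.3*)                    echo unknown ;;    # 8.2.3 test builds: check ISC's table
        8.2|8.2-*|8.2.[0-2]*)      echo vulnerable ;; # 8.2, 8.2-P1, 8.2.1, 8.2.2 up to -P7
        8.2.[4-9]*|8.[3-9]*)       echo fixed ;;      # assumption: anything after 8.2.3 carries the fix
        *)                         echo unknown ;;    # 8.1.x and earlier, hidden banners, garbage
    esac
}

# Ask a server for its self-reported version. BIND answers the TXT record
# version.bind in the CHAOS class. Assumes a dig that supports +short
# (BIND 9's dig does) and strips the quotes around the TXT string.
# Administrators can hide or fake this value (version "none"; in
# named.conf), so a network answer is a hint, not proof.
fetch_bind_version() {
    dig @"$1" version.bind txt chaos +short 2>/dev/null | tr -d '"' | head -n 1
}

# Usage: sh bindcheck.sh ns1.example.org ns2.example.org ...
# With no arguments the functions are defined but nothing is queried.
if [ $# -gt 0 ]; then
    for server in "$@"; do
        ver=$(fetch_bind_version "$server")
        printf '%s\t%s\t%s\n' "$server" "${ver:-?}" "$(classify_bind_version "$ver")"
    done
fi
```

An answer of "unknown" means the banner is hidden or the version is one the advisory does not classify (8.1.x and earlier, for instance); in both cases look at the binary on the host itself, or at your vendor's package version, rather than trusting the network.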

CERT Advisory on BIND Vulnerabilities | 22 comments (10 topical, 12 editorial, 0 hidden)
Is it just me, or... (1.88 / 9) (#1)
by Speare on Tue Jan 30, 2001 at 12:41:09 PM EST

Is this WAY overdue?

Are these new vulnerabilities, or are they the same ones that have made BIND the laughing-stock of *nix security for the past two years?

I don't use BIND, since I (currently) have no need for local DNS services. But I have been hearing about BIND vulnerabilities on slashdot, theregister, k5 and other "geek" sites for years now.


[ e d @ h a l l e y . c c ]
that's because... (4.00 / 3) (#8)
by Mr. Neutron on Tue Jan 30, 2001 at 02:49:40 PM EST

lousy sysadmins don't upgrade their name servers, and when big companies get hacked over and over again the media blames the software. Never mind the damn fool with his head up his ass. I just did a quick count of the vulnerabilities of ISC's BIND listed at www.securityfocus.com and it came to a whopping 14 since April '98. And there are probably some repeats in there, but I didn't look.

Of course, nobody's perfect and I probably have missed something on one of my servers. But at least I try to keep up with it.

But my point is that it wouldn't seem like such a big deal (because it's really not) if people would just learn what the hell is running on their own damn systems and upgrade their software when fixes come out. netstat -tulnp and ps awux should be aliased to something nice in every .bashrc.



I voted for it with +1 (3.57 / 7) (#5)
by mami on Tue Jan 30, 2001 at 01:21:35 PM EST

because there will be an overload of people trying to download it right now and later they might forget about it. Good to be reminded and do it ASAP.

More Information (4.50 / 6) (#11)
by sigwinch on Tue Jan 30, 2001 at 03:21:16 PM EST

Here's Paul Vixie's posting to NANOG.

The ISC FTP server is highly loaded right now. It'd be better to wait until later to download the latest documentation. And are there any mirrors? I looked a couple of places and found nothing. (Including Red Hat, who hasn't seen fit to release an RPM yet. Grrrr.)

FWIW, BIND 9 is a complete rewrite that includes none of the original code "produced in a drunken fury by a bunch of U C Berkeley grad students". (Vixie's exact words, I swear! The linked-to article is a fun read.) This hopefully means that BIND 9 will have a better security record than the older BINDs. As a bonus, the BIND 9 config file syntax is mostly compatible with BIND 8.

For the record, I voted +1 Front Page for this story. Too much of the Internet depends on name servers running the vulnerable BINDs. (And numerous hosts use it locally as a caching name server.) Furthermore, name servers are all too often visible from both sides of a firewall, and thus can serve as a tunnel for attackers. The more visibility this problem gets, the better.

--
I don't want the world, I just want your half.

Mirrors (including not yet announced RedHat's RPM) (3.00 / 2) (#13)
by Pac on Tue Jan 30, 2001 at 04:23:33 PM EST

Red Hat's FTP server is heavily loaded right now. You may try it anyway:
RedHat FTP Server Updates Area
But you'd better try the RedHat mirrors.

Debian users running Potato should have the following line in /etc/apt/sources.list:
deb http://security.debian.org/ stable/updates main contrib non-free

Australian Mirrors (PAY ATTENTION: BIND is something running at the very heart of your installation. I cannot guarantee or recommend in any way downloading such a piece of software from anywhere but the maintainer or your main vendor. Your mileage may vary):
PlanetMirror
AARNet

There is at least one well known BIND alternative, djbdns. Users like it a lot.

Evolution doesn't take prisoners


Some pointers (4.16 / 6) (#12)
by Pac on Tue Jan 30, 2001 at 03:40:43 PM EST

Although reading the advisory linked from the article body will give you most or all you need to proceed ("CERT is your friend"), here are some important highlights (also addressing some other posters' requests for more information):

Upgrade Path:

The ISC has released BIND versions 4.9.8 and 8.2.3 to address these security issues. The CERT/CC recommends that users of BIND 4.9.x or 8.2.x upgrade to BIND 4.9.8, BIND 8.2.3, or BIND 9.1.

Because BIND 4 is no longer actively maintained, the ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1. Upgrading to one of these versions will also provide functionality enhancements that are not related to security.

More info on the problems:

This page at the Internet Software Consortium (the maintainers of BIND) has more information about BIND's security problems and their severity than you want to know.

This CERT advisory was issued in collaboration with Network Associates' Covert Labs. Their advisory has a deeper analysis of BIND's problems.

Evolution doesn't take prisoners


BIND and security (4.20 / 5) (#16)
by Miniluv on Tue Jan 30, 2001 at 08:11:37 PM EST

BIND is not insecure. Let's get that out of the way right up front. I saw another comment that mentioned "the laughing stock of *nix security for the past two years" and fought the urge to smash my monitor. While we're on the topic of mistaken identity regarding security issues, Sendmail isn't insecure either.

Vulnerabilities have been revealed and patched in both in the past two years, along with virtually every other major *nix software package and OS/distro. To the best of my knowledge neither package has a currently outstanding unpatched vulnerability.

Upgrading to BIND9 is a good idea far above and beyond the mere concept of fixing a vulnerability in the 8.2.x tree, as there are tons of cool things about the new version. DNSSEC, TSIGs, multiple views for each zone, and a relatively easy upgrade path. I moved from 8.2.2p7 to 9.1 two days ago in 20 minutes, most of that spent compiling. The major change I had to make was adding "$TTL = 86400" to each of my zone files, as I'd been too lazy to be RFC compliant and specify a specific TTL for each zone.

On a brief editorial note, I voted this story down because 1) K5 != bugtraq, and anybody running a server connected to the Internet should be on bugtraq and every security mailing list related to each and every service offered to the Internet on their machine. 2) The story isn't particularly well written even if we were bugtraq. It's not a bad story, just sparse on details, and I don't come to K5 to be sent off on hunts through other websites to find out why I should upgrade.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'

Going to the extremes (3.25 / 8) (#18)
by versus on Tue Jan 30, 2001 at 09:00:27 PM EST

Not a lot more than ten years ago, information about security vulnerabilities was a closely kept secret. Only proven computer security experts had access to the information, usually spread via e-mail mailing lists. The information on the lists was sort of a Holy Grail for hackers.

A lot of water has passed under London Bridge (that still didn't fall down) and times have changed a bit.

Today, every little vulnerability is advertised as a major issue. I am not saying we should go back to the old extremes and keep security vulnerabilities within the security cabal; what I am saying is that today's overhype about every little vulnerability is doing more harm than good.

In all this flood of discovered vulnerabilities, one can easily miss a critical one. The current one with BIND is a prime example of hype that's taking place in the last couple of years. Let's have a look at the last CERT advisory:

(I'll skip vulnerabilities in BIND 4. Those that still run vulnerable BIND 4 after all this time either don't ever read security bulletins or have their BIND locked down in chroot'ed environment).

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
How many people use (broken) DNSSEC in BIND 8? Exactly. Those that do use BIND's ability to sign zones and replies to queries also most probably run BIND in a chroot'ed environment as a non-privileged user. A potential attacker will have to find another way to break in.

VU#325431 - Queries to ISC BIND servers may disclose environment variables
This is a serious bug. But only if the information the adversary may get can result in a potential successful break-in. But only if your version of BIND is vulnerable to some other security bugs. Most of the script kiddies today couldn't be bothered gathering information and then attacking selected targets -- they attack DNS servers in bulk, without checking what version you run.
This vulnerability is a serious security threat only if you're the target of a sophisticated adversary -- and in that case, you've already lost the battle if information gathered through this bug can seriously jeopardize your system's security.

It's time once-well-respected organizations like CERT/CC jumped off the 'security threats overhype' bandwagon and added some salt to their advisories.


--
Le Chef

If you rate it 3 or less, please comment why.
TSIG vulnerability (4.00 / 2) (#20)
by kreggan on Wed Jan 31, 2001 at 03:59:22 AM EST

1) TSIG is not a part of the DNSSEC extension to DNS, it's separate. DNSSEC is a public-key based system, TSIG is a private-key based system used between a server pair, a server/resolver pair, or server/dynamic updater pair.

2) All versions of Bind 8.2.x prior to 8.2.3-REL are vulnerable to the TSIG bug even if you're not using TSIG. Check the table at the end of this page.

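To make the distinction in point 1 concrete, here is an added example (not from the thread, CERT or ISC) that prints the named.conf fragments for a TSIG-protected zone transfer between a primary and one secondary. The same shared secret goes into both servers' configurations and signs every message between them; no public-key zone signing is involved. The key, server and allow-transfer statements are the ones BIND 8.2 and BIND 9 share; the key name, addresses, zone and the secret itself are constructed for the example.

```shell
#!/bin/sh
# Added example, not ISC's code. Emit the TSIG configuration for one side of
# a primary/secondary pair. TSIG (RFC 2845) is a shared-secret MAC on each
# DNS message, so the key block below must be identical on both servers.
#
# print_tsig_conf KEYNAME SECRET_BASE64 PEER_ADDR ZONE ROLE
#   ROLE is "primary" or "secondary". The secret is normally produced with
#   BIND 9's dnssec-keygen -a HMAC-MD5 -b 128 -n HOST KEYNAME (the Key:
#   line of the .private file); any 128-bit base64 value works.
print_tsig_conf() {
    keyname=$1 secret=$2 peer=$3 zone=$4 role=$5
    case "$role" in primary|secondary) ;; *)
        echo "role must be primary or secondary, got '$role'" >&2
        return 1 ;;
    esac
    cat <<EOF
key "$keyname" {
    algorithm hmac-md5;
    secret "$secret";
};

// Sign everything sent to this peer with the shared key, and verify
// the MAC on what it sends back.
server $peer {
    keys { "$keyname"; };
};
EOF
    if [ "$role" = primary ]; then
        cat <<EOF

zone "$zone" {
    type master;
    file "$zone.db";
    // Unsigned AXFR/IXFR requests are refused; only the holder of
    // the key gets the zone.
    allow-transfer { key "$keyname"; };
};
EOF
    else
        cat <<EOF

zone "$zone" {
    type slave;
    file "$zone.db";
    masters { $peer; };
};
EOF
    fi
}

# Usage: sh tsig.sh KEYNAME SECRET PEER ZONE primary|secondary
if [ $# -eq 5 ]; then
    print_tsig_conf "$@"
fi
```

Run it once per side with the other server's address as PEER and paste the output into each named.conf. The secret must stay out of world-readable files and out of version control; a TSIG key leaks like a password, not like a DNSSEC public key.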

I stand corrected (5.00 / 1) (#22)
by versus on Wed Jan 31, 2001 at 08:46:00 PM EST

1) TSIG is not a part of the DNSSEC extension to DNS, it's separate. DNSSEC is a public-key based system, TSIG is a private-key based system used between a server pair, a server/resolver pair, or server/dynamic updater pair.

You're correct, I was wrong.

2) All versions of Bind 8.2.x prior to 8.2.3-REL are vulnerable to the TSIG bug even if you're not using TSIG. Check the table at the end of this page.

The CERT/CC advisory and ISC's press release don't contain the information needed to conclude that. From what I've read in CERT's advisory and from what could be read on ISC's page, the severity of the security holes isn't even close to being "the end of the 'Net".

I admit, I was misinformed about the TSIG bug. But the vulnerability still doesn't pose an end-of-the-world security risk like all the fine press touted. Most of the big DNS systems have mitigated most of the risk by running BIND as a non-privileged user in a chroot'ed environment. This of course doesn't make you immune to the new bug, but it does mitigate most of the risk already. Proper system design dictates that you have 99.99% system availability, which also means that there is normally more than one box running as DNS server on the same IP.

Amuse me: How does this exploit work through layer 4 switches?

--
Le Chef

If you rate it 3 or less, please comment why.
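Several comments above point to running named as a non-privileged user inside a chroot as the mitigation that limits what a successful overflow buys the attacker. As an added example (not from the thread or from ISC), the script below builds the minimal jail that named needs and prints the start command for BIND 8 or BIND 9. The jail path, the account name "named" and the file locations are assumptions; the named options themselves (-u, -g, -t, -c) are the real ones.

```shell
#!/bin/sh
# Added example, not ISC's code. Build a minimal chroot jail for named and
# print the command that starts it as an unprivileged user inside it.

# build_named_chroot JAIL CONF ZONEDIR [USER]
#   JAIL    directory that becomes named's root (created if missing)
#   CONF    existing named.conf, copied to JAIL/etc/named.conf
#   ZONEDIR directory of zone files, copied to JAIL/var/named
#   USER    unprivileged account named will run as (default: named)
build_named_chroot() {
    jail=$1 conf=$2 zonedir=$3 user=${4:-named}
    for d in etc dev var/run var/named; do
        mkdir -p "$jail/$d" || return 1
    done
    cp "$conf" "$jail/etc/named.conf" || return 1
    cp "$zonedir"/* "$jail/var/named/" || return 1
    # named opens /dev/null inside the jail, and its syslog messages only
    # get out if a log socket exists there too (run syslogd with
    # -a JAIL/dev/log). Device nodes need root: warn instead of failing.
    if [ ! -c "$jail/dev/null" ]; then
        mknod -m 666 "$jail/dev/null" c 1 3 2>/dev/null ||
            echo "warning: create $jail/dev/null (char 1 3) as root" >&2
    fi
    # The pid file and the zone files (slave transfers, dynamic updates)
    # are the only things named should be able to write; everything else
    # stays root-owned. chown only works as root and only if USER exists.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user" "$jail/var/run" "$jail/var/named" || return 1
    fi
    return 0
}

# named_start_cmd JAIL USER MAJOR
#   BIND 8 takes -u user -g group -t jail; BIND 9 takes -u user -t jail and
#   uses the user's primary group. -c is opened after the chroot, so it is
#   a path inside the jail.
named_start_cmd() {
    jail=$1 user=$2 major=$3
    case "$major" in
        8) echo "named -u $user -g $user -t $jail -c /etc/named.conf" ;;
        9) echo "named -u $user -t $jail -c /etc/named.conf" ;;
        *) echo "unsupported BIND major version: $major" >&2; return 1 ;;
    esac
}

# Usage: sh named-jail.sh JAIL CONF ZONEDIR 8|9
if [ $# -eq 4 ]; then
    build_named_chroot "$1" "$2" "$3" && named_start_cmd "$1" named "$4"
fi
```

Two caveats a BIND 8 secondary will hit: named forks a separate named-xfer binary for inbound zone transfers, so that binary and the shared libraries it links against must also live inside the jail (the named-xfer option in options {} tells named where to look), and the jail only limits filesystem reach. Code running as the named user can still speak on the network, so the chroot reduces the blast radius of the TSIG overflow; it does not remove the need to upgrade.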