Vulnerability Note VU#325431

Queries to ISC BIND servers may disclose environment variables

Overview

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is an information leakage vulnerability in BIND 4.9.x and 8.2.x, which may allow remote intruders to obtain information from systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet.

This vulnerability has been exploited in a laboratory environment and presents a moderate threat to the Internet infrastructure.

I. Description

There is a vulnerability in ISC BIND that allows a remote attacker to access the program stack, possibly exposing program and/or environment variables. This vulnerability affects both BIND 4 and BIND 8, and can be triggered by sending a specially formatted query to vulnerable BIND servers.

II. Impact

This vulnerability may allow attackers to read information from the program stack, possibly exposing environment variables.

III. Solution

The ISC has released BIND versions 4.9.8 and 8.2.3 to address this security issue. The CERT/CC recommends that users of BIND 4.9.x or 8.2.x upgrade to BIND 4.9.8 or BIND 8.2.3, respectively. Because BIND 4 is no longer actively maintained, the ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1. Upgrading to one of these two versions will also provide functionality enhancements that are not related to security.


The BIND 4.9.8 and 8.2.3 distributions can be downloaded from:


The BIND 9.1 distribution can be downloaded from:

Please note that upgrading to BIND 4.9.8 also addresses the vulnerabilities discussed in VU#572183 and VU#868916, while upgrading to 8.2.3 will address the vulnerability discussed in VU#196945.
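The version guidance above can be applied to an inventory of name servers. The following is an added example, not part of the original note or any ISC or CERT/CC tooling; the host names, version strings, status labels and the pre-release suffix rule are assumptions made for illustration.

```python
import re

# Fixed releases per branch, taken from the Solution section of this note.
FIXED = {(4, 9): (4, 9, 8), (8, 2): (8, 2, 3)}

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(\S*)")
# Assumption: suffixes such as -T9B, -b2, -beta or -rc1 mark pre-release builds.
_PRERELEASE = re.compile(r"-?(?:T\d|b\d|beta|rc)", re.IGNORECASE)


def triage(version):
    """Classify a reported BIND version string against VU#325431."""
    m = _VERSION.search(version)
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    release = (major, minor, int(m.group(3) or 0))
    fixed = FIXED.get((major, minor))
    if fixed is not None:
        if release < fixed:
            return "affected"
        # A beta of the fixed release may predate the fix: check by hand.
        if release == fixed and _PRERELEASE.match(m.group(4)):
            return "review"
        return "fixed"  # assumption: later releases on the branch keep the fix
    if (major, minor) >= (9, 1):
        return "fixed"  # assumption: 9.x after 9.1 is treated like 9.1
    return "not-covered"  # branch not discussed in this note


# Constructed inventory: host names and version strings are made up.
INVENTORY = {
    "ns1.example.net": "8.2.2-P5",
    "ns2.example.net": "4.9.7-REL",
    "ns3.example.net": "8.2.3-T9B",
    "ns4.example.net": "8.2.3-REL",
    "ns5.example.net": "9.1.0",
}


def report(inventory):
    """Return {host: status} for every host in the inventory."""
    return {host: triage(ver) for host, ver in sorted(inventory.items())}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:18} {INVENTORY[host]:12} {status}")
```

Hosts reported as "review" or "not-covered" need a manual check, since this note does not state their status.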

Systems Affected

Vendor                        Status          Date Updated
Apple                         Not Vulnerable  5-Apr-2001
BSDI                          Unknown         26-Jan-2001
Caldera                       Vulnerable      29-Jan-2001
Compaq Computer Corporation   Vulnerable      4-Apr-2001
Conectiva                     Vulnerable      4-Apr-2001
Data General                  Unknown         26-Jan-2001
Debian                        Vulnerable      5-Apr-2001
FreeBSD                       Vulnerable      5-Apr-2001
Fujitsu                       Unknown         26-Jan-2001
Hewlett Packard               Vulnerable      5-Apr-2001
IBM                           Vulnerable      5-Apr-2001
Immunix                       Vulnerable      5-Apr-2001
ISC                           Vulnerable      4-Apr-2001
MandrakeSoft                  Vulnerable      4-Apr-2001
Microsoft                     Not Vulnerable  30-Jan-2001
NCR                           Unknown         27-Jan-2001
NEC                           Unknown         27-Jan-2001
NetBSD                        Vulnerable      5-Apr-2001
NeXT                          Unknown         27-Jan-2001
OpenBSD                       Not Vulnerable  30-Jan-2001
RedHat                        Vulnerable      4-Apr-2001
SCO                           Vulnerable      1-May-2002
Sequent                       Unknown         27-Jan-2001
SGI                           Unknown         27-Apr-2001
Siemens Nixdorf               Unknown         27-Jan-2001
Slackware                     Vulnerable      5-Apr-2001
Sony                          Unknown         27-Jan-2001
Sun                           Vulnerable      7-Aug-2001
SuSE                          Vulnerable      5-Apr-2001
Unisys                        Unknown         27-Jan-2001

References

VU#325431, VU#196945, VU#572183, VU#868916
http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html
http://www.isi.edu/~bmanning/in-addr-audit.html
http://www.securityfocus.com/news/144
http://www.securityfocus.com/bid/2321

Credit

The CERT/CC thanks Claudio Musmarra for discovering this vulnerability and the Internet Software Consortium for providing a patch to fix it.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public: 01/29/2001
Date First Published: 01/29/2001 08:47:27 AM
Date Last Updated: 05/01/2002
CERT Advisory: CA-2001-02
CVE Name: CAN-2001-0012
Metric: 16.38
Document Revision: 54

Copyright 2001 Carnegie Mellon University