Vulnerability Note VU#196945
ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a buffer overflow vulnerability in BIND 8.2.x, which may allow remote intruders to gain access to systems running BIND. DNS servers running BIND 8 are responsible for the majority of name resolution services on the Internet.
This vulnerability has been successfully exploited in a laboratory environment and presents a serious threat to the Internet infrastructure.
During the processing of transaction signatures, BIND performs a test for signatures that fail to include a valid key. If a transaction signature is found in the request, but a valid key is not included, BIND skips normal processing of the request and jumps directly to code designed to send an error response. Because this code fails to initialize variables in the same manner as the normal processing, later function calls make invalid assumptions about the size of the request buffer. In particular, the code to add a new (valid) signature to the response may overflow the request buffer and overwrite adjacent memory on the stack or heap. Overwriting this memory can allow an intruder (in conjunction with other buffer overflow exploit techniques) to gain unauthorized access to the vulnerable system.
This vulnerability may allow an attacker to execute privileged commands or code with the same permissions as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.
The ISC has released BIND version 8.2.3 to address this security issue as well as others. The CERT/CC strongly recommends that all users of BIND 8.2.x upgrade to 8.2.3 immediately. The ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1.
The BIND 9.1 distribution can be downloaded from:
Please note that upgrading to BIND 8.2.3 also addresses the information leakage vulnerability discussed in VU#325431.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Caldera||Affected||18 Jan 2001||29 Jan 2001|
|Compaq Computer Corporation||Affected||18 Jan 2001||04 Apr 2001|
|Conectiva||Affected||29 Jan 2001||04 Apr 2001|
|Debian||Affected||18 Jan 2001||05 Apr 2001|
|FreeBSD||Affected||18 Jan 2001||11 May 2001|
|IBM||Affected||18 Jan 2001||05 Apr 2001|
|Immunix||Affected||31 Jan 2001||05 Apr 2001|
|ISC||Affected||05 Jan 2001||04 Apr 2001|
|MandrakeSoft||Affected||03 Feb 2001||04 Apr 2001|
|NetBSD||Affected||18 Jan 2001||05 Apr 2001|
|RedHat||Affected||18 Jan 2001||04 Apr 2001|
|SCO||Affected||18 Jan 2001||01 May 2002|
|Slackware||Affected||03 Feb 2001||05 Apr 2001|
|Sun||Affected||18 Jan 2001||07 Aug 2001|
|SuSE||Affected||03 Feb 2001||05 Apr 2001|
CVSS Metrics (Learn More)
- VU#325431, VU#572183, VU#868916
The CERT/CC thanks the COVERT Labs at PGP Security for discovering and analyzing this vulnerability and the Internet Software Consortium for providing a patch to fix it.
This document was written by Cory F Cohen.
- CVE IDs: CAN-2001-0010
- CERT Advisory: CA-2001-02
- Date Public: 29 Jan 2001
- Date First Published: 29 Jan 2001
- Date Last Updated: 01 May 2002
- Severity Metric: 50.87
- Document Revision: 59
If you have feedback, comments, or additional information about this vulnerability, please send us email.