Vulnerability Note VU#229595
Overly large OPT record assertion
Overview
A remotely exploitable denial-of-service vulnerability exists in BIND. Based on recent reports, we believe this vulnerability is being actively exploited.
Description
A remotely exploitable denial-of-service vulnerability exists in BIND 8.3.0 - 8.3.3. ISC's description of this vulnerability states: When constucting [sic] a response a NXDOMAIN response to a ENDS query with a large UDP size it is possible to trigger an assertion. |
Impact
The BIND daemon will shut down. As a result, clients will not be able to connect to the service to resolve queries. |
Solution
Apply a patch from your vendor. In the absence of a patch, you may wish to consider ISC's recommendation, which is upgrading to "BIND 4.9.11, BIND 8.2.7, BIND 8.3.4 or preferably BIND 9." Additionally, ISC indicates, "BIND 4 is officially deprecated. Only security fixes will be issued for BIND 4." |
Disable recursion if possible. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | 12 Nov 2002 | 26 Feb 2003 |
| Hewlett-Packard Company | Affected | 12 Nov 2002 | 24 Feb 2003 |
| IBM | Affected | 12 Nov 2002 | 09 Dec 2002 |
| Red Hat Inc. | Affected | 12 Nov 2002 | 12 Nov 2002 |
| The OpenPKG Project | Affected | - | 19 Nov 2002 |
| Trustix | Affected | - | 18 Nov 2002 |
| MontaVista Software | Not Affected | 12 Nov 2002 | 12 Nov 2002 |
| Nominum | Not Affected | - | 13 Nov 2002 |
| Xerox Corporation | Not Affected | 12 Nov 2002 | 30 May 2003 |
| 3Com | Unknown | 12 Nov 2002 | 12 Nov 2002 |
| Adns | Unknown | 12 Nov 2002 | 12 Nov 2002 |
| Aks | Unknown | 12 Nov 2002 | 12 Nov 2002 |
| Alcatel | Unknown | 12 Nov 2002 | 25 Feb 2003 |
| Apache Software Foundation | Unknown | 12 Nov 2002 | 12 Nov 2002 |
| AT&T | Unknown | 12 Nov 2002 | 12 Nov 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
- http://www.isc.org/products/BIND/bind-security.html
- http://www.ciac.org/ciac/bulletins/n-013.shtml
Credit
Internet Security Systems is credited for discovering this vulnerability.
This document was written by Ian A Finlay.
Other Information
- CVE IDs: CAN-2002-1220
- CERT Advisory: CA-2002-31
- Date Public: 12 Nov 2002
- Date First Published: 13 Nov 2002
- Date Last Updated: 30 May 2003
- Severity Metric: 33.05
- Document Revision: 26
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.