Vulnerability Note VU#325431
Queries to ISC BIND servers may disclose environment variables
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is an information leakage vulnerability in BIND 4.9.x and 8.2.x, which may allow remote intruders to obtain information from systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet.
This vulnerability has been exploited in a laboratory environment and presents a moderate threat to the Internet infrastructure.
There is a vulnerability in ISC BIND that allows a remote attacker to access the program stack, possibly exposing program and/or environment variables. This vulnerability affects both BIND 4 and BIND 8, and can be triggered by sending a specially formatted query to vulnerable BIND servers.
This vulnerability may allow attackers to read information from the program stack, possibly exposing environment variables.
The ISC has released BIND versions 4.9.8 and 8.2.3 to address this security issue. The CERT/CC recommends that users of BIND 4.9.x or 8.2.x upgrade to BIND 4.9.8 or BIND 8.2.3, respectively. Because BIND 4 is no longer actively maintained, the ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1. Upgrading to one of these two versions will also provide functionality enhancements that are not related to security.
The BIND 9.1 distribution can be downloaded from:
Please note that upgrading to BIND 4.9.8 also addresses the vulnerabilities discussed in VU#572183 and VU#868916, while upgrading to 8.2.3 will address the vulnerability discussed in VU#196945.
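The following triage helper is an added example, not part of the original note or of ISC's code: it classifies reported BIND version strings against the fixed releases named above (4.9.8 and 8.2.3). The banner formats, the function names, the pre-release suffix convention and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed releases named in the note, keyed by (major, minor) branch.
FIXED = {(4, 9): (4, 9, 8), (8, 2): (8, 2, 3)}

# Assumed banner shapes: "8.2.2-P5", "BIND 4.9.7-REL", "named 8.2.3-T6B".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-_ ]?([A-Za-z][\w.]*))?")

def classify(banner):
    """Map a reported BIND version string to a triage status for VU#325431."""
    m = VERSION_RE.search(banner or "")
    if not m:
        return "review"  # hidden or customised banner: check the host directly
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)  # a bare "8.2" is treated as 8.2.0
    suffix = (m.group(4) or "").upper()
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "not-listed"  # branch is not one the note names as affected
    if (major, minor, patch) < fixed:
        return "vulnerable"
    # Assumption: a T<n>/B<n>/RC<n> suffix marks a pre-release build of the
    # fixed version; the note does not say whether those carry the fix.
    if (major, minor, patch) == fixed and re.match(r"(T|B|RC)\d", suffix):
        return "review"
    return "fixed"

def audit(inventory):
    """Return {host: status} for hosts that need an upgrade or a manual check."""
    results = {host: classify(banner) for host, banner in inventory.items()}
    return {h: s for h, s in results.items() if s in ("vulnerable", "review")}

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "ns1.example.net": "8.2.2-P5",
    "ns2.example.net": "BIND 4.9.7-REL",
    "ns3.example.net": "8.2.3-REL",
    "ns4.example.net": "8.2.3-T6B",
    "ns5.example.net": "9.1.0",
    "ns6.example.net": "",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}\t{SAMPLE_INVENTORY[host]!r}")
```

A version banner is operator-configurable and vendors may ship fixes without changing the version string, so treat the result as a triage list and confirm against the installed package on each host.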
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Caldera | Affected | 03 Jan 2001 | 29 Jan 2001 |
| Compaq Computer Corporation | Affected | 03 Jan 2001 | 04 Apr 2001 |
| Conectiva | Affected | 29 Jan 2001 | 04 Apr 2001 |
| Debian | Affected | 03 Jan 2001 | 05 Apr 2001 |
| FreeBSD | Affected | 03 Jan 2001 | 05 Apr 2001 |
| Hewlett Packard | Affected | 03 Jan 2001 | 05 Apr 2001 |
| IBM | Affected | 03 Jan 2001 | 05 Apr 2001 |
| Immunix | Affected | 31 Jan 2001 | 05 Apr 2001 |
| ISC | Affected | 02 Jan 2001 | 04 Apr 2001 |
| MandrakeSoft | Affected | 03 Feb 2001 | 04 Apr 2001 |
| NetBSD | Affected | 03 Jan 2001 | 05 Apr 2001 |
| RedHat | Affected | 03 Jan 2001 | 04 Apr 2001 |
| SCO | Affected | 03 Jan 2001 | 01 May 2002 |
| Slackware | Affected | 03 Feb 2001 | 05 Apr 2001 |
| Sun | Affected | 03 Jan 2001 | 07 Aug 2001 |
- VU#325431, VU#196945, VU#572183, VU#868916
The CERT/CC thanks Claudio Musmarra for discovering this vulnerability and the Internet Software Consortium for providing a patch to fix it.
This document was written by Jeffrey P. Lanza.
- CVE IDs: CAN-2001-0012
- CERT Advisory: CA-2001-02
- Date Public: 29 Jan 2001
- Date First Published: 29 Jan 2001
- Date Last Updated: 01 May 2002
- Severity Metric: 16.38
- Document Revision: 54