Vulnerability Note VU#325431

Queries to ISC BIND servers may disclose environment variables

Original Release date: 29 Jan 2001 | Last revised: 01 May 2002

Overview

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is an information leakage vulnerability in BIND 4.9.x and 8.2.x, which may allow remote intruders to obtain information from systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet.

This vulnerability has been exploited in a laboratory environment and presents a moderate threat to the Internet infrastructure.

Description

There is a vulnerability in ISC BIND that allows a remote attacker to access the program stack, possibly exposing program and/or environment variables. This vulnerability affects both BIND 4 and BIND 8, and can be triggered by sending a specially formatted query to vulnerable BIND servers.

Impact

This vulnerability may allow attackers to read information from the program stack, possibly exposing environment variables.

Solution

The ISC has released BIND versions 4.9.8 and 8.2.3 to address this security issue. The CERT/CC recommends that users of BIND 4.9.x or 8.2.x upgrade to BIND 4.9.8 or BIND 8.2.3, respectively. Because BIND 4 is no longer actively maintained, the ISC recommends that users affected by this vulnerability upgrade to either BIND 8.2.3 or BIND 9.1. Upgrading to one of these two versions will also provide functionality enhancements that are not related to security.

The BIND 4.9.8 and 8.2.3 distributions can be downloaded from:


The BIND 9.1 distribution can be downloaded from:

Please note that upgrading to BIND 4.9.8 also addresses the vulnerabilities discussed in VU#572183 and VU#868916, while upgrading to 8.2.3 will address the vulnerability discussed in VU#196945.
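
A version audit for the upgrade guidance above, as an added example (not part of the original note and not ISC code): it classifies BIND version banners against the fixed releases 4.9.8 and 8.2.3. The host names, sample banners, status labels and the handling of pre-release suffixes are assumptions made for the example.

```python
import re

# Fixed patch level per branch, taken from the note: 4.9.8 and 8.2.3.
FIXED_PATCH = {(4, 9): 8, (8, 2): 3}

# Matches e.g. "8.2.2-P5", "4.9.7-REL", "named 8.2.3-T6B"; the suffix is optional.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?")

def classify(banner):
    """Map a BIND version banner to a status for this note."""
    m = VERSION_RE.search(banner)
    if m is None:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)          # "8.2" is treated as 8.2.0
    suffix = (m.group(4) or "").upper()
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "not-covered"              # branch not named as affected in the note
    if patch < fixed:
        return "vulnerable"
    # Assumption: only plain, -REL and -P<n> builds count as the fixed release;
    # any other suffix at the fixed patch level (a pre-release tag) needs review.
    if patch == fixed and suffix and suffix != "REL" and not re.fullmatch(r"P\d+", suffix):
        return "review"
    return "fixed"

def audit(inventory_lines):
    """Return (host, banner, status) for each 'host banner...' line."""
    results = []
    for line in inventory_lines:
        host, _, banner = line.strip().partition(" ")
        results.append((host, banner.strip(), classify(banner)))
    return results

# Constructed sample inventory (hosts and banners are made up for the example).
SAMPLE = [
    "ns1.example.net 8.2.2-P5",
    "ns2.example.net 4.9.7-REL",
    "ns3.example.net named 8.2.3-REL",
    "ns4.example.net 8.2.3-T6B",
    "ns5.example.net 9.1.0",
    "ns6.example.net refused",
]

if __name__ == "__main__":
    for host, banner, status in audit(SAMPLE):
        print(f"{host:18} {banner:18} {status}")
```

A "not-covered" result only means the branch is not listed as affected in this note; it says nothing about other vulnerabilities.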

Systems Affected

Vendor                        Status    Date Notified  Date Updated
Caldera                       Affected  03 Jan 2001    29 Jan 2001
Compaq Computer Corporation   Affected  03 Jan 2001    04 Apr 2001
Conectiva                     Affected  29 Jan 2001    04 Apr 2001
Debian                        Affected  03 Jan 2001    05 Apr 2001
FreeBSD                       Affected  03 Jan 2001    05 Apr 2001
Hewlett Packard               Affected  03 Jan 2001    05 Apr 2001
IBM                           Affected  03 Jan 2001    05 Apr 2001
Immunix                       Affected  31 Jan 2001    05 Apr 2001
ISC                           Affected  02 Jan 2001    04 Apr 2001
MandrakeSoft                  Affected  03 Feb 2001    04 Apr 2001
NetBSD                        Affected  03 Jan 2001    05 Apr 2001
RedHat                        Affected  03 Jan 2001    04 Apr 2001
SCO                           Affected  03 Jan 2001    01 May 2002
Slackware                     Affected  03 Feb 2001    05 Apr 2001
Sun                           Affected  03 Jan 2001    07 Aug 2001

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

The CERT/CC thanks Claudio Musmarra for discovering this vulnerability and the Internet Software Consortium for providing a patch to fix it.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2001-0012
  • CERT Advisory: CA-2001-02
  • Date Public: 29 Jan 2001
  • Date First Published: 29 Jan 2001
  • Date Last Updated: 01 May 2002
  • Severity Metric: 16.38
  • Document Revision: 54

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.