Vulnerability Note VU#327633

BIND 8.4.4 and 8.4.5 vulnerable to buffer overflow in q_usedns

Original Release date: 25 Jan 2005 | Last revised: 18 Mar 2005

Overview

A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.

Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). A buffer overflow error exists in the handling of the q_usedns array used by the server to track nameservers and addresses that have been queried. This vulnerability only affects BIND versions 8.4.4 and 8.4.5.

Impact

A remote attacker may be able to cause the name server daemon to crash, thereby causing a denial of service for DNS operations.

Solution

Apply a patch from the vendor

Patches have been released in response to this issue. Please see the Systems Affected section of this document.

Upgrade

Users who compile their own versions of BIND from the original ISC source code are encouraged to upgrade to BIND version 8.4.6 which includes a patch for this issue.

Workarounds


ISC recommends that users who are unable to apply the patch disable recursion and glue fetching.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
DebianAffected17 Jan 200525 Jan 2005
ISCAffected-25 Jan 2005
Apple Computer Inc.Not Affected17 Jan 200518 Mar 2005
Check PointNot Affected17 Jan 200524 Jan 2005
HitachiNot Affected17 Jan 200520 Jan 2005
IBMNot Affected17 Jan 200524 Jan 2005
Juniper NetworksNot Affected17 Jan 200524 Jan 2005
MandrakeSoftNot Affected17 Jan 200531 Jan 2005
NEC CorporationNot Affected17 Jan 200518 Mar 2005
Red Hat Inc.Not Affected17 Jan 200518 Jan 2005
Sun Microsystems Inc.Not Affected17 Jan 200524 Jan 2005
AdnsUnknown17 Jan 200517 Jan 2005
BlueCat NetworksUnknown17 Jan 200517 Jan 2005
ConectivaUnknown17 Jan 200517 Jan 2005
Cray Inc.Unknown17 Jan 200517 Jan 2005
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Joao Damas of the Internet Systems Consortium for reporting this vulnerability.

This document was written by Chad Dougherty based on information provided by ISC.

Other Information

  • CVE IDs: CAN-2005-0033
  • Date Public: 25 Jan 2005
  • Date First Published: 25 Jan 2005
  • Date Last Updated: 18 Mar 2005
  • Severity Metric: 1.91
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.