Vulnerability Note VU#738331

Domain Name System (DNS) resolver libraries vulnerable to read buffer overflow

Original Release date: 01 Oct 2002 | Last revised: 15 Apr 2003

Overview

DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service.

Description

A read buffer overflow vulnerability exists in BIND 4 and BIND 8.2.x stub resolver libraries. Other resolver libraries derived from BIND 4 are also affected, including BSD libc, GNU/Linux glibc, and System 5 UNIX libresolv. This vulnerability is similar in scope to VU#803539 and VU#542971, which are referenced by CERT Advisory CA-2002-19.

The name server itself, named, is not affected. The vulnerability exists in DNS stub resolver libraries that are used by network applications to obtain host or network information, typically host names and IP addresses. For example, when a web browser attempts to access http://www.cert.org/, it calls functions in a DNS stub resolver library in order to determine an IP address for www.cert.org.

Within the DNS resolver library, a buffer size value that is smaller than the maximum size of a potential DNS response is passed to the functions that perform DNS resolution. If a response is encountered that is larger than the allocated buffer, the response is truncated and returned to the calling function, along with the amount of buffer space that would be required to handle the entire response. The calling function may use this value as the size of the buffer and read beyond the end of the actual DNS response. In some cases, unmapped memory may be read, which typically causes the calling application to crash. In other cases, mapped memory may be read and its contents included in the DNS response, which the calling application typically handles as a malformed response.

Applications that call DNS resolution functions directly may also be vulnerable, depending on how those applications handle the returned buffer size value. MIT Kerberos 5, KTH Heimdal Kerberos, nss_ldap, and fetchmail are known to be affected.

Quoting from the ISC advisory:

    When looking up address (gethostbyname(), gethostbyaddr() etc.) a less than maximum sized buffer is passed to res_search() / res_query(). If the answer is too large to fit in the buffer the size of buffer required is returned along with the part of the message that will fit. This value is not checked and is passed to getanswer which then may read past the end of the buffer depending upon the contents in the answer section.

Impact

An attacker who is able to send DNS responses to a vulnerable system could cause a denial of service, crashing the application that made calls to a vulnerable resolver library. It does not appear that this vulnerability can be leveraged to execute arbitrary code. There may be some risk of information disclosure if a vulnerable system returns the contents of memory adjacent to a DNS response.

Solution
Patch or Upgrade

Apply a patch or upgrade as specified by your vendor. In the case of statically linked binaries, it is necessary to recompile using the patched version of the DNS stub resolver libraries. ISC has provided the following guidance for applications that call DNS resolution functions directly:

    For application writers. Use a maximum sized buffer (64k), be prepared to redo the calls res_search(), res_query(), res_send(), res_nsearch(), res_nquery() and res_send() with a bigger buffer or take the minimum of the answer buffer size and the value returned by these calls and be aware that the answer is truncated.
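To make the size-handling defect in the Description and ISC's two caller-side remedies concrete, the following C program is an added example; it is not code from the CERT note, from ISC, or from any resolver library. It assumes a simulated sim_res_query() that behaves exactly as the note describes (copies what fits, returns the size of the whole answer), a constructed 673-byte response carrying 40 A records, and a simplified count_a_records() walker standing in for getanswer(). The names build_response, vulnerable_caller_overread, clamped_caller_records, clamped_caller_truncated, retry_caller_records and NREC are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPACKET 65536  /* largest DNS message; ISC's "use a maximum sized buffer (64k)" */
#define SMALL_BUF 512    /* the kind of undersized answer buffer the affected callers passed */
#define NREC      40     /* 12 + 21 + 40*16 = 673 bytes: larger than SMALL_BUF */

/* Constructed stand-in for res_query(): copies as much of the answer as fits and returns
 * the size of the WHOLE answer, even when that exceeds buflen. This mirrors the behaviour
 * the note describes; it is not the real libresolv code. */
static int sim_res_query(const unsigned char *answer, int answer_len,
                         unsigned char *buf, int buflen) {
    int copied = answer_len < buflen ? answer_len : buflen;
    memcpy(buf, answer, copied);
    return answer_len;
}

/* Build a constructed DNS response: header, one question, and nrec A records whose
 * owner name is a compression pointer back to the question. Returns the message length. */
static int build_response(unsigned char *msg, int nrec) {
    static const unsigned char qname[] = "\3www\7example\3com";   /* 17 bytes incl. root */
    unsigned char hdr[12] = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 0, 0, 0, 0, 0};
    int off;
    hdr[6] = (unsigned char)(nrec >> 8);          /* ANCOUNT */
    hdr[7] = (unsigned char)(nrec & 0xff);
    memcpy(msg, hdr, 12); off = 12;
    memcpy(msg + off, qname, sizeof qname); off += (int)sizeof qname;
    msg[off++] = 0; msg[off++] = 1;               /* QTYPE  = A  */
    msg[off++] = 0; msg[off++] = 1;               /* QCLASS = IN */
    for (int i = 0; i < nrec; i++) {
        unsigned char rr[16] = {0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4,
                                192, 0, 2, (unsigned char)i};   /* 192.0.2.i (TEST-NET-1) */
        memcpy(msg + off, rr, 16); off += 16;
    }
    return off;
}

/* A getanswer()-style walk of the answer section that trusts `len` as the message length.
 * It assumes the 2-byte compression-pointer owner names built above. Every read is
 * bounds-checked against `len`, so the caller's choice of `len` decides whether it is safe. */
static int count_a_records(const unsigned char *buf, int len) {
    if (len < 12) return 0;
    int ancount = (buf[6] << 8) | buf[7], off = 12, found = 0;
    while (off < len && buf[off] != 0) off += buf[off] + 1;   /* skip question name */
    off += 1 + 4;                                              /* root label, QTYPE, QCLASS */
    for (int i = 0; i < ancount; i++) {
        if (off + 12 > len) break;       /* ptr(2) type(2) class(2) ttl(4) rdlength(2) */
        int type  = (buf[off + 2] << 8) | buf[off + 3];
        int rdlen = (buf[off + 10] << 8) | buf[off + 11];
        if (off + 12 + rdlen > len) break;
        if (type == 1 && rdlen == 4) found++;
        off += 12 + rdlen;
    }
    return found;
}

/* Vulnerable caller: would hand the resolver's return value to the parser as the buffer
 * length. Returns how many bytes beyond the real buffer the parser would be told to read
 * (computed here instead of performing the out-of-bounds read). */
int vulnerable_caller_overread(void) {
    unsigned char msg[MAXPACKET], buf[SMALL_BUF];
    int n = sim_res_query(msg, build_response(msg, NREC), buf, sizeof buf);
    /* A real caller would now run count_a_records(buf, n) with n > sizeof buf. */
    return n > (int)sizeof buf ? n - (int)sizeof buf : 0;
}

/* ISC remedy 1: parse min(buffer size, returned size) and report that the answer is truncated. */
int clamped_caller_records(int *truncated) {
    unsigned char msg[MAXPACKET], buf[SMALL_BUF];
    int n = sim_res_query(msg, build_response(msg, NREC), buf, sizeof buf);
    *truncated = n > (int)sizeof buf;
    if (*truncated) n = sizeof buf;
    return count_a_records(buf, n);
}

int clamped_caller_truncated(void) {
    int t = 0;
    clamped_caller_records(&t);
    return t;
}

/* ISC remedy 2: redo the call with a buffer large enough for the answer, capped at 64k. */
int retry_caller_records(void) {
    unsigned char msg[MAXPACKET];
    int answer_len = build_response(msg, NREC), buflen = SMALL_BUF;
    unsigned char *buf = malloc(buflen);
    if (!buf) return -1;
    int n = sim_res_query(msg, answer_len, buf, buflen);
    if (n > buflen) {
        buflen = n > MAXPACKET ? MAXPACKET : n;
        unsigned char *bigger = realloc(buf, buflen);
        if (!bigger) { free(buf); return -1; }
        buf = bigger;
        n = sim_res_query(msg, answer_len, buf, buflen);
    }
    if (n > buflen) n = buflen;   /* even after the retry, never trust n as "bytes present" */
    int records = count_a_records(buf, n);
    free(buf);
    return records;
}

int main(void) {
    int trunc = 0;
    printf("vulnerable caller: parser told to read %d bytes past a %d-byte buffer\n",
           vulnerable_caller_overread(), SMALL_BUF);
    printf("clamped caller: %d records parsed, truncated=%d\n",
           clamped_caller_records(&trunc), trunc);
    printf("retrying caller: %d records parsed\n", retry_caller_records());
    return 0;
}
```

Compiled with any C99 compiler and run, the vulnerable caller shows that 161 bytes of the 673-byte length it would pass to the parser lie outside its 512-byte buffer, which is exactly the region getanswer() would read in the affected libraries; the clamped caller parses only the 29 records that actually fit and knows the answer was cut short, and the retrying caller recovers all 40.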

Local Caching DNS Server Not Effective

A local caching DNS server will not prevent malicious responses from reaching vulnerable client resolvers.

Systems Affected

Vendor                      Status     Date Notified   Date Updated
Conectiva                   Affected   14 Aug 2002     08 Nov 2002
Debian                      Affected   15 Aug 2002     08 Nov 2002
Fetchmail                   Affected   -               18 Oct 2002
FreeBSD                     Affected   15 Aug 2002     13 Nov 2002
Fujitsu                     Affected   15 Aug 2002     16 Oct 2002
GNU glibc                   Affected   15 Aug 2002     16 Oct 2002
Guardian Digital Inc.       Affected   15 Aug 2002     10 Oct 2002
Hewlett-Packard Company     Affected   14 Aug 2002     15 Apr 2003
Hitachi                     Affected   27 Aug 2002     08 Nov 2002
IBM                         Affected   14 Aug 2002     16 Oct 2002
ISC                         Affected   -               16 Oct 2002
Juniper Networks            Affected   15 Aug 2002     16 Oct 2002
KAME Project                Affected   -               01 Oct 2002
MandrakeSoft                Affected   15 Aug 2002     08 Nov 2002
MetaSolv Software Inc.      Affected   14 Aug 2002     01 Oct 2002

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

References

Credit

The CERT/CC thanks Mark Andrews of ISC for reporting this vulnerability.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2002-1146
  • Date Public: 01 Oct 2002
  • Date First Published: 01 Oct 2002
  • Date Last Updated: 15 Apr 2003
  • Severity Metric: 19.04
  • Document Revision: 40
