US-CERT Vulnerability Notes Database
Vulnerability Note VU#803539

Multiple vendors' Domain Name System (DNS) stub resolvers vulnerable to buffer overflows

Overview

Buffer overflow vulnerabilities exist in the DNS stub resolver library used by BSD, ISC BIND, and GNU glibc. Other systems that use DNS resolver code derived from ISC BIND may also be affected. An attacker who is able to control DNS responses could execute arbitrary code or cause a denial of service on vulnerable systems.

I. Description

The Domain Name System (DNS) provides name, address, and other information about Internet Protocol (IP) networks and devices. By issuing queries to and interpreting responses from DNS servers, IP-enabled network operating systems can access DNS information. When an IP network application needs to access or process DNS information, it calls functions in the stub resolver library, which may be part of the underlying network operating system. On BSD-based systems, DNS stub resolver functions are implemented in the system library libc. In ISC BIND, they are implemented in libbind, and on GNU/Linux-based systems, they are implemented in glibc.

The DNS resolver libraries on BSD-based systems (libc), ISC BIND (libbind), GNU/Linux (glibc), and possibly other systems that use code derived from ISC BIND contain buffer overflow vulnerabilities in the way the resolvers handle DNS responses. Quoting from FreeBSD Security Advisory FreeBSD-SA-02:28.resolv:

    DNS messages have specific byte alignment requirements, resulting in padding in messages. In a few instances in the resolver code, this padding is not taken into account when computing available buffer space. As a result, the parsing of a DNS message may result in a buffer overrun of up to a few bytes for each record included in the message.

NetBSD Security Advisory 2002-006 provides further detail:

    In lib/libc/net/gethnamaddr.c:getanswer() and lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage packet buffer parsing - a pointer to the byte we are looking at, and the remaining length on the buffer. The remaining length was not updated consistently, and malicious DNS responses are able to write outside the buffer.

This problem is not limited to DNS servers or to BIND. Any application that uses a vulnerable resolver library is likely to be affected. Applications that are statically linked must be recompiled using patched resolver libraries.

Note that the DNS stub resolver implemented in glibc on GNU/Linux systems is vulnerable via DNS lookups for network names and addresses (VU#542971).
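As an added illustration (not code from this note, FreeBSD, NetBSD, ISC BIND, or glibc), the C walker below shows the invariant the NetBSD advisory describes: the parse pointer and the remaining length are advanced together and the remaining length is checked before every read, so a label length, RDLENGTH, or record count that claims more bytes than the message actually contains is rejected instead of being read past the end of the buffer. The two response messages are constructed for the example; the names `dns_response_check`, `skip_rr` and `skip_name` are this example's own.

```c
/* Bounds-checked walk over a DNS response (RFC 1035 section 4.1).
 * Added example; not the resolver code of any vendor named in the note. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cursor over the message: pointer and remaining length always move together. */
struct cur { const uint8_t *p; size_t left; };

static int take_u16(struct cur *c, uint16_t *out) {
    if (c->left < 2) return -1;                 /* check before reading */
    *out = (uint16_t)((c->p[0] << 8) | c->p[1]);
    c->p += 2; c->left -= 2;                    /* advance both together */
    return 0;
}

/* Skip a wire-format name: labels ending in a zero length or a 2-byte
 * compression pointer. Only bytes inside the current record are consumed;
 * the pointer target is not followed here. */
static int skip_name(struct cur *c) {
    for (;;) {
        if (c->left < 1) return -1;
        uint8_t len = c->p[0];
        if ((len & 0xC0) == 0xC0) {             /* compression pointer */
            if (c->left < 2) return -1;
            c->p += 2; c->left -= 2;
            return 0;
        }
        if (len & 0xC0) return -1;              /* 0x40 / 0x80 are reserved */
        if (c->left < (size_t)len + 1) return -1; /* label must fit in what is left */
        c->p += len + 1; c->left -= len + 1;
        if (len == 0) return 0;
    }
}

/* One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA. */
static int skip_rr(struct cur *c) {
    uint16_t type, cls, rdlen;
    if (skip_name(c) < 0) return -1;
    if (take_u16(c, &type) < 0 || take_u16(c, &cls) < 0) return -1;
    if (c->left < 4) return -1;                 /* TTL */
    c->p += 4; c->left -= 4;
    if (take_u16(c, &rdlen) < 0) return -1;
    if (c->left < rdlen) return -1;             /* RDLENGTH must not exceed remaining bytes */
    c->p += rdlen; c->left -= rdlen;
    return 0;
}

/* Returns the number of records walked, or -1 if any field claims more
 * bytes than the message contains. */
int dns_response_check(const uint8_t *msg, size_t len) {
    struct cur c = { msg, len };
    uint16_t id, flags, qd, an, ns, ar;
    if (take_u16(&c, &id) || take_u16(&c, &flags) || take_u16(&c, &qd) ||
        take_u16(&c, &an) || take_u16(&c, &ns) || take_u16(&c, &ar)) return -1;
    for (unsigned i = 0; i < qd; i++) {         /* question: QNAME, QTYPE, QCLASS */
        uint16_t t, k;
        if (skip_name(&c) || take_u16(&c, &t) || take_u16(&c, &k)) return -1;
    }
    unsigned total = (unsigned)an + ns + ar;
    for (unsigned i = 0; i < total; i++)
        if (skip_rr(&c) < 0) return -1;
    return (int)total;
}

/* Constructed well-formed response: A record for www.example.com -> 192.0.2.1 */
static const uint8_t GOOD[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,   /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,      /* QNAME */
    0x00,0x01, 0x00,0x01,                                               /* A, IN */
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10,               /* name ptr, A, IN, TTL */
    0x00,0x04, 192,0,2,1 };                                             /* RDLENGTH 4, RDATA */
/* Constructed bad response: identical except RDLENGTH claims 16 bytes while 4 remain. */
static const uint8_t BAD[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10,
    0x00,0x10, 192,0,2,1 };

int example_good(void)      { return dns_response_check(GOOD, sizeof GOOD); }      /* 1 */
int example_bad(void)       { return dns_response_check(BAD, sizeof BAD); }        /* -1 */
int example_truncated(void) { return dns_response_check(GOOD, sizeof GOOD - 1); }  /* -1 */

int main(void) {
    printf("good=%d bad=%d truncated=%d\n", example_good(), example_bad(), example_truncated());
    return 0;
}
```

The overclaiming RDLENGTH and the truncated message are rejected at the same check (`c->left < rdlen`); a resolver that only tracked the pointer, or that decremented the remaining length in some branches but not others, would read the 12 missing bytes from whatever follows the buffer, which is the class of defect the advisories quoted above describe.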

II. Impact

An attacker who is able to control DNS responses could execute arbitrary code or cause a denial of service on vulnerable systems. The attacker would need to be able to spoof DNS responses or control a DNS server that provides responses to a vulnerable system. Any code executed by the attacker would run with the privileges of the process that called the vulnerable resolver function, potentially root.

III. Solution

Apply a Patch

Apply a patch from your vendor. In the case of statically linked binaries, it is necessary to recompile using the patched version of the DNS stub resolver libraries.

Upgrade

Upgrade your system as specified by your vendor.

Use of a local caching DNS server is not an effective workaround

When this document was initially published, it was thought that a caching DNS server that reconstructs DNS responses would prevent malicious code from reaching systems with vulnerable resolver libraries. This workaround does not prevent some DNS responses that contain malicious code from reaching clients, whether or not the responses are reconstructed by a local caching DNS server. Since the server may cache the responses, the malicious code could persist until the server's cache is purged or the entries expire.

Disable Reverse DNS Lookups

Disable the reverse DNS lookup functions in applications that perform DNS name lookups from IP addresses. For example, some HTTP and FTP servers perform reverse DNS lookups to convert IP addresses to hostnames in logs. Disabling reverse DNS lookups will only protect against specific exploit attempts that rely on the reverse lookup as an attack vector.

Systems Affected

Vendor                          Status           Date Updated
------------------------------  ---------------  ------------
3Com                            Unknown          30-Jun-2002
Alcatel                         Unknown          30-Jun-2002
Apple Computer Inc.             Not Vulnerable   1-Jul-2002
AT&T                            Unknown          30-Jun-2002
BIND/NT                         Unknown          3-Jul-2002
BlueCat Networks                Unknown          3-Jul-2002
Check Point                     Unknown          15-Apr-2003
Cisco Systems Inc.              Unknown          6-Jul-2002
Compaq Computer Corporation     Vulnerable       1-Apr-2003
Computer Associates             Unknown          30-Jun-2002
Conectiva                       Vulnerable       14-Aug-2002
Cray Inc.                       Vulnerable       28-Jun-2002
Data General                    Unknown          28-Jun-2002
Debian                          Vulnerable       14-Aug-2002
djbdns                          Not Vulnerable   16-Apr-2003
F5 Networks                     Unknown          30-Jun-2002
FreeBSD                         Vulnerable       27-Jun-2002
Fujitsu                         Unknown          27-Jun-2002
GNU adns                        Not Vulnerable   28-Jun-2002
GNU glibc                       Vulnerable       18-Jul-2002
Guardian Digital Inc.           Vulnerable       25-Jul-2002
Hewlett-Packard Company         Vulnerable       15-Apr-2003
IBM                             Vulnerable       15-Apr-2003
InfoBlox                        Unknown          3-Jul-2002
Intel                           Unknown          30-Jun-2002
ISC                             Vulnerable       7-Mar-2003
Juniper Networks                Vulnerable       29-Jun-2002
Lotus Software                  Unknown          30-Jun-2002
Lucent Technologies             Unknown          2-Jul-2002
MandrakeSoft                    Vulnerable       14-Aug-2002
Men&Mice                        Unknown          3-Jul-2002
MetaInfo                        Vulnerable       15-Apr-2003
MetaSolv Software Inc.          Vulnerable       26-Jul-2002
Microsoft Corporation           Not Vulnerable   28-Jun-2002
NEC Corporation                 Unknown          30-Jun-2002
NetBSD                          Vulnerable       27-Jun-2002
Network Appliance               Vulnerable       28-Jun-2002
Nixu                            Unknown          3-Jul-2002
Nortel Networks                 Vulnerable       25-Jul-2002
Novell                          Unknown          26-Jul-2002
OpenBSD                         Vulnerable       28-Jun-2002
OpenPKG                         Vulnerable       25-Jul-2002
Openwall GNU/*/Linux            Vulnerable       1-Jul-2002
Oracle Corporation              Unknown          30-Jun-2002
Process Software                Unknown          30-Jun-2002
Red Hat Inc.                    Vulnerable       9-Aug-2002
Secure Computing Corporation    Vulnerable       18-Jul-2002
Sendmail                        Vulnerable       1-Jul-2002
Sequent                         Unknown          30-Jun-2002
SGI                             Not Vulnerable   25-Jul-2002
ShadowSupport                   Unknown          3-Jul-2002
Slackware                       Vulnerable       13-Aug-2002
Sony Corporation                Unknown          30-Jun-2002
Sorceror Linux                  Vulnerable       15-Apr-2003
Sun Microsystems Inc.           Vulnerable       28-Aug-2002
SuSE Inc.                       Vulnerable       25-Jul-2002
The SCO Group                   Vulnerable       13-Sep-2002
Threshold Networks              Unknown          3-Jul-2002
Trustix                         Vulnerable       14-Aug-2002
Unisphere Networks              Unknown          30-Jun-2002
Unisys                          Unknown          30-Jun-2002
Wind River Systems Inc.         Unknown          26-Jun-2002
Xerox Corporation               Vulnerable       15-Apr-2003

References

VU#542971
http://www.pine.nl/advisories/pine-cert-20020601.asc
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc
ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
http://www.securityfocus.com/bid/5100
http://www.ietf.org/rfc/rfc1034.txt
http://www.ietf.org/rfc/rfc1035.txt
http://www.ietf.org/rfc/rfc2136.txt

Credit

The CERT/CC thanks PINE-CERT for reporting this vulnerability and The FreeBSD Project, the NetBSD Project, and David Conrad of Nominum for information used in this document.

This document was written by Art Manion.

Other Information

Date Public: 06/26/2002
Date First Published: 06/27/2002 10:17:17 AM
Date Last Updated: 04/16/2003
CERT Advisory: CA-2002-19
CVE Name: CAN-2002-0651
US-CERT Technical Alerts:
Metric: 29.72
Document Revision: 58

Copyright 2002 Carnegie Mellon University