Vulnerability Note VU#844360

Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups

Overview

The DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10 contains buffer overflows in code that handles responses for network name and address requests. Other resolver libraries derived from BIND 4 such as BSD libc, GNU glibc, and those used by System V UNIX systems may also be affected. An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service.

I. Description

A DNS stub resolver library provides an interface for network applications to make requests and receive responses from the domain name system. The BIND 4 resolver library (libresolv.a) contains several buffer overflows in the functions that handle responses for network name and address requests (getnetbyname(), getnetbyaddr()). While reading the answer portion of a DNS response, the functions copy data received from the network into inadequately sized buffers. A specially crafted DNS response could overflow the buffers, possibly injecting arbitrary code onto the stack.
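The unchecked copy described above is avoided by validating every length taken from the response before writing to the destination. The following is an added example, not code from BIND or from this note: `expand_name_checked`, `SAMPLE` and `OUT` are hypothetical names, and the response bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Expand the DNS name at msg[off] into out as dotted, NUL-terminated text.
 * Returns its length or -1. Hypothetical helper; not a function from BIND. */
int expand_name_checked(const uint8_t *msg, size_t msglen, size_t off,
                        char *out, size_t outlen)
{
    size_t used = 0;
    int jumps = 0;
    if (outlen == 0)
        return -1;
    for (;;) {
        if (off >= msglen)
            return -1;                  /* read would pass end of response */
        uint8_t len = msg[off++];
        if (len == 0)
            break;                      /* root label ends the name */
        if ((len & 0xC0) == 0xC0) {     /* compression pointer */
            if (off >= msglen || ++jumps > 16)
                return -1;              /* truncated pointer or pointer loop */
            off = ((size_t)(len & 0x3F) << 8) | msg[off];
            continue;
        }
        if ((len & 0xC0) || len > msglen - off)
            return -1;                  /* reserved type or label past end */
        if (used + (used ? 1 : 0) + len + 1 > outlen)
            return -1;                  /* dot + label + NUL would overflow out */
        if (used)
            out[used++] = '.';
        memcpy(out + used, msg + off, len);
        used += len;
        off += len;
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed sample: "net.example" at offset 0, pointers at 13 and 15. */
static const uint8_t SAMPLE[] = { 3,'n','e','t', 7,'e','x','a','m','p','l','e', 0,
                                  0xC0, 0x00,    /* 13: pointer to offset 0 */
                                  0xC0, 0x0F };  /* 15: pointer to itself   */
static char OUT[64];
int main(void)
{
    printf("fits: %d\n", expand_name_checked(SAMPLE, sizeof SAMPLE, 13, OUT, sizeof OUT));
    printf("too small: %d\n", expand_name_checked(SAMPLE, sizeof SAMPLE, 13, OUT, 8));
    return 0;
}
```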

ISC BIND 4.9.2 through 4.9.10 are vulnerable. DNS stub resolver libraries that are derived from BIND 4 may be vulnerable, including BSD libc, GNU glibc, and resolvers used by System V UNIX systems. In addition, some network applications provide their own resolver functions, which may use vulnerable code from BIND 4.

The buffer overflows described in this document are different from the network lookup vulnerability described in CA-2002-19/VU#542971/CAN-2002-0684.

When performing a DNS lookup, applications issue calls to resolver functions, at which point most applications dynamically load the relevant portion of the resolver library. Other applications are statically linked at compile time to include resolver functions. In order to use updated resolver code, dynamically linked processes must be restarted, and statically linked binaries must be recompiled.

II. Impact

An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service. The attacker would need to control DNS responses, possibly by spoofing responses or gaining control of a DNS server.

III. Solution

Patch or Upgrade

Upgrade or apply a patch as specified by your vendor. Dynamically linked processes must be restarted and statically linked binaries must be recompiled in order to use the fixed resolver libraries.

Local Caching DNS Server Not Effective

A local caching DNS server will not prevent malicious responses from reaching vulnerable stub resolvers.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Alcatel | Unknown | 25-Feb-2003
Apple Computer Inc. | Vulnerable | 25-Feb-2003
AT&T | Unknown | 4-Apr-2003
Avaya | Unknown | 27-Feb-2003
BlueCat Networks | Unknown | 12-Nov-2002
Check Point | Unknown | 27-Feb-2003
Cisco Systems Inc. | Unknown | 15-Nov-2002
Computer Associates | Unknown | 15-Nov-2002
Conectiva | Unknown | 12-Nov-2002
Cray Inc. | Unknown | 14-Nov-2002
D-Link Systems | Unknown | 27-Feb-2003
Data General | Unknown | 15-Nov-2002
Debian | Unknown | 26-Feb-2003
djbdns | Unknown | 27-Feb-2003
F5 Networks | Unknown | 27-Feb-2003
fetchmail | Unknown | 14-Nov-2002
FreeBSD | Not Vulnerable | 14-Nov-2002
FreeRADIUS | Unknown | 27-Feb-2003
Fujitsu | Unknown | 27-Feb-2003
Funk Software | Unknown | 27-Feb-2003
GNU adns | Unknown | 12-Nov-2002
GNU glibc | Vulnerable | 16-Jan-2003
Guardian Digital Inc. | Unknown | 4-Apr-2003
Hewlett-Packard Company | Vulnerable | 15-Apr-2003
IBM | Vulnerable | 27-Feb-2003
Intel | Unknown | 27-Feb-2003
ISC | Vulnerable | 13-Nov-2002
Juniper Networks | Unknown | 27-Feb-2003
KTH Kerberos | Unknown | 14-Nov-2002
Lotus Software | Unknown | 27-Feb-2003
Lucent Technologies | Unknown | 27-Feb-2003
MandrakeSoft | Unknown | 12-Nov-2002
Men&Mice | Unknown | 12-Nov-2002
MetaSolv Software Inc. | Vulnerable | 15-Nov-2002
Microsoft Corporation | Unknown | 12-Nov-2002
MiT Kerberos Development Team | Unknown | 12-Nov-2002
MontaVista Software | Unknown | 12-Nov-2002
NcFTP Software | Not Vulnerable | 5-Dec-2002
NEC Corporation | Unknown | 4-Apr-2003
NetBSD | Vulnerable | 25-Feb-2003
Network Appliance | Unknown | 4-Apr-2003
Nixu | Unknown | 12-Nov-2002
Nokia | Unknown | 13-Nov-2002
Nominum | Unknown | 27-Feb-2003
Nortel Networks | Unknown | 15-Nov-2002
OpenBSD | Not Vulnerable | 14-Nov-2002
OpenSSH | Unknown | 27-Feb-2003
Openwall GNU/*/Linux | Vulnerable | 14-Nov-2002
PADL Software | Not Vulnerable | 14-Nov-2002
PuTTY | Unknown | 27-Feb-2003
Red Hat Inc. | Unknown | 12-Nov-2002
Sequent | Unknown | 27-Feb-2003
SGI | Vulnerable | 5-Dec-2002
Sony Corporation | Unknown | 15-Nov-2002
Sun Microsystems Inc. | Vulnerable | 15-Nov-2002
SuSE Inc. | Unknown | 12-Nov-2002
The Open Group | Unknown | 27-Feb-2003
The SCO Group | Vulnerable | 27-Feb-2003
Trend Micro | Unknown | 27-Feb-2003
Trustix | Unknown | 27-Feb-2003
Unisys | Unknown | 4-Apr-2003
Wind River Systems Inc. | Unknown | 12-Nov-2002
Wirex | Unknown | 13-Nov-2002
Xerox Corporation | Vulnerable | 24-Apr-2003
Xi Graphics | Unknown | 27-Feb-2003
YARD RADIUS | Unknown | 27-Feb-2003

References


http://www.isc.org/products/BIND/bind-security.html
http://www.isc.org/products/BIND/patches/bind4910.diff

Credit

This vulnerability was reported by CERT/CC staff.

This document was written by Art Manion.

Other Information

Date Public: 2002-11-12
Date First Published: 2002-11-13
Date Last Updated: 2003-04-24
CERT Advisory: CA-2002-31
CVE-ID(s): CAN-2002-0029
NVD-ID(s): CAN-2002-0029
US-CERT Technical Alerts:
Metric: 8.91
Document Revision: 22

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University