Vulnerability Note VU#852283

Cached malformed SIG record buffer overflow

Original Release date: 13 Nov 2002 | Last revised: 18 Oct 2004

Overview

A vulnerability in BIND allows remote attackers to execute code with the privileges of the process running named. This vulnerability is resolved in BIND versions 4.9.11, 8.2.7, 8.3.4, and BIND 9.

Description

A remotely exploitable buffer overflow exists in named. An attacker using malformed SIG records can exploit this vulnerability against a nameserver with recursion enabled. The overflow occurs when the nameserver constructs responses to recursive requests using the malformed SIG records, leading to arbitrary code execution as the named uid, typically root. As was the case with a previous issue affecting named and NXT records (CA-1999-14, VU#16532), a malicious server must reply to a forwarded request from a recursive nameserver in order to exploit the vulnerability. However, as with the NXT record issue, the attacker does not need a full-service nameserver, only a service that replies to a legitimate request from the victim nameserver.

The following versions of BIND are affected:

    - BIND versions 4.9.5 to 4.9.10
    - BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3

Impact

A remote attacker could execute arbitrary code on the nameserver with the privileges of the named uid, typically root.

Solution

Upgrade to BIND 4.9.11, BIND 8.2.7, BIND 8.3.4, or BIND 9.

One interim workaround is to disable recursion on vulnerable servers.
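The two remediation steps above (upgrade to a fixed release, or disable recursion until you can) are easy to check mechanically. The following POSIX shell script is an added example and is not part of the CERT note or of ISC's own tooling: it classifies a BIND version string against the affected and fixed ranges stated in this note (4.9.5 to 4.9.10, 8.1, 8.2 to 8.2.6, 8.3.0 to 8.3.3 affected; 4.9.11, 8.2.7, 8.3.4 and BIND 9 fixed), and it inspects named.conf text for the interim workaround, an explicit `recursion no;`. The two named.conf fragments are constructed sample input, and the function names are the example's own.

```shell
#!/bin/sh
# Added example for VU#852283: version triage and workaround check.
# Not part of the advisory or of BIND itself.

# Print "affected", "fixed" or "not-listed" for a BIND version string,
# using only the ranges the advisory states. Returns 0 when affected.
bind_sig_status() {
    v=$1
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    # Drop suffixes such as "-P5" or "rc1" from the patch component.
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*//')
    : "${minor:=0}" "${patch:=0}"

    case "$major" in
        9) status=fixed ;;                       # BIND 9 is not affected
        4)
            if [ "$minor" -eq 9 ]; then
                if [ "$patch" -ge 5 ] && [ "$patch" -le 10 ]; then
                    status=affected              # 4.9.5 .. 4.9.10
                elif [ "$patch" -ge 11 ]; then
                    status=fixed                 # 4.9.11 and later
                else
                    status=not-listed            # earlier 4.9.x not named by the advisory
                fi
            else
                status=not-listed
            fi ;;
        8)
            case "$minor" in
                1) status=affected ;;            # 8.1
                2) if [ "$patch" -le 6 ]; then status=affected; else status=fixed; fi ;;
                3) if [ "$patch" -le 3 ]; then status=affected; else status=fixed; fi ;;
                *) status=not-listed ;;
            esac ;;
        *) status=not-listed ;;
    esac
    printf '%s\n' "$status"
    [ "$status" = affected ] && return 0
    return 1
}

# Read named.conf text on stdin; succeed when an explicit "recursion no;" is
# present outside comments. Caveat: a "recursion yes;" inside a view block
# overrides the global option, so inspect views separately on real configs.
named_conf_recursion_disabled() {
    sed -e 's#//.*##' -e 's/#.*//' |
        grep -Eq '(^|[[:space:]{;])recursion[[:space:]]+no[[:space:]]*;'
}

# Constructed sample configurations (not from any real host).
VULNERABLE_CONF='options {
    directory "/var/named";
    recursion yes;
};'

HARDENED_CONF='options {
    directory "/var/named";
    recursion no;   // interim workaround from the advisory
};'

# Demonstration: triage a few version strings and both sample configs.
for ver in 4.9.10 4.9.11 8.1 8.2.6 8.2.7 8.3.3 8.3.4 9.2.1; do
    printf 'BIND %-7s %s\n' "$ver" "$(bind_sig_status "$ver")"
done
printf '%s\n' "$VULNERABLE_CONF" | named_conf_recursion_disabled \
    && echo "sample 1: recursion disabled" || echo "sample 1: recursion still enabled"
printf '%s\n' "$HARDENED_CONF" | named_conf_recursion_disabled \
    && echo "sample 2: recursion disabled" || echo "sample 2: recursion still enabled"
```

On a live system the version string can be taken from `named -v`, and the configuration check should be run against every file pulled in by `include` statements, not just the top-level named.conf.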

Systems Affected

Vendor                   Status         Date Notified   Date Updated
Apple Computer Inc.      Affected       12 Nov 2002     03 Dec 2002
Conectiva                Affected       12 Nov 2002     14 Nov 2002
Debian                   Affected       12 Nov 2002     14 Nov 2002
Engarde                  Affected       12 Nov 2002     14 Nov 2002
FreeBSD                  Affected       12 Nov 2002     14 Nov 2002
IBM                      Affected       12 Nov 2002     18 Nov 2002
ISC                      Affected       12 Nov 2002     12 Nov 2002
MandrakeSoft             Affected       12 Nov 2002     14 Nov 2002
Nortel Networks          Affected       12 Nov 2002     03 Dec 2002
Openwall GNU/*/Linux     Affected       12 Nov 2002     03 Dec 2002
Red Hat Inc.             Affected       12 Nov 2002     13 Nov 2002
SuSE Inc.                Affected       12 Nov 2002     14 Nov 2002
Cray Inc.                Not Affected   12 Nov 2002     14 Nov 2002
InfoBlox                 Not Affected   12 Nov 2002     18 Oct 2004
Microsoft Corporation    Not Affected   12 Nov 2002     14 Nov 2002

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

References

Credit

Thanks to ISS for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

  • CVE IDs: CAN-2002-1219
  • CERT Advisory: CA-2002-31
  • Date Public: 11 Nov 2002
  • Date First Published: 13 Nov 2002
  • Date Last Updated: 18 Oct 2004
  • Severity Metric: 30.37
  • Document Revision: 18
