Vulnerability Note VU#852283
Cached malformed SIG record buffer overflow
A vulnerability in BIND allows remote attackers to execute code with the privileges of the process running named. This vulnerability is resolved in BIND versions 4.9.11, 8.2.7, 8.3.4, and BIND 9.
A remotely exploitable buffer overflow exists in named. An attacker using malformed SIG records can exploit this vulnerability against a nameserver with recursion enabled. The overflow occurs when the nameserver constructs responses to recursive requests using the malformed SIG records, leading to arbitrary code execution as the named uid, typically root. As was the case with a previous issue affecting named and NXT records (CA-1999-14, VU#16532), a malicious server must reply to a forwarded request from a recursive nameserver in order to exploit the vulnerability. However, as with the NXT record exploit, a full-service nameserver is not required, only a service replying to a legitimate victim nameserver request.
The following versions of BIND are affected:
- BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3
A remote attacker could execute arbitrary code on the nameserver with the privileges of the named uid, typically root.
Upgrade to BIND 4.9.11, BIND 8.2.7, BIND 8.3.4, or BIND 9.
One interim workaround is to disable recursion on vulnerable servers.
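The affected ranges, fixed releases and recursion workaround above can be turned into an inventory triage check. This is an added example, not code from CERT/CC or ISC; the function names and the sample named.conf text are constructed for illustration, and it assumes that "8.1" covers every 8.1.x release.

```python
import re

# Affected ranges exactly as listed in this note (inclusive bounds).
# Assumption: "8.1" covers every 8.1.x release.
AFFECTED = [((8, 1, 0), (8, 1, 99)), ((8, 2, 0), (8, 2, 6)), ((8, 3, 0), (8, 3, 3))]
# Fixed releases named in the note; BIND 9 is matched by major number.
FIXED = [(4, 9, 11), (8, 2, 7), (8, 3, 4)]

# Constructed sample named.conf with the interim workaround applied.
SAMPLE_CONF = """
options {
    directory "/var/named";
    // recursion yes;
    recursion no;   # interim workaround
};
"""

def parse_version(s):
    """Extract (major, minor, patch) from strings such as '8.2.3-REL'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"no version number in {s!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_status(s):
    """Classify a version as 'affected', 'resolved' or 'unlisted'."""
    v = parse_version(s)
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "affected"
    if v[0] >= 9 or any(v[:2] == f[:2] and v >= f for f in FIXED):
        return "resolved"
    return "unlisted"  # the note gives no verdict for this release

def recursion_enabled(conf):
    """True unless the config turns recursion off (it is on by default)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # /* block */ comments
    conf = re.sub(r"(//|#).*", "", conf)               # // and # comments
    m = re.search(r"\brecursion\s+(\w+)\s*;", conf)
    return not (m and m.group(1).lower() in {"no", "false", "0"})

def triage(version, conf):
    # Only affected versions need the recursion check.
    status = version_status(version)
    if status != "affected":
        return status
    if recursion_enabled(conf):
        return "affected, recursion on"
    return "affected, workaround applied"
```

A result of "unlisted" means the note names neither an affected range nor a fix that covers the release, so it needs a vendor check and should not be read as safe.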
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | 12 Nov 2002 | 03 Dec 2002 |
| Conectiva | Affected | 12 Nov 2002 | 14 Nov 2002 |
| Debian | Affected | 12 Nov 2002 | 14 Nov 2002 |
| Engarde | Affected | 12 Nov 2002 | 14 Nov 2002 |
| FreeBSD | Affected | 12 Nov 2002 | 14 Nov 2002 |
| IBM | Affected | 12 Nov 2002 | 18 Nov 2002 |
| ISC | Affected | 12 Nov 2002 | 12 Nov 2002 |
| MandrakeSoft | Affected | 12 Nov 2002 | 14 Nov 2002 |
| Nortel Networks | Affected | 12 Nov 2002 | 03 Dec 2002 |
| Openwall GNU/*/Linux | Affected | 12 Nov 2002 | 03 Dec 2002 |
| Red Hat Inc. | Affected | 12 Nov 2002 | 13 Nov 2002 |
| SuSE Inc. | Affected | 12 Nov 2002 | 14 Nov 2002 |
| Cray Inc. | Not Affected | 12 Nov 2002 | 14 Nov 2002 |
| InfoBlox | Not Affected | 12 Nov 2002 | 18 Oct 2004 |
| Microsoft Corporation | Not Affected | 12 Nov 2002 | 14 Nov 2002 |
Thanks to ISS for reporting this vulnerability.
This document was written by Jason A Rafail.
- CVE IDs: CAN-2002-1219
- CERT Advisory: CA-2002-31
- Date Public: 11 Nov 2002
- Date First Published: 13 Nov 2002
- Date Last Updated: 18 Oct 2004
- Severity Metric: 30.37
- Document Revision: 18