Vulnerability Note VU#868916

ISC BIND 4 contains input validation error in nslookupComplain()

Overview

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a format string vulnerability in BIND 4.9.4 that may allow remote intruders to gain access to systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet.

This vulnerability has been successfully exploited in a laboratory environment and presents a serious threat to the Internet infrastructure.

I. Description

There is a format string vulnerability in the nslookupComplain() routine of several versions of ISC BIND. This vulnerability is reported to exist in all versions prior to BIND 4.9.5-P1.

The vulnerable buffer is a locally defined character array used to build an error message intended for syslog. Attackers attempting to exploit this vulnerability could do so by sending a specially formatted DNS query to affected BIND servers. If properly constructed, this query could be used to disrupt the normal operation of the DNS server process, resulting in the execution of arbitrary code. If an attacker were able to execute code or commands, they would do so with the same privileges as the BIND process, which are typically superuser privileges.
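The bug class described above, as an added C illustration (not BIND's own source): a complaint message is assembled from a name taken off the wire and then logged. The helper names, the 256-byte buffer size and the sample inputs are assumptions; the fix pattern (a constant format with the untrusted text passed as a `%s` argument) is the standard remedy for this class.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed illustration of the defect class behind VU#868916, not BIND's
 * code: a message built from an untrusted DNS name is handed to syslog(). If
 * the assembled buffer is itself used as the format argument, any '%'
 * sequences inside the name are interpreted as directives instead of being
 * logged as text. Buffer size and names below are assumptions. */

#define COMPLAINT_LEN 256   /* assumed size of the local message buffer */

/* Build the complaint text into a fixed-size local buffer. snprintf with an
 * explicit "%s" conversion keeps the untrusted name as data and bounds the
 * write. Returns the number of bytes written (excluding the NUL), or -1 if
 * the message did not fit, so callers cannot silently log a truncated line. */
int build_complaint(const char *qname, const char *reason,
                    char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s on name '%s'", reason, qname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Wrong: the data buffer becomes the format string, which is the shape of
 * the defect fixed in BIND 4.9.5-P1. Kept only as the "before" picture;
 * nothing here calls it. Compilers flag this under -Wformat-security. */
void log_complaint_unsafe(const char *msg)
{
    syslog(LOG_INFO, msg);      /* format controlled by the query contents */
}

/* Right: a constant format string, the untrusted text passed as an argument. */
void log_complaint(const char *msg)
{
    syslog(LOG_INFO, "%s", msg);
}

/* Returns 1 if the text contains a '%' that could act as a directive (a lone
 * "%%" is a literal percent). Useful as a review or log-audit check for
 * names that would have been dangerous under the unsafe pattern. */
int has_format_directive(const char *s)
{
    const char *p = strchr(s, '%');
    while (p != NULL) {
        if (p[1] == '\0' || p[1] != '%')
            return 1;
        p = strchr(p + 2, '%');   /* skip the escaped "%%" pair */
    }
    return 0;
}
```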

It is important to note that other vendors of DNS software may be vulnerable to this problem as well. Please contact your vendor or check the vendor section of this document for further details.

II. Impact

This vulnerability may allow an attacker to execute privileged commands or code with the same permissions as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.

III. Solution

This vulnerability was patched by the ISC in an earlier version of BIND 4, most likely BIND 4.9.5-P1. However, there is strong evidence to suggest that some third party vendors who redistribute BIND have not included these changes in their BIND packages. Therefore, the CERT/CC recommends that all users of BIND 4 or its derivatives base their distributions on BIND 4.9.8.


The BIND 4.9.8 distribution can be downloaded from:


The BIND 9.1 distribution can be downloaded from:

Please note that upgrading to BIND 4.9.8 also addresses the vulnerabilities discussed in VU#325431 and VU#572183.

Systems Affected

Vendor                          Status           Date Notified   Date Updated
Apple Computer Inc.             Not Vulnerable                   5-Apr-2001
BSDI                            Unknown                          26-Jan-2001
Compaq Computer Corporation     Vulnerable                       4-Apr-2001
Data General                    Unknown                          26-Jan-2001
Debian                          Unknown                          5-Apr-2001
FreeBSD                         Not Vulnerable                   5-Apr-2001
Fujitsu                         Unknown                          26-Jan-2001
Hewlett-Packard Company         Not Vulnerable                   5-Apr-2001
IBM                             Vulnerable                       5-Apr-2001
Immunix                         Unknown                          5-Apr-2001
ISC                             Vulnerable                       4-Apr-2001
MandrakeSoft                    Not Vulnerable                   4-Apr-2001
Microsoft Corporation           Not Vulnerable                   30-Jan-2001
NEC Corporation                 Unknown                          27-Jan-2001
NetBSD                          Vulnerable                       5-Apr-2001
NeXT                            Unknown                          27-Jan-2001
OpenBSD                         Not Vulnerable                   30-Jan-2001
Red Hat Inc.                    Unknown                          4-Apr-2001
Sequent                         Unknown                          27-Jan-2001
SGI                             Unknown                          27-Apr-2001
Siemens Nixdorf                 Unknown                          27-Jan-2001
Slackware                       Unknown                          5-Apr-2001
Sony Corporation                Unknown                          27-Jan-2001
Sun Microsystems Inc.           Vulnerable                       7-Aug-2001
SuSE Inc.                       Vulnerable                       5-Apr-2001
The SCO Group (SCO Linux)       Vulnerable                       29-Jan-2001
The SCO Group (SCO UnixWare)    Vulnerable                       1-May-2002
Unisys                          Unknown                          27-Jan-2001

References

VU#196945, VU#325431, VU#572183
http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html
http://www.isi.edu/~bmanning/in-addr-audit.html
http://www.securityfocus.com/news/144

Credit

The CERT/CC thanks the COVERT Labs at PGP Security for discovering and analyzing this vulnerability and the Internet Software Consortium for providing a patch to fix it.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public: 2001-01-29
Date First Published: 2001-01-29
Date Last Updated: 2002-12-06
CERT Advisory: CA-2001-02
CVE-ID(s): CAN-2001-0013
NVD-ID(s): CAN-2001-0013
US-CERT Technical Alerts: 
Metric: 33.92
Document Revision: 25

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2001 Carnegie Mellon University