Internet Software Consortium Information for VU#734644

ISC BIND 8 vulnerable to cache poisoning via negative responses



Vendor Statement

  Internet Software Consortium Security Advisory.
         Negative Cache Poison Attack

           4 September 2003

    Versions affected:
   BIND 8 prior to 8.3.7
   BIND 8.4.3 Release (8.4.3-REL)

BIND 8.4.3 is a maintenance release of BIND 8.4.  It includes the BIND 8.4.2
release which includes a security fix (also released as BIND 8.3.7).

Maintenance Release.

Highlights (8.4.2)
Security Fix: Negative Cache Poison Fix.

the distribution files are:

the pgp signature files are:

the md5 checksums are:

MD5 (bind-contrib.tar.gz) = 454f8e3caf1610941a656fcc17e1ecec
MD5 (bind-contrib.tar.gz.asc) = f8f0a5b8985a8180e5bd02207f319980
MD5 (bind-doc.tar.gz) = fcfdaaa2fc7d6485b0e3d08299948bd3
MD5 (bind-doc.tar.gz.asc) = fc0671468c2e3a1e5ff817b69da21a6b
MD5 (bind-src.tar.gz) = e78610fc1663cfe8c2db6a2d132d902b
MD5 (bind-src.tar.gz.asc) = 40453b40819fd940ad4bfabd26425619

Windows NT / Windows 2000 binary distribution.

the md5 checksums are:

MD5 (readme1st.txt) = ac4ce260f151dc1ab393c145f4288bba
MD5 ( = 7c3e333f90edbe3820952a62ff6ffdf3
MD5 ( = f2190cc390ce584c0cc624835bdcc8eb

MD5 (readme1sttools.txt) = eef4c5782be1a1faac3ca0c756eaef05
MD5 ( = 8cb29c092394dfa430ef9ea47b6a02ea
MD5 ( = a77b2adb1f23db780f45efee32a92882

top of CHANGES says:

--- 8.4.3 released --- (Mon Nov 24 17:27:52 PST 2003)

1617. [cleanup] don't pre-fetch missing additional address records if
we have one of A/AAAA.

1616. [func] turn on "preferred-glue A;" (if not specified in
named.conf) if the answer space is a standard UDP
message size or smaller.

1615. [func] when query logging log whether TSIG (T) and/or EDNS (E)
was used to make the query.

1614. [cleanup] on dual (IPv4+IPv6) stack servers delay the lookup of
missing glue if we have glue for one family.

1613. [cleanup] notify: don't lookup A/AAAA records for nameservers
if we don't support the address at the transport level.

1612. [func] named now takes arguements -4 and -6 to limit the
IP transport used for making queries.

1611. [debug] better packet tracing in debug output (+ some lint).

1610. [bug] don't explictly declare errno use <errno.h>.

1609. [bug] drop_port() was being called with ports in network
order rather than host order.

1608. [port] sun: force alignment of answer in dig.c.

1607. [bug] do not attempt to prime cache when recursion and
fetch-glue are disabled.

1606. [bug] sysquery duplicate detection was broken when
using forwarders.

1605. [port] sun: force alignment of newmsg in ns_resp.c.

1604. [bug] heap_delete() sometimes violated the heap invariant,
causing timer events not to be posted when due.

1603. [port] ds_remove_gen() mishandled removal IPv6 interfaces.

1602. [port] linux: work around a non-standard __P macro.

1601. [bug] dig could report the wrong server address on transfers.

1600. [bug] debug_freestr() prototype mismatch.

1599. [bug] res_nsearch() save statp->res_h_errno instead of

1598. [bug] dprint_ip_match_list() fails to print the mask

1597. [bug] use the actual presentation length of the IP address
to determine if sprintf() is safe in write_tsig_info().

--- 8.4.2 released --- (Thu Sep  4 06:58:22 PDT 2003)

1596. [port] winnt: set USELOOPBACK in port_after.h

1595. [bug] dig: strcat used instead of strcpy.

1594. [bug] if only a single nameserver was listed in resolv.conf
IPv6 default server was also being used.

1593. [port] irix: update port/irix/irix_patch.

1592. [port] irix: provide a sysctl() based getifaddrs()

1591. [port] irix: sa_len is a macro.

1590. [port] irix: doesn't have msg_control (NO_MSG_CONTROL)

1589. [port] linux: uninitalised variable.

1588. [port] solaris: provide ALIGN.

1587. [port] NGR_R_END_RESULT was not correct for some ports.

1586. [port] winnt: revert to old socket behaviour for UDP
sockets (Windows 2000 SP2 and later).

1585. [port] solaris: named-xfer needs <fcntl.h>.

1584. [port] bsdos: explictly include <netinet6/in6.h> for
4.0 and 4.1.

1583. [bug] add -X to named-xfer usage message.

1582. [bug] ns_ownercontext() failed to set the correct owner
context for AAAA records. ns_ptrcontext() failed
to return the correct context for IP6.ARPA.

1581. [bug] apply anti-cache poison techniques to negative

1580. [bug] inet_net_pton() didn't fully handle implicit
multicast IPv4 network addresses.

1579. [bug] ifa_addr can be NULL.

1578. [bug] named-xfer: wrong arguement passed to getnameinfo().

1577.   [func]          return referrals for glue (NS/A/AAAA) if recursion
is not desired (hp->rd = 0).

1576. [bug] res_nsendsigned() incorrectly printed the truncated
UDP response when RES_IGNTC was not set.

1575. [bug] tcp_send() passed the wrong length to evConnect().

1574. [bug] res_nsendsigned() failed to handle truncation

1573. [bug] tsig_size was not being copied by ns_forw().

1572. [port] bsdos: missing #include <ifaddrs.h>.

1571. [bug] AA was sometimes incorrectly set.

1570. [port] decunix: change #1544 broke OSF1 3.2C.

1569. [bug] remove extraneous closes.

1568. [cleanup] reduce the memory footprint for large numbers of

1567. [port] winnt: install MSVC70.DLL and MFC70.DLL.

1566. [bug] named failed to locate keys declared in masters

1565. [bug] named-xfer was failing to use TSIG.

1564. [port] linux: allow static linkage to work.

1563. [bug] ndc getargs_closure failed to NUL terminate strings.

1562. [bug] handle non-responsive servers better.

1561. [bug] rtt estimates were not being updated for IPv6

1560. [port] linux: add runtime support to handle old kernels
that don't know about msg_control.

1559. [port] named, named-xfer: ensure that stdin, stdout and
stderr are open.

--- 8.4.1-P1 released --- (Sun Jun 15 17:35:10 PDT 2003)

1558. [port] sunos4 doesn't have msg_control (NO_MSG_CONTROL).

1557. [port] linux: socket returns EINVAL for unsupported family.

1556. [bug] reference through NULL pointer.

1555. [bug] sortlist wasn't being applied to AAAA queries.

1554. [bug] IPv4 access list elements of the form number/number
(e.g. 127/8)  were not correctly defined.

1553. [bug] getifaddrs*() failed to set ifa_dstaddr for point
to point links (overwrote ifa_addr).

1552. [bug] buffer overruns in getifaddrs*() if the server has
point to point links.

1551. [port] freebsd: USE_IFNAMELINKIDS should be conditionally

1550. [port] TruCluster support didn't build.

1549. [port] Solaris 9 has /dev/random.

--- 8.4.1-REL released --- (Sun Jun  8 15:11:32 PDT 2003)

1548. [port] winnt: make recv visible from libbind.

1547. [port] cope with spurious EINVAL from evRead.

1546. [cleanup] dig now reports version 8.4.

1545. [bug] getifaddrs_sun6 was broken.

1544. [port] hpux 10.20 has a broken recvfrom().  Revert to recv()
in named-xfer and work around deprecated recv() in

1543. [bug] named failed to send notifies to servers that live
in zones it was authoritative for.

1542. [bug] set IPV6_USE_MIN_MTU on IPv6 sockets if the kernel
supports it.

1541. [bug] getifaddrs_sun6() should be a no-op on early SunOS

--- 8.4.0-REL released --- (Sun Jun  1 17:49:31 PDT 2003)
BIND 8.3.7 Release

BIND 8.3.7 is a security release of BIND 8.3.  This is expected to
be the last release of BIND 8.3 except for security issues.

The recommended version to use is BIND 9.2.3.  If for whatever
reason you must run BIND 8, use nothing earlier than 8.3.7-REL,
8.4.2-REL.  Do not under any circumstances run BIND 4.

Highlights vs. 8.3.6
Security Fix: Negative Cache Poison Fix.

Highlights vs. 8.3.5
Maintenance release.

Highlights vs. 8.3.4
Maintenance release.

Highlights vs. 8.3.3
Security Fix DoS and buffer overrun.

Highlights vs. 8.3.2
Security Fix libbind. All applications linked against libbind
need to re-linked.
'rndc restart' now preserves named's arguments

Highlights vs. BIND 8.3.1:
dig, nslookup, host and nsupdate have improved IPv6 support.

Highlights vs. BIND 8.3.0:

Critical bug fix to prevent DNS storms. If you have BIND 8.3.0 you
need to upgrade.

the distribution files are:

the pgp signature files are:

the md5 checksums are:

MD5 (bind-contrib.tar.gz) = 89009ee8d937cd652a77742644772023
MD5 (bind-contrib.tar.gz.asc) = 3b91ed818771d21aa37c3ecc4685ba9d
MD5 (bind-doc.tar.gz) = b7ccbde30d8c43202eabf61a51366852
MD5 (bind-doc.tar.gz.asc) = 333f80ec3d12ef7fc27a19ba2f9a9be0
MD5 (bind-src.tar.gz) = 36cc1660eb7d73e872a1e5af6f832167
MD5 (bind-src.tar.gz.asc) = 50a45b11e12441142d6eac423c5d01c7

Windows NT / Windows 2000 binary distribution.

There will be no Windows binary release of BIND 8.3.7.
The current Windows binary release is BIND 8.4.3.

top of CHANGES says:

--- 8.3.7-REL released --- (Wed Sep  3 21:01:37 PDT 2003)

1581. [bug] apply anti-cache poison techniques to negative

--- 8.3.6-REL released --- (Sun Jun  8 15:11:32 PDT 2003)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.