search menu icon-carat-right cmu-wordmark

CERT Coordination Center


ISC BIND 4 contains buffer overflow in nslookupComplain()

Vulnerability Note VU#572183

Original Release Date: 2001-04-27 | Last Revised: 2002-05-01

Overview

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a buffer overflow vulnerability in BIND 4.9.x, which may allow remote intruders to gain access to systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet.

This vulnerability has been successfully exploited in a laboratory environment and presents a serious threat to the Internet infrastructure.

Description

A buffer overflow exists in the nslookupComplain() routine of several versions of ISC BIND. This vulnerability is reported to exist in all versions prior to BIND 4.9.8.

The vulnerable buffer is a locally defined character array used to build an error message intended for syslog. Attackers attempting to exploit this vulnerability could do so by sending a specially formatted DNS query to affected BIND servers. If properly constructed, this query could be used to disrupt the normal operation of the DNS server process, resulting in either denial of service or the execution of arbitrary code. If an attacker were able to execute code or commands, they would do so with the same privileges as the BIND process, which are typically superuser privileges.

It is important to note that other vendors of DNS software may be vulnerable to this problem as well. Please contact your vendor or check the vendor section of this document for further details.

Impact

This vulnerability can disrupt the proper operation of the BIND server and may allow an attacker to execute privileged commands or code with the same permissions as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.

Solution

The ISC has released BIND version 4.9.8 to address this security issue as well as others. The CERT/CC strongly recommends that all users of BIND 4.9.x upgrade to 4.9.8 immediately.

The BIND 4.9.8 distribution can be downloaded from:


The BIND 9.1 distribution can be downloaded from:

Please note that upgrading to BIND 4.9.8 also addresses the vulnerabilities discussed in VU#325431 and VU#868916.

Vendor Information

572183
Expand all

Caldera

Notified:  January 03, 2001 Updated:  January 29, 2001

Status

  Vulnerable

Vendor Statement

OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable.

Update packages will be provided at

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  January 03, 2001 Updated:  April 04, 2001

Status

  Vulnerable

Vendor Statement

------------------------------------------------------------------------------------

VU#572183 - BIND 4 Buffer overflow in nslookupComplain()
X-REF: SSRT1-69U
------------------------------------------------------------------------------------
Compaq Tru64 UNIX V5.1, V5.0, V5.0a - Not Vulnerable

Compaq Tru64 UNIX V4.0D/F/G -
V4.0d patch: SSRT1-69U_v4.0d.tar.Z
V4.0f patch: SSRT1-69U_v4.0f.tar.Z
V4.0g patch: SSRT1-69U_v4.0g.tar.Z

TCP/IP Services for Compaq OpenVMS - Not Vulnerable

------------------------------------------------------------------------------------
Compaq will provide notice of the completion/availability of the patches
through AES services (DIA, DSNlink FLASH), the Security mailing list (**),
and be available from your normal Compaq Support channel.

**You may subscribe to the Security mailing list at:

http://www.support.compaq.com/patches/mailing-list.shtml

Software Security Response Team
COMPAQ COMPUTER CORPORATION

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  January 03, 2001 Updated:  April 05, 2001

Status

  Vulnerable

Vendor Statement

Bind 4.9.7 is vulnerable to both VU#325431 (infoleak problem) and VU#572183 (nslookupComplain() buffer overflow).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP has released a Security Bulletin to address this issue; for further information, please visit http://itrc.hp.com and search for "HPSBUX0102-144". Please note that registration may be required to access this document.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  January 03, 2001 Updated:  April 05, 2001

Status

  Vulnerable

Vendor Statement

[A fix for this vulnerability] can be downloaded from ftp://ftp.software.ibm.com/aix/efixes/security. The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation instructions and other important information are given in the README file that is included in the tarball.

The official fix for the four BIND4 and BIND8 vulnerabilities will be in APAR #IY16182.

AIX Security Response Team
IBM Austin

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ISC

Notified:  January 03, 2001 Updated:  April 04, 2001

Status

  Vulnerable

Vendor Statement

Name:"complain bug"
Versions:4.9.3, 4.9.4, 4.9.5, 4.9.5-P1, 4.9.6, 4.9.7, possibly earlier
version of BIND 4.9.x and BIND 4.9.
Severity:SERIOUS
Exploitable:Remotely
Type:Stack corruption, possible remote access.

Description:

It is possible to overflow the buffer used by sprintf in
nslookupComplain().

Workarounds:

None.

Active Exploits:

Exploits for this bug exist.

Solution:

Upgrade to BIND 9, BIND 8 or BIND 4.9.8, in preferred
solution order. BIND 4.9.x should be considered to be dead
code. Only security fixes will be applied BIND 4.9.x.

Credits:

Discovery and initial documentation of this vulnerability
was conducted by Anthony Osborne and John McDonald of the
COVERT Labs at PGP Security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The ISC has posted this information on their web site at:


The source code for ISC BIND can be downloaded from:

NetBSD

Notified:  January 03, 2001 Updated:  April 05, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see NetBSD-SA2001-001, "Security vulnerabilities in BIND" at:

OpenBSD

Notified:  January 03, 2001 Updated:  April 04, 2001

Status

  Vulnerable

Vendor Statement

Please see OpenBSD 2.8 release errata "018: SECURITY FIX: Jan 29, 2001" at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Notified:  January 03, 2001 Updated:  May 01, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera UNIX has published Security Advisory CSSA-2002-SCO.16 to address this issue in their UnixWare product line. For more information, please see:

SGI

Notified:  January 25, 2001 Updated:  April 27, 2001

Status

  Vulnerable

Vendor Statement

SGI's IRIX (tm) operating system contains base BIND 4.9.7 with SGI modifications. IRIX BIND 4.9.7 is vulnerable to buffer overflow in nslookupComplain(). Patches are forth coming and will be released with an advisory to http://www.sgi.com/support/security/ when available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has released an advisory regarding this vulnerability. For further information, please visit

SuSE

Notified:  February 03, 2001 Updated:  April 05, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has made an announcement regarding this vulnerability; for further information, please see:

Sun

Notified:  January 03, 2001 Updated:  August 07, 2001

Status

  Vulnerable

Vendor Statement

CERT Advisory CA-2001-02 describes four vulnerabilities in certain

versions of BIND.  The four vulnerabilities are listed below along with
the affected versions of Solaris and the version of BIND shipped with each
version of Solaris.

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG)
            handling code

    Solaris 8 04/01* (BIND 8.2.2-p5)
    Solaris 8 Maintenance Update 4* (BIND 8.2.2-p5)

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 2.5.1** (BIND 4.9.3)

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()

    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 2.5.1** (BIND 4.9.3)

VU#325431 - Queries to ISC BIND servers may disclose environment variables

    Solaris 2.4, 2.5 (BIND 4.8.3)
    Solaris 2.5.1** (BIND 4.9.3 and BIND 4.8.3)
    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 7 and 8 (BIND 8.1.2)

*  To determine if one is running Solaris 8 04/01 or Solaris 8 Maintenance
   Update 4, check the contents of the /etc/release file.

** Solaris 2.5.1 ships with BIND 4.8.3 but patch 103663-01 for SPARC and
   103664-01 for x86 upgrades BIND to 4.9.3, current revision for each
   patch is -17.

List of Patches

 The following patches are available in relation to the above problems.

 OS Version               Patch ID
 __________               _________
 SunOS 5.8                109326-04
 SunOS 5.8_x86            109327-04
 SunOS 5.7                107018-03
 SunOS 5.7_x86            107019-03
 SunOS 5.6                105755-10
 SunOS 5.6_x86            105756-10
 SunOS 5.5.1              103663-16
 SunOS 5.5.1_x86          103664-16
 SunOS 5.5                103667-12
 SunOS 5.5_x86            103668-12
 SunOS 5.4                102479-14
 SunOS 5.4_x86            102480-12

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

For the full text of Sun Microsystems Security Bulletin #204, please visit

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/204&type=0&nav=sec.sba

This document has been archived here

sun-security-bulletin-204.txt

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  January 03, 2001 Updated:  April 05, 2001

Status

  Not Vulnerable

Vendor Statement

Apple plans to include BIND 8.2.3 in Mac OS X. BIND is not enabled by default in Mac OS X or Mac OS X Server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  January 03, 2001 Updated:  April 05, 2001

Status

  Not Vulnerable

Vendor Statement

No supported version of FreeBSD contains BIND 4.x, so this does not affect us. We currently ship betas of 8.2.3 in the FreeBSD 4.x release branch, and will be upgrading to 8.2.3 once it is released.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  February 03, 2001 Updated:  April 04, 2001

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has made an announcement regarding this vulnerability; for further information, please see:

Microsoft

Notified:  January 18, 2001 Updated:  January 30, 2001

Status

  Not Vulnerable

Vendor Statement

Microsoft's implementation of DNS is not based on BIND, and is not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  January 03, 2001 Updated:  January 26, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  January 03, 2001 Updated:  January 26, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  January 03, 2001 Updated:  April 05, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian has made an announcement regarding this vulnerability; for further information, please see:

Fujitsu

Notified:  January 03, 2001 Updated:  January 26, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix

Notified:  January 31, 2001 Updated:  April 05, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Immunix has made an announcement regarding this vulnerability; for further information, please see:

NCR

Notified:  January 03, 2001 Updated:  January 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC

Notified:  January 03, 2001 Updated:  January 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NeXT

Notified:  January 03, 2001 Updated:  January 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat

Notified:  January 03, 2001 Updated:  April 04, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

RedHat has released an advisory regarding this vulnerability; for further information, please see RHSA-2001-007 and associated bug reports at:

Sequent

Notified:  January 03, 2001 Updated:  January 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Siemens Nixdorf

Notified:  January 03, 2001 Updated:  January 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware

Notified:  February 03, 2001 Updated:  April 05, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware has made an announcement regarding this vulnerability; for further information, please see:

Sony

Notified:  January 03, 2001 Updated:  January 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  January 03, 2001 Updated:  January 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT/CC thanks the COVERT Labs at PGP Security for discovering and analyzing this vulnerability and the Internet Software Consortium for providing a patch to fix it.

This document was written by Jeffrey P. Lanza

Other Information

CVE IDs: CVE-2001-0011
CERT Advisory: CA-2001-02
Severity Metric: 38.90
Date Public: 2001-01-29
Date First Published: 2001-04-27
Date Last Updated: 2002-05-01 18:59 UTC
Document Revision: 60

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.