DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service.
A read buffer overflow vulnerability exists in BIND 4 and BIND 8.2.x stub resolver libraries. Other resolver libraries derived from BIND 4 are also affected, including BSD libc, GNU/Linux glibc, and System 5 UNIX libresolv. This vulnerability is similar in scope to VU#803539 and VU#542971, which are referenced by CERT Advisory CA-2002-19.
The name server itself, named, is not affected. The vulnerability exists in DNS stub resolver libraries that are used by network applications to obtain host or network information, typically host names and IP addresses. For example, when a web browser attempts to access http://www.cert.org/, it calls functions in a DNS stub resolver library in order to determine an IP address for www.cert.org.
An attacker who is able to send DNS responses to a vulnerable system could cause a denial of service, crashing the application that made calls to a vulnerable resolver library. It does not appear that this vulnerability can be leveraged to execute arbitrary code. There may be some risk of information disclosure if a vulnerable system returns the contents of memory adjacent to a DNS response.
Patch or Upgrade
Local Caching DNS Server Not Effective
GNU glibc Affected
Guardian Digital Inc. Affected
Hewlett-Packard Company Affected
Juniper Networks Affected
KAME Project Affected
MIT Kerberos Development Team Affected
MetaSolv Software Inc. Affected
Nortel Networks Affected
Openwall GNU/*/Linux Affected
Red Hat Inc. Affected
SuSE Inc. Affected
Sun Microsystems Inc. Affected
Xerox Corporation Affected
Apple Computer Inc. Not Affected
Computer Associates Not Affected
GNU adns Not Affected
Lucent Technologies Not Affected
Microsoft Corporation Not Affected
Nixu Not Affected
SGI Not Affected
Secure Computing Corporation Not Affected
djbdns Not Affected
BlueCat Networks Unknown
Check Point Unknown
Cisco Systems Inc. Unknown
Cray Inc. Unknown
Data General Unknown
F5 Networks Unknown
KTH Kerberos Unknown
Lotus Software Unknown
NEC Corporation Unknown
Network Appliance Unknown
Oracle Corporation Unknown
Sony Corporation Unknown
The SCO Group Unknown
Unisphere Networks Unknown
Wind River Systems Inc. Unknown
The CERT/CC thanks Mark Andrews of ISC for reporting this vulnerability.
This document was written by Art Manion.
|Date First Published:||2002-10-01|
|Date Last Updated:||2003-04-15 19:39 UTC|