
CERT Coordination Center


Domain Name System (DNS) resolver libraries vulnerable to read buffer overflow

Vulnerability Note VU#738331

Original Release Date: 2002-10-01 | Last Revised: 2003-04-15

Overview

DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service.

Description

A read buffer overflow vulnerability exists in BIND 4 and BIND 8.2.x stub resolver libraries. Other resolver libraries derived from BIND 4 are also affected, including BSD libc, GNU/Linux glibc, and System 5 UNIX libresolv. This vulnerability is similar in scope to VU#803539 and VU#542971, which are referenced by CERT Advisory CA-2002-19.

The name server itself, named, is not affected. The vulnerability exists in DNS stub resolver libraries that are used by network applications to obtain host or network information, typically host names and IP addresses. For example, when a web browser attempts to access http://www.cert.org/, it calls functions in a DNS stub resolver library in order to determine an IP address for www.cert.org.

Within the DNS resolver library, a buffer size value that is smaller than the maximum size of a potential DNS response is passed to the functions that perform DNS resolution. If a response is encountered that is larger than the allocated buffer, the response is truncated and returned to the calling function, along with the amount of buffer space that would be required to handle the entire response. The calling function may use this value for the size of the buffer and read beyond the end of the actual DNS response. In some cases, unmapped memory may be read, which typically causes the calling application to crash. In other cases, mapped memory may be read and its contents treated as part of the DNS response, which the calling application typically handles as a malformed response.

Applications that call DNS resolution functions directly may also be vulnerable, depending on how those applications handle the returned buffer size value. MIT Kerberos 5, KTH Heimdal Kerberos, nss_ldap, and fetchmail are known to be affected.

Quoting from the ISC advisory:

When looking up address (gethostbyname(), gethostbyaddr() etc.) a less than maximum sized buffer is passed to res_search() / res_query(). If the answer is too large to fit in the buffer the size of buffer required is returned along with the part of the message that will fit. This value is not checked and is passed to getanswer which then may read past the end of the buffer depending upon the contents in the answer section.

Impact

An attacker who is able to send DNS responses to a vulnerable system could cause a denial of service, crashing the application that made calls to a vulnerable resolver library. It does not appear that this vulnerability can be leveraged to execute arbitrary code. There may be some risk of information disclosure if a vulnerable system returns the contents of memory adjacent to a DNS response.

Solution

Patch or Upgrade

Apply a patch or upgrade as specified by your vendor. In the case of statically linked binaries, it is necessary to recompile using the patched version of the DNS stub resolver libraries. ISC has provided the following guidance for applications that call DNS resolution functions directly:

For application writers. Use a maximum sized buffer (64k), be prepared to redo the calls res_search(), res_query(), res_send(), res_nsearch(), res_nquery() and res_send() with a bigger buffer or take the minimum of the answer buffer size and the value returned by these calls and be aware that the answer is truncated.
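
The truncation behaviour from the Description and the two options in the ISC guidance above, as an added C example that is not code from ISC, CERT/CC or any vendor. `stub_query()` is a hypothetical stand-in that models a call returning the full response size while copying only what fits, and the response bytes are constructed; the bounded parser and `usable_len()` clamp are likewise illustrative names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SMALL_BUF 1024   /* MAXPACKET before the glibc patch on this page */
#define MAX_BUF   65536  /* MAXPACKET after it; ISC's "maximum sized buffer" */

/* Constructed sample: header, question "a." and n A records (17 bytes each). */
static size_t build_response(uint8_t *out, size_t cap, unsigned n)
{
    static const uint8_t name[3] = { 1, 'a', 0 };
    static const uint8_t rr[14] = { 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };
    uint8_t *p = out + 12;
    if (cap < 19 + (size_t)n * 17) return 0;
    memset(out, 0, 12);
    out[2] = 0x80; out[5] = 1;                         /* QR=1, QDCOUNT=1 */
    out[6] = (uint8_t)(n >> 8); out[7] = (uint8_t)n;   /* ANCOUNT = n */
    memcpy(p, name, 3); memcpy(p + 3, rr, 4); p += 7;  /* question: a. A IN */
    for (unsigned i = 0; i < n; i++, p += 17) {
        memcpy(p, name, 3); memcpy(p + 3, rr, 14);     /* a. A IN TTL=60 192.0.2.1 */
    }
    return (size_t)(p - out);
}

/* Hypothetical stand-in for a resolver call: copies what fits, returns full size. */
static int stub_query(const uint8_t *wire, size_t wlen, uint8_t *ans, size_t anslen)
{
    memcpy(ans, wire, wlen < anslen ? wlen : anslen);
    return (int)wlen;
}

/* The check the vulnerable callers lacked: never trust more than anslen. */
static size_t usable_len(int ret, size_t anslen)
{
    if (ret < 0) return 0;
    return (size_t)ret < anslen ? (size_t)ret : anslen;
}

/* Skip one encoded name without reading at or past end; NULL if it does not fit. */
static const uint8_t *skip_name(const uint8_t *p, const uint8_t *end)
{
    while (p < end) {
        uint8_t l = *p++;
        if (l == 0) return p;
        if ((l & 0xC0) == 0xC0) return p < end ? p + 1 : NULL;  /* pointer */
        if ((l & 0xC0) || (size_t)(end - p) < l) return NULL;
        p += l;
    }
    return NULL;
}

/* Count the answer records that lie wholly inside msg[0..len). */
static int count_answers(const uint8_t *msg, size_t len, int *truncated)
{
    *truncated = 0;
    if (len < 12) return -1;
    const uint8_t *end = msg + len, *p = msg + 12;
    unsigned qd = (unsigned)msg[4] << 8 | msg[5];
    unsigned an = (unsigned)msg[6] << 8 | msg[7], got = 0;
    for (unsigned i = 0; i < qd; i++) {
        p = skip_name(p, end);
        if (!p || end - p < 4) return -1;
        p += 4;
    }
    for (; got < an; got++) {
        const uint8_t *q = skip_name(p, end);
        if (!q || end - q < 10) break;
        size_t rdlen = (size_t)q[8] << 8 | q[9];
        if ((size_t)(end - q) - 10 < rdlen) break;
        p = q + 10 + rdlen;
    }
    *truncated = got < an;
    return (int)got;
}

struct demo { int ret; size_t past_end; int small_n, small_trunc, full_n, full_trunc; };
static struct demo run_demo(void)
{
    static uint8_t wire[MAX_BUF], small_buf[SMALL_BUF], big_buf[MAX_BUF];
    struct demo d;
    size_t wire_len = build_response(wire, sizeof wire, 100);
    /* 1024-byte buffer: the return value exceeds what was actually written. */
    d.ret = stub_query(wire, wire_len, small_buf, sizeof small_buf);
    size_t n = usable_len(d.ret, sizeof small_buf);
    d.past_end = (size_t)d.ret - n;   /* bytes an unchecked caller would over-read */
    d.small_n = count_answers(small_buf, n, &d.small_trunc);
    /* ISC's other option: redo the call with a maximum sized buffer. */
    int r2 = stub_query(wire, wire_len, big_buf, sizeof big_buf);
    d.full_n = count_answers(big_buf, usable_len(r2, sizeof big_buf), &d.full_trunc);
    return d;
}

int main(void)
{
    struct demo d = run_demo();
    printf("ret=%d past_end=%zu clamped=%d (trunc=%d) full=%d (trunc=%d)\n",
           d.ret, d.past_end, d.small_n, d.small_trunc, d.full_n, d.full_trunc);
    return 0;
}
```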

Local Caching DNS Server Not Effective

A local caching DNS server will not prevent malicious responses from reaching vulnerable client resolvers.

Vendor Information


Conectiva

Notified:  August 15, 2002 Updated:  November 08, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please reference the following Conectiva Linux Announcements (English): CLSA-2002:535 (glibc) and CLSA-2002:531 (fetchmail).

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  August 15, 2002 Updated:  November 08, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. Debian Security Advisory DSA-178 (superseded by DSA-185) addresses this issue in Heimdal Kerberos. See also:

http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.6.diff.gz

Debian Security Advisory DSA-171 addresses this issue in fetchmail.


Fetchmail

Updated:  October 18, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD

Notified:  August 15, 2002 Updated:  November 13, 2002

Status

  Vulnerable

Vendor Statement

Please see FreeBSD-SA-02:42.resolv.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Fujitsu

Notified:  August 15, 2002 Updated:  October 16, 2002

Status

  Vulnerable

Vendor Statement

Fujitsu's UXP/V operating system is vulnerable to the bug reported in VU#738331.

Bug fixes are currently being developed and will be available in November, 2002.

The bug fix no. for UXP/V V20L10 is UX28292.

The bug fix no. for UXP/V V10L20 is UX15055.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


GNU glibc

Notified:  August 15, 2002 Updated:  October 16, 2002

Status

  Vulnerable

Vendor Statement

Version 2.2.5 of the GNU C Library is vulnerable. The following patch has been installed into the CVS sources, and should appear in the next version.

2002-09-04  Roland McGrath  <roland@redhat.com>

        * resolv/nss_dns/dns-network.c (MAXPACKET): Increase minimum value
        from 1024 to 65536, to avoid buffer overrun.

2002-08-24  Ulrich Drepper  <drepper@redhat.com>

        * resolv/nss_dns/dns-host.c (MAXPACKET): Likewise.

2002-08-16  Paul Eggert  <eggert@twinsun.com>

        * resolv/gethnamaddr.c (MAXPACKET): Likewise.
        * resolv/res_query.c (MAXPACKET): Likewise.

===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- libc/resolv/nss_dns/dns-network.c   2002/08/26 06:20:05     1.12
+++ libc/resolv/nss_dns/dns-network.c   2002/09/05 01:23:06     1.13
@@ -70,10 +70,10 @@
 #define MAX_NR_ALIASES 48


-#if PACKETSZ > 1024
-#define MAXPACKET       PACKETSZ
+#if PACKETSZ > 65536
+# define MAXPACKET     PACKETSZ
 #else
-#define MAXPACKET       1024
+# define MAXPACKET     65536
 #endif
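
Review bot: The constant change on the `#if PACKETSZ >` and `MAXPACKET` lines is mixed with a whitespace change from `#define` to `# define`, which makes a one-value security fix harder to audit; the re-indentation is better split into its own change. The literal 65536 now appears twice with no comment saying why that value was chosen, so a one-line comment above the `#if` (or a named constant) would help keep the two in step.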

===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-host.c,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- libc/resolv/nss_dns/dns-host.c      2002/08/03 03:42:06     1.32
+++ libc/resolv/nss_dns/dns-host.c      2002/08/24 22:29:11     1.33
@@ -92,10 +92,10 @@
 #define MAX_NR_ALIASES 48
 #define MAX_NR_ADDRS   48

-#if PACKETSZ > 1024
+#if PACKETSZ > 65536
 # define MAXPACKET     PACKETSZ
 #else
-# define MAXPACKET     1024
+# define MAXPACKET     65536
 #endif
 /* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length.  */
 #ifdef MAXHOSTNAMELEN
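
Review bot: The `#if PACKETSZ > 65536` / `# define MAXPACKET 65536` block here is a hand-edited copy of the same definition patched in three other files, and the revision dates in these diffs show the copies were fixed on different days (dns-network.c on 2002/09/05, the others on 2002/08/24). Defining the minimum once in a shared resolver header and including it from each file would remove the chance of one copy being missed next time.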
===================================================================
RCS file: /cvs/glibc/libc/resolv/gethnamaddr.c,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- libc/resolv/gethnamaddr.c   2002/08/03 03:40:54     1.39
+++ libc/resolv/gethnamaddr.c   2002/08/24 22:29:11     1.40
@@ -115,10 +115,10 @@
 extern void addrsort __P((char **, int));
 #endif

-#if PACKETSZ > 1024
+#if PACKETSZ > 65536
 #define        MAXPACKET       PACKETSZ
 #else
-#define        MAXPACKET       1024
+#define        MAXPACKET       65536
 #endif

 /* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length.  */
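
Review bot: The change at the `#else` branch only enlarges `MAXPACKET`; nothing in this hunk bounds the length returned by the query call against the size of the buffer it filled. I would also clamp that returned length to the buffer size before it is handed on, so the parser's safety does not depend on the constant staying at the maximum.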
===================================================================
RCS file: /cvs/glibc/libc/resolv/res_query.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- libc/resolv/res_query.c     2001/01/08 17:55:24     1.16
+++ libc/resolv/res_query.c     2002/08/24 22:29:11     1.17
@@ -85,10 +85,10 @@
 /* Options.  Leave them on. */
 /* #undef DEBUG */

-#if PACKETSZ > 1024
+#if PACKETSZ > 65536
 #define MAXPACKET      PACKETSZ
 #else
-#define MAXPACKET      1024
+#define MAXPACKET      65536
 #endif

 /*
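
Review bot: The `#define MAXPACKET 65536` line grows every buffer sized by this macro from 1 KiB to 64 KiB, and the hunk does not show how those buffers are allocated. If any of them is an automatic array, each call now costs 64 KiB of stack, which is worth checking for threaded callers with small stacks; a short comment next to the define noting the allocation strategy would settle it.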

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Guardian Digital Inc.

Notified:  August 15, 2002 Updated:  October 10, 2002

Status

  Vulnerable

Vendor Statement

See ESA-20021003-021.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions.


Hewlett-Packard Company

Notified:  August 15, 2002 Updated:  April 15, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Secure OS Software for Linux is affected. Please reference the following documents: HPSBTL0210-071 (fetchmail), HPSBTL0210-070 (nss_ldap), and HPSBTL0210-069/HPSBTL0211-0075 (glibc).

See also HPSBUX0208-209/SSRT2316.


Hitachi

Notified:  August 27, 2002 Updated:  November 08, 2002

Status

  Vulnerable

Vendor Statement

DNS resolver included in GR2000 router is potentially vulnerable to this problem. All ROUTE-OS software from the version 02-03 is affected. Below is the release schedule for the fixed version of software.

Fixed software version : 06-05-/E
Release date : September 12, 2002

Please see http://www.hitachi.co.jp/Prod/comp/network/notice/20020911_0_E.html for more information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM

Notified:  August 15, 2002 Updated:  October 16, 2002

Status

  Vulnerable

Vendor Statement

The AIX operating system is vulnerable to a buffer overflow in the res_nsend() resolver function, as mentioned above, in releases 4.3.3 and 5.1.0. This problem was discovered and fixed earlier while investigating a core dump from the "host" command.

The following APARs are available for this fix:

AIX 4.3.3: IY31886
AIX 5.1.0: IY31889

The APARs can be downloaded by going to the following URL, then following the links for your system release level.

http://techsupport.services.ibm.com/servers/fixes?view=pseries

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


ISC

Updated:  October 16, 2002

Status

  Vulnerable

Vendor Statement

Internet Software Consortium Security Advisory.
LIBBIND/LIBRESOLV: Denial of Service.
8 August 2002

Versions affected:
BIND 4 prior to 4.9.10
BIND 8 prior to 8.2.5
Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service

Description:

When looking up address (gethostbyname(), gethostbyaddr()
etc.) a less than maximum sized buffer is passed to
res_search() / res_query().  If the answer is too large
to fit in the buffer the size of buffer required is
returned along with the part of the message that will fit.
This value is not checked and is passed to getanswer which
then may read past the end of the buffer depending upon the
contents in the answer section.

THIS DOES NOT AFFECT THE NAMESERVER.

THIS CAN BE TRANSMITTED THROUGH CACHES.

BIND 9 is NOT affected.
BIND 8.3.x is NOT affected.

This bug may exist in other applications that call the
DNS directly.

Workarounds:

None.  Upgrade and re-linking required.

Impact:

Applications linked against vulnerable versions of the
libraries may die with segmentation violations /
bus errors.

Fix:

Upgrade to BIND 4.9.10 or preferably BIND 8.3.3.

BIND 4 is officially deprecated.  Only security
fixes will be issued for BIND 4.

http://www.isc.org/products/BIND

For application writers.  Use a maximum sized buffer (64k),
be prepared to redo the calls res_search(), res_query(),
res_send(), res_nsearch(), res_nquery() and res_send()
with a bigger buffer or take the minimum of the answer
buffer size and the value returned by these calls and
be aware that the answer is truncated.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Juniper Networks

Notified:  August 15, 2002 Updated:  October 16, 2002

Status

  Vulnerable

Vendor Statement

Juniper Networks has determined that its JUNOS Internet Software, used on the M- and T-series of router products, is susceptible to this vulnerability in versions 5.2R1.4, 5.2R2.3, 5.2R3.4, 5.2R4.4, 5.3R1.2, 5.3R2.4, 5.3R3.3, and 5.4R1.4. Customers should contact Juniper or their Juniper reseller to obtain an updated version of JUNOS software.

Juniper Networks has determined that the operating software used on the ERX router products is not susceptible to this vulnerability. No software upgrade is required. However, the SDX-300 Service Deployment system may be susceptible if it is installed on a susceptible host platform. Users of SDX-300 should contact their host operating system vendor regarding this advisory.

The Juniper Networks G10 CMTS product is not susceptible to this vulnerability. No upgrade is required.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


KAME Project

Updated:  October 01, 2002

Status

  Vulnerable

Vendor Statement

The problem was fixed in the KAME tree on August 27, 2002.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MIT Kerberos Development Team

Notified:  August 23, 2002 Updated:  October 16, 2002

Status

  Vulnerable

Vendor Statement

We don't ship a resolver implementation as part of MIT krb5. Our code does call res_search() in a potentially unsafe manner, but seems to only result in a read overrun. Also, it is primarily client-side code that calls res_search(), so denial of service attacks against servers are unlikely.

This will be fixed in an upcoming release of MIT krb5. The MIT Kerberos Team is not issuing a patch at this time, as we believe that the vulnerability is limited to a client-side denial of service.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft

Notified:  August 15, 2002 Updated:  November 08, 2002

Status

  Vulnerable

Vendor Statement

Mandrake Linux 7.1 and 7.2, which ship with BIND 8.x, already have been updated to BIND version 8.3.3, which is not vulnerable to this problem. Mandrake Linux 8.0 and higher ship with BIND 9.x which is also not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. MandrakeSoft has also released MDKSA-2002:063 (fetchmail) and MDKSA-2002:075 (nss_ldap).


MetaSolv Software Inc.

Notified:  August 15, 2002 Updated:  October 01, 2002

Status

  Vulnerable

Vendor Statement

The resolver code embedded in the DNS Server (Based on ISC BIND 8.2.3) on both MetaSolv Policy Services 4.1 and 4.2 is open to Vulnerability Note VU#738331. This issue is being tracked by MetaSolv under Case #28230. An upgrade to ISC BIND 8.2.6 and the ISC Sanctioned Patches to 8.2.6 for this advisory have been compiled and applied, and will be available in Policy Services 4.2 Service Pack 1 efix 1. Please contact MetaSolv Global Customer Care (supporthd@metasolv.com) for availability and assistance.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetBSD

Notified:  August 15, 2002 Updated:  October 10, 2002

Status

  Vulnerable

Vendor Statement

See NetBSD Security Advisory SA2002-015 for details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Nortel Networks

Notified:  August 15, 2002 Updated:  November 08, 2002

Status

  Vulnerable

Vendor Statement

Nortel Networks has determined that NetID version 4.3.1 and later is potentially affected by the vulnerability identified in CERT/CC Vulnerability Note VU#738331; a bulletin and patch are available from the following Nortel Networks support contacts:

North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Contacts for other regions are available at

www.nortelnetworks.com/help/contact/global/

Optivity NMS is not affected.

The former Nortel Networks product Preside Policy Server divested to MetaSolv Software, Inc. in February 2002 uses BIND 8 and may be potentially affected. Please refer to MetaSolv Software Inc.'s Vendor Statement.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Openwall GNU/*/Linux

Notified:  August 15, 2002 Updated:  October 16, 2002

Status

  Vulnerable

Vendor Statement

Openwall GNU/*/Linux's glibc package was affected. As a workaround, we have applied the patch by Olaf Kirch of SuSE which limits the return value from res_send(3) to be no greater than the provided answer buffer size. This approach has the advantage of reducing the problem for poorly written third-party applications, including those which aren't a part of our distribution. At the same time, checks have also been added to avoid some potential reads beyond end of undersized DNS responses as pointed out by Dmitry V. Levin of ALT Linux. This change will be documented in the system-wide change log:

http://www.openwall.com/Owl/CHANGES.shtml

The BIND 4.9.x Openwall patch (which adds a number of security-related features) has been updated to the upcoming 4.9.10 release and will be made available at:

http://www.openwall.com/bind/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Red Hat Inc.

Notified:  August 15, 2002 Updated:  November 08, 2002

Status

  Vulnerable

Vendor Statement

All supported versions of Red Hat Linux which shipped with vulnerable versions of BIND were updated to BIND 9.x by a previous security errata issued in August 2002 and are therefore not vulnerable to this issue. Users of the Red Hat Network can make sure their systems are updated to this release using the 'up2date' tool.

http://rhn.redhat.com/errata/RHSA-2002-133.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat has also released RHSA-2002:197 (glibc), RHSA-2002:215 (fetchmail), and RHSA-2002:175 (nss_ldap).


SuSE Inc.

Notified:  August 15, 2002 Updated:  October 25, 2002

Status

  Vulnerable

Vendor Statement

All SuSE versions of bind8 are affected by the bug in res_search/res_query. Fixed packages will be provided at 2002-10-01.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE Security Announcement SuSE-SA:2002:034 addresses this issue in Heimdal Kerberos.


Sun Microsystems Inc.

Notified:  August 15, 2002 Updated:  November 08, 2002

Status

  Vulnerable

Vendor Statement

The Solaris DNS resolver library (libresolv.so) is affected by this issue in the following versions of Solaris:

Solaris 2.5.1, 2.6, 7, and 8

Patches have been generated for all of the above releases. Sun has published Sun Alert 45463 for this issue which is available from:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F45463

The patches for this issue are available from:

http://sunsolve.sun.com/securitypatch

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Xerox Corporation

Notified:  August 15, 2002 Updated:  April 15, 2003

Status

  Vulnerable

Vendor Statement

A response to this vulnerability is available from our web site:

http://www.xerox.com/security/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Apple Computer Inc.

Notified:  August 15, 2002 Updated:  August 23, 2002

Status

  Not Vulnerable

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Computer Associates

Notified:  August 15, 2002 Updated:  October 01, 2002

Status

  Not Vulnerable

Vendor Statement

We do not ship a resolver implementation or utilize the resolver library calls (i.e., res_*) but do utilize other native calls (e.g., gethostbyname(), gethostbyaddr() etc.) for translations.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


GNU adns

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Lucent Technologies

Notified:  August 15, 2002 Updated:  August 21, 2002

Status

  Not Vulnerable

Vendor Statement

LMG is not affected by the bind vulnerability. LMG uses BIND 9.2.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Microsoft Corporation

Notified:  August 15, 2002 Updated:  August 23, 2002

Status

  Not Vulnerable

Vendor Statement

Microsoft does not use BIND resolver code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Nixu

Notified:  September 24, 2002 Updated:  October 14, 2002

Status

  Not Vulnerable

Vendor Statement

Nixu NameSurfer itself does not contain any parts of the resolver library being discussed, nor does it call the res_* functions directly. However, parts of NameSurfer are dynamically linked with the resolver library on the DNS server machine. Therefore, if the underlying system is vulnerable, the vulnerability propagates also to NameSurfer.

Nixu recommends that the resolver on the DNS server running NameSurfer is upgraded according to ISC's advisory as published by CERT. No further actions are required.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SGI

Notified:  August 15, 2002 Updated:  August 23, 2002

Status

  Not Vulnerable

Vendor Statement

SGI uses nsd (UNS name service daemon) as a resolver and it does not appear to be vulnerable as it does not use any of the res_* functions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Secure Computing Corporation

Updated:  October 16, 2002

Status

  Not Vulnerable

Vendor Statement

SIDEWINDER(tm) FIREWALL & VPN (all releases including SIDEWINDER APPLIANCE)

Not Vulnerable

As part of Sidewinder(tm)'s defense in depth architecture, DNS queries are sandboxed by SecureOS(tm)'s patented Type Enforcement technology. Faults in the resolver library cannot cause a compromise of the Sidewinder(tm). However, since a Bind 8 caching server can still pass this attack along to vulnerable resolvers, Sidewinder(tm) users who wish to protect vulnerable resolvers behind their firewall from attack should upgrade to version 5.2.1.05, which replaces Bind 8 with Bind 9.

Customers should contact Customer Service to obtain version 5.2.1.05.

Gauntlet and e-ppliance

Both Gauntlet Software and Gauntlet e-ppliance utilize the Bind version that ships with Solaris 8. Please see Solaris 8 response to this vulnerability to assess applicability of any potential DOS risk. Secure Computing will test and make recommendations to customers regarding any potential software changes, if any, published by Sun Microsystems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


djbdns

Notified:  August 15, 2002 Updated:  October 01, 2002

Status

  Not Vulnerable

Vendor Statement

djbdns does not have these bugs. djbdns has never used any BIND-derived code. djbdns, including the djbdns client library, is covered by a $500 security guarantee. The djbdns client library is free for use by other packages in place of BIND's libresolv. See http://cr.yp.to/djbdns.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


3Com

Updated:  October 01, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


AT&T

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Alcatel

Notified:  August 15, 2002 Updated:  October 01, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


BlueCat Networks

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point

Notified:  August 15, 2002 Updated:  April 15, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.checkpoint.com/techsupport/documentation/smartdefense/2002/cpai-2002-09.html>

Cisco Systems Inc.

Notified:  August 15, 2002 Updated:  October 01, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc.

Notified:  August 15, 2002 Updated:  October 01, 2002

Status

  Unknown

Vendor Statement

Cray Inc. may be vulnerable and has opened spr 723016 to track this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General

Notified:  August 15, 2002 Updated:  September 24, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Infoblox

Notified:  August 15, 2002 Updated:  October 01, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KTH Kerberos

Notified:  August 23, 2002 Updated:  August 24, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software

Notified:  September 24, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation

Notified:  August 15, 2002 Updated:  October 16, 2002

Status

  Unknown

Vendor Statement

sent on October 4, 2002

[Server Products]
On investigation

[Router Products]

    • IX 5000 Series - is NOT vulnerable.
    • IX 1000/2000 Series - is NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nominum

Notified:  August 15, 2002 Updated:  October 01, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD

Notified:  August 15, 2002 Updated:  August 15, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenLDAP

Notified:  August 23, 2002 Updated:  August 24, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Oracle Corporation

Notified:  October 01, 2002 Updated:  October 01, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sendmail

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group

Notified:  August 15, 2002 Updated:  September 24, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisphere Networks

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys

Notified:  August 15, 2002 Updated:  October 03, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc.

Notified:  August 15, 2002 Updated:  August 15, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Credit

The CERT/CC thanks Mark Andrews of ISC for reporting this vulnerability.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-1146
Severity Metric: 19.04
Date Public: 2002-10-01
Date First Published: 2002-10-01
Date Last Updated: 2003-04-15 19:39 UTC
Document Revision: 40

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.