The DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10 contains buffer overflows in code that handles responses for network name and address requests. Other resolver libraries derived from BIND 4 such as BSD libc, GNU glibc, and those used by System V UNIX systems may also be affected. An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service.
A DNS stub resolver library provides an interface for network applications to make requests and receive responses from the domain name system. The BIND 4 resolver library (libresolv.a) contains several buffer overflows in the functions that handle responses for network name and address requests (getnetbyname(), getnetbyaddr()). While reading the answer portion of a DNS response, the functions copy data received from the network into inadequately sized buffers. A specially crafted DNS response could overflow the buffers, possibly injecting arbitrary code onto the stack.
ISC BIND 4.9.2 through 4.9.10 are vulnerable. DNS stub resolver libraries that are derived from BIND 4 may vulnerable, including BSD libc, GNU glibc, and resolvers used by System V UNIX systems. In addition, some network applications provide their own resolver functions which may use vulnerable code from BIND 4.
An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service. The attacker would need to control DNS responses, possibly by spoofing responses or gaining control of a DNS server.
Apple Computer Inc.
MetaSolv Software Inc.
Sun Microsystems Inc.
The SCO Group
Cisco Systems Inc.
Guardian Digital Inc.
MiT Kerberos Development Team
Red Hat Inc.
The Open Group
Wind River Systems Inc.
This vulnerability was reported by CERT/CC staff.
This document was written by Art Manion.