Debian Security Advisory

DSA-196-1 bind -- several vulnerabilities

Date Reported:

14 Nov 2002

Affected Packages:

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 6159, BugTraq ID 6160, BugTraq ID 6161.
In Mitre's CVE dictionary: CVE-2002-0029, CVE-2002-1219, CVE-2002-1220, CVE-2002-1221.
CERT's vulnerabilities, advisories and incident notes: VU#581682, VU#844360, VU#852283, VU#229595, VU#542971, CA-2002-31.

More information:

[Bind version 9, the bind9 package, is not affected by these problems.]

ISS X-Force has discovered several serious vulnerabilities in the Berkeley Internet Name Domain Server (BIND). BIND is the most common implementation of the DNS (Domain Name Service) protocol, which is used on the vast majority of DNS servers on the Internet. DNS is a vital Internet protocol that maintains a database of easy-to-remember domain names (host names) and their corresponding numerical IP addresses.

Circumstantial evidence suggests that the Internet Software Consortium (ISC), maintainers of BIND, was made aware of these issues in mid-October. Distributors of Open Source operating systems, including Debian, were notified of these vulnerabilities via CERT about 12 hours before the release of the advisories on November 12th. This notification did not include any details that allowed us to identify the vulnerable code, much less prepare timely fixes.

Unfortunately ISS and the ISC released their security advisories with only descriptions of the vulnerabilities, without any patches. Even though there were no signs that these exploits are known to the black-hat community, and there were no reports of active attacks, such attacks could have been developed in the meantime - with no fixes available.

We can all express our regret at the inability of the ironically named Internet Software Consortium to work with the Internet community in handling this problem. Hopefully this will not become a model for dealing with security issues in the future.

The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities:

CAN-2002-1219: A buffer overflow in BIND 8 versions 8.3.3 and earlier allows a remote attacker to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). This buffer overflow can be exploited to obtain access to the victim host under the account the named process is running with, usually root.
CAN-2002-1220: BIND 8 versions 8.3.x through 8.3.3 allows a remote attacker to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.
CAN-2002-1221: BIND 8 versions 8.x through 8.3.3 allows a remote attacker to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference.

These problems have been fixed in version 8.3.3-2.0woody1 for the current stable distribution (woody), in version 8.2.3-0.potato.3 for the previous stable distribution (potato) and in version 8.3.3-3 for the unstable distribution (sid). The fixed packages for unstable will enter the archive today.

We recommend that you upgrade your bind package immediately, update to bind9, or switch to another DNS server implementation.

Fixed in:

Debian GNU/Linux 2.2 (oldstable)

Source:: http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3.dsc; http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3.diff.gz; http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3.orig.tar.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/b/bind/task-dns-server_8.2.3-0.potato.3_all.deb; http://security.debian.org/pool/updates/main/b/bind/bind-doc_8.2.3-0.potato.3_all.deb
alpha (DEC Alpha):: http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_alpha.deb; http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_alpha.deb; http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_alpha.deb
arm (ARM):: http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_arm.deb; http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_arm.deb; http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_arm.deb
i386 (Intel ia32):: http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_i386.deb; http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_i386.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_i386.deb
m68k (Motorola Mc680x0):: http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_m68k.deb; http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_m68k.deb; http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_m68k.deb
powerpc (PowerPC):: http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_powerpc.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_powerpc.deb; http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_powerpc.deb
sparc (Sun SPARC/UltraSPARC):: http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_sparc.deb; http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_sparc.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_sparc.deb

Debian GNU/Linux 3.0 (stable)

Source:: http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1.dsc; http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1.diff.gz; http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3.orig.tar.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/b/bind/bind-doc_8.3.3-2.0woody1_all.deb
alpha (DEC Alpha):: http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_alpha.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_alpha.deb
arm (ARM):: http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_arm.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_arm.deb
hppa (HP PA RISC):: http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_hppa.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_hppa.deb
i386 (Intel ia32):: http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_i386.deb; http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_i386.deb
ia64 (Intel ia64):: http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_ia64.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_ia64.deb
m68k (Motorola Mc680x0):: http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_m68k.deb; http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_m68k.deb
mips (MIPS (Big Endian)):: http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_mips.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_mips.deb
mipsel (MIPS (Little Endian)):: http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_mipsel.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_mipsel.deb
powerpc (PowerPC):: http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_powerpc.deb; http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_powerpc.deb
s390 (IBM S/390):: http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_s390.deb; http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_s390.deb
sparc (Sun SPARC/UltraSPARC):: http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_sparc.deb; http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.