__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
BIND Vulnerabilities
December 28, 1998 18:00 GMT Number I-044A
______________________________________________________________________________
PROBLEM: Three vulnerabilities have been identified in BIND.
1) Improperly or maliciously formatted inverse query on a TCP
stream.
2) Improperly or maliciously formatted DNS message.
3) Self-referential CNAMEs.
PLATFORM: 1 & 2) BIND 4.9 releases prior to BIND 4.9.7 and BIND 8
releases prior to 8.1.2.
3) BIND 8.
DAMAGE: 1) If exploited, a remote user may cause a buffer overrun or
gain root access.
2 & 3) These two vulnerabilities could lead to Denial-of-Service.
SOLUTION: Apply patches or workarounds as listed below.
______________________________________________________________________________
VULNERABILITY At the time this advisory was released, not all vendor
ASSESSMENT: information was complete. If your vendor's workaround or
patches are not listed, you should check with your vendor
directly.
______________________________________________________________________________
[ Appended on Dec 28, 1998 with additional patch information from Sun
Microsystems, Inc. ]
[ Appended on Aug 21, 1998 with additional information from Hewlett-Packard ]
[ Updated on May 27, 1998 with additional information from CERT ]
[ Start CERT Advisory ]
=============================================================================
CERT* Advisory CA-98.05
Original issue date: April 08, 1998
Last Revised: May 21, 1998
Updates were made to the following portions of this advisory:
III. Solutions
Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
1.C. What To Do
Fixing the Inverse Query Code, Bind 8 and Bind 4.9
Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
2.C. What To Do
Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases
3.C. What To Do
Fixing the Problem
Appendix A - Updated vendor information for Internet Software Consortium
A complete revision history is at the end of this file.
Topic: Multiple Vulnerabilities in BIND
Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
Denial-of-Service Vulnerability in BIND 8 Releases
I. Description
This advisory describes three distinct problems in BIND. Topic 1 describes a
vulnerability that may allow a remote intruder to gain root access on your name
server or to disrupt normal operation of your name server. Topics 2 and 3 deal
with vulnerabilities that can allow an intruder to disrupt your name server.
Detailed descriptions of each problem and its solutions are included in the
individual sections on each topic.
II. Impact
Topic 1: A remote intruder can gain root-level access to your name server.
Topics 2 and 3: A remote intruder is able to disrupt normal operation of your
name server.
III. Solution
All three problems can be fixed by upgrading to the latest version of BIND,
which may be available from your vendor (see Appendix A of this advisory).
Questions about the availability of patches from your vendor should be directed
to your vendor.
Additionally, the Internet Software Consortium has announced new publicly
available versions of BIND on the BIND WWW page (http://www.isc.org/bind.html)
and on the USENET newsgroup comp.protocols.dns.bind.
Additionally, patches are provided for Topics 1 and 3, along with steps to take
until you can apply the patch or upgrade to the latest version of BIND.
Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
1.A. Description
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not
properly bounds check a memory copy when responding to an inverse query request.
An improperly or maliciously formatted inverse query on a TCP stream can crash
the server or allow an attacker to gain root privileges.
1.B. Determining if your system is vulnerable
The inverse query feature is disabled by default, so only the systems that have
been explicitly configured to allow it are vulnerable.
BIND 8
Look at the "options" block in the configuration file (typically
/etc/named.conf). If there is a "fake-iquery yes;" line, then the server is
vulnerable.
BIND 4.9
Look at the "options" lines in the configuration file (typically
/etc/named.boot). If there is a line containing "fake-iquery", then the
server is vulnerable.
In addition, unlike BIND 8, inverse query support can be enabled when the
server is compiled. Examine conf/options.h in the source. If the line
#defining INVQ is not commented out, then the server is vulnerable.
1.C. What To Do
To address this problem, you can disable inverse queries, upgrade to BIND 8.1.2
now that it is available, or apply the patch (see below for more information on
the patch). We urge you to disable inverse queries until you can take one of the
other steps.
Disabling inverse queries
BIND 8
Disable inverse queries by editing named.conf so that either there is no
"fake-iquery" entry in the "options" block or the entry is "fake-iquery no;"
BIND 4.9
Disable inverse queries by editing named.boot, removing any "fake-iquery"
entries on "options" lines. Look at conf/options.h in the source. If INVQ
has been defined, comment it out and then rebuild and reinstall the server.
Note: Disabling inverse query support can break ancient versions of nslookup. If
nslookup fails, replace it with a version from any BIND 4.9 or BIND 8
distribution.
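The checks in 1.B and the disable step above, as an added shell example; it is not part of the CERT advisory or of the BIND distribution. It scans a named.conf for an uncommented "fake-iquery yes;", a named.boot for an "options" line naming fake-iquery, and a conf/options.h for a live "#define INVQ", then rewrites each to the disabled form. The three files are constructed samples written to a temporary directory; the function names and the comment-stripping rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of CA-98.05 or of BIND: audit the inverse-query
# settings from section 1.B and apply the 1.C workaround. Every file below is
# a constructed sample; function names are this example's own.

# BIND 8: vulnerable if an uncommented "fake-iquery yes;" line is present.
# "//" and "#" comments are stripped first; "/* */" comments are not
# handled (assumption of this example).
bind8_iquery_enabled() {                   # $1 = named.conf
    sed -e 's,//.*$,,' -e 's,#.*$,,' "$1" |
        grep -q '^[[:space:]]*fake-iquery[[:space:]]\{1,\}yes[[:space:]]*;'
}

# BIND 4.9: vulnerable if any "options" line in named.boot names fake-iquery.
bind4_iquery_enabled() {                   # $1 = named.boot
    grep -i '^[[:space:]]*options[[:space:]]' "$1" | grep -q 'fake-iquery'
}

# BIND 4.9: also vulnerable if conf/options.h still has a live "#define INVQ".
# A commented-out "/* #define INVQ */" no longer starts with "#" and so
# does not match.
bind4_invq_defined() {                     # $1 = conf/options.h
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+INVQ([[:space:]]|$)' "$1"
}

# Workaround, BIND 8: turn "fake-iquery yes;" into "fake-iquery no;" in place.
bind8_disable_iquery() {                   # $1 = named.conf
    sed -e 's/^\([[:space:]]*fake-iquery[[:space:]]*\)yes\([[:space:]]*;\)/\1no\2/' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Workaround, BIND 4.9 source: comment the INVQ define out (a trailing
# comment on that line is dropped); rebuild and reinstall named afterwards.
bind4_undefine_invq() {                    # $1 = conf/options.h
    sed -e 's,^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*INVQ$,/* #define INVQ */,' \
        -e 's,^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*INVQ[[:space:]].*$,/* #define INVQ */,' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Read-only report over one directory holding the three files.
audit_iquery() {                           # $1 = directory
    bind8_iquery_enabled "$1/named.conf" && echo "VULNERABLE: $1/named.conf sets fake-iquery yes;"
    bind4_iquery_enabled "$1/named.boot" && echo "VULNERABLE: $1/named.boot enables fake-iquery"
    bind4_invq_defined   "$1/options.h"  && echo "VULNERABLE: $1/options.h defines INVQ"
    return 0
}

# Constructed sample inputs: one vulnerable server of each flavour.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/named.conf" <<'EOF'
options {
        directory "/var/named";
        // fake-iquery no;   <- commented out, so it does not count
        fake-iquery yes;
};
zone "." { type hint; file "root.cache"; };
EOF
cat > "$SAMPLE_DIR/named.boot" <<'EOF'
directory /etc/namedb
options fake-iquery
primary example example.zone
EOF
cat > "$SAMPLE_DIR/options.h" <<'EOF'
/* #define DEBUG */
#define INVQ            /* inverse queries: vulnerable before 4.9.7 */
#define XFRNETS
EOF

audit_iquery "$SAMPLE_DIR"
```

Point the same functions at /etc/named.conf, /etc/named.boot and the conf/options.h of the BIND 4.9 source tree on a real server; after bind4_undefine_invq the server still has to be rebuilt and reinstalled, as the workaround says.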
Fixing the Inverse Query Code
BIND 8
Upgrade to BIND 8.1.2 now that it is available
(http://www.isc.org/new-bind.html) or apply the patch at this URL:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND8_patch.txt
This file is not PGP signed. It has the following MD5 checksum:
MD5 (CA-98.05_Topic.1_BIND8_patch.txt) = 12fc9d395ff987b1aad17a882ccd7840
BIND 4.9
Upgrade to BIND 4.9.7 now that it is available
(http://www.isc.org/new-bind.html) or apply the patch at this URL:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND4.9_patch.txt
This file is not PGP signed. It has the following MD5 checksum:
MD5 (CA-98.05_Topic.1_BIND4.9_patch.txt) = 32da0db1c27e4d484e6fcb7901267c2f
Notes:
We are asking sites to retrieve the patches via FTP rather than including
them in the advisory since our experience is that some mail handling systems
translate tabs into spaces. This prevents the patch(1) program from working
properly.
We have not PGP signed the files since our experience is that some
implementations of PGP during the extraction process will strip spaces from
some lines containing whitespace only. This may prevent the patch(1) program
from working properly.
Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
2.A. Description
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not
properly bounds check many memory references in the server and the resolver. An
improperly or maliciously formatted DNS message can cause the server to read
from invalid memory locations, yielding garbage record data or crashing the
server. Many DNS utilities that process DNS messages (e.g., dig, nslookup) also
fail to do proper bounds checking.
2.B. Determining if your system is vulnerable
Any system running BIND 4.9 prior to 4.9.7 or BIND 8 prior to 8.1.2 is
vulnerable.
2.C. What To Do
There are no workarounds for these problems.
BIND 8
Upgrade to BIND 8.1.2 now that it is available.
BIND 4.9
Upgrade to BIND 4.9.7 now that it is available.
Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases
3.A. Description
Assume that the following self-referential resource record is in the cache on a
name server:
foo.example. IN CNAME foo.example.
The actual domain name used does not matter; the important thing is that the
target of the CNAME is the same name. The record could be in the cache either
because the server was authoritative for it or because the server is recursive
and someone asked for it. Once this record is in the cache, issuing a zone
transfer request using its name (e.g., "dig @my_nameserver foo.example. axfr")
will cause the server to abort().
Most sites will not contain such a record in their configuration files. However,
it is possible for an attacker to engineer such a record into the cache of a
vulnerable nameserver and thus cause a denial of service.
3.B. Determining if your system is vulnerable
If the BIND 8 server is not recursive and does not fetch glue, then the problem
can be exploited only if the self-referential resource record is in a zone for
which the server is authoritative.
If the global zone transfer ACL in the options block has been set to deny access
and has no self-referential CNAMEs in its authoritative zones, then the server
is not vulnerable.
Otherwise, the server is vulnerable. The nameserver is recursive by default,
fetches glue by default, and the default global transfer ACL allows all hosts;
so many BIND 8 servers will be vulnerable to this problem.
(Note: the in.named(8) man page mentions that sending a SIGINT to the in.named
process will dump the current data base and cache to, by default,
/var/tmp/named_dump.db. Some sites may find this useful in looking for
self-referential CNAMEs. Please see the in.named(8) man page for further
details.)
3.C. What To Do
To address this problem, you can apply the workaround described below, upgrade
to BIND 8.1.2, or apply the patch provided at the end of this section. Until you
can upgrade or apply the patch, we urge you to use the workaround.
Workaround
First set the global zone transfer ACL to deny access to all hosts by adding the
following line to the "options" block:
allow-transfer { none; };
Next, explicitly authorize zone transfers for each authoritative zone. For
example, if the server was authoritative for "example", adding
allow-transfer { any; };
to the "zone" statement for "example" would allow anyone to transfer "example".
None of the domains for which the server is authoritative should have
self-referential CNAMEs.
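The checks in 3.B (the global transfer ACL, and a search of the SIGINT dump for self-referential CNAMEs) and the workaround above, as an added shell example that is not part of the CERT advisory or of BIND. global_transfer_denied reports whether the "options" block carries exactly "allow-transfer { none; };", and self_ref_cnames prints every CNAME in a master-format file whose target is its own owner, expanding $ORIGIN and relative names the way a zone file or named_dump.db uses them. The two named.conf variants and the dump are constructed samples; the function names and the parsing limits noted in the comments are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of CA-98.05 or of BIND: check the Topic 3
# workaround in a BIND 8 named.conf and scan a master-format file (a zone
# file, or the named_dump.db written on SIGINT) for self-referential
# CNAMEs. Inputs below are constructed samples; names are this example's own.

# Print the top-level "options { ... }" block, comments stripped. Brace
# depth is tracked per line, so nested blocks such as allow-transfer { }
# inside options are included and zone statements outside it are not.
options_block() {                          # $1 = named.conf
    sed -e 's,//.*$,,' -e 's,#.*$,,' "$1" |
    awk '/^[ \t]*options[ \t]*[{]/ { inblk = 1; depth = 0 }
         inblk {
             depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
             print
             if (depth <= 0) inblk = 0
         }'
}

# The workaround is in place only if the global ACL is exactly { none; }.
# No allow-transfer at all means the BIND 8 default: any host may transfer.
global_transfer_denied() {                 # $1 = named.conf
    options_block "$1" |
        grep -q 'allow-transfer[[:space:]]*{[[:space:]]*none[[:space:]]*;[[:space:]]*}'
}

# Print the owner of every CNAME whose target is itself. Handles $ORIGIN,
# "@", relative names, an inherited owner (line starting with blank) and
# optional TTL/class columns. Assumptions: numeric TTLs only, no $INCLUDE,
# no multi-line "( )" records.
self_ref_cnames() {                        # $1 = zone file or named_dump.db
    awk '
    function fqdn(n) {
        if (n == "@") return origin
        if (n ~ /\.$/) return n
        if (origin == ".") return n "."
        return n "." origin
    }
    BEGIN { origin = "." }
    { sub(/;.*$/, "") }                     # drop comments and the ;Cr= tags in dumps
    /^[ \t]*$/ { next }
    /^\$ORIGIN/ { origin = $2; if (origin !~ /\.$/) origin = origin "."; next }
    /^\$/ { next }                          # $TTL, $INCLUDE: not needed here
    {
        if ($0 ~ /^[ \t]/) { owner = last; i = 1 }
        else { owner = $1; last = owner; i = 2 }
        while (i <= NF && ($i ~ /^[0-9]+$/ || toupper($i) ~ /^(IN|CH|HS)$/)) i++
        if (i < NF && toupper($i) == "CNAME") {
            o = tolower(fqdn(owner)); t = tolower(fqdn($(i + 1)))
            if (o == t) print o
        }
    }' "$1"
}

report() {                                 # $1 = named.conf  $2 = dump or zone file
    if global_transfer_denied "$1"; then echo "OK: $1 denies zone transfers globally"
    else echo "VULNERABLE: $1 leaves the global transfer ACL open"; fi
    echo "self-referential CNAMEs in $2:"; self_ref_cnames "$2"
}

# Constructed samples: the BIND 8 default config, the 3.C workaround, and a
# dump containing two self-referential CNAMEs (one absolute, one relative).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/named.conf.default" <<'EOF'
options {
        directory "/var/named";
};
zone "example" { type master; file "example.zone"; };
EOF
cat > "$SAMPLE_DIR/named.conf.fixed" <<'EOF'
options {
        directory "/var/named";
        allow-transfer { none; };        // global ACL: deny everyone
};
zone "example" {
        type master;
        file "example.zone";
        allow-transfer { any; };         // re-enabled per zone, as in 3.C
};
EOF
cat > "$SAMPLE_DIR/named_dump.db" <<'EOF'
; constructed sample in the style of a BIND 8 named_dump.db
$ORIGIN example.
@       3600    IN      SOA     ns hostmaster 1 3600 900 604800 3600
        3600    IN      NS      ns
ns      3600    IN      A       192.0.2.1
www     3600    IN      CNAME   ns
foo     3600    IN      CNAME   foo.example.    ;Cr=auth [192.0.2.1]
bar     3600    IN      CNAME   bar             ;Cr=answer [192.0.2.9]
EOF

report "$SAMPLE_DIR/named.conf.default" "$SAMPLE_DIR/named_dump.db"
report "$SAMPLE_DIR/named.conf.fixed"   "$SAMPLE_DIR/named_dump.db"
```

On a real server, send in.named a SIGINT and point self_ref_cnames at /var/tmp/named_dump.db, or at each authoritative zone file; a hit in an authoritative zone means the server stays exposed even with the global ACL closed, because the workaround re-opens transfers for exactly those zones.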
Fixing the Problem
Upgrade to BIND 8.1.2, now that it is available, or apply the patch available
from the following URL to the BIND 8.1.1 source:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.3_BIND8.1.1_patch.txt
This file is not PGP signed. It has the following MD5 checksum:
MD5 (CA-98.05_Topic.3_BIND8.1.1_patch.txt) = 33f9dc2eaf221dd48553f490259c2a8b
Notes:
We are asking sites to retrieve the patches via FTP rather than including
them in the advisory since our experience is that some mail handling systems
translate tabs into spaces. This prevents the patch(1) program from working
properly.
We have not PGP signed the files since our experience is that some
implementations of PGP during the extraction process will strip spaces from
some lines containing whitespace only. This may prevent the patch(1) program
from working properly.
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this advisory.
We will update this appendix as we receive additional information. If you do not
see your vendor's name, the CERT/CC did not hear from that vendor. Please
contact the vendor directly.
Berkeley Software Design, Inc. (BSDI)
BSD/OS 3.0/3.1 AS SHIPPED is not vulnerable. Sites wishing to enable
fake-iquery can install mod M310-025, available at http://www.bsdi.com
BSDI will issue a 3.1 mod when a fix is available.
BSD/OS is not vulnerable, since we ship bind 4.9.
Caldera Corporation
Workaround for Topic 1:
Disable inverse queries by editing named.conf so that either there is no
"fake-iquery" entry in the "options" block, or so that the entry is "fake-iquery
no;"
Workaround for Topic 2:
A workaround is to set the global zone transfer ACL to deny access to all hosts
by adding the following line to the "options" block:
allow-transfer { none; };
Next, explicitly authorize zone transfers for each authoritative zone.
For example, if the server was authoritative for "example", adding
allow-transfer { any; };
to the "zone" statement for "example" would allow anyone to transfer "example".
None of the domains the server is authoritative for should have self-referential
CNAMEs.
Correction for both Topics:
The proper solution is to Upgrade to the bind-8.1.1-5 packages. They can be
found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/006/RPMS
The corresponding source code can be found at:
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/006/SRPMS
The MD5 checksums (from the "md5sum" command) for these packages are:
b63ace6eab6eee5cf0608c8a245b5e27 bind-8.1.1-5.i386.rpm
4123b0167f5d5769a87cd2d9542a74b4 bind-doc-8.1.1-5.i386.rpm
e1d506cbcc87d7c1de915d94d03281b1 bind-utils-8.1.1-5.i386.rpm
eec24c0f816244c4729281867fcebbab bind-8.1.1-5.src.rpm
Upgrade with the following commands:
rpm -q bind && rpm -U bind-8.1.1-5.i386.rpm
rpm -q bind-utils && rpm -U bind-utils-8.1.1-5.i386.rpm
rpm -q bind-doc && rpm -U bind-doc-8.1.1-5.i386.rpm
This and other Caldera security resources are located at:
http://www.caldera.com/tech-ref/security/
Digital Equipment Corporation
Digital is investigating this problem.
FreeBSD, Inc.
We ship with INVQ not defined. This makes us resistant against the first
vulnerability. This is true for all releases after 2.2.0 (2.1.* releases are
vulnerable but should be upgraded anyway). As we do not yet ship BIND 8, we are
also not vulnerable to the 3rd vulnerability.
We advise everyone to upgrade to BIND 4.9.7.
Hewlett-Packard Company
HP is Vulnerable. Patches in process. Watch for the release of the associated HP
Security Bulletin.
Hewlett Packard's HP-UX patches/Security Bulletins/Security patches are
available via email and/or WWW (via the browser of your choice) on HP's
Electronic Support Center (ESC).
To subscribe to automatically receive future NEW HP Security Bulletins from the
HP ESC Digest service via electronic mail, do the following: 1) From your Web
browser, access the URL:
http://us-support.external.hp.com (US,Canada,Asia-Pacific, and Latin-America)
http://europe-support.external.hp.com (Europe)
Login with your user ID and password, or register for one (remember to save the
User ID assigned to you, and your password). Once you are on the Main Menu,
Click on the Technical Knowledge Database, and it will connect to a HP Search
Technical Knowledge DB page. Near the bottom is a hyperlink to our Security
Bulletin archive. Once in the archive there is another link to our current
security patch matrix. Updated daily, this matrix is categorized by platform/OS
release, and by bulletin topic.
To subscribe to receive future Security Bulletins by email, look for the
subscription section on the Technical Knowledge Database page.
IBM Corporation
The version of bind shipped with AIX is vulnerable and the following APARs will
be available soon:
AIX 4.1.x: IX76958 (fix for Topic 1 only)
AIX 4.2.x: IX76959 (fix for Topic 1 only)
AIX 4.3.x: IX76960 (fix for Topic 1 and 3 only)
AIX 4.3.x: IX76962 (fix for Topic 1, 2, and 3. This is bind 8.1.2.)
Until the official fixes are available, a temporary patch can be found at:
ftp://aix.software.ibm.com/aix/efixes/security
File               sum          md5
====================================================================
named.415.tar.Z    64980 157    0e795380b84bf29385d2d946d10406cb
named.421.tar.Z    44963 157    15a9a006abf4a9d0a0d3210f16d619e5
named4.430.tar.Z   48236 115    8377b14f74e207707154a9677906f20a
named8.430.tar.Z   51175 160    e2db14b7055a7424078456bfbfd9bf2d
Detached PGP signatures are also available with a ".asc" extension.
IBM and AIX are registered trademarks of International Business Machines
Corporation.
Internet Software Consortium
The Internet Software Consortium has announced BIND version 8.1.2 and BIND
version 4.9.7.
If you are running BIND 8.1.1 or 8.1 you want to upgrade to 8.1.2. If you are
still running BIND-4 rather than BIND-8, you need the security patches contained
in 4.9.7. But, you should really just run BIND-8.
The security fixes included in these releases fix a stack overrun that could
occur if inverse query support was enabled, and a number of denial of service
attacks where malformed packets could cause the server to crash.
Links to the kits are available at: http://www.isc.org/new-bind.html.
NEC Corporation
Topic1 - Some systems are vulnerable. Patches will be available soon, especially
for UX/4800 R11.x and R13.x.
Topic2 - Some systems are vulnerable. Patches will be available soon after the
release of bind-4.9.7, especially for UX/4800 R11.x and R13.x.
Topic3 - We do not ship BIND 8 with our products so we are not vulnerable to
this problem.
Patches will be available from ftp://ftp.meshnet.or.jp/pub/48pub/security.
The NetBSD Project
The first problem can be fixed in NetBSD 1.3, 1.3.1, and -current prior to
19980408 with the supplied BIND 4.9.6 patch. A patch will be made available for
the second problem shortly (alternatively, upgrading to BIND 4.9.7 or 8.1.2 when
available will also solve this problem.) NetBSD is not affected by the third
problem.
Red Hat Software, Inc.
Red Hat fixes will be available at:
Red Hat 5.0
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/bind-4.9.6-7.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/bind-4.9.6-7.alpha.rpm
Red Hat 4.2
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/bind-4.9.6-1.1.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/bind-4.9.6-1.1.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/bind-4.9.6-1.1.sparc.rpm
The Santa Cruz Operation, Inc.
The following SCO products are vulnerable:
SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4
SCO OpenServer 5.0 (also SCO Internet FastStart)
SCO UnixWare 2.1
SCO UnixWare 7
SCO CMW+ 3.0 is not vulnerable as BIND/named is not supported on CMW+ platforms.
Binary versions of BIND 4.9.7 will be available shortly from the SCO ftp site:
cover letter - ftp://ftp.sco.com/SSE/sse012.ltr
replacement binaries - ftp://ftp.sco.com/SSE/sse012.tar.Z
The fix includes binaries for the following SCO operating systems:
SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4
SCO OpenServer 5.0
SCO UnixWare 2.1
SCO UnixWare 7
For the latest security bulletins and patches for SCO products, please refer to
http://www.sco.com/security/ .
Silicon Graphics, Inc.
At this time, Silicon Graphics does not have any public information for the DNS
issue. Silicon Graphics is in communication with CERT and other external parties
and is actively investigating this issue. Additional information, is expected
shortly.
When more Silicon Graphics information (including patch information) is
available for release, that information will be released via the SGI security
mailing list, wiretap.
For subscribing to the wiretap mailing list and other SGI security related
information, please refer to the Silicon Graphics Security Headquarters website
located at:
http://www.sgi.com/Support/security
Sun Microsystems, Inc.
Topic 1: Patches will be produced for Solaris 5.3, 5.4, 5.5, 5.5.1 and 5.6.
Topic 2: Patches will be produced for Solaris 5.3, 5.4, 5.5, 5.5.1 and 5.6.
Topic 3: Bug fix will be integrated in the upcoming release of Solaris.
The CERT Coordination Center thanks Bob Halley and Paul Vixie of Vixie
Enterprises, who provided most of the text of this advisory.
Reminder:
The Internet Software Consortium will announce new publicly available versions
of BIND on the BIND WWW page (http://www.isc.org/bind.html) and on the USENET
newsgroup comp.protocols.dns.bind.
Revision History
May 21, 1998 Updates were made to the following portions of this advisory:
III. Solutions
Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
1.C. What To Do
Fixing the Inverse Query Code, Bind 8 and Bind 4.9
Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
2.C. What To Do
Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases
3.C. What To Do
Fixing the Problem
Appendix A - Updated vendor information for Internet Software Consortium
Apr. 16, 1998 Appendix A - Updated vendor information for Caldera
Corporation.
- -----------------------------------------------------------------------------
[ End CERT Advisory ]
[ Start Hewlett-Packard Advisory ]
Document ID: HPSBUX9808-083
Date Loaded: 19980819
Title: Security Vulnerability in BIND on HP-UX
-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD SECURITY BULLETIN: #00083, 19 August 1998
Last Revised: 20 August 1998
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM: Security vulnerability in the BIND executable
PLATFORM: HP9000 Series 700/800 running HP-UX releases 9.X, 10.X & 11.00.
DAMAGE: May allow remote users to gain root access or to disrupt
normal operation on the name server.
SOLUTION: Install patches (below) which upgrade BIND to version 4.9.7.
AVAILABILITY: All patches are available now, except as noted.
CHANGE SUMMARY: Added patch for HP-UX release 10.16.
-------------------------------------------------------------------------
I.
A. Background
The CERT Advisory CA-98.05 discusses two vulnerabilities which
affect HP-UX. Detailed descriptions of each problem and its
solutions are included in the advisory, available from:
www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems
B. Fixing the problem
The problems can be fixed by installing the necessary patch.
**REVISED 01**
HP-UX release 9.0, 9.01, 9.03, 9.04, 9.05, & 9.07: PHNE_13187
HP-UX release 10.00, 10.01, 10.10 and 10.20: PHNE_14617
--->>> HP-UX release 10.16: *PHNE_16232
HP-UX release 10.24: **PHNE_16204
HP-UX release 11.00: PHNE_12957
NOTE: ** Patch for VVOS (10.24) is expected to be available
after 26 Aug. 98
--->>> * Patch for CMW (10.16) is expected to be available
--->>> after 26 Aug. 98
C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP Electronic Support Center via electronic
mail, do the following:
Use your browser to get to the HP Electronic Support Center page
at:
http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)
http://europe-support.external.hp.com (for Europe)
Login with your user ID and password (or register for one).
Remember to save the User ID assigned to you, and your password.
Once you are in the Main Menu:
To -subscribe- to future HP Security Bulletins,
click on "Support Information Digests".
To -review- bulletins already released from the main Menu,
click on the "Technical Knowledge Database (Security Bulletins
only)".
Near the bottom of the next page, click on "Browse the HP Security
Bulletin Archive".
Once in the archive there is another link to our current Security
Patch Matrix. Updated daily, this matrix categorizes security
patches by platform/OS release, and by bulletin topic.
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin
is not edited or changed in any way, is attributed to HP, and
provided such reproduction and/or distribution is performed for
non-commercial purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9808-083--------------------------------------
[ End Hewlett-Packard Advisory ]
[ Start Sun Microsystems Advisory ]
________________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin
Bulletin Number: #00180
Date: December 17, 1998
Cross-Ref: CERT Advisory CA-98.05
Title: BIND
________________________________________________________________________________
The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the information
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of applicable law,
void, or unenforceable in any jurisdiction, then such provisions are waived
to the extent necessary for this disclaimer to be otherwise enforceable in
such jurisdiction.
________________________________________________________________________________
1. Background
The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS).
CERT Advisory CA-98.05 describes three vulnerabilities in certain
versions of BIND. The first vulnerability, Inverse Query Buffer Overrun,
can be exploited by a remote attacker to gain root access to a DNS
name server. The second vulnerability, Denial-of-Service Vulnerabilities,
is concerned with buffer overflows that can be exploited to corrupt
DNS record data or crash the DNS server. SunOS(tm) and Solaris(tm) are
not vulnerable to the third vulnerability described in the CERT advisory.
For more information about the vulnerabilities, please see the
CERT advisory at:
http://www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems
A vulnerability has also been discovered in SunOS and Solaris's
implementation of BIND with their use of temporary files. This vulnerability
can be exploited to overwrite arbitrary files.
2. Affected Supported Versions
Solaris(tm) versions: 2.6, 2.6_x86, 2.5.1, 2.5.1_x86, 2.5, 2.5_x86,
2.4, 2.4_x86 and 2.3
SunOS(tm) versions: 4.1.4 and 4.1.3_U1
3. Recommendations
Sun recommends that you install the respective patches immediately on
vulnerable systems including both DNS clients and servers.
Operating System      Patch ID
_________________     _________
Solaris 2.6           105755-07
Solaris 2.6_x86       105756-07
Solaris 2.5.1         103663-15
Solaris 2.5.1_x86     103664-15
Solaris 2.5           103667-11
Solaris 2.5_x86       103668-11
Solaris 2.4           102479-13
Solaris 2.4_x86       102480-11
Solaris 2.3           101359-10
SunOS 4.1.4           106866-02
SunOS 4.1.3_U1        106865-02
_______________________________________________________________________________
APPENDICES
A. Patches listed in this bulletin are available to all Sun customers via
World Wide Web at:
<URL:http://sunsolve.sun.com/sunsolve/pubpatches/patches.html>
B. Checksums for the patches listed in this bulletin are available via
World Wide Web at:
<URL:http://sunsolve.sun.com/sunsolve/pubpatches/patches.html>
C. Sun security bulletins are available via World Wide Web at:
<URL:http://sunsolve.sun.com/sunsolve/secbulletins>
D. Sun Security Coordination Team's PGP key is available via World Wide Web
at:
<URL:http://sunsolve.sun.com/sunsolve/secbulletins/SunSCkey.txt>
E. To report or inquire about a security problem with Sun software, contact
one or more of the following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:
security-alert@sun.com
F. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:
security-alert@sun.com
with a subject line (not body) containing one of the following commands:
Command Information Returned/Action Taken
_______ _________________________________
help An explanation of how to get information
key Sun Security Coordination Team's PGP key
list A list of current security topics
query [topic] The email is treated as an inquiry and is forwarded to
the Security Coordination Team
report [topic] The email is treated as a security report and is
forwarded to the Security Coordination Team. Please
encrypt sensitive mail using Sun Security Coordination
Team's PGP key
send topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):
send #138
subscribe Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):
subscribe cws your-email-address
Note that your-email-address should be substituted
by your email address.
unsubscribe Sender is removed from the CWS mailing list.
________________________________________________________________________________
Copyright 1998 Sun Microsystems, Inc. All rights reserved. Sun,
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to
Sun Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.
[ End Sun Microsystems Advisory ]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of CERT and Hewlett-Packard for
the information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
I-034: Internet Cookies
I-035: SGI Vulnerabilities (startmidi/stopmidi, datman/cdman, cdplayer)
I-036: FreeBSD Denial-of Service LAND Attacks
I-037: FreeBSD mmap Vulnerability
I-038: Ascend Routing Hardware Vulnerabilities
I-039: HP-UX inetd Vulnerability
I-040: SGI Netscape Navigator Vulnerabilities
I-041: Performer API Search Tool 2.2 pfdispaly.cgi Vulnerability
I-042: SGI IRIX lp(1) Security Vulnerability
I-043: SGI IRIX mailcap Vulnerability