DNS Vulnerabilities

Updated 12/3/02
CAN 2002-0400
CAN 2002-1219
CAN 2002-1220
CAN 2002-1221

Impact

This document will cover several BIND vulnerabilities that malicious users can exploit to gain unauthorized, privileged access to target machines, disrupt service on target machines, or launch DNS spoofing attacks.


Background

The Berkeley Internet Name Daemon (BIND) is an implementation of the Domain Name Service (DNS) written primarily for UNIX Systems. BIND consists of three parts:

The Problems


Cached SIG Resource Record Buffer Overflow

11/12/02
CAN 2002-1219
A flaw in the formation of DNS responses containing cached SIG resource records could allow a remote attacker to execute commands on the server. In order for this vulnerability to be exploited, the attacker must be able to cause the victim server to cache DNS information, which requires the attacker to have control of an authoritative DNS server and the victim server to have recursion enabled. BIND versions 4.9.5 through 4.9.10, 8.1, 8.2 through 8.2.6, and 8.3.0 through 8.3.3 are affected by this vulnerability. BIND 9 is not affected.


Large OPT Payload Denial of Service

11/12/02
CAN 2002-1220
By requesting a DNS lookup on a nonexistent sub-domain of a valid domain and attaching an OPT resource record with a large UDP payload, a remote attacker could cause recursive BIND servers to crash. BIND 8.3.0 through 8.3.3 are affected by this vulnerability.


Invalid SIG Expiry Time Denial of Service

11/12/02
CAN 2002-1221
By creating cached SIG resource records with invalid expiry times which are then deleted from the internal database, an attacker could cause BIND to dereference a null pointer, thus causing BIND to crash. In order to exploit this vulnerability, an attacker would need prior control of an authoritative name server, and BIND would need to have recursion enabled. BIND 8.2 through 8.2.6 and 8.3.0 through 8.3.3 are affected by this vulnerability.


DNS Spoofing Through Multiple Simultaneous Requests

12/3/02
BIND 4 and BIND 8 allow multiple simultaneous requests. If a client sends many simultaneous resolution requests for the same domain name, BIND will send a query to that domain's name server for each of the simultaneous requests, with a unique identifier for each query. By successfully guessing any one of these identifiers, an attacker could create a fake response which would be accepted by BIND, thus injecting spoofed DNS entries into the cache. An attacker could increase his or her odds of a successful attack by increasing the number of simultaneous requests.

DNS spoofing could allow an attacker to launch various types of attacks on other hosts which rely on the vulnerable DNS server, such as impersonation of legitimate web servers, and unauthorized access by exploitation of hostname-based trust relationships.

BIND 4 through 4.9.11, 8.0 through 8.2.7, and 8.3 through 8.3.4 are affected by this vulnerability.
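To quantify the exposure the previous paragraphs describe, here is an added example (not part of the original page) that computes exactly how the chance of a single forged response matching one of the outstanding query IDs grows with the number of simultaneous queries BIND 4/8 keeps in flight for the same name. It assumes 16-bit transaction IDs drawn without repetition and distinct guessed IDs; the sample counts (1 versus 200 outstanding queries, 500 forged responses) are constructed for illustration.

```python
import math
from fractions import Fraction

ID_SPACE = 1 << 16   # 16-bit DNS transaction ID space


def p_spoof_success(outstanding, spoofed, id_space=ID_SPACE):
    """Exact probability that at least one of `spoofed` distinct guessed IDs
    equals one of `outstanding` distinct IDs in flight for the same name.

    By symmetry, P(no hit) = C(id_space - spoofed, outstanding) / C(id_space, outstanding):
    the in-flight IDs must all fall among the IDs that were not guessed.
    """
    if outstanding <= 0 or spoofed <= 0:
        return Fraction(0)
    if spoofed >= id_space:
        return Fraction(1)          # every ID guessed: certain hit
    no_hit = Fraction(math.comb(id_space - spoofed, outstanding),
                      math.comb(id_space, outstanding))
    return 1 - no_hit


def spoofed_needed(outstanding, target=Fraction(1, 2), id_space=ID_SPACE):
    """Smallest number of distinct forged responses for which P(hit) >= target."""
    k = 0
    while p_spoof_success(outstanding, k, id_space) < target:
        k += 1
    return k


def exposure_table(outstanding_counts=(1, 10, 200), spoofed=500):
    """Rows of (outstanding, P(hit) with `spoofed` forged responses,
    forged responses needed for a 50% chance), for a risk write-up."""
    return [(n, float(p_spoof_success(n, spoofed)), spoofed_needed(n))
            for n in outstanding_counts]


if __name__ == "__main__":
    for n, p, need in exposure_table():
        print(f"{n:>4} outstanding: P(hit | 500 forged) = {p:.4f}, "
              f"forged needed for 50% = {need}")
```

With a single outstanding query the forged traffic needed for even odds is half the ID space; with a couple of hundred outstanding queries it drops to a few hundred packets, which is the amplification the paragraph above warns about.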


Buffer Overflow in Transaction Signature Code

CVE 2001-0010

BIND 8.2 through BIND 8.2.2 (all patch levels) jump to an error-handling routine when an invalid transaction signature is detected. That routine initializes variables differently from the normal code path, so that when a valid signature is subsequently processed a buffer overflow condition is created. Combined with other buffer overflow exploitation techniques, this condition could allow an attacker to gain unauthorized access to the system.

Note: 8.2.3 beta versions are also vulnerable.


Buffer Overflow in nslookupComplain

CVE 2001-0011
CVE 2001-0013

BIND 4.9 through BIND 4.9.7 use a fixed-length buffer to build error messages to send to syslog. An attacker could overflow this buffer by sending a specially crafted DNS query, allowing arbitrary code to be executed.


Information Leak

CVE 2001-0012

By sending a specially crafted DNS query to the server, a remote attacker could access the program stack, thus gaining knowledge of program variables. BIND 4 through BIND 4.9.7 and BIND 8 through BIND 8.2.2 (all patch levels) are affected by this vulnerability.


Improper Handling of NXT Records

CVE 1999-0833

BIND 8.2 and BIND 8.2.1 fail to properly validate NXT records. An attacker could exploit this problem and gain access to the name server by causing a buffer to overflow. BIND 4.9 and BIND 8 prior to BIND 8.2 are not vulnerable to this problem but have other problems (see below).


Cache Poisoning

CVE 1999-0024

Cache poisoning occurs when malicious or misleading data received from a remote name server is saved (cached) by another name server. This "bad" data is then made available to programs that request the cached data through the client interface. Cache poisoning is being used to adversely affect the mapping between host names and IP addresses. Once this mapping has been changed, any information sent between hosts on a network may be subjected to inspection, capture, or corruption.


Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases

CVE 1999-0009

BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to BIND 8.1.2 do not properly bounds check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream might allow a remote intruder to gain root level access on a name server or disrupt the normal operations of the name server.

The inverse query feature is disabled by default, so only systems that have been explicitly configured to allow it are vulnerable. To determine if a system is vulnerable:


Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases

CVE 1999-0010
CVE 1999-0011
CVE 1999-0835
CVE 1999-0837
CVE 1999-0848
CVE 1999-0849
CVE 1999-0851
CVE 2000-0887
CVE 2000-0888

BIND 8 releases prior to BIND 8.2.2-P7 and all BIND 4.9 releases have a variety of problems which could allow an improperly or maliciously formatted DNS message to crash the server or yield garbage record data. Many DNS utilities that process DNS messages (e.g., dig, nslookup) also fail to do proper bounds checking. Any system running BIND 4.9 or BIND 8 prior to BIND 8.2.2-P7 is vulnerable.


Denial-of-Service Vulnerability in BIND 8 Releases

CVE 1999-0011

Assume that the following self-referential resource record is in the cache on a name server:

	foo.example.	IN	CNAME	foo.example.

The actual domain name used does not matter; the important thing is that the target of the CNAME is the same name as its owner. The record could be in the cache either because the server is authoritative for it or because the server is recursive and someone asked for it. Once this record is in the cache, issuing a zone transfer request using its name (e.g., "dig @my_nameserver foo.example. axfr") will cause the server to abort(). Most sites will not have such a record in their configuration files. However, it is possible for an attacker to engineer such a record into the cache of a vulnerable name server and thus cause a denial of service.

If the BIND 8 server is not recursive and does not fetch glue, then the problem can be exploited only if the self-referential resource record is in a zone for which the server is authoritative. If the global zone transfer ACL in the options block has been set to deny access and the server has no self-referential CNAMEs in its authoritative zones, then the server is not vulnerable. Otherwise, the server is probably vulnerable to this attack. The name server is recursive by default, fetches glue by default, and the default global transfer ACL allows all hosts, so many BIND 8 servers will be vulnerable to this problem.
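The paragraph above makes the absence of self-referential CNAMEs in authoritative zones one of the two conditions for not being vulnerable. The following added example (written for this page, not taken from CERT or ISC) scans a zone file for CNAME records whose target resolves to their own owner name. It assumes a simplified master-file syntax: one record per line, optional TTL and class tokens, `@` and relative names expanded against the current `$ORIGIN`, and no `$INCLUDE` or parenthesised multi-line records. The zone data is constructed for illustration.

```python
# Constructed sample zone (not from the page): one ordinary CNAME, one
# self-referential CNAME with a relative owner, and one with absolute names.
SAMPLE_ZONE = """\
$ORIGIN example.
@       3600 IN SOA   ns1 hostmaster 2002120301 3600 900 604800 86400
www          IN CNAME web        ; fine: points elsewhere
web          IN A     192.0.2.10
loop         IN CNAME loop       ; self-referential (relative form)
foo.example. IN CNAME foo.example.
"""

CLASSES = {"IN", "CH", "HS"}


def qualify(name, origin):
    """Turn a zone-file name into a lower-cased absolute FQDN."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def find_self_referential_cnames(zone_text, origin="."):
    """Return owner names of CNAME records whose target equals the owner.
    Such a record in an authoritative zone is the precondition for the
    BIND 8 zone-transfer abort() described above."""
    hits, last_owner = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if line[0].isspace():                       # owner carried from previous record
            owner = last_owner
        else:
            owner, fields = qualify(fields[0], origin), fields[1:]
        last_owner = owner
        # skip optional TTL and class so fields[0] is the record type
        fields = [f for f in fields if not f.isdigit() and f.upper() not in CLASSES]
        if len(fields) >= 2 and fields[0].upper() == "CNAME":
            if qualify(fields[1], origin) == owner:
                hits.append(owner)
    return hits
```

Run it over every zone named in the server's `zone` statements; any name it reports should be removed (or the zone transfer ACL tightened) before relying on the "not vulnerable" condition above.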


Denial of Service in BIND 9

6/5/02
CAN 2002-0400
BIND 9 versions prior to BIND 9.2.1 have a vulnerability that allows remote attackers to shut down BIND servers. An attacker can cause the shutdown by sending a specific DNS packet designed to create an improperly handled error condition. Because the error condition is correctly detected but not handled properly, this vulnerability will not allow an intruder to execute arbitrary code or write data to arbitrary locations in memory. The error condition that triggers the shutdown occurs when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL as expected. The condition causes the code to fail an assertion, log an error message, and call abort() to shut down the BIND server.

For more information about this vulnerability, see CERT Advisory 2002-15.

Resolution

Upgrade to BIND 9.2.1 or higher. The latest version of BIND is available from the Internet Software Consortium.

Where can I read more about this?

Details on the vulnerabilities described above can be found on the BIND Vulnerabilities page, VulnWatch, and CERT Advisories 1997-22, 1998-05, 1999-14, 2000-20, 2001-02, 2002-15, and 2002-31. You may also wish to read CERT Summaries 98.05 and 98.04, which detail other DNS vulnerabilities of which you should be aware.

For general information on securing DNS servers, see CERT's document, Securing an Internet Name Server.