From: AIX Service Mail Server (aixservaustin.ibm.com)
Date: Thu Feb 08 2001 - 13:02:51 CST

    This file contains summary information on AIX security alerts published
    by the Computer Emergency Response Team (CERT), and the IBM Emergency
    Response Team (ERS). The full text of these alerts can be obtained from
    this mail server by requesting the 'CERT' and 'ERS' files. This
    information (and more) is available from CERT and ERS directly on the
    world-wide web at the following URLs:

      CERT: http://www.cert.org/

       ERS: http://www.ers.ibm.com/

    In order to keep the size of this file reasonable, it contains only
    advisories for the current year. You can obtain a list of previous
    advisories either from the above URLs, or by requesting one of the
    "Security_YYYY" documents from this mail server.

    The fixes mentioned in this document, when available, will be available
    from FixDist. Information on obtaining and using FixDist is available
    by requesting the 'FixDist' document from this mail server, or at the
    following URL on the world-wide web:

      http://techsupport.services.ibm.com/rs6k/fixes.html

    The 'Security_APARs' document on this mail server contains a list of
    security related APARs.
    ===============================================================================
    CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND

    Last revised: February 7, 2001

    Systems Affected

       Domain Name System (DNS) Servers running various versions of ISC BIND
       (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is
       not affected) and derivatives. Because the normal operation of most
       services on the Internet depends on the proper operation of DNS
       servers, other services could be impacted if these vulnerabilities are
       exploited.
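       A defender-side check of a reported BIND version against the ranges
       listed above, added here as an example and not part of the advisory
       or of any IBM or ISC tooling. It assumes the x.y.z[-Pn] version form
       used by BIND 4 and 8, and reports branches the advisory does not
       list (for example 8.1.x) as unknown rather than safe.

```python
import re
from typing import Optional, Tuple

# Ranges stated in CA-2001-02: 4.9.x before 4.9.8 and 8.2.x before 8.2.3
# are affected; BIND 9.x is not affected.  Keyed by (major, minor).
FIXED_IN = {(4, 9): (4, 9, 8), (8, 2): (8, 2, 3)}

# major.minor[.patch][-Pn]; the -Pn patch level form is the one the
# advisory itself uses (BIND 4.9.5-P1).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-P(\d+))?")


def parse_bind_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, plevel) from a version string or a
    banner that contains one.  Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def bind_status(text: str) -> str:
    """Classify a BIND version against the CA-2001-02 affected ranges.

    Returns 'affected', 'fixed', 'not-affected' (BIND 9) or 'unknown'
    (no version found, or a branch the advisory does not list).
    """
    v = parse_bind_version(text)
    if v is None:
        return "unknown"
    major, minor, patch, _plevel = v
    if major >= 9:
        return "not-affected"
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        # e.g. 8.1.x: not named by the advisory, so do not report it safe.
        return "unknown"
    # A patch level never lifts a release to the next point version:
    # 8.2.2-P7 still sorts below the fixed release 8.2.3.
    return "affected" if (major, minor, patch) < fixed else "fixed"
```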

    Overview

       The CERT/CC has recently learned of four vulnerabilities spanning
       multiple versions of the Internet Software Consortium's (ISC) Berkeley
       Internet Name Domain (BIND) server. BIND is an implementation of the
       Domain Name System (DNS) that is maintained by the ISC. Because the
       majority of name servers in operation today run BIND, these
       vulnerabilities present a serious threat to the Internet
       infrastructure.

       Three of these vulnerabilities (VU#196945, VU#572183, and VU#868916)
       were discovered by the COVERT Labs at PGP Security, who have posted an
       advisory regarding these issues at

              http://www.pgp.com/research/covert/advisories/047.asp

       The fourth vulnerability (VU#325431) was discovered by Claudio
       Musmarra.

       The Internet Software Consortium has posted information about all four
       vulnerabilities at

              http://www.isc.org/products/BIND/bind-security.html

    I. Description

       VU#196945 - ISC BIND 8 contains buffer overflow in transaction
       signature (TSIG) handling code

       During the processing of a transaction signature (TSIG), BIND 8 checks
       for the presence of TSIGs that fail to include a valid key. If such a
       TSIG is found, BIND skips normal processing of the request and jumps
       directly to code designed to send an error response. Because the
       error-handling code initializes variables differently than in normal
       processing, it invalidates the assumptions that later function calls
       make about the size of the request buffer.

       Once these assumptions are invalidated, the code that adds a new
       (valid) signature to the responses may overflow the request buffer and
       overwrite adjacent memory on the stack or the heap. When combined with
       other buffer overflow exploitation techniques, an attacker can gain
       unauthorized privileged access to the system, allowing the execution
       of arbitrary code.

       VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

       The vulnerable buffer is a locally defined character array used to
       build an error message intended for syslog. Attackers attempting to
       exploit this vulnerability could do so by sending a specially
       formatted DNS query to affected BIND 4 servers. If properly
       constructed, this query could be used to disrupt the normal operation
       of the DNS server process, resulting in either denial of service or
       the execution of arbitrary code.

       VU#868916 - ISC BIND 4 contains input validation error in
       nslookupComplain()

       The vulnerable buffer is a locally defined character array used to
       build an error message intended for syslog. Attackers attempting to
       exploit this vulnerability could do so by sending a specially
       formatted DNS query to affected BIND 4 servers. If properly
       constructed, this query could be used to disrupt the normal operation
       of the DNS server process, resulting in the execution of arbitrary
       code.

       This vulnerability was patched by the ISC in an earlier version of
       BIND 4, most likely BIND 4.9.5-P1. However, there is strong evidence
       to suggest that some third party vendors who redistribute BIND 4 have
       not included these changes in their BIND packages. Therefore, the
       CERT/CC recommends that all users of BIND 4 or its derivatives base
       their distributions on BIND 4.9.8.

       VU#325431 - Queries to ISC BIND servers may disclose environment
       variables

       This vulnerability is an information leak in the query processing code
       of both BIND 4 and BIND 8 that allows a remote attacker to access the
       program stack, possibly exposing program and/or environment variables.
       This vulnerability is triggered by sending a specially formatted query
       to vulnerable BIND servers.

    II. Impact

       VU#196945 - ISC BIND 8 contains buffer overflow in transaction
       signature (TSIG) handling code

       This vulnerability may allow an attacker to execute code with the same
       privileges as the BIND server. Because BIND is typically run by a
       superuser account, the execution would occur with superuser
       privileges.

       VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

       This vulnerability can disrupt the proper operation of the BIND server
       and may allow an attacker to execute code with the privileges of the
       BIND server. Because BIND is typically run by a superuser account, the
       execution would occur with superuser privileges.

       VU#868916 - ISC BIND 4 contains input validation error in
       nslookupComplain()

       This vulnerability may allow an attacker to execute code with the
       privileges of the BIND server. Because BIND is typically run by a
       superuser account, the execution would occur with superuser
       privileges.

       VU#325431 - Queries to ISC BIND servers may disclose environment
       variables

       This vulnerability may allow attackers to read information from the
       program stack, possibly exposing environment variables. In addition,
       the information obtained by exploiting this vulnerability may aid in
       the development of exploits for VU#572183 and VU#868916.

    IV. Solution

       IBM has posted an emergency fix for all four of the vulnerabilities
       described in this Advisory.

       This fix can be downloaded from:

         ftp://ftp.software.ibm.com/aix/efixes/security

       The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation
       instructions and other important information are given in the README
       file that is included in the tarball.

       The official fix for the four BIND4 and BIND8 vulnerabilities will be
       in APAR IY16182.
    ===============================================================================