OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NetBSD Security Officer (security-officerNETBSD.ORG)
Date: Sat Feb 10 2001 - 21:22:35 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

                     NetBSD Security Advisory 2001-001
                     =================================

    Topic: Multiple BIND vulnerabilities
    Version: All release versions of NetBSD, and NetBSD-current
    Severity: Remote root execution of commands is possible
    Fixed: NetBSD-current: January 27, 2001
                    NetBSD 1.5 branch: January 28, 2001
                    NetBSD 1.4 branch: January 28, 2001

    Abstract
    ========

    Several security problems were recently found in the ISC BIND
    software, used in NetBSD (and many other systems) to provide Domain
    Name System (DNS) services.

    At least one of these vulnerabilities included the possibility of a
    remote root exploit through execution of arbitrary code in an
    overflowed buffer.

    All systems running DNS servers should remove the vulnerabilities by
    updating to a current version of ISC bind by following one of several
    recommended procedures.

    Technical Details
    =================

    Technical details of the vulnerabilities are publicised in CERT
    Advisory CA-2001-02, and by the ISC at:

       http://www.isc.org/products/BIND/bind-security.html

    This information is not duplicated here. The purpose of this
    advisory is to clarify the vulnerability and appropriate remedial
    action for users of affected versions of NetBSD.

    CERT identified four separate vulnerabilities present in various
    versions of BIND. The version of BIND included with different NetBSD
    releases varies, therefore the vulnerability of those NetBSD releases
    also varies, as summarised here:

      CERT# Descr. BIND NetBSD versions vulnerable
      --------------------------------------------------------------------
      196945 Trans. Sig. buffer o/f 8 1.4.x, 1.5, current
      572183 nslookupComplain buff. o/f 4 <1.4 only
      868916 nslookupComplain input val. 4 <1.4 only
      325431 Env. variable disclosure 4,8 <1.4, 1.4.x, 1.5, current

    Note that although not all vulnerabilities apply to all systems, the
    most serious vulnerability (196945) applies to all recent releases and
    NetBSD-current, and all versions have some vulnerability.

    Users of versions prior to NetBSD 1.4 should see the special note, below.

    Solutions and Workarounds
    =========================

    All systems with BIND in use should be fixed; this is all systems
    offering DNS services through named(8).

    Systems are vulnerable if the version reported by "/usr/sbin/named -v"
    is less than 8.2.3, and named is running.

    There are several ways that systems administrators may update their
    versions of BIND. Each of these mechanisms is described in more detail
    in the following subsections.

      * System upgrade via source
      * Replace the system BIND with one from the NetBSD Packages collection.

     Updating via source:
     --------------------

        Users may update their system source, from the appropriate release
        branch or NetBSD-current, and rebuild BIND (as well as other parts
        of the system).

        This method is recommended for users of NetBSD-current and
        technically literate users of the most recent releases on each
        branch (1.4.3 or 1.5).

        Note that the NetBSD release branches contain accumulated changes
        and bugfixes since the most recent release; these changes are
        intended to improve the system, but have not yet been through the
        complete release engineering cycle. Users who wish to remain at a
        formal release should use the pkgsrc method instead.

        System sources can be updated via anonymous CVS, SUP, or via
        download of source tarfiles from the appropriate branch,
        collection or directory:

        Release CVS branch SUP collection FTP directory
        -------------------------------------------------------------------
        1.4 netbsd-1-4 release-1-4 /pub/NetBSD/NetBSD-release-1-4
        1.5 netbsd-1-5 release-1-5 /pub/NetBSD/NetBSD-release-1-4
        current HEAD current /pub/NetBSD/NetBSD-current

        Systems running NetBSD-current dated from before 2001-01-28 should
        be upgraded to NetBSD-current dated 2001-01-28 or later. For
        NetBSD-current, see /usr/src/UPDATING for additional instructions,
        as additional dependencies may need to be rebuilt before BIND.

        Systems running either NetBSD-release* branch dated from before
        2001-01-29 should be upgraded to 2001-01-29 or later.

        It is recommended that users tracking inter-release sources do a
        full system update. Once sources and dependencies have been taken
        care of, the following will rebuild *just* BIND:

          # cd /usr/src/usr.sbin/bin
          # make depend
          # make
          # make install

     Updating via pkgsrc:
     --------------------

        For many users looking for a quick and specific update, the NetBSD
        packages collection provides a simple mechanism to install a
        current version of BIND directly from the ISC distribution, to
        replace the system version.

        This technique is applicable to ALL systems, and is recommended
        for urgent fixes. It may be used as a temporary measure even by
        those intending to follow up with a full system upgrade.

        1) First, make sure you have an up-to-date pkgsrc collection (at
           least as recent as 2001-01-28). This can be obtained via
           anonymous CVS, SUP or FTP from the project servers or mirrors.

        2) Change to the appropriate subdirectory:

           # cd /usr/pkgsrc/net/bind8

        3) Ensure that the pkgsrc version is 8.2.3 or newer:

           # grep PKGNAME Makefile
           PKGNAME= bind-8.2.3

        4) Build and install the package. This will download the sources
           automatically. (If prompted to update the pkg tools first, do
           so according to the instructions presented, then return to the
           bind8 directory and resume here).

           # make install

        5) Now you have an up-to-date version of BIND installed in
           /usr/pkg/. Next, it is necessary to disable the system named,
           and replace it with a link to the new one:

           # cd /usr/sbin
           # mv named named.OFF
           # ln -s /usr/pkg/sbin/named .
           # mv ndc ndc.OFF
           # ln -s /usr/pkg/sbin/ndc .

        6) Next, place a link to the name server configuration file into
           /usr/pkg/etc/named.conf, where the pkgsrc named(8) expects to
           find it:

           # cd /usr/pkg/etc
           # ln -sf /etc/namedb/named.conf .

           (If you keep your named.conf file somewhere other than
           /etc/namedb, adjust the command above accordingly.)

        7) Then kill the running named, and restart from the new one:

           # kill <pid>
           # /usr/pkg/sbin/ndc start

        Pre-compiled binary packages of net/bind8 have been prepared for
        some architectures and NetBSD versions. These can be found under

          ftp://ftp.netbsd.org/pub/NetBSD/packages

        You may wish to use one of these instead of having the pkgsrc
        system compile for you. Download the appropriate file for your
        system if available, and use:

           # pkg_add bind-8.2.3.tgz

        to install the pre-built package. Then follow the steps from 5
        above to disable the system named and enable the new one.

     NOTE FOR SYSTEMS PRIOR TO NetBSD 1.4:
     -------------------------------------

        Systems running releases older than NetBSD 1.4 should be upgraded
        to a supported NetBSD version.

        These releases shipped a version of BIND based on BIND4. Systems
        administrators need to be aware of several configuration mechanism
        changes between BIND4 and BIND8, details can be found at the ISC
        website. BIND8 ships with a script called named-bootconf which
        will assist part of the process.

        The pkgsrc method is expected to work for these systems. It has
        been done successfully in a number of instances, but it has not
        been tested in all cases. It may very well necessitate updating of
        the pkgtools/pkg_install package prior to updating bind, if these
        systems have not had active pkgsrc installations recently.

        The use of BIND4 is no longer encouraged by NetBSD or the ISC;
        nevertheless the current ISC version of BIND4 is available in
        pkgsrc/net/bind4, to provide system adminstrators the option of
        patching the vulnerability quickly and then planning an upgrade to
        BIND8.

    Thanks To
    =========

    Thanks go to Jun-Ichiro Hagino for prompt attention to incorporating
    the BIND upgrade, and to Havard Eidnes for providing the pull-ups to
    the release branches.

    Revision History
    ================

            2001/02/10 - Initial Release

    More Information
    ================

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

    Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.

    $NetBSD: NetBSD-SA2001-001.txt,v 1.5 2001/02/10 22:28:27 dan Exp $

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv

    iQCVAwUBOoXAlD5Ru2/4N2IFAQHV+QP/S8iHeMlaKDw+Yue0cFnKpW9XhWoLZF/T
    2pRqWt2jJhwqrf3T1MsMFbfsTXkthCyDyaTy5BmJEQl9dFoiuHXJPmIyRizibfoC
    dqfQ1AJceEWndfnyTzjgghZFy4gbBoj1FOAhQZsm9bWCkWqJM/ZWmUH2N82xtknz
    ZZwTvtSftXw=
    =yQnU
    -----END PGP SIGNATURE-----