OSEC

From: jeremyhq.newdream.net
Date: Wed Jan 31 2001 - 19:35:49 CST


    Here's a bit from the Covert Labs announcement:

    As you can see, it specifically states that it is "not dependent upon
    configuration options".

    o Synopsis

    BIND 8 contains a buffer overflow that allows a remote attacker to
    execute arbitrary code. The overflow is in the initial processing of
    a DNS request and therefore does not require an attacker to control
    an authoritative DNS server. In addition, the vulnerability is not
    dependent upon configuration options and affects both recursive and
    non-recursive servers. This vulnerability has been designated as
    CVE candidate CAN-2001-10.

    gabriel rosenkoetter wrote:
    >
    > On Wed, Jan 31, 2001 at 02:57:59PM -0700, Somaini, Justin wrote:
    > > Not that I'm aware of. DNS is not really my strongest suite so I have to
    > > rely upon our DNS guys.
    > > I believe that there needs to be an upgrade to fix the problem.
    > >
    > > If anyone disagrees please correct me.
    >
    > I also don't know of anything to put in named.conf to make it ignore
    > TSIG queries entirely (and, anyway, wouldn't this bug be tickled in
    > the act of parsing the query before recognizing it as a TSIG and
    > tossing it?).
    >
    > Anyway, you wouldn't want to... just because a query comes in signed
    > and you don't bother paying attention doesn't mean you should drop
    > the query (maybe someone else *insists* on using their signature...
    > screwing this up would be akin to dumping every PGP-signed piece of
    > mail because your mailer doesn't know what to do with the signature).
    >
    > Really, everybody needs to upgrade (and, considering the fact that
    > BIND8 isn't being audited, but just patched as more and more of
    > these buffer overflows appear, everybody ought to upgrade to BIND9
    > now and be done with it), but if you keep named in a chroot, you're
    > a bit better off (not much an intruder can do beyond access your
    > plausibly private zones without so much as a compiler and no
    > efficient way to transfer things into the chroot from outside).
    >
    > > One thing to do is to change the version posting in the named.conf file.
    > > The scanner looking for sub 9.1 could be tricked. Actual attack failing of
    > > course.
    >
    > Hrm. One more reason we should all have version "Surely, you must be
    > joking."; in our options block...
    >
    > That's really not much help, though. The especially stupid script
    > kiddies will just try this on every named they find running, BIND or
    > otherwise. :^>
    >
    > ~ g r eclipsed.net
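The thread above notes that a TSIG-bearing query reaches the vulnerable parsing code before named can decide whether to ignore it, so upgrading is the real fix; what an operator can still do in the meantime is notice such queries arriving at servers that have not been upgraded yet. The following is an added example, not code from the original post or from BIND: a minimal Python parser that walks a DNS message and reports whether it carries a TSIG resource record (type 250, RFC 2845), suitable for auditing captured traffic. The sample queries and the key name "ops-key" are constructed for the example.

```python
import struct
TSIG_TYPE = 250  # TSIG meta-RR type (RFC 2845); sent as the last RR of the additional section

def read_name(msg, off, max_hops=16):
    """Decode a DNS name at offset, following compression pointers; returns (name, offset after the name)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                   # compression pointer
            if (hops := hops + 1) > max_hops:
                raise ValueError("pointer loop")                # bounded: a looping name must not spin the parser
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                                   # caller resumes after the first pointer
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels) or ".", end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def find_tsig(msg):
    """Return the TSIG key name if the message carries a TSIG RR, else None."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                                         # skip the question section
        _, off = read_name(msg, off)
        off += 4                                                # QTYPE + QCLASS
    for _ in range(an + ns + ar):                               # walk every resource record
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TSIG_TYPE:
            return name
    return None

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed samples: an A query for example.com, plain and with a TSIG RR under key "ops-key".
HEADER = lambda ar: struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, ar)
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
RDATA = (encode_name("hmac-md5.sig-alg.reg.int") + b"\x00" * 6 + struct.pack("!HH", 300, 16)  # alg, time, fudge, MAC size
         + b"\x00" * 16 + struct.pack("!HHH", 0x1234, 0, 0))  # MAC (zeroed), original ID, error, other len
TSIG_RR = encode_name("ops-key") + struct.pack("!HHIH", TSIG_TYPE, 255, 0, len(RDATA)) + RDATA
PLAIN_QUERY = HEADER(0) + QUESTION
SIGNED_QUERY = HEADER(1) + QUESTION + TSIG_RR
```

Running `find_tsig` over each UDP payload seen on port 53 gives a count of signed queries per source, which is the traffic worth watching until the BIND 8 hosts are upgraded.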