Message-ID: <20030910151805.A27317@caldera.com>
Date: Wed, 10 Sep 2003 15:18:05 -0700
From: security@....com
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
announce@...ts.caldera.com
Subject: [UPDATED] OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Multiple Remote Vulnerabilities in BIND
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Multiple Remote Vulnerabilities in BIND
Advisory number: CSSA-2003-SCO.17.1
Issue date: 2003 September 10
Cross reference: sr871560 fz526617 erg712158
______________________________________________________________________________
1. Problem Description
ISS X-Force has discovered several serious vulnerabilities
in the Berkeley Internet Name Domain Server (BIND). BIND
is the most common implementation of the DNS (Domain Name
Service) protocol, which is used on the vast majority of
DNS servers on the Internet. DNS is a vital Internet protocol
that maintains a database of easy-to-remember domain names
(host names) and their corresponding numerical IP addresses.
Impact: The vulnerabilities described in this advisory
affect nearly all currently deployed recursive DNS servers
on the Internet. The DNS network is considered a critical
component of Internet infrastructure. There is no information
implying that these exploits are known to the computer
underground, and there are no reports of active attacks.
If exploits for these vulnerabilities are developed and
made public, they may lead to compromise and DoS attacks
against vulnerable DNS servers. Since the vulnerability is
widespread, an Internet worm may be developed to propagate
by exploiting the flaws in BIND. Widespread attacks against
the DNS system may lead to general instability and inaccuracy
of DNS data.
Affected Versions:
  BIND SIG Cached RR Overflow Vulnerability
    BIND 8, versions up to and including 8.3.3-REL
    BIND 4, versions up to and including 4.9.10-REL
  BIND OPT DoS
    BIND 8, versions 8.3.0 up to and including 8.3.3-REL
  BIND SIG Expiry Time DoS
    BIND 8, versions up to and including 8.3.3-REL
Description:
BIND SIG Cached RR Overflow Vulnerability
A buffer overflow exists in BIND 4 and 8 that may lead to
remote compromise of vulnerable DNS servers. An attacker
who controls any authoritative DNS server may cause BIND
to cache DNS information within its internal database, if
recursion is enabled. Recursion is enabled by default unless
explicitly disabled via command line options or in the BIND
configuration file. Attackers must either create their own
name server that is authoritative for any domain, or
compromise any other authoritative server with the same
criteria. Cached information is retrieved when requested
by a DNS client. There is a flaw in the formation of DNS
responses containing SIG resource records (RR) that can
lead to buffer overflow and execution of arbitrary code.
BIND OPT DoS
Recursive BIND 8 servers can be caused to abruptly terminate
due to an assertion failure. A client requesting a DNS lookup
on a nonexistent sub-domain of a valid domain name may cause
BIND 8 to terminate by attaching an OPT resource record with
a large UDP payload size. This DoS may also be triggered for
queries on domains whose authoritative DNS servers are
unreachable.
BIND SIG Expiry Time DoS
Recursive BIND 8 servers can be caused to abruptly
terminate due to a null pointer dereference. An attacker
who controls any authoritative name server may cause
vulnerable BIND 8 servers to attempt to cache SIG RR elements
with invalid expiry times. These are removed from the BIND
internal database, but later improperly referenced, leading
to a DoS condition.
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are
candidates for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.
  CAN-2002-1219 BIND SIG Cached RR Overflow Vulnerability
  CAN-2002-1220 BIND OPT DoS
  CAN-2002-1221 BIND SIG Expiry Time DoS
ISC BIND
http://www.isc.org/products/BIND
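
The version ranges under "Affected Versions" can be turned into a quick triage check. This is an added example, not part of the SCO advisory; the function names are hypothetical, and the input is assumed to be a bare version string such as 8.3.3-REL.

```shell
#!/bin/sh
# Added example: map a BIND version string to the issues this advisory lists.
# The ranges come from the "Affected Versions" section above.

# ver_le A B: succeeds when dotted version A <= B (numeric, three fields).
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# affected_issues VERSION: prints the applicable CAN names, one per line.
affected_issues() {
    # Drop a suffix such as -REL; only the numeric part is compared.
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    case "$v" in
        4.*)
            # BIND 4 up to and including 4.9.10: SIG cached RR overflow only.
            ver_le "$v" 4.9.10 && echo "CAN-2002-1219"
            ;;
        8.*)
            if ver_le "$v" 8.3.3; then
                echo "CAN-2002-1219"
                # The OPT DoS is listed only for 8.3.0 through 8.3.3.
                ver_le 8.3.0 "$v" && echo "CAN-2002-1220"
                echo "CAN-2002-1221"
            fi
            ;;
    esac
    return 0
}

if [ $# -gt 0 ]; then affected_issues "$1"; fi
```

A version string outside the listed ranges produces no output; that reflects only what this advisory lists and says nothing about other issues.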
2. Vulnerable Supported Versions
System              Binaries
----------------------------------------------------------------------
OpenServer 5.0.7    etc/named
                    etc/named-xfer
                    etc/dig
                    etc/host
                    etc/nsupdate
                    etc/dnsquery
                    etc/addr
OpenServer 5.0.6    etc/named
                    etc/named-xfer
                    etc/dig
                    etc/host
                    etc/nsupdate
                    etc/dnsquery
                    etc/addr
OpenServer 5.0.5    etc/named
                    etc/named-xfer
                    etc/dig
                    etc/host
                    etc/nsupdate
                    etc/dnsquery
                    etc/addr
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.7
4.1 Install Maintenance pack 1.
4.2 Location of Maintenance pack 1.
ftp://ftp.sco.com/pub/openserver5/osr507mp/
4.3 Installing Maintenance pack 1.
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
5. OpenServer 5.0.6
5.1 First install oss646b - Execution Environment Supplement
5.2 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.17
5.3 Verification
MD5 (VOL.000.000) = 9e8b7bd8eab2ec474b51add1217a945f
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.4 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
6. OpenServer 5.0.5
6.1 First install oss646b - Execution Environment Supplement
6.2 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.17
6.3 Verification
MD5 (VOL.000.000) = 9e8b7bd8eab2ec474b51add1217a945f
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
6.4 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
8. References
Specific references for this advisory:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1220
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221
http://www.isc.org/products/BIND/bind-security.html
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr871560 fz526617 erg712158.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
10. Acknowledgments
These vulnerabilities were discovered and researched by
Neel Mehta of the ISS X-Force.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
iD8DBQE/X5OnaqoBO7ipriERAluRAJ0eDTa5L/x17if4aVNDXyxBO3SJ2QCcCE/6
b6VVwa/XrxyqWUfn4Jc3MZs=
=qgGb
-----END PGP SIGNATURE-----