Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciaci044.txt

Bind Vulnerability





             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                             BIND Vulnerabilities

December 28, 1998 18:00 GMT                                      Number I-044A
______________________________________________________________________________
PROBLEM:       Three vulnerabilities have been identified in BIND.
               1) Improperly or maliciously formatted inverse query on a TCP
                  stream.
               2) Improperly or maliciously formatted DNS message.
               3) Self-referential CNAMEs.
PLATFORM:      1 & 2) BIND 4.9 releases prior to BIND 4.9.7 and BIND 8
                  releases prior to 8.1.2.
               3) BIND 8.
DAMAGE:        1) If exploited, a remote user may cause a buffer overrun or
                  gain root access.
               2 & 3) These two vulnerabilities could lead to Denial-of-
                  Service.
SOLUTION:      Apply patches or workarounds as listed below.
______________________________________________________________________________
VULNERABILITY  At the time this advisory was released, not all vendor
ASSESSMENT:    information was complete.  If your vendor's workaround or
               patches are not listed, you should check with your vendor
               directly.
______________________________________________________________________________

[ Appended on Dec 28, 1998 with additional patch information from Sun
  Microsystems, Inc. ]

[ Appended on Aug 21, 1998 with additional information from Hewlett-Packard ]

[ Updated on May 27, 1998 with additional information from CERT ]

[ Start CERT Advisory ]

=============================================================================
CERT* Advisory CA-98.05
Original issue date: April 08, 1998
Last Revised: May 21, 1998
Updates were made to the following portions of this advisory: 
 
   III. Solutions
 
   Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
        1.C. What To Do
        Fixing the Inverse Query Code, Bind 8 and Bind 4.9
 
   Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
        2.C. What To Do
 
   Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases
        3.C. What To Do
        Fixing the Problem
 
   Appendix A - Updated vendor information for Internet Software Consortium

A complete revision history is at the end of this file.



Topic: Multiple Vulnerabilities in BIND
Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases 
    Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases 
    Denial-of-Service Vulnerability in BIND 8 Releases 
    


I. Description
This advisory describes three distinct problems in BIND. Topic 1 describes a 
vulnerability that may allow a remote intruder to gain root access on your name 
server or to disrupt normal operation of your name server. Topics 2 and 3 deal 
with vulnerabilities that can allow an intruder to disrupt your name server. 
Detailed descriptions of each problem and its solutions are included in the 
individual sections on each topic. 
II. Impact 
Topic 1: A remote intruder can gain root-level access to your name server. 
Topics 2 and 3: A remote intruder is able to disrupt normal operation of your 
name server. 
III. Solution 
All three problems can be fixed by upgrading to the latest version of BIND, 
which may be available from your vendor (see Appendix A of this advisory). 
Questions about the availability of patches from your vendor should be directed 
to your vendor. 
Additionally, the Internet Software Consortium has announced new publicly 
available versions of BIND on the BIND WWW page (http://www.isc.org/bind.html) 
and on the USENET newsgroup comp.protocols.dns.bind. 
Additionally, patches are provided for Topics 1 and 3, along with steps to take 
until you can apply the patch or upgrade to the latest version of BIND. 



Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases 



1.A. Description 
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not 
properly bounds check a memory copy when responding to an inverse query request. 
An improperly or maliciously formatted inverse query on a TCP stream can crash 
the server or allow an attacker to gain root privileges. 
1.B. Determining if your system is vulnerable 
The inverse query feature is disabled by default, so only the systems that have 
been explicitly configured to allow it are vulnerable. 
BIND 8 
Look at the "options" block in the configuration file (typically 
    /etc/named.conf). If there is a "fake-iquery yes;" line, then the server is 
    vulnerable. 
    BIND 4.9
Look at the "options" lines in the configuration file (typically 
    /etc/named.boot). If there is a line containing "fake-iquery", then the 
    server is vulnerable. 
    In addition, unlike BIND 8, inverse query support can be enabled when the 
    server is compiled. Examine conf/options.h in the source. If the line 
    #defining INVQ is not commented out, then the server is vulnerable. 
    1.C. What To Do
To address this problem, you can disable inverse queries, upgrade to BIND 8.1.2 
now that it is available, or apply the patch (see below for more information on 
the patch). We urge you to disable inverse queries until you can take one of the 
other steps. 
Disabling inverse queries 
BIND 8 
Disable inverse queries by editing named.conf so that either there is no 
    "fake-iquery" entry in the "options" block or the entry is "fake-iquery no;" 
    
    BIND 4.9
Disable inverse queries by editing named.boot, removing any "fake-iquery" 
    entries on "options" lines. Look at conf/options.h in the source. If INVQ 
    has been defined, comment it out and then rebuild and reinstall the server. 
    Note: Disabling inverse query support can break ancient versions of nslookup. If 
nslookup fails, replace it with a version from any BIND 4.9 or BIND 8 
distribution. 
Fixing the Inverse Query Code 
BIND 8
Upgrade to BIND 8.1.2 now that it is available 
    (http://www.isc.org/new-bind.html) or apply the patch at this URL: 
    ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND8_patch.txt 
    
    This file is not PGP signed. It has the following MD5 checksum: 
    MD5 (CA-98.05_Topic.1_BIND8_patch.txt) = 12fc9d395ff987b1aad17a882ccd7840
    BIND 4.9
Upgrade to BIND 4.9.7 now that it is available 
    (http://www.isc.org/new-bind.html) or apply the patch at this URL: 
    ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND4.9_patch.txt 
    
    This file is not PGP signed. It has the following MD5 checksum: 
    MD5 (CA-98.05_Topic.1_BIND4.9_patch.txt) = 32da0db1c27e4d484e6fcb7901267c2f
    Notes: 
We are asking sites to retrieve the patches via FTP rather than including 
    them in the advisory since our experience is that some mail handling systems 
    translate tabs into spaces. This prevents the patch(1) program from working 
    properly. 
    We have not PGP signed the files since our experience is that some 
    implementations of PGP during the extraction process will strip spaces from 
    some lines containing whitespace only. This may prevent the patch(1) program 
    from working 
    


Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases 



2.A. Description 
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not 
properly bounds check many memory references in the server and the resolver. An 
improperly or maliciously formatted DNS message can cause the server to read 
from invalid memory locations, yielding garbage record data or crashing the 
server. Many DNS utilities that process DNS messages (e.g., dig, nslookup) also 
fail to do proper bounds checking. 
2.B. Determining if your system is vulnerable 
Any system running BIND 4.9 prior to 4.9.7 or BIND 8 prior to 8.1.2 is 
vulnerable. 
2.C. What To Do 
There are no workarounds for these problems. 
BIND 8
Upgrade to BIND 8.1.2 now that it is available. 
    BIND 4.9
Upgrade to BIND 4.9.7 now that it is available. 
    


Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases



3.A. Description 
Assume that the following self-referential resource record is in the cache on a 
name server: 
	foo.example.	IN	A	CNAME	foo.example.
The actual domain name used does not matter; the important thing is that the 
target of the CNAME is the same name. The record could be in the cache either 
because the server was authoritative for it or because the server is recursive 
and someone asked for it. Once this record is in the cache, issuing a zone 
transfer request using its name (e.g., "dig @my_nameserver foo.example. axfr") 
will cause the server to abort(). 
Most sites will not contain such a record in their configuration files. However, 
it is possible for an attacker to engineer such a record into the cache of a 
vulnerable nameserver and thus cause a denial of service. 
3.B. Determining if your system is vulnerable 
If the BIND 8 server is not recursive and does not fetch glue, then the problem 
can be exploited only if the self-referential resource record is in a zone for 
which the server is authoritative. 
If the global zone transfer ACL in the options block has been set to deny access 
and has no self-referential CNAMEs in its authoritative zones, then the server 
is not vulnerable. 
Otherwise, the server is vulnerable. The nameserver is recursive by default, 
fetches glue by default, and the default global transfer ACL allows all hosts; 
so many BIND 8 servers will be vulnerable to this problem. 
(Note: the in.named(8) man page mentions that sending a SIGINT to the in.named 
process will dump the current data base and cache to, by default, 
/var/tmp/named_dump.db. Some sites may find this useful in looking for 
self-referential CNAMEs. Please see the in.named(8) man page for further 
details.) 
3.C. What To Do 
To address this problem, you can apply the workaround described below, upgrade 
to BIND 8.1.2, or apply the patch provided at the end of this section. Until you 
can upgrade or apply the patch, we urge you to use the workaround. 
Workaround
First set the global zone transfer ACL to deny access to all hosts by adding the 
following line to the "options" block: 
           allow-transfer { none; };
Next, explicitly authorize zone transfers for each authoritative zone. For 
example, if the server was authoritative for "example", adding 
           allow-transfer { any; };
to the "zone" statement for "example" would allow anyone to transfer "example". 
None of the domains for which the server is authoritative should have 
self-referential CNAMEs. 
Fixing the Problem 
Upgrade to BIND 8.1.2, now that it is available, or apply the patch available 
from the following URL to the BIND 8.1.1 source: 
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.3_BIND8.1.1_patch.txt 

This file is not PGP signed. It has the following MD5 checksum: 
      MD5 (CA-98.05_Topic.3_BIND8.1.1_patch.txt) = 33f9dc2eaf221dd48553f490259c2a8b
Notes: 
We are asking sites to retrieve the patches via FTP rather than including 
    them in the advisory since our experience is that some mail handling systems 
    translate tabs into spaces. This prevents the patch(1) program from working 
    properly. 
    We have not PGP signed the files since our experience is that some 
    implementations of PGP during the extraction process will strip spaces from 
    some lines containing whitespace only. This may prevent the patch(1) program 
    from working properly. 
    


Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this advisory. 
We will update this appendix as we receive additional information. If you do not 
see your vendor's name, the CERT/CC did not hear from that vendor. Please 
contact the vendor directly. 
Berkeley Software Design, Inc. (BSDI) 
BSD/OS 3.0/3.1 AS SHIPPED is not vulnerable. Sites wishing to enable 
    fake-iquery can install mod M310-025, available at http://www.bsdi.com 
    BSDI will issue a 3.1 mod when a fix is available. 
    BSD/OS is not vulnerable, since we ship bind 4.9. 
    Caldera Corporation
Workaround for Topic 1: 
Disable inverse queries by editing named.conf so that either there is no 
"fake-iquery" entry in the "options" block, or so that the entry is "fake-iquery 
no;" 
Workaround for Topic 2: 
A workaround is to set the global zone transfer ACL to deny access to all hosts 
by adding the following line to the "options" block allow-transfer { none; }; 
Next, explicitly authorize zone transfers for each authoritative zone.
For example, if the server was authoritative for "example", adding 
allow-transfer { any; }; to the "zone" statement for "example" would allow 
anyone to transfer "example".
None of the domains the server is authoritative for should have self-referential 
CNAMEs.
Correction for both Topics:
The proper solution is to Upgrade to the bind-8.1.1-5 packages. They can be 
found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/006/RPMS
The corresponding source code can be found at:
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/006/SRPMS
The MD5 checksums (from the "md5sum" command) for these packages are:
b63ace6eab6eee5cf0608c8a245b5e27 bind-8.1.1-5.i386.rpm 
    4123b0167f5d5769a87cd2d9542a74b4 bind-doc-8.1.1-5.i386.rpm 
    e1d506cbcc87d7c1de915d94d03281b1 bind-utils-8.1.1-5.i386.rpm 
    eec24c0f816244c4729281867fcebbab bind-8.1.1-5.src.rpm 
    Upgrade with the following commands:
rpm -q bind && rpm -U bind-8.1.1-5.i386.rpm 
    rpm -q bind-utils && rpm -U bind-utils-8.1.1-5.i386.rpm 
    rpm -q bind-doc && rpm -U bind-doc-8.1.1-5.i386.rpm 
    This and other Caldera security resources are located at:
http://www.caldera.com/tech-ref/security/
Digital Equipment Corporation 
Digital is investigating this problem. 
FreeBSD, Inc. 
We ship with INVQ not defined. This makes us resistent against the first 
vulnerability. This is true for all release after 2.2.0 (2.1.* releases are 
vulnerable but should be upgraded anyway). As we do not yet ship BIND 8, we are 
also not vulnerable to the 3rd vulnerability. 
We advise everyone to upgrade to BIND 4.9.7. 
Hewlett-Packard Company 
HP is Vulnerable. Patches in process. Watch for the release of the associated HP 
Security Bulletin. 
Hewlett Packard's HP-UX patches/Security Bulletins/Security patches are 
available via email and/or WWW (via the browser of your choice) on HP's 
Electronic Support Center (ESC). 
To subscribe to automatically receive future NEW HP Security Bulletins from the 
HP ESC Digest service via electronic mail, do the following: 1) From your Web 
browser, access the URL: 
http://us-support.external.hp.com (US,Canada,Asia-Pacific, and Latin-America) 
http://europe-support.external.hp.com (Europe) 
Login with your user ID and password, or register for one (remember to save the 
User ID assigned to you, and your password). Once you are on the Main Menu, 
Click on the Technical Knowledge Database, and it will connect to a HP Search 
Technical Knowledge DB page. Near the bottom is a hyperlink to our Security 
Bulletin archive. Once in the archive there is another link to our current 
security patch matrix. Updated daily, this matrix is categorized by platform/OS 
release, and by bulletin topic. 
To subscribe to receive future Security Bulletins be email, look for the 
subscription section on the Technical Knowledge Database page. 
IBM Corporation 
The version of bind shipped with AIX is vulnerable and the following APARs will 
be available soon: 
    AIX 4.1.x: IX76958  (fix for Topic 1 only)
    AIX 4.2.x: IX76959  (fix for Topic 1 only)
    AIX 4.3.x: IX76960  (fix for Topic 1 and 3 only)
    AIX 4.3.x: IX76962  (fix for Topic 1, 2, and 3.  This is bind 8.1.2.)
Until the official fixes are available, a temporary patch can be found at: 
ftp://aix.software.ibm.com/aix/efixes/security 
    File                sum               md5
    ====================================================================
    named.415.tar.Z     64980   157    0e795380b84bf29385d2d946d10406cb
    named.421.tar.Z     44963   157    15a9a006abf4a9d0a0d3210f16d619e5
    named4.430.tar.Z    48236   115    8377b14f74e207707154a9677906f20a
    named8.430.tar.Z    51175   160    e2db14b7055a7424078456bfbfd9bf2d
Detached PGP signatures are also available with a ".asc" extension. 
IBM and AIX are registered trademarks of International Business Machines 
Corporation. 
Internet Software Consortium 
The Internet Software Consortium has announced BIND version 8.1.2 and BIND 
version 4.9.7. 
If you are running BIND 8.1.1 or 8.1 you want to upgrade to 8.1.2. If you are 
still running BIND-4 rather than BIND-8, you need the security patches contained 
in 4.9.7. But, you should really just run BIND-8. 
The security fixes included in these releases fix a stack overrun that could 
occur if inverse query support was enabled, and a number of denial of service 
attacks where malformed packets could cause the server to crash. 
Links to the kits are available at: http://www.isc.org/new-bind.html. 
NEC Corporation 
Topic1 - Some systems are vulnerable. Patches will be available soon, especially 
for UX/4800 R11.x and R13.x. 
Topic2 - Some systems are vulnerable. Patches will be available soon after the 
release of bind-4.9.7, especially for UX/4800 R11.x and R13.x. 
Topic3 - We do not ship BIND 8 with our products so we are not vulnerable to 
this problem. 
Patches will be available from ftp://ftp.meshnet.or.jp/pub/48pub/security. 
The NetBSD Project 
The first problem can be fixed in NetBSD 1.3, 1.3.1, and -current prior to 
19980408 with the supplied BIND 4.9.6 patch. A patch will be made available for 
the second problem shortly (alternatively, upgrading to BIND 4.9.7 or 8.1.2 when 
available will also solve this problem.) NetBSD is not affected by the third 
problem. 
Red Hat Software, Inc. 
Red Hat fixes will be available at: 
Red Hat 5.0
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/bind-4.9.6-7.i386.rpm 
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/bind-4.9.6-7.alpha.rpm 
Red Hat 4.2
i386: 
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/bind-4.9.6-1.1.i386.rpm 
alpha: 
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/bind-4.9.6-1.1.alpha.rpm 
SPARC: 
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/bind-4.9.6-1.1.sparc.rpm 
The Santa Cruz Operation, Inc. 
The following SCO products are vulnerable: 
SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4 
    SCO OpenServer 5.0 (also SCO Internet FastStart) 
    SCO UnixWare 2.1 
    SCO UnixWare 7 
    SCO CMW+ 3.0 is not vulnerable as BIND/named is not supported on CMW+ platforms. 

Binary versions of BIND 4.9.7 will be available shortly from the SCO ftp site: 
cover letter - ftp://ftp.sco.com/SSE/sse012.ltr 
replacement binaries - ftp://ftp.sco.com/SSE/sse012.tar.Z 
The fix includes binaries for the following SCO operating systems: 
SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4 
    SCO OpenServer 5.0 
    SCO UnixWare 2.1 
    SCO UnixWare 7 
    For the latest security bulletins and patches for SCO products, please refer to 
http://www.sco.com/security/ . 
Silicon Graphics, Inc. 
At this time, Silicon Graphics does not have any public information for the DNS 
issue. Silicon Graphics is in communication with CERT and other external parties 
and is actively investigating this issue. Additional information, is expected 
shortly. 
When more Silicon Graphics information (including patch information) is 
available for release, that information will be released via the SGI security 
mailing list, wiretap. 
For subscribing to the wiretap mailing list and other SGI security related 
information, please refer to the Silicon Graphics Security Headquarters website 
located at: 
ttp://www.sgi.com/Support/security 
Sun Microsystems, Inc. 
Topic 1: Patches will be produced for Solaris 5.3, 5.4, 5.5, 5.5.1 and 5.6. 
Topic 2: Patches will be produced for Solaris 5.3, 5.4, 5.5, 5.5.1 and 5.6. 
Topic 3: Bug fix will be integrated in the upcoming release of Solaris. 



The CERT Coordination Center thanks Bob Halley and Paul Vixie of Vixie 
Enterprises, who provided most of the text of this advisory. 



Reminder: 
The Internet Software Consortium will announce new publicly available versions 
of BIND on the BIND WWW page (http://www.isc.org/bind.html) and on the USENET 
newsgroup comp.protocols.dns. 


Revision History 
May 21, 1998   Updates were made to the following portions of this advisory:
               III. Solutions
               Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
                 1.C. What To Do
                 Fixing the Inverse Query Code, Bind 8 and Bind 4.9
               Topic 2: Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
                 2.C. What To Do
               Topic 3: Denial-of-Service Vulnerability in BIND 8 Releases
                 3.C. What To Do
                 Fixing the Problem
               Appendix A - Updated vendor information for Internet Software Consortium

Apr. 16, 1998  Appendix A - Updated vendor information for Caldera
               Corporation.

- -----------------------------------------------------------------------------

[ End CERT Advisory ]

[ Start Hewlett-Packard Advisory ]

Document ID:  HPSBUX9808-083
Date Loaded:  19980819
      Title:  Security Vulnerability in BIND on HP-UX

-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD SECURITY BULLETIN: #00083, 19 August 1998
Last Revised: 20 August 1998
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  Security vulnerability in the BIND executable

PLATFORM: HP9000 Series 700/800 running HP-UX releases 9.X, 10.X & 11.00.

DAMAGE:   May allow remote users to gain root access or to disrupt
          normal operation on the name server.

SOLUTION: Install patches (below) which upgrade BIND to version 4.9.7.

AVAILABILITY: All patches are available now, except as noted.
CHANGE SUMMARY: Added patch for HP-UX release 10.16.
-------------------------------------------------------------------------
I.
   A. Background
      The CERT Advisory CA-98.05 discusses two vulnerabilities which
      affect HP-UX.  Detailed descriptions of each problem and its
      solutions are included in the advisory, available from:

         www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems

   B. Fixing the problem
      The problems can be fixed by installing the necessary patch.

**REVISED 01**
       HP-UX release  9.0, 9.01, 9.03, 9.04, 9.05, & 9.07: PHNE_13187
       HP-UX release  10.00, 10.01, 10.10 and 10.20:       PHNE_14617
--->>> HP-UX release  10.16:                              *PHNE_16232
       HP-UX release  10.24:                             **PHNE_16204
       HP-UX release  11.00:                               PHNE_12957

    NOTE: ** Patch for VVOS (10.24) is expected to be available
             after 26 Aug. 98
--->>>     * Patch for CMW (10.16) is expected to be available
--->>>       after 26 Aug. 98


   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP Electronic Support Center via electronic
      mail, do the following:

      Use your browser to get to the HP Electronic Support Center page
      at:

        http://us-support.external.hp.com
               (for US, Canada, Asia-Pacific, & Latin-America)
        http://europe-support.external.hp.com     (for Europe)

     Login with your user ID and password (or register for one).
     Remember to save the User ID assigned to you, and your password.
     Once you are in the Main Menu:
     To -subscribe- to future HP Security Bulletins,
       click on "Support Information Digests".
     To -review- bulletins already released from the main Menu,
       click on the "Technical Knowledge Database (Security Bulletins
     only)".
     Near the bottom of the next page, click on "Browse the HP Security
     Bulletin Archive".
     Once in the archive there is another link to our current Security
     Patch Matrix.  Updated daily, this matrix is categorizes security
     patches by platform/OS release, and by bulletin topic.


   D. To report new security vulnerabilities, send email to

           security-alert@hp.com

       Please encrypt any exploit information using the security-alert
       PGP key, available from your local key server, or by sending a
       message with a -subject- (not body) of 'get key' (no quotes) to
       security-alert@hp.com.

      Permission is granted for copying and circulating this Bulletin to
      Hewlett-Packard (HP) customers (or the Internet community) for the
      purpose of alerting them to problems, if and only if, the Bulletin
      is not edited or changed in any way, is attributed to HP, and
      provided such reproduction and/or distribution is performed for
      non-commercial purposes.

      Any other use of this information is prohibited. HP is not liable
      for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID:  HPSBUX9808-083--------------------------------------


[ End Hewlett-Packard Advisory ]

[ Start Sun Microsystems Advisory ]

________________________________________________________________________________
 		   Sun Microsystems, Inc. Security Bulletin
 		
Bulletin Number:	#00180
Date: 			December 17, 1998
Cross-Ref:		CERT Advisory CA-98.05
Title:			BIND 
________________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS." 
Sun makes no warranties of any kind whatsoever with respect to the information 
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, 
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR 
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE 
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, 
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL 
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY 
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN 
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF 
THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law, 
void, or unenforceable in any jurisdiction, then such provisions are waived 
to the extent necessary for this disclaimer to be otherwise enforceable in 
such jurisdiction.
________________________________________________________________________________

1.  Background

    The Berkeley Internet Name Domain (BIND) is an implementation of the 
    Domain Name System (DNS).  
    
    CERT Advisory CA-98.05 describes three vulnerabilities in certain 
    versions of BIND. The first vulnerability, Inverse Query Buffer Overrun,
    can be exploited by a remote attacker to gain root access to a DNS 
    name server. The second vulnerability, Denial-of-Service Vulnerabilities,
    is concerned with buffer overflows that can be exploited to corrupt 
    DNS record data or crash the DNS server. SunOS(tm) and Solaris(tm) are 
    not vulnerable to third vulnerability described in the CERT advisory.
    For more information about the vulnerabilities, please see the 
    CERT advisory at:
    	
    	http://www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems
    
    A vulnerability has also been discovered in SunOS and Solaris's 
    implementation of BIND with their use of temporary files. This vulnerability 
    can be exploited to overwrite arbitrary files.
    
2.  Affected Supported Versions
        
    Solaris(tm) versions:   2.6, 2.6_x86, 2.5.1, 2.5.1_x86, 2.5, 2.5_x86,
                            2.4, 2.4_x86 and 2.3 
                   
    SunOS(tm) versions:     4.1.4 and 4.1.3_U1
    
3.  Recommendations

    Sun recommends that you install the respective patches immediately on
    vulnerable systems including both DNS clients and servers.
    
    Operating System	Patch ID	
    _________________   _________    
    Solaris 2.6         105755-07		
    Solaris 2.6_x86     105756-07
    Solaris 2.5.1       103663-15
    Solaris 2.5.1_x86   103664-15
    Solaris 2.5         103667-11
    Solaris 2.5_x86     103668-11
    Solaris 2.4         102479-13
    Solaris 2.4_x86     102480-11
    Solaris 2.3         101359-10
    SunOS 4.1.4         106866-02
    SunOS 4.1.3_U1      106865-02
         
_______________________________________________________________________________
APPENDICES

A.  Patches listed in this bulletin are available to all Sun customers via 
    World Wide Web at:
    
    	<URL:http://sunsolve.sun.com/sunsolve/pubpatches/patches.html>

B.  Checksums for the patches listed in this bulletin are available via 
    World Wide Web at:

    	<URL:http://sunsolve.sun.com/sunsolve/pubpatches/patches.html>

C.  Sun security bulletins are available via World Wide Web at:

	<URL:http://sunsolve.sun.com/sunsolve/secbulletins>
	
D.  Sun Security Coordination Team's PGP key is available via World Wide Web 
    at:

	<URL:http://sunsolve.sun.com/sunsolve/secbulletins/SunSCkey.txt>
		    	    	    
E.  To report or inquire about a security problem with Sun software, contact 
    one or more of the following:
  
        - Your local Sun answer centers
        - Your representative computer security response team, such as CERT 
        - Sun Security Coordination Team. Send email to:
	 
     		security-alert@sun.com

F.  To receive information or subscribe to our CWS (Customer Warning System) 
    mailing list, send email to:
    
    		security-alert@sun.com
   
    with a subject line (not body) containing one of the following commands:

        Command         Information Returned/Action Taken
        _______         _________________________________

        help            An explanation of how to get information
        
        key             Sun Security Coordination Team's PGP key
	
        list            A list of current security topics

        query [topic]   The email is treated as an inquiry and is forwarded to 
                        the Security Coordination Team

        report [topic]  The email is treated as a security report and is
                        forwarded to the Security Coordination Team. Please 
                        encrypt sensitive mail using Sun Security Coordination
                        Team's PGP key

        send topic      A short status summary or bulletin. For example, to 
                        retrieve a Security Bulletin #00138, supply the 
                        following in the subject line (not body):
        		
                                send #138

        subscribe       Sender is added to our mailing list.  To subscribe, 
                        supply the following in the subject line (not body):

                            	subscribe cws your-email-address
			
                        Note that your-email-address should be substituted
                        by your email address.
			
        unsubscribe     Sender is removed from the CWS mailing list.
________________________________________________________________________________

Copyright 1998 Sun Microsystems, Inc. All rights reserved. Sun, 
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks 
of Sun Microsystems, Inc. in the United States and other countries. This 
Security Bulletin may be reproduced and distributed, provided that this 
Security Bulletin is not modified in any way and is attributed to 
Sun Microsystems, Inc. and provided that such reproduction and distribution 
is performed for non-commercial purposes.

[ End Sun Microsystems Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT and Hewlett-Packard for
the information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-034: Internet Cookies
I-035: SGI Vulnerabilities (startmidi/stopmidi, datman/cdman, cdplayer)
I-036: FreeBSD Denial-of Service LAND Attacks
I-037: FreeBSD mmap Vulnerability
I-038: Ascend Routing Hardware Vulnerabilities
I-039: HP-UX inetd Vulnerability
I-040: SGI Netscape Navigator Vulnerabilities
I-041: Performer API Search Tool 2.2 pfdispaly.cgi Vulnerability
I-042: SGI IRIX lp(1) Security Vulnerability
I-043: SGI IRIX mailcap Vulnerability





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH