Security Flaws Found
In Popular DNS Software

With the Internet community's attention turned increasingly toward security in the wake of last week's high profile attacks against Microsoft Corp., the CERT Coordination Center this week raised the possibility of vulnerabilities in software that serves as the basic foundation for the Internet.

by Thor Olavsrud of internetnews.com [January 30, 2001]

CERT released an advisory detailing four security holes in older versions of the Berkeley Internet Name Domain (BIND) DNS software—maintained by the Internet Software Consortium (ISC), which maps URLs to IP addresses.

Remote possibilities
CERT urged all users of BIND software to upgrade to BIND 4.9.8, BIND 8.2.3 or BIND 9.1. However, BIND 4 is no longer actively maintained and ISC recommends using either BIND 8.2.3 or BIND 9.1.

Shawn Hernan, team leader for vulnerability handling at CERT, told InternetNews Radio Monday that more than 80 percent of the DNS servers in operation today run BIND, including the 16 root DNS servers to which all other name servers on the Internet turn when attempting to map a URL to an IP address. Those 16 root servers run a modified version of BIND.

Hernan said the four flaws exposed Monday could seriously compromise security.

"They allow a remote intruder to gain access to a machine that's exposed directly to the Internet," he said. "And of course, if it's a name server, then the consequences can be very serious.

"One possible manifestation is that the site will be unavailable to external users or the rest of the Internet will appear to be unavailable to internal users. But a more serious manifestation is that the mapping between names and numbers gets changed so that when you type in, for example www.cert.org, you end up at a completely different site that has nothing to do with CERT but appears, to your perspective, to be CERT.

"Another possible impact is that mail gets rerouted to some third-party location so if you send mail to CERT at CERT.org it gets sent off to some intruder site and they can read your mail."

The four flaws are:

• ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code—This vulnerability may allow an attacker to execute code with the same privileges as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.
• ISC BIND 4 contains buffer overflow in nslookupComplain—This vulnerability can disrupt the proper operation of the BIND server and may allow an attacker to execute code with the privileges of the BIND server.
• ISC BIND 4 contains an input validation error in nslookupComplain— This vulnerability may also be used to allow an attacker to execute code with the privileges of the BIND server.
• Queries to ISC BIND servers may disclose environment variables—This vulnerability may allow attackers to read information from the program stack, possibly exposing environment variables. Also, the information obtained by exploiting this vulnerability may aid in the development of exploits for the second and third flaws above.

Finders not necessarily keepers
The first three flaws were uncovered by the COVERT Labs at PGP Security, while the fourth was discovered by Claudio Musmarra.

The BIND 4.9.8 and 8.2.3 distributions can be downloaded here. The BIND 9.1 distribution can be downloaded here.

However, even though distributions not vulnerable to the four flaws are available, Hernan doubted that all sites will upgrade their software.

"We know from history that a large number of sites won't upgrade for some reason or another," he said. "So that's really what has us concerned here—which sites aren't going to upgrade and which sites are going to be compromised. We also know that exploits for BIND tend to appear pretty quickly. The last major vulnerability in BIND, an exploit appeared in about a week, so we're running against the clock here a little bit."

Desultory DNS bind
These are not the first vulnerabilities found in BIND. Since 1997, the CERT Coordination Center has published 12 documents detailing vulnerabilities in the software.

Some critics of BIND point to those flaws and argue that some of its bugs are major design flaws. One critic, who called BIND (which he refers to as Buggy Internet Name Daemon) the Microsoft Windows of DNS software, wrote a scathing critique of the software. He went so far as to create his own DNS mapping software and even offered a reward to the first person to report a verifiable security hole in the software. While Hernan conceded that BIND has problems, he argued that no software is impenetrable.

"The history of BIND is rather checkered," he said. "It is a favorite target of intruders. Fundamentally, we believe that no individual piece of software is immune from all accidents, attacks and failures. There will be vulnerabilities discovered in the future as serious as this or more serious than this. But most of the compromises can be avoided if people will begin taking action today."

—End