ISP-Planet

 


ISP News

Serious BIND Server Flaws Detected

Exploitation of the vulnerabilities could lead to more DoS attacks against vulnerable DNS servers. Flaws in BIND 4 and 8 could compromise the security of servers that are not upgraded.

by Ryan Naraine
of internetnews.com
[November 13, 2002]

Internet Security Systems (ISS) on Tuesday warned that several serious vulnerabilities have been detected in the Berkeley Internet Name Domain (BIND) Server, the most common implementation of the DNS protocol.

In a security alert, ISS said the most serious security flaws were found in BIND 4.9.5 to 4.9.10 and BIND 8.1, 8.2 to 8.2.6, 8.3.0 to 8.3.3 and affected nearly all currently deployed recursive DNS servers on the Internet. "Upgrading to BIND version 9.2.1 is strongly recommended," ISS said.

While there are no active exploits of the flaws, ISS has warned that if exploits are developed and made public, they may lead to compromise of, and DoS attacks against, vulnerable DNS servers.

"The immediate fear is that an Internet worm may be developed to propagate by exploiting the flaws in BIND," the outfit said, warning that widespread attacks against the DNS system may lead to general instability and inaccuracy of DNS data.

The security outfit said a buffer overflow exists in BIND 4 and 8 that may lead to remote compromise of vulnerable DNS servers. An attacker with control of any authoritative DNS server may cause BIND to cache DNS information within its internal database if recursion is enabled (recursion is enabled by default unless explicitly disabled via command-line options or in the BIND configuration file).

"There is a flaw in the formation of DNS responses containing SIG resource records (RR) that can lead to buffer overflow and execution of arbitrary code," it warned.

The second flaw concerns recursive BIND 8 servers, which can abruptly terminate due to an assertion failure. The denial-of-service vulnerability is triggered when a client requests a DNS lookup on a nonexistent sub-domain of a valid domain name. The client may cause BIND 8 to terminate by attaching an OPT resource record with a large UDP payload size, it said, warning that the DoS can also be triggered for queries on domains whose authoritative DNS servers are unreachable.

ISS also warned of a BIND SIG Expiry Time denial-of-service bug that affects recursive BIND 8 servers. "An attacker who controls any authoritative name server may cause vulnerable BIND 8 servers to attempt to cache SIG RR elements with invalid expiry times. These are removed from the BIND internal database, but later improperly referenced, leading to a DoS condition," the firm said.

While encouraging an immediate upgrade to BIND version 4.9.11, 8.2.7, 8.3.4 or to BIND version 9, ISS said DNS servers that do not need recursive DNS functionality can also apply a workaround by disabling recursion within the BIND configuration file.
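As an added example (not part of the original article or the ISS alert), the following Python sketch triages a server inventory against the version ranges and the recursion workaround described above. The host names, banners and configuration text are constructed; the function names are hypothetical; reading "8.1" as every 8.1.x release is an assumption; and only BIND 8/9 style `named.conf` text is parsed, not the BIND 4 boot file.

```python
import re

# Affected ranges (inclusive) as listed in the article. Reading "8.1" as
# every 8.1.x release is an assumption of this example.
AFFECTED = [((4, 9, 5), (4, 9, 10)), ((8, 1, 0), (8, 1, 999)),
            ((8, 2, 0), (8, 2, 6)), ((8, 3, 0), (8, 3, 3))]

def parse_version(banner):
    """Extract (major, minor, patch) from a banner such as '8.2.3-REL'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(banner):
    v = parse_version(banner)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def options_block(conf):
    """Return the body of the options { ... }; statement, comments removed."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#)[^\n]*", "", conf)
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:      # walk to the matching close brace
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def recursion_disabled(conf):
    """Recursion is on by default, so only an explicit 'recursion no;' counts."""
    return re.search(r"\brecursion\s+no\s*;", options_block(conf)) is not None

def assess(banner, conf):
    if not is_affected(banner):
        return "not affected"
    return "workaround applied" if recursion_disabled(conf) else "upgrade needed"

# Constructed sample inventory: (host, version banner, named.conf text).
INVENTORY = [
    ("ns1.example", "8.2.3-REL", "options { directory \"/var/named\"; };"),
    ("ns2.example", "8.3.3-REL", "options {\n allow-query { any; };\n recursion no;\n};"),
    ("ns3.example", "4.9.7-REL", ""),   # BIND 4 boot file is not parsed here
    ("ns4.example", "9.2.1", "options { // recursion no;\n};"),
    ("ns5.example", "8.2.6", "options { # recursion no;\n recursion yes; };"),
]

if __name__ == "__main__":
    for host, banner, conf in INVENTORY:
        print(f"{host:12} {banner:10} {assess(banner, conf)}")
```

A commented-out `recursion no;` is treated as absent, so a server is reported as having the workaround only when the setting is actually in effect in the `options` statement.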

— End

Related articles:
  [June 6, 2002] DoS Hole Has Some DNS Servers In a BIND
  [July 11, 2002] Managed Security Service Providers
  [Mar. 29, 2001] On The Wrong Side of History

 
