Fabio Longo
Occasional Contributor

Bind 9.2.1 vulnerability

Hi All,

I'm going to implement a DNS infrastructure based on DNS BIND 9.2.1 on HP-UX 11.0 o.s.

Customer states version 9.2.1 has the following problems:
a) OpenSSL buffer overflow
b) libbind buffer overflow

that potentially permit running programs on the DNS machine.

My questions are:

1. Is it true?
2. Is there any patch available?

Thanks in advance
Stefan Farrelly
Honored Contributor

Re: Bind 9.2.1 vulnerability

Check this out;

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x9f0931ec5e34d711abdc0090277a778c,00.html
I'm from Palmerston North, New Zealand, but somehow ended up in London...
U.SivaKumar_2
Honored Contributor

Re: Bind 9.2.1 vulnerability

Hi,

Hope this Reference from my collection will be useful for you too.

Name: "OpenSSL buffer overflow"
Versions affected: BIND 9.1.
BIND 9.2 if built with OpenSSL (configure --with-openssl).
Severity: Medium
Exploitable: Remotely
Type: Potential execution of arbitrary code via buffer overflow.

Description:
BIND 9.1.x ship with a copy of the vulnerable sections of OpenSSL crypto library (obj_dat.c and asn1_lib.c).
Vendors shipping product based on BIND 9.1 should contact bind9-bugs@isc.org.


BIND 9.2.x is vulnerable if linked against a vulnerable library. By default BIND 9.2 does not link against OpenSSL.

Workarounds:
Disable DNSSEC validation of responses by commenting out any trusted keys in named.conf.

Fix:
Upgrade BIND 9.1.x to BIND 9.2.1 and/or link with fixed OpenSSL library
e.g. configure --with-openssl=/path/to/fixed/openssl
Link BIND 9.2.x with a fixed OpenSSL library.

Active Exploits:
None known



Name: "libbind buffer overflow"
Versions affected: All versions of the stub resolver library from BIND 4 prior to 4.9.9.
All versions of the stub resolver library from BIND 8 prior to 8.2.6.
The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
The BIND 8 compatibility stub resolver library (NOT the lwres library) from BIND versions 9.2.0, 9.2.1.
(Disabled by default in BIND 9, enabled if you added --enable-libbind to the configure statement)
Severity: SERIOUS
Exploitable: Remotely
Type: Potential for execution of arbitrary code via buffer overflow.

Description:
It is possible to construct a response to a DNS query issued by an application linked to vulnerable versions of the stub resolver library included in the BIND distributions mentioned above that may potentially result in a buffer overflow of a few bytes. This bug does NOT affect the name server (named) itself, but rather applications linked to the resolver library.

NOTE: Upgrading the name server DOES NOT remove this vulnerability. To remove this vulnerability, ALL applications linked to a vulnerable version of the stub resolver library must be re-linked with a non-vulnerable version. Note that if static libraries were used, the static library must be updated and all applications must be relinked. If shared libraries were used, then upgrading the shared library will suffice.

Workarounds:
None.

Fix:
Update libbind to a version that is not affected and relink all applications that use it.

Active Exploits:
None known

regards,

U.SivaKumar



Innovations are made when conventions are broken
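The OpenSSL workaround quoted above depends on every trusted-keys statement in named.conf really being commented out. The following check is an added example, not part of the original post or the quoted advisory: it reports trusted-keys statements that are still active, honouring the three named.conf comment styles (/* */, // and #). The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample named.conf (not from the thread): one block is still active.
SAMPLE_CONF = '''\
options { directory "/etc/namedb"; };   # shell-style comment
/* trusted-keys {
     "old.example." 257 3 1 "AQPd//abc=";
   }; */
// trusted-keys { "gone.example." 257 3 1 "AQ=="; };
trusted-keys {
    "example.com." 257 3 1 "AQOx//Zk3+q/9w==";  // base64 may contain //
};
'''

def strip_comments(text):
    """Blank out /* */, // and # comments; keep quoted strings and newlines."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':                        # quoted string: copy verbatim
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1]); i = j + 1
        elif text.startswith('/*', i):       # C-style comment, may span lines
            j = text.find('*/', i + 2)
            j = n if j == -1 else j + 2
            out.append(re.sub(r'[^\n]', ' ', text[i:j])); i = j
        elif ch == '#' or text.startswith('//', i):   # runs to end of line
            j = text.find('\n', i)
            j = n if j == -1 else j
            out.append(' ' * (j - i)); i = j
        else:
            out.append(ch); i += 1
    return ''.join(out)

def active_trusted_keys(text):
    """Return (line_number, [zone names]) for each uncommented trusted-keys."""
    clean = strip_comments(text)
    found = []
    for m in re.finditer(r'\btrusted-keys\s*\{([^}]*)\}', clean):
        line = clean.count('\n', 0, m.start()) + 1
        zones = re.findall(r'(?:^|;)\s*"?([^\s";]+)"?\s+\d+\s+\d+\s+\d+',
                           m.group(1))
        found.append((line, zones))
    return found

if __name__ == '__main__':
    for line, zones in active_trusted_keys(SAMPLE_CONF):
        print(f'line {line}: active trusted-keys for {", ".join(zones)}')
```

Quoted strings are copied through untouched because base64 key data can legitimately contain "//", which a naive line-comment stripper would truncate.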
Steven E. Protter
Exalted Contributor

Re: Bind 9.2.1 vulnerability

DNS/BIND is an inherently difficult process to keep secure.

The best way to do so is to have a user other than root owning and starting the named/BIND process(es).

The easiest way to do that is to install this tool, and run it.

Bastille Security Hardening free tool.
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=

It has a step that lets you have a non-root user doing BIND/DNS. This means that if there is a hack on DNS, it won't get root privileges, so the damage will be minimal if noticeable other than on lookup performance.

Here is a way to get notified of patches that relate to system security, BIND included.

Security Patch Check, also free.

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6834AA&date=

Good luck, these two tools will make you sleep better, if this kind of stuff keeps you up at night.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com