Bug 8403 - NXT records improperly validated could lead to buffer overflow
Summary: NXT records improperly validated could lead to buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: bind
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact:
URL: http://www.cert.org/advisories/CA-99-...
Whiteboard:
Depends On:
Blocks:
Reported: 2000-01-12 15:32 UTC by T. Warfield
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-01-12 16:06:59 UTC
Embargoed:



Description T. Warfield 2000-01-12 15:32:49 UTC
I. Description
Six vulnerabilities have been found in BIND, the popular domain name server
from the Internet Software Consortium (ISC). One of these
vulnerabilities may allow remote intruders to gain privileged access to
name servers.

Vulnerability #1: the "nxt bug"

Some versions of BIND fail to properly validate NXT records. This improper
validation could allow an intruder to overflow a buffer and execute
arbitrary code with the privileges of the name server.

NXT record support was introduced in BIND version 8.2. Prior versions of
BIND, including 4.x, are not vulnerable to this problem. The
ISC-supplied version of BIND corrected this problem in version 8.2.2.

Vulnerability #2: the "sig bug"

This vulnerability involves a failure to properly validate SIG records,
allowing a remote intruder to crash named; see the impact section for
additional details.
SIG record support is found in multiple versions of BIND, including 4.9.5
through 8.x.

Vulnerability #3: the "so_linger bug"

By intentionally violating the expected protocols for closing a TCP
session, remote intruders can cause named to pause for periods up to 120
seconds.

Vulnerability #4: the "fdmax bug"

Remote intruders can consume more file descriptors than BIND can properly
manage, causing named to crash.

Vulnerability #5: the "maxdname bug"

Improper handling of certain data copied from the network could allow a
remote intruder to disrupt the normal operation of your name server,
possibly including a crash.

Vulnerability #6: the "naptr bug"

Some versions of BIND fail to validate zone information loaded from disk
files. In environments with unusual combinations of permissions and
protections, this could allow an intruder to crash named.

Comment 1 T. Warfield 2000-01-12 15:34:59 UTC
bind 8.2.2.P5 has been released to resolve this problem - but isn't available
from RH as of yet.

Comment 2 Bernhard Rosenkraenzer 2000-01-12 15:59:59 UTC
We're well aware of those and released fixed packages several weeks ago.
Look at your favorite updates mirror.

Comment 3 Bernhard Rosenkraenzer 2000-01-12 16:06:59 UTC
Actually 8.2.2P5 *is* available from Red Hat, in Raw Hide.
8.2.2P3 (with a p4 patch applied) is available for older versions in the updates
directory on the ftp server.
8.2.2P5 does *NOT* fix any security problems, and does *NOT* have any other
important fixes 8.2.2P4 doesn't have, so there's no reason to issue yet another
update for the older versions.
