[Full-Disclosure] [ESA-20021114-029] BIND buffer overflow, DoS attacks.

From: EnGarde Secure Linux (security@guardiandigital.com)
Date: 11/14/02

From: security@guardiandigital.com (EnGarde Secure Linux)
Date: Thu, 14 Nov 2002 05:18:06 -0500 (EST)


  EnGarde Secure Linux Security Advisory                 November 14, 2002
  http://www.engardelinux.org/                            ESA-20021114-029

  Packages: bind-chroot, bind-chroot-utils
  Summary:  buffer overflow, DoS attacks.

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, e-commerce, and integrated open source
  security tools.

OVERVIEW
--------
  Several vulnerabilities were found in the BIND nameserver. The
  vulnerabilities, discovered by ISS, range from buffer overflows to
  denial of service (DoS) attacks.

  The summaries below are from the ISS advisory which may be found at:


  * CAN-2002-1219 -- BIND SIG Cached RR Overflow Vulnerability

    "A buffer overflow exists in BIND 4 and 8 that may lead to remote
     compromise of vulnerable DNS servers. An attacker who controls any
     authoritative DNS server may cause BIND to cache DNS information
     within its internal database, if recursion is enabled. Recursion is
     enabled by default unless explicitly disabled via command line
     options or in the BIND configuration file. Attackers must either
     create their own name server that is authoritative for any domain,
     or compromise any other authoritative server with the same criteria.
     Cached information is retrieved when requested by a DNS client. There
     is a flaw in the formation of DNS responses containing SIG resource
     records (RR) that can lead to buffer overflow and execution of
     arbitrary code."

  * CAN-2002-1220 -- BIND OPT DoS

    "Recursive BIND 8 servers can be caused to abruptly terminate due to
     an assertion failure. A client requesting a DNS lookup on a
     nonexistent sub-domain of a valid domain name may cause BIND 8 to
     terminate by attaching an OPT resource record with a large UDP
     payload size. This DoS may also be triggered for queries on domains
     whose authoritative DNS servers are unreachable."

  * CAN-2002-1221 -- BIND SIG Expiry Time DoS

    "Recursive BIND 8 servers can be caused to abruptly terminate due to a
     null pointer dereference. An attacker who controls any authoritative
     name server may cause vulnerable BIND 8 servers to attempt to cache
     SIG RR elements with invalid expiry times. These are removed from the
     BIND internal database, but later improperly referenced, leading to a
     DoS condition."

  All users should upgrade as soon as possible.
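As an added example that is not part of this advisory and not Guardian Digital's or ISC's code, the parser below walks a DNS message and reports the two message shapes the ISS summaries describe: the UDP payload size an OPT RR advertises (CAN-2002-1220) and any SIG RR whose expiration is not later than its inception (CAN-2002-1221). The sample messages, names and times are constructed for the illustration; the advisory gives no figure for "large", so the OPT size is returned for the caller to judge.

```python
import struct

TYPE_SIG, TYPE_OPT = 24, 41              # RR type codes from RFC 2535 and RFC 2671

def _skip_name(msg, off):                # RFC 1035 labels, or a 2-byte compression pointer
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def inspect_dns(msg):
    """Walk every RR and report the OPT UDP payload size (RFC 2671 stores it in the
    CLASS field) and SIG RRs whose expiration <= inception in RFC 1982 serial order."""
    report = {"opt_udp_size": None, "bad_sig_expiry": []}
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):                  # question entries: name, qtype, qclass
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):        # answer, authority and additional sections
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == TYPE_OPT:
            report["opt_udp_size"] = rclass
        elif rtype == TYPE_SIG:          # rdata: covered(2) alg(1) labels(1) ttl(4) exp(4) inc(4) ...
            expiration, inception = struct.unpack_from("!II", msg, off + 18)
            diff = (expiration - inception) % 2**32
            if diff == 0 or diff >= 2**31:
                report["bad_sig_expiry"].append((inception, expiration))
        off += 10 + rdlen
    return report

def _name(s):                            # wire-format name for a dotted string (constructed helper)
    return b"".join(bytes([len(l)]) + l.encode() for l in s.strip(".").split(".")) + b"\x00"

def _rr(name, rtype, rclass, ttl, rdata):
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def sample_opt_query(udp_size):
    """Constructed sample: one question plus an OPT RR advertising udp_size (assumed name)."""
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
    return hdr + _name("host.example.") + struct.pack("!HH", 1, 1) + _rr(b"\x00", TYPE_OPT, udp_size, 0, b"")

def sample_sig_response(inception, expiration):
    """Constructed sample: an answer carrying one SIG RR (covers A, alg 1) with the given times."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    sig = struct.pack("!HBBIIIH", 1, 1, 2, 3600, expiration, inception, 1) + _name("example.") + bytes(8)
    return hdr + _name("www.example.") + struct.pack("!HH", 1, 1) + _rr(b"\xc0\x0c", TYPE_SIG, 1, 3600, sig)
```

Modern EDNS clients legitimately advertise 1232 to 4096 bytes, so the reported OPT size is a triage signal for a resolver's query log rather than a rule on its own.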

SOLUTION
--------
  Users of the EnGarde Professional edition can use the Guardian Digital
  Secure Network to update their systems automatically.

  EnGarde Community users should upgrade to the most recent version
  as outlined in this advisory. Updates may be obtained from:


  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh files

  You must now update the LIDS configuration by executing the command:

    # /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signatures of the updated packages, execute the command:

    # rpm -Kv files

UPDATED PACKAGES
----------------
  These updated packages are for EnGarde Secure Linux Community

REFERENCES
----------
  Guardian Digital's public key:

  BIND's Official Web Site:

  Security Contact: security@guardiandigital.com
  EnGarde Advisories: http://www.engardelinux.org/advisories.html

- --------------------------------------------------------------------------
$Id: ESA-20021114-029-bind-chroot,v 1.4 2002/11/14 10:02:51 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.




Copyright(c) 2002 Guardian Digital, Inc. EnGardeLinux.org