ISSalert: ISS Alert: Remote Denial of Service Vulnerability in ISC BIND

From: X-Force (
Date: 06/05/02

Date: Tue, 4 Jun 2002 18:09:10 -0400 (EDT)
From: X-Force <>

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to Contact for help with any problems!


Internet Security Systems Security Alert
June 4, 2002

Remote Denial of Service Vulnerability in ISC BIND


ISS X-Force has learned of a serious vulnerability in ISC BIND that may
allow remote attackers to disable BIND servers. ISC BIND and its
derivatives are the most prevalent DNS (Domain Name Service) servers on
the Internet. DNS is used to translate IP addresses to their
corresponding host and domain names. Attackers may use this
vulnerability to scan for and disable DNS servers.


DNS is a core component of the Internet and is responsible for
translating IP addresses into domain names for all Internet-linked
computers, including all Web servers. If DNS is attacked locally or en
masse, it may result in local or widespread Internet instability.

Affected Versions:

BIND version 9 up to 9.2.0

Note: BIND versions 4 and 8 are not affected.


The ISC (Internet Software Consortium) is a non-profit organization that
produces and maintains Open Source software projects and also operates
one of the Internetís root DNS servers. ISC BIND is included in mot
commercial and Open Source Unix operating systems.

A logic error exists within BIND that may allow remote attackers to
cause the server program (named) to fail and shutdown. The server must
then be manually restarted. This vulnerability is present within the
dns_message_findtype() routine. Under normal operating conditions, the
rdataset variable is non-null. This exploit forces rdataset to be null,
or empty, which causes an error and calls abort(), which shuts down the


X-Force recommends that all BIND administrators upgrade to BIND version
9.2.1, which has been available since May 2002. BIND version 9.2.1 is
available at the following address:

ISS Internet Scanner 5.0, released in February 1998, implemented a check
to assess if a BIND server is vulnerable. Internet Scanner customers are
encouraged to enable the "bindvrs" check if they have not done so.

ISS RealSecure implemented Bind_Version_Request in XPU 1.3 on September
29, 2000, and ISS BlackICE 2.1 shipped with "DNS Bind version request."
These signatures may detect version probes for vulnerable versions of

ISS X-Force will provide detection support for this vulnerability in an
upcoming X-Press Update for RealSecure Network Sensor. Detection support
for this attack will also be added in a future update for BlackICE

Additional Information:


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email for

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and's key
as well as at

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

Version: 2.6.2