CERT Advisory CA-2000-20: Mulitple Denial-of-Service Problems in ISC BIND | Linux Today

CERT Advisory CA-2000-20: Mulitple Denial-of-Service Problems in ISC BIND

Written By
Web Webster
Web Webster
Nov 15, 2000

Date: Wed, 15 Nov 2000 10:36:36 -0800
From: Aleph One aleph1@UNDERGROUND.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: CERT Advisory CA-2000-20

CERT Advisory CA-2000-20 Mulitple Denial-of-Service Problems in
ISC BIND

Original release date: November 13, 2000 Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

     * Systems running Internet Software Consortium (ISC) BIND version
       8.2 through 8.2.2-P6
     * Systems running name servers derived from BIND version 8.2 through
       8.2.2-P6

Overview

The CERT Coordination Center has recently learned of two serious
denial-of-service vulnerabilities in the Internet Software
Consortium’s (ISC) BIND software.

The first vulnerability is referred to by the ISC as the “zxfr
bug” and affects ISC BIND version 8.2.2, patch levels 1 through 6.
The second vulnerability, the “srv bug”, affects ISC BIND versions
8.2 through 8.2.2-P6. Derivatives of the above code sets should
also be presumed vulnerable unless proven otherwise.

I. Description

The Internet Software Consortium, the maintainer of BIND, the
software used to provide domain name resolution services, has
recently posted information about several denial-of-service
vulnerabilities. If exploited, any of these vulnerabilities could
allow remote intruders to cause site DNS services to be
stopped.

For more information about these vulnerabilities and others,
please see

http://www.isc.org/products/BIND/bind-security.html

Two vulnerabilities in particular have been categorized by both
the ISC and the CERT/CC as being serious.

The “zxfr bug”

Using this vulnerability, attackers on sites which are permitted
to request zone transfers can force the named daemon running on
vulnerable DNS servers to crash, disrupting name resolution service
until the named daemon is restarted. The only preconditions for
this attack to succeed is that a compressed zone transfer (ZXFR)
request be made from a site allowed to make any zone transfer
request (not just ZXFR), and that a subsequent name service query
of an authoritative and non-cached record be made. The time between
the attack and the crash of named may vary from system to
system.

This vulnerability has been discussed in public forums. The ISC
has confirmed that all platforms running version 8.2.2 of the BIND
software prior to patch level 7 are vulnerable to this attack.

The “srv bug”

This vulnerability can cause affected DNS servers running named
to go into an infinite loop, thus preventing further name requests
to be handled. This can happen if an SRV record (defined in
RFC2782) is sent to the vulnerable server.

Microsoft’s Windows 2000 Active Directory service makes
extensive use of SRV records and is reportedly capable of
triggering this bug in the course of normal operations. This is
not, however, a vulnerability in Microsoft Active Directory. Any
network client capable of sending SRV records to vulnerable name
server systems can exercise this vulnerability.

The CERT/CC has not received any direct reports of either of
these vulnerabilities being exploited to date.

Both vulnerabilities can be used by malicious users to break the
DNS services being offered at all exposed sites on the Internet.
System administrators are strongly recommended to upgrade their DNS
software with either ISC’s current distribution or their
vendor-supplied software. See the Solution and Vendor Information
sections of this document for more details.

II. Impact

Domain name resolution services (DNS) can be disabled on
affected servers from arbitrary remote hosts.

III. Solution

Apply a patch from your vendor

The CERT/CC recommends that all users of ISC BIND upgrade to the
recently-released BIND 8.2.2-P7, which patches both of the
vulnerabilities discussed in this document. Sites running
vendor-specific distributions of domain name resolution software
should check the Vendor Information section below for more specific
information on how to upgrade to non-vulnerable software.

Restrict zone transfers to trusted hosts

If it is not possible to immediately upgrade systems affected by
the “zxfr bug”, the ISC suggests not allowing zone transfers from
untrusted hosts. This action, however, will not mitigate against
the effects of an attack using the “srv bug”.

Although it has been reported that not allowing recursive
queries may help mitigate against the “zxfr” vulnerability, ISC has
indicated that this is not the case.

Appendix A. Vendor Information

The Internet Software Consortium

For the latest information regarding these vulnerabilities,
please consult the ISC web site at:

http://www.isc.org/products/BIND/bind-security.html

Caldera

Our advisory will be available [at]:


http://www.calderasystems.com/support/security/advisories/CSSA-2000-040.0.txt

Updated packages will be available from
OpenLinux Desktop 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current

9d8429f25c5fb3bebe2d66b1f9321e61 RPMS/bind-8.2.2p7-1.i386.rpm
0e958eb01f40826f000d779dbe6b8cb3
RPMS/bind-doc-8.2.2p7-1.i386.rpm
866ff74c77e9c04a6abcddcc11dbe17b
RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm
OpenLinux eServer 2.3
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current

379c4328604b4491a8f3d0de44e42347 RPMS/bind-8.2.2p7-1.i386.rpm
b428b824c8b67f2d8d4bf53738a3e7e0
RPMS/bind-doc-8.2.2p7-1.i386.rpm
28311d630281976a870d38abe91f07fb
RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm
OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current

c37b6673cc9539e592013ac114846940 RPMS/bind-8.2.2p7-1.i386.rpm
bbe0d7e317fde0d47cba1384f6d4b635
RPMS/bind-doc-8.2.2p7-1.i386.rpm
5c28dd5641a4550c03e9859d945a806e
RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

Compaq Computer Corporation

SOURCE: Compaq Computer Corporation
Compaq Services
Software Security Response Team USA

Compaq Tru64/UNIX Operating Systems Software are not vulnerable
to these reported problems.

Conectiva

Please see Conectiva Linux Security Announcement CLSA-2000:339
at:


http://listserv.securityportal.com/SCRIPTS/WA-SECURITYPORTAL.EXE?A1=ind0011&L=linux-security#27

Note: Conectiva Linux Security Announcement CLSA-2000:338, also
regarding this issue, had a packaging error in it. Users who
downloaded updates based on CLSA-2000:338 should see CLSA-2000:339
for further information.

Debian

Please see Debian Security notice 20001112, bind at:

http://www.debian.org/security/2000/20001112

FreeBSD

All versions of FreeBSD after 4.0-RELEASE (namely 4.1-RELEASE,
4.1.1-RELEASE and the forthcoming 4.2-RELEASE) are not vulnerable
to this bug since they include versions of BIND 8.2.3. FreeBSD
4.0-RELEASE and earlier are vulnerable to the reported problems
since they include an older version of BIND, and an update to a
non-vulnerable version is scheduled to be committed to FreeBSD
3.5.1-STABLE in the next few days.

Hewlett-Packard

HP is vulnerable to these problems and is working to correct
them.

MandrakeSoft

Please see “MDKSA-2000:067: bind” at:

http://www.linux-mandrake.com/en/security/MDKSA-2000-067.php3

Microsoft Corporation

Microsoft is currently investigating these issues.

NetBSD

NetBSD is believed to be vulnerable to these problems; in
response, NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7
will be present in the forthcoming NetBSD 1.5 release.

RedHat

Please see “RHSA-2000:107-01: Updated bind packages fixing DoS
attack”, soon to be available at:

http://www.redhat.com/support/errata/

Slackware

Updated Slackware distributions for bind may be found at:


ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz


The CERT Coordination Center thanks Mark Andrews, David Conrad,
and Paul Vixie of the ISC for developing a solution and assisting
in the preparation of this advisory. We would also recognize the
contribution of Olaf Kirch in helping us understand the exact
nature of the “zxfr bug” vulnerability.


Author: This document was written by Jeffrey S. Havrilla and
Jeffrey P. Lanza. Feedback on this advisory is appreciated.


This document is available from:
http://www.cert.org/advisories/CA-2000-20.html


CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available
from our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and
bulletins, send email to majordomo@cert.org. Please include in the
body of your message

subscribe cert-advisory

* “CERT” and “CERT Coordination Center” are registered in the
U.S. Patent and Trademark Office.


NO WARRANTY Any material furnished by Carnegie Mellon University
and the Software Engineering Institute is furnished on an “as is”
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of
any kind with respect to freedom from patent, trademark, or
copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.

Revision History
November 13, 2000: Initial release

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.