92603 2003-03-04  21:57  /23 lines/ John <bugtraq@doomsday.com>
Imported: 2003-03-04  21:57  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3820>
Subject: BIND 9.2.2 Vulnerabilities?
------------------------------------------------------------

The ISC website lists the following as of today:

http://www.isc.org/products/BIND/bind-security.html

"ISC has discovered or has been notified of several bugs which can
result in vulnerabilities of varying levels of severity in BIND as
distributed by ISC. Upgrading to BIND version 9.2.2 is strongly
recommended. If you cannot upgrade, BIND 8.3.4, 8.2.7, and 4.9.11
are available."

9.2.2 apparently was just released yesterday though I've seen no 
discussion about any specific vulnerabilities.

The matrix at the bottom of the list shows two vulnerabilities, one
with openssl, the other with libbind.

Can anyone elaborate on what's happened here?  I subscribe to the
BIND mailing list and haven't heard anything about this issue.

Thx
(92603) /John <bugtraq@doomsday.com>/-----(Rewrapped)
Comment in text 92601 by Albert Sunseri <sunseri@abpi.net>
Comment in text 92608 by David Kennedy CISSP <david.kennedy@acm.org>

92601 2003-03-04  21:50  /58 lines/ Albert Sunseri <sunseri@abpi.net>
Imported: 2003-03-04  21:50  by Brevbäraren
External recipient: John <bugtraq@doomsday.com>
Recipient: Bugtraq (import) <3818>
Comment to text 92603 by John <bugtraq@doomsday.com>
    Sent:     2003-03-04 21:57
Subject: Re: BIND 9.2.2 Vulnerabilities?
------------------------------------------------------------

Hi! 

Yesterday morning I saw no notice whatsoever.
I downloaded 9.2.1 and upgraded to it.
ISC called it a 'bugfix' release.

However - I just looked at the CHANGES file for 9.2.2 

There are no security notes in the section for 9.2.2
but in the notes for 9.2.2rc1 these appear: 

1356.   [security]      Support patches OpenSSL libraries.
                        http://www.cert.org/advisories/CA-2002-23.html

1349.   [security]      Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
                        http://www.cert.org/advisories/CA-2002-23.html

as well as a zillion other changes. 

Now I have to upgrade all over again :(

Should they note that there are security
bugs in the current release, or is it my responsibility to read
all of the CHANGES files for all the release candidates _before_
I upgrade from one release to another??????

Did I miss something as well here? 

--
Information wants to be priceless.
Albert Sunseri
sunseri@abpi.net


> 
> The ISC website lists the following as of today:
> 
> http://www.isc.org/products/BIND/bind-security.html
> 
> "ISC has discovered or has been notified of several bugs which can result 
> in vulnerabilities of varying levels of severity in BIND as distributed by 
> ISC. Upgrading to BIND version 9.2.2 is strongly recommended. If you 
> cannot upgrade, BIND 8.3.4, 8.2.7, and 4.9.11 are available."
> 
> 9.2.2 apparently was just released yesterday though I've seen no 
> discussion about any specific vulnerabilities.
> 
> The matrix at the bottom of the list shows two vulnerabilities, one with 
> openssl, the other with libbind.
> 
> Can anyone elaborate on what's happened here?  I subscribe to the BIND 
> mailing list and haven't heard anything about this issue.
> 
> Thx
>
(92601) /Albert Sunseri <sunseri@abpi.net>/---------
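Albert's question above (do you have to read the CHANGES notes of every release candidate to find the security fixes?) can be answered mechanically. The parser below is an added example, not code from any of the posters or from ISC: it reads a BIND-style CHANGES file and lists every [security] entry in any release newer than the installed one, release candidates included. The file layout (a "--- X released ---" marker above each release's numbered entries, continuation lines indented) and the sample text are assumptions; the entry numbers 1356, 1349 and 1318 are the ones quoted in the thread, 1373 and 1200 are constructed.

```python
import re

# Constructed sample in the layout assumed for BIND's CHANGES file
# (real files use tabs; spaces are used here for readability).
SAMPLE_CHANGES = """\
    --- 9.2.2 released ---

1373.   [bug]       A non-security fix (constructed entry).

    --- 9.2.2rc1 released ---

1356.   [security]  Support patches OpenSSL libraries.
                    http://www.cert.org/advisories/CA-2002-23.html

1349.   [security]  Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
                    http://www.cert.org/advisories/CA-2002-23.html

1318.   [bug]       libbind: Remote buffer overrun.

    --- 9.2.1 released ---

1200.   [bug]       An older fix (constructed entry).
"""

RELEASE_RE = re.compile(r"^\s*---\s+(\S+)\s+released\s+---\s*$")
ENTRY_RE = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s+(.*)$")


def parse_changes(text):
    """Return (release, number, tag, description) for every entry.

    An entry belongs to the nearest release marker above it, so entries
    under "9.2.2rc1 released" are not repeated under "9.2.2 released".
    """
    release, entries = None, []
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            release = m.group(1)
        elif (m := ENTRY_RE.match(line)):
            entries.append([release, int(m.group(1)), m.group(2), m.group(3).strip()])
        elif entries and line.strip() and line[0] in " \t":
            entries[-1][3] += " " + line.strip()  # indented continuation line
    return [tuple(e) for e in entries]


def version_key(v):
    """Sort key so that 9.2.1 < 9.2.2rc1 < 9.2.2."""
    base, _, rc = v.partition("rc")
    nums = tuple(int(x) for x in base.split("."))
    return nums + ((0, int(rc)) if rc else (1, 0))


def security_fixes_since(text, installed):
    """All [security] entries in releases (and RCs) newer than `installed`."""
    return [e for e in parse_changes(text)
            if e[2] == "security" and e[0] is not None
            and version_key(e[0]) > version_key(installed)]


if __name__ == "__main__":
    for release, number, _, desc in security_fixes_since(SAMPLE_CHANGES, "9.2.1"):
        print(f"{release}: {number}. {desc}")
```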

92608 2003-03-04  22:49  /85 lines/ David Kennedy CISSP <david.kennedy@acm.org>
Imported: 2003-03-04  22:49  by Brevbäraren
External recipient: John <bugtraq@doomsday.com>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3824>
Comment to text 92603 by John <bugtraq@doomsday.com>
Subject: Re: BIND 9.2.2 Vulnerabilities?
------------------------------------------------------------
At 01:04 PM 3/4/03 -0600, John wrote:

Heavily edited from the bind-announce message:

>>>>
To: bind-announce@isc.org
From: Mark_Andrews@isc.org
Subject: BIND 9.2.2 is now available.
Date: Tue, 04 Mar 2003 12:51:37 +1100
List-Id: <bind-announce.isc.org>

BIND 9.2.2 is now available.  This is a maintenance release of BIND 9.2.
It contains no new features.

BIND 9.2.2 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.2.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.2.tar.gz.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/ISC/isckey.txt>.

A list of changes made since 9.2.0 follows.  For earlier changes,
see the file CHANGES in the distribution.

1356.	[security]	Support patches OpenSSL libraries.
			http://www.cert.org/advisories/CA-2002-23.html

1349.	[security]	Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
			http://www.cert.org/advisories/CA-2002-23.html

1318.	[bug]		libbind: Remote buffer overrun.
<<<<<<<<

(many non-security fixes/bugs edited out by DMK)



-- 
Regards,

David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.

(92608) /David Kennedy CISSP <david.kennedy@acm.org>/(Enriched)
92746 2003-03-05  22:33  /26 lines/ Gerhard den Hollander <gerhard@jasongeo.com>
Imported: 2003-03-05  22:33  by Brevbäraren
External recipient: David Kennedy CISSP <david.kennedy@acm.org>
External replies to: gdenhollander@jasongeo.com
Recipient: Bugtraq (import) <3834>
Comment to text 92608 by David Kennedy CISSP <david.kennedy@acm.org>
Subject: Re: BIND 9.2.2 Vulnerabilities?
------------------------------------------------------------
* David Kennedy CISSP <david.kennedy@acm.org> (Tue, Mar 04, 2003 at 04:26:05PM -0500)
> At 01:04 PM 3/4/03 -0600, John wrote: 
> 
> Heavily edited from the bind-announce message: 

So, does this mean that we can continue running 9.2.1, or should we
all rush out and upgrade to 9.2.2 as there is a security leak waiting
to be exploited?

Kind regards,
 --
Gerhard den Hollander                           Phone :+31-10.280.1515
Global IT Support manager                       Direct:+31-10.280.1539 
Jason Geosystems BV                             Fax   :+31-10.280.1511 
              (When calling please note: we are in GMT+1)
gdenhollander@jasongeo.com                          POBox 1573
visit us at http://www.jasongeo.com                 3000 BN Rotterdam  
JASON.......#1 in Reservoir Characterization        The Netherlands

      This e-mail and any attachment is/are intended solely for the named
  addressee(s) and may contain information that is confidential and privileged.
       If you are not the intended recipient, we request that you do not
         disseminate, forward, distribute or copy this e-mail message.
      If you have received this e-mail message in error, please notify us
           immediately by telephone and destroy the original message.
(92746) /Gerhard den Hollander <gerhard@jasongeo.com>/(Rewrapped)
Comment in text 92755 by John <bugtraq@doomsday.com>
92755 2003-03-05  23:49  /14 lines/ John <bugtraq@doomsday.com>
Imported: 2003-03-05  23:49  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3840>
Comment to text 92746 by Gerhard den Hollander <gerhard@jasongeo.com>
Subject: Re: BIND 9.2.2 Vulnerabilities?
------------------------------------------------------------

That was really what I was trying to get at.  If there are
vulnerabilities I don't think that they are being discussed in a
manner that brings this to the attention of those of us who are
running 9.2.1.  It seems that the announcement was rather low-key
and I stumbled across this information on the website almost by
mistake.

On Wed, 5 Mar 2003, Gerhard den Hollander wrote:
> 
> So, does this mean that we can continue running 9.2.1, or should we all
> rush out and upgrade to 9.2.2 as there is a security leak waiting to be
> exploited?
(92755) /John <bugtraq@doomsday.com>/-----(Rewrapped)
92946 2003-03-06  19:55  /27 lines/ Scott Wunsch <bugtraq@tracking.wunsch.org>
Imported: 2003-03-06  19:55  by Brevbäraren
External recipient: John <bugtraq@doomsday.com>
Recipient: Bugtraq (import) <3857>
Comment to text 92755 by John <bugtraq@doomsday.com>
Subject: Re: BIND 9.2.2 Vulnerabilities?
------------------------------------------------------------
On Wed, 05-Mar-2003 at 15:46:41 -0600, John wrote:

> That was really what I was trying to get at.  If there are vulnerabilities 
> I don't think that they are being discussed in a manner that brings this 
> to the attention of those of us who are running 9.2.1.  It seems that the 
> announcement was rather low-key and I stumbled across this information on 
> the website almost by mistake.

I'm rather puzzled by it too :-).  Some days before the 9.2.2
release, my 9.2.1 nameserver was getting repeatedly killed (with an
assertion failure) by a stream of DNS queries over TCP from one of
our users.  Every time I restarted it, it would die again within a
few seconds.  We "solved" the problem by blocking traffic from the
customer who was generating all the TCP queries.

I reported this to ISC, and was informed that this was fixed in
9.2.2rc1 (but my request for more details was ignored).

So, if nothing else, I consider 9.2.2 to be a fix for a denial of
service problem.

-- 
Take care,
Scott \\'unsch

... Write all complaints in this box (in triplicate): []  Thank You!
(92946) /Scott Wunsch <bugtraq@tracking.wunsch.org>/(Rewrapped)
92962 2003-03-06  22:16  /41 lines/ Michael Walton <mwalton@abilene.com>
Imported: 2003-03-06  22:16  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3865>
Attachment (text/plain) to text 92961
Subject: Attachment to: [sorcerer-spells] BIND-SORCERER2003-03-06
------------------------------------------------------------

                    Sorcerer Update Advisory
                      Tap Into the Source

________________________________________________________________________

Source Name:            BIND-9.2.2
Advisory ID:            SORCERER2003-03-06
Date:                   March 6th, 2003
________________________________________________________________________

Problem Description:
	ISC has discovered or has been notified of several bugs which
	can result in vulnerabilities of varying levels of severity in
	BIND as distributed by ISC. Upgrading to BIND version 9.2.2 
	is strongly recommended. 

Update:
	Sources have been updated to the latest version.
________________________________________________________________________

Updated Sources:  bind-9.2.2


________________________________________________________________________

Recommendation:
		augur synch && augur update



------------------------------------------------------------------------

Contacts:

Email:          sorcerer-security@linuxmountain.org
Mail List:      https://lists.berlios.de/mailman/listinfo/sorcerer-spells
Web:            http://sorcerer.wox.org
Irc:            irc://irc.freenode.net #sorcerer
(92962) /Michael Walton <mwalton@abilene.com>/(Rewrapped)
93652 2003-03-11  18:38  /143 lines/ Mike Schiffman <mike@infonexus.com>
Imported: 2003-03-11  18:38  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3910>
Subject: [Summary of Responses] Bound by Tradition: A sampling of the security posture of the Internet's DNS servers
------------------------------------------------------------
- Chris Gordon <chris.gordon@gettyimages.com> has been watching DNS
traffic at www.dshield.org and was wondering if "something was coming"
and wanted to know if I had seen anything to indicate a DNS worm or
virus was propagating. Chris, I have not noticed anything along those
lines but all I did was actively scan DNS servers and process the
responses, I did not sift through arbitrary Internet DNS traffic.

- Bill Manning <bmanning@ISI.EDU> did not find the paper
"particularly new or that interesting".  He thought it reinforced
work done over the last six years on the vulnerabilities in the
installed base of DNS code.

- Robert Brockway <robert@timetraveller.org> agreed with the overall
statement of the paper 100%. "Somewhat OT for your discussion but it
is high time for organisations to realise why they need
geographically & logically separated DNS servers.  The number of
organisations with 1 DNS server, all the servers on the same subnet,
or lame delegations is disgraceful.  In the end DNS security must
rest on a properly configured DNS system."

- Kurt Seifried <kurt@seifried.org> found that the paper agreed with
his results: "This pretty much parallels the results I got when I did
some checking into government DNS certains for a large country. I was
able to do zone transfers for something like 60% of the subdomains
(with some interesting results, like test-oracle-server.foo), bind
versions were all over the map, and most were poorly secured if at
all, to say nothing of the classic "all servers on the same subnet"
for a few of the larger subdomains. I had them contacted, still no
change. Sigh."

- Nicholas Weaver <nweaver@CS.berkeley.edu> pointed out: "The roots
really aren't vulnerable to a DDoS:  Yes they are a single point, but
they handle such little real traffic (mostly garbage) and the
responses are cached for a long time. It is the gTLDs (eg, the .com
nameservers) which are vulnerable to a DDoS, and the DDoS would
probably be a traffic-load-related attack."

- Nuzman <nuzman@shreve.net> wrote "One thing that many corporations
still overlook is diversity in DNS. Remember Microsoft getting
knocked off because their DNS servers were all on one subnet (early
2001)? I did a survey recently of the largest businesses in WI (whois
on domain name) and almost half had DNS all in the same
subnet... even companies that I know have good multi-path Net access.
Heck, even adding something like granitecanyon.com as a 3rd and/or
4th DNS server would be an improvement for some businesses.  One
thing I'd be interested in seeing... what's the penetration of
non-BIND DNS out there? The company I work for is a MS shop and we
use Win2k DNS for primary and Sprint for additional secondary."

And last, but not least, David Conrad <david.conrad@nominum.com> of
Nominum:

"Cute title.

In no particular order:

1) You appear to make a big deal out of number of lines of code 
implying increased vulnerability, but the data you provide shows the 
opposite -- BINDv9 with 300,000+ lines of code has fewer 
vulnerabilities than BINDv8 (v2 in particular) with half the lines of 
code.  Note that these code estimates are most likely misleading as 
they appear to include the entire source tree and BINDv9 has extensive 
tests that BINDv8 or 4 never had.

2) Several non-BIND DNS servers respond to CHAOS TXT queries for
version.bind as if they were BIND.  To get an accurate assessment of
the servers running, more elaborate and sophisticated fingerprinting
is necessary.

3) Verisign does not run all the root servers, only two, one of which
runs Atlas last I heard.  They do run all the .com/.net gTLD servers.
I believe two are running Atlas now.

4) There are many other DNS servers available today, not just djbdns.
NSD, PowerDNS, MaraDNS, and Posadis, are 4 open source
implementations.
Nominum's ANS and CNS, Microsoft Win2K (and .Net or whatever it is 
called today) DNS, Incognito's DNS Commander, and Cisco's CNR DNS 
server are proprietary commercial implementations available for 
purchase.

5) BINDv9 has never had an arbitrary code executable buffer overflow 
exploit unlike BINDv8 or BINDv4.  It has, however, had denial of 
service vulnerabilities until the 9.2 series, most of which do not 
appear on ISC's web page.   The 9.0 series, in particular, was 
susceptible to remote denial of service 'packets of death'.

6) BIND 8.2.7 has no known vulnerabilities so it should be classified
as 'safe'.  The difference between the 8.2 series and the 8.3 series
is primarily v6 support in 8.3.

7) "Klaatu, Barada, Nikto" is actually from the 1950s movie "The Day 
The Earth Stood Still".  Sam Raimi stole the line for "Army of 
Darkness" (and other projects he has done).

8) Your section title "Remediation" makes several assertions without 
data to back up those assertions:
* "Poor programming is obviously the main issue enabling the 
vulnerabilities" -- you provide no data that demonstrates poor 
programming.  An assertion along the lines of "attempts to integrate 
code from a wide variety of sources in the traditional open source 
fashion is the main issue enabling the vulnerabilities" would probably 
be more accurate.
* "BIND ... is a perfect example of what happens when security is 
retrofit as opposed to designed into the product ..." -- you have not 
documented a basis that there was an attempt to retrofit security into 
the product.

9) Bill Manning at ISI runs a periodic survey of BIND versions and has 
been doing so since 1996 or so.  Stating your report "is the first to 
present substantive proof quantifying just how vulnerable" the DNS 
infrastructure is ... a bit of a stretch.

10) You mention the root DDoS attacks but they are unrelated to BIND.  
The attacks didn't even use DNS packets.

11) BIND version 4 continues to get security patches.  It is currently 
at version 4.9.11 (last I looked).

12) It is a bit misleading to say djbdns has no security
vulnerabilities.  While it is true that the component programs that
make up djbdns have not had a known vulnerability, the design of
djbdns relies on external services (Bernstein recommends rsync over
ssh, I believe) to replicate data from the primary to secondaries.
A vulnerability in these external services, mandatory for (the
equivalent of) normal zone maintenance data replication with djbdns,
would be at least as damaging as a vulnerability in the djbdns
package itself.   However, it makes it much easier to offer 'security
guarantees' since large chunks of functionality are not covered
under the warranty (so to speak).  There have been vulnerabilities
in ssh since djbdns was released.

13) Stating "BIND is mature" is misleading as BINDv9 was a complete,
from the ground up rewrite of BIND sharing no code (except for an
optionally compiled backwards compatibility stub resolver library that
does not link into the server) with BINDv8.  BINDv4 could be called
mature.  BINDv8 is arguable.  The large jump in lines of code for 8.2
was a result of integration of code from external parties (Intel,
Checkpoint, and NAI to name three).  Clearly, given the number of
lines of code doubled, the maturity of the code base was reset."

--
Mike Schiffman, CISSP
http://www.packetfactory.net/schiffman.html
(93652) /Mike Schiffman <mike@infonexus.com>/(Rewrapped)