92603 2003-03-04 21:57 /23 rader/ John <bugtraq@doomsday.com> Importerad: 2003-03-04 21:57 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <3820> Ärende: BIND 9.2.2 Vulnerabilities? ------------------------------------------------------------ The ISC website lists the following as of today: http://www.isc.org/products/BIND/bind-security.html "ISC has discovered or has been notified of several bugs which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC. Upgrading to BIND version 9.2.2 is strongly recommended. If you cannot upgrade, BIND 8.3.4, 8.2.7, and 4.9.11 are available." 9.2.2 apparently was just released yesterday though I've seen no discussion about any specific vulnerabilities. The matrix at the bottom of the list shows two vulnerabilities, one with openssl, the other with libbind. Can anyone elaborate on what's happened here? I susbscribe to the BIND mailing list and haven't heard anything about this issue. Thx (92603) /John <bugtraq@doomsday.com>/-----(Ombruten) Kommentar i text 92601 av Albert Sunseri <sunseri@abpi.net> Kommentar i text 92608 av David Kennedy CISSP <david.kennedy@acm.org> 92601 2003-03-04 21:50 /58 rader/ Albert Sunseri <sunseri@abpi.net> Importerad: 2003-03-04 21:50 av Brevbäraren Extern mottagare: John <bugtraq@doomsday.com> Mottagare: Bugtraq (import) <3818> Kommentar till text 92603 av John <bugtraq@doomsday.com> Sänt: 2003-03-04 21:57 Ärende: Re: BIND 9.2.2 Vulnerabilities? ------------------------------------------------------------ Hi! Yesterday morning I saw no notice whatsover. I downloaded 9.2.1 and upgraded to it. ISC called it a 'bugfix' release. However - I just looked at the CHANGES file for 9.2.2 There are no security notes in the section for 9.2.2 but in the notes for 9.2.2rc1 these appear: 1356. [security] Support patches OpenSSL libraries. http://www.cert.org/advisories/CA-2002-23.html 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a). http://www.cert.org/advisories/CA-2002-23.html as well as a zillion other changes. Now I have to upgrade all over again :( Should they note that there are security bugs in the current release, or is it my responsibility to read all of the CHNGES files for all the release candidates _before_ I upgrade from one relase to another?????? Did I miss something as well here? -- Information wants to be priceless. Albert Sunseri sunseri@abpi.net > > The ISC website lists the following as of today: > > http://www.isc.org/products/BIND/bind-security.html > > "ISC has discovered or has been notified of several bugs which can result > in vulnerabilities of varying levels of severity in BIND as distributed by > ISC. Upgrading to BIND version 9.2.2 is strongly recommended. If you > cannot upgrade, BIND 8.3.4, 8.2.7, and 4.9.11 are available." > > 9.2.2 apparently was just released yesterday though I've seen no > discussion about any specific vulnerabilities. > > The matrix at the bottom of the list shows two vulnerabilities, one with > openssl, the other with libbind. > > Can anyone elaborate on what's happened here? I susbscribe to the BIND > mailing list and haven't heard anything about this issue. > > Thx > (92601) /Albert Sunseri <sunseri@abpi.net>/--------- 92608 2003-03-04 22:49 /85 rader/ David Kennedy CISSP <david.kennedy@acm.org> Importerad: 2003-03-04 22:49 av Brevbäraren Extern mottagare: John <bugtraq@doomsday.com> Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <3824> Kommentar till text 92603 av John <bugtraq@doomsday.com> Ärende: Re: BIND 9.2.2 Vulnerabilities? ------------------------------------------------------------ M 3/4/03 -0600, John wrote: Heavily edited from the bind-announce message: >>>> <excerpt>To: bind-announce@isc.org From: Mark_Andrews@isc.org Subject: BIND 9.2.2 is now available. Date: Tue, 04 Mar 2003 12:51:37 +1100 List-Id: <<bind-announce.isc.org> BIND 9.2.2 is now available. This is a maintenance release of BIND 9.2. It contains no new features. BIND 9.2.2 can be downloaded from ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.2.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.2.tar.gz.asc The signature was generated with the ISC public key, which is available at <<http://www.isc.org/ISC/isckey.txt>. A list of changes made since 9.2.0 follows. For earlier changes, see the file CHANGES in the distribution. 1356. [security] Support patches OpenSSL libraries. http://www.cert.org/advisories/CA-2002-23.html 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a). http://www.cert.org/advisories/CA-2002-23.html 1318. [bug] libbind: Remote buffer overrun. </excerpt><<<<<<<< (many non-security fixes/bug edited out by DMK) -- Regards, David Kennedy CISSP /"\ Director of Research Services, \ / ASCII Ribbon Campaign TruSecure Corp. http://www.trusecure.com X Against HTML Mail Protect what you connect; / \ Look both ways before crossing the Net. (92608) /David Kennedy CISSP <david.kennedy@acm.org>/(Enriched) 92746 2003-03-05 22:33 /26 rader/ Gerhard den Hollander <gerhard@jasongeo.com> Importerad: 2003-03-05 22:33 av Brevbäraren Extern mottagare: David Kennedy CISSP <david.kennedy@acm.org> Externa svar till: gdenhollander@jasongeo.com Mottagare: Bugtraq (import) <3834> Kommentar till text 92608 av David Kennedy CISSP <david.kennedy@acm.org> Ärende: Re: BIND 9.2.2 Vulnerabilities? ------------------------------------------------------------ * David Kennedy CISSP <david.kennedy@acm.org> (Tue, Mar 04, 2003 at 04:26:05PM -0500) > At 01:04 PM 3/4/03 -0600, John wrote: > > Heavily edited from the bind-announce message: So, does this mean that we can continue running 9.2.1 , or should we all rush out and upgrade to 9.2.2 as there is a security leak waiting to be exploited ? Kind regards, -- Gerhard den Hollander Phone :+31-10.280.1515 Global IT Support manager Direct:+31-10.280.1539 Jason Geosystems BV Fax :+31-10.280.1511 (When calling please note: we are in GMT+1) gdenhollander@jasongeo.com POBox 1573 visit us at http://www.jasongeo.com 3000 BN Rotterdam JASON.......#1 in Reservoir Characterization The Netherlands This e-mail and any attachment is/are intended solely for the named addressee(s) and may contain information that is confidential and privileged. If you are not the intended recipient, we request that you do not disseminate, forward, distribute or copy this e-mail message. If you have received this e-mail message in error, please notify us immediately by telephone and destroy the original message. (92746) /Gerhard den Hollander <gerhard@jasongeo.com>/(Ombruten) Kommentar i text 92755 av John <bugtraq@doomsday.com> 92755 2003-03-05 23:49 /14 rader/ John <bugtraq@doomsday.com> Importerad: 2003-03-05 23:49 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <3840> Kommentar till text 92746 av Gerhard den Hollander <gerhard@jasongeo.com> Ärende: Re: BIND 9.2.2 Vulnerabilities? ------------------------------------------------------------ That was really what I was trying to get at. If there are vulnerabilities I don't think that they are being discussed in a manner that brings this to the attention of those of us who are running 9.2.1. It seems that the announcement was rather low-key and I stumbled across this information on the website almost by mistake. On Wed, 5 Mar 2003, Gerhard den Hollander wrote: > > So, does this mean that we can continue running 9.2.1 , or should we all > rush out and upgrade to 9.2.2 as there is a security leak waiting to be > exploited ? (92755) /John <bugtraq@doomsday.com>/-----(Ombruten) 92946 2003-03-06 19:55 /27 rader/ Scott Wunsch <bugtraq@tracking.wunsch.org> Importerad: 2003-03-06 19:55 av Brevbäraren Extern mottagare: John <bugtraq@doomsday.com> Mottagare: Bugtraq (import) <3857> Kommentar till text 92755 av John <bugtraq@doomsday.com> Ärende: Re: BIND 9.2.2 Vulnerabilities? ------------------------------------------------------------ On Wed, 05-Mar-2003 at 15:46:41 -0600, John wrote: > That was really what I was trying to get at. If there are vulnerabilities > I don't think that they are being discussed in a manner that brings this > to the attention of those of us who are running 9.2.1. It seems that the > announcement was rather low-key and I stumbled across this information on > the website almost by mistake. I'm rather puzzled by it too :-). Some days before before the 9.2.2 release, my 9.2.1 nameserver was getting repeatedly killed (with an assertion failure) by a stream of DNS queries over TCP from one of our users. Every time I restarted it, it would die again within a few seconds. We "solved" the problem by blocking traffic from the customer who was generating all the TCP queries. I reported this to ISC, and was informed that this was fixed in 9.2.2rc1 (but my request for more details was ignored). So, if nothing else, I consider 9.2.2 to be a fix for a denial of service problem. -- Take care, Scott \\'unsch ... Write all complaints in this box (in triplicate): [] Thank You! (92946) /Scott Wunsch <bugtraq@tracking.wunsch.org>/(Ombruten) 92962 2003-03-06 22:16 /41 rader/ Michael Walton <mwalton@abilene.com> Importerad: 2003-03-06 22:16 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <3865> Bilaga (text/plain) till text 92961 Ärende: Bilaga till: [sorcerer-spells] BIND-SORCERER2003-03-06 ------------------------------------------------------------ Sorcerer Update Advisory Tap Into the Source ________________________________________________________________________ Source Name: BIND-9.2.2 Advisory ID: SORCERER2003-03-06 Date: March 6th, 2003 ________________________________________________________________________ Problem Description: ISC has discovered or has been notified of several bugs which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC. Upgrading to BIND version 9.2.2 is strongly recommended. Update: Sources have been updated to the lates version. ________________________________________________________________________ Updated Sources: bind-9.2.2 ________________________________________________________________________ Recomendation: augur synch && augur update ------------------------------------------------------------------------ Contacts: Email: sorcerer-security@linuxmountain.org Mail List: https://lists.berlios.de/mailman/listinfo/sorcerer-spells Web: http://sorcerer.wox.org Irc: irc://irc.freenode.net #sorcerer (92962) /Michael Walton <mwalton@abilene.com>/(Ombruten) 93652 2003-03-11 18:38 /143 rader/ Mike Schiffman <mike@infonexus.com> Importerad: 2003-03-11 18:38 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <3910> Ärende: [Summary of Responses] Bound by Tradition: A sampling of the security posture of the Internet's DNS servers ------------------------------------------------------------ - Chris Gordon <chris.gordon@gettyimages.com> has been watching DNS traffic at www.dshield.org and was wondering if "something was coming" and wanted to know if I had seen anything to indicate a DNS worm or virus was propagating. Chris, I have not noticed anything along those lines but all I did was actively scan DNS servers and process the responses, I did not sift through arbitrary Internet DNS traffic. - Bill Manning <bmanning@ISI.EDU> did not find the paper "particularly new or that interesting". He thought it reinforced work done over the last six years on the vulnerabilities in the installed base of DNS code. - Robert Brockway <robert@timetraveller.org> agreed with the overall statement of the paper 100%. "Somewhat OT for your discussion but it is high time for organisations to realise why they need geographically & logically seperated DNS servers. The number of organisations with 1 DNS server, all the servers on the same subnet, or lame delegations is disgraceful. In the end DNS security must rest on a properly configured DNS system." - Kurt Seifried <kurt@seifried.org> found that the paper agreed with his results: "This pretty much parallels the results I got when I did some checking into government DNS certains for a large country. I was able to do zone transfers for something like 60% of the subdomains (with some interesting results, like test-oracle-server.foo), bind versions were all over the map, and most were poorly secured if at all, to say nothing of the classic "all servers on the same subnet" for a few of the larger subdomains. I had them contacted, still no change. Sigh." - Nicholas Weaver <nweaver@CS.berkeley.edu> pointed out: "The roots really aren't vulnerable to a DDoS: Yes they are a single point, but they handle such little real traffic (mostly garbage) and the responses are cached for a long time. It is the gTLDs (eg, the .com nameservers) which are vulnerable to a DDoS, and the DDoS would probably be a traffic load related attacks." - Nuzman <nuzman@shreve.net> wrote "One thing that many corporations still overlook is diversity in DNS. Remember Microsoft getting knocked off because their DNS servers were all on one subnet (early 2001)? I did a survey recently of the largest businesses in WI (whois on domain name) and almost half had DNS all in the same subnet... even companies that I know have good multi-path Net access. Heck, even adding something like granitecanyon.com as a 3rd and/or 4th DNS server would be an improvement for some businesses. One thing I'd be interested in seeing... what's the penetration of non-BIND DNS out there? The company I work for is a MS shop and we use Win2k DNS for primary and Sprint for additional secondary." And last, but not least, David Conrad <david.conrad@nominum.com> of Nominum: "Cute title. In no particular order: 1) You appear to make a big deal out of number of lines of code implying increased vulnerability, but the data you provide shows the opposite -- BINDv9 with 300,000+ lines of code has fewer vulnerabilities than BINDv8 (v2 in particular) with half the lines of code. Note that these code estimates are most likely misleading as they appear to include the entire source tree and BINDv9 has extensive tests that BINDv8 or 4 never had. 2) Several non-BIND DNS servers respond to CHAOS TXT queries for version.bind as if they were BIND. To get an accurate assessment of the servers running, more elaborate and sophisticated fingerprinting is necessary. 3) Verisign does not run all the root servers, only two, one of which runs Atlas last I heard. The do run all the .com/.net gTLD servers. I believe two are running Atlas now. 4) There are many other DNS servers available today, not just djbdns. NSD, PowerDNS, MaraDNS, and Posadis, are 4 open source implementations. Nominum's ANS and CNS, Microsoft Win2K (and .Net or whatever it is called today) DNS, Incognito's DNS Commander, and Cisco's CNR DNS server are proprietary commercial implementations available for purchase. 5) BINDv9 has never had a arbitrary code executable buffer overflow exploit unlike BINDv8 or BINDv4. It has, however, has had denial of service vulnerabilities until the 9.2 series, most of which do not appear on ISC's web page. The 9.0 series, in particular, was susceptible to remote denial of service 'packets of death'. 6) BIND 8.2.7 has no known vulnerabilities so it should be classified as 'safe'. The difference between the 8.2 series and the 8.3 series is primarily v6 support in 8.3. 7) "Klaatu, Barada, Nikto" is actually from the 1950s movie "The Day The Earth Stood Still". Sam Raimi stole the line for "Army of Darkness" (and other projects he has done) 8) Your section title "Remediation" makes several assertions without data to back up those assertions: * "Poor programming is obviously the main issue enabling the vulnerabilities" -- you provide no data that demonstrates poor programming. An assertion along the lines of "attempts to integrate code from a wide variety of sources in the traditional open source fashion is the main issue enabling the vulnerabilities" would probably be more accurate. * "BIND ... is a perfect example of what happens when security is retrofit as opposed to designed into the product ..." -- you have not documented a basis that there was an attempt to retrofit security into the product. 9) Bill Manning at ISI runs a periodic survey of BIND versions and has been doing so since 1996 or so. Stating your report "is the first to present substantive proof quantifying just how vulnerable" the DNS infrastructure is ... a bit of a stretch. 10) You mention the root DDoS attacks but they are unrelated to BIND. The attacks didn't even use DNS packets. 11) BIND version 4 continues to get security patches. It is currently at version 4.9.11 (last I looked). 12) It is a bit misleading to say djbdns has no security vulnerabilities. While it is true that the component programs that make up djbdns have not had a known vulnerability, the design of djbdns relies on external services (Bernstein recommends rsync over ssh, I believe) to replicate data from the primary to secondaries. A vulnerability in these external services, mandatory for (the equivalent of) normal zone maintenance data replication with djbdns, would be at least as damaging as a vulnerability in the djbdns package itself. However, it makes it much easier to offer 'security guarantees' since large chunks of functionality are not covered under the warranty (so to speak). There have been vulnerabilities in ssh since djbdns was released. 13) Stating "BIND is mature" is misleading as BINDv9 was a complete, from the ground up rewrite of BIND sharing no code (except for an optionally compile backwards compatibility stub resolver library that does not link into the server) with BINDv8. BINDv4 could be called mature. BINDv8 is arguable. The large jump in lines of code for 8.2 was a result of integration of code from external parties (Intel, Checkpoint, and NAI to name three). Clearly, given the number of lines of code doubled, the maturity of the code base was reset." -- Mike Schiffman, CISSP http://www.packetfactory.net/schiffman.html (93652) /Mike Schiffman <mike@infonexus.com>/(Ombruten)