CERT Amends DNS Flaw Fix | Internet News

Written By
Clint Boulton
Aug 28, 2002

The Carnegie Mellon Software Engineering Institute (CERT/CC) said Wednesday that the fix it previously offered to
thwart buffer overflows in domain name system resolver
libraries may not be enough to safeguard certain software systems.


CERT/CC made the amendment as a follow-up to its June 28 announcement that
remote attackers could send malicious DNS responses that may exploit
vulnerabilities to execute arbitrary code or cause a denial-of-service
attack on a system.


Perpetrators could hijack computers running certain vulnerable software products
from high-profile vendors, including Caldera, HP, IBM and Red Hat.


Flaws in the DNS are serious, as it is responsible for translating text-based Web addresses to numeric IP addresses.


CERT/CC said that when the advisory was first published, it was thought that a
caching DNS server that reconstructs DNS responses would prevent malicious
code from reaching systems with vulnerable resolver libraries.


“This workaround is not sufficient,” CERT/CC claimed. “It does not prevent some
DNS responses that contain malicious code from reaching clients, whether or
not the responses are reconstructed by a local caching DNS server. DNS
responses containing code that is capable of exploiting the vulnerabilities
described can be cached and reconstructed before being transmitted to
clients. Since the server may cache the responses, the malicious code could
persist until the server’s cache is purged or the entries expire.”


CERT/CC said the only real remedy to the flaw is to upgrade to a corrected
version of the DNS resolver libraries.


CERT/CC published two separate vulnerability notes with additional technical
details.


CERT/CC credited Joost Pol of PINE-CERT, the FreeBSD Project, the NetBSD Project, and David Conrad of Nominum for information about the flaw.


DNS vulnerabilities have been common fare among CERT/CC advisories in the past year. Particularly hard hit was the Berkeley Internet Name Domain (BIND) DNS, which was found to be susceptible to DoS attacks in June. The BIND DNS Server is used on most name serving machines on the Internet.


BIND flaws were also detected in January 2001.
