DoS Hole Has Some DNS Servers In a BIND

A weakness discovered Tuesday in Domain Name System (DNS) servers running ISC BIND 9 prior to 9.2.1 forced officials to issue an advisory warning of potential denial-of-service attacks.

The memo sent out by the Computer Emergency Response Team Coordination Center (CERT) said the threat could be widespread considering that the BIND DNS Server is used on the vast majority of name serving machines on the Internet.

The problem could even impact non-BIND servers, since the normal operation of most services on the Internet “depends on the proper operation of DNS servers,” CERT said.

In its advisory, CERT said, “a vulnerability exists in version 9 of BIND that allows remote attackers to shut down BIND servers. An attacker can cause the shutdown by sending a specific DNS packet designed to trigger an internal consistency check. However, this vulnerability will not allow an attacker to execute arbitrary code or write data to arbitrary locations in memory.”

The researchers said the weakness does not seem to affect ISC (Internet Software Consortium) BIND versions 8 and 4 or any other non-BIND server software like IRIX.

According to the advisory, the internal consistency check that triggers the shutdown occurs when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL as expected. The condition causes the code to assert an error message and call abort to shut down the BIND server. CERT said it is also possible to accidentally trigger this vulnerability using common queries found in routine operation, especially queries originating from SMTP servers.
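As an added illustration (not BIND's source code): a message-section lookup with the same precondition the advisory describes, an out-parameter that must be NULL on entry, enforced once with an abort-on-failure REQUIRE() and once by returning an error, plus a caller that trips it by reusing the pointer without resetting it. The names findtype_assert, findtype_checked and lookup_twice, the result codes and the sample section are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Illustration only, not BIND source. A constructed "answer section" and a
 * lookup whose out-parameter must be NULL on entry, the precondition the
 * advisory describes for dns_message_findtype(). */
typedef struct { uint16_t type; const char *name; } rdataset_t;
enum { R_SUCCESS = 0, R_NOTFOUND = 1, R_BADARG = 2 };

static rdataset_t section[] = { { 1, "A" }, { 15, "MX" } };   /* constructed */
#define SECTION_LEN (sizeof(section) / sizeof(section[0]))

/* Style 1: precondition enforced the way BIND's REQUIRE() does it. A violation
 * aborts the whole process, so on a network-facing daemon one unexpected
 * query becomes a remote denial of service. */
#define REQUIRE(cond) do { if (!(cond)) { \
        fprintf(stderr, "assertion failed: %s\n", #cond); abort(); } } while (0)

int findtype_assert(uint16_t type, rdataset_t **rdataset)
{
    REQUIRE(rdataset != NULL && *rdataset == NULL);
    for (size_t i = 0; i < SECTION_LEN; i++)
        if (section[i].type == type) { *rdataset = &section[i]; return R_SUCCESS; }
    return R_NOTFOUND;
}

/* Style 2: same check, but a violation is reported to the caller as an error,
 * so a single bad lookup cannot take the server down. */
int findtype_checked(uint16_t type, rdataset_t **rdataset)
{
    if (rdataset == NULL || *rdataset != NULL)
        return R_BADARG;
    for (size_t i = 0; i < SECTION_LEN; i++)
        if (section[i].type == type) { *rdataset = &section[i]; return R_SUCCESS; }
    return R_NOTFOUND;
}

/* A caller that looks up two types with one out-pointer. Without resetting it
 * between calls, the second call violates the precondition. */
int lookup_twice(int (*findtype)(uint16_t, rdataset_t **), int reset)
{
    rdataset_t *rds = NULL;
    int r = findtype(1, &rds);
    if (r != R_SUCCESS)
        return r;
    if (reset)
        rds = NULL;              /* the well-behaved caller clears it first */
    return findtype(15, &rds);   /* with reset == 0, style 1 aborts here */
}
```

Calling lookup_twice(findtype_checked, 0) returns R_BADARG and the process lives on; the same call through findtype_assert would terminate it, which is the failure mode the advisory describes.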

The vulnerability was found through routine bug analysis. ISC said it strongly recommends that all BIND 9 users upgrade immediately to 9.2.1.

A quick check of server manufacturers and software makers found that systems from Caldera Open Unix, Hewlett-Packard, MandrakeSoft Linux 8.x, Red Hat Linux versions 7.1, 7.2 and 7.3, and SuSE, Inc. Linux are affected.

Each of the vendors said they were aware of the problem and were either currently working on producing errata packages or had them available for download.

At press time, Nortel Networks said it is reviewing its portfolio to determine whether any of its products are affected by the vulnerability noted in the CERT advisory.

The Berkeley Internet Name Domain package was originally written at the University of California at Berkeley as a graduate student project under a grant from the US Defense Advanced Research Projects Administration (DARPA). Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. The package maps domain names to IP addresses.

The package provides the major components of the Domain Name System: a Domain Name System server (named), a Domain Name System resolver library, and tools for verifying the proper operation of the DNS server.

The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service.

This is not the first time CERT has had to issue a warning about vulnerabilities in BIND’s architecture. In January 2001, CERT released an advisory detailing four security holes in older versions of BIND, which urged all users of the software to upgrade to BIND 4.9.8, BIND 8.2.3 or BIND 9.1. Since 1997, CERT has published 12 documents detailing vulnerabilities in the software, which has earned it the nickname Buggy Internet Name Daemon.

CERT has posted a copy of the advisory describing the current problem at: