DNS servers are a critical element of any Internet infrastructure, and they’re among the easiest targets for hackers to attack. Even so, many administrators have reportedly failed to make vital upgrades to their Berkley Internet Name Domain (BIND) servers that provide DNS services, despite the fact that most UNIX and Linux versions of BIND have a number of well-known vulnerabilities.
There appears to be an urban myth that UNIX and, in particular, Linux, are naturally more secure than other operating systems, but that is a dangerous belief that can lead to complacency. In fact, CERT has published at least 12 major advisories just on UNIX/Linux BIND vulnerabilities alone.
Recent warnings from CERT and other security organizations should provide the impetus needed to persuade IT professionals that BIND upgrades are vital, especially in light of a recent report by CERT concerning the relationship between the announcement of a vulnerability and the frequency of reported hacking incidents that try to exploit that vulnerability. Many crackers are not particularly skilled and simply follow security announcements to learn of new vulnerabilities while relying on the fact that many administrators are slow to patch even well-known problems.
In the case of BIND vulnerabilities, the attack frequency appears to peak a couple of months after the initial announcement and then taper off for almost a year after that, indicating that many sites are taking that long to make the necessary updates. Even worse, the Internet Software Consortium (ISC), the organization that manages BIND, reports that versions as old as BIND 4 (BIND 9 is current) are still widely used despite the fact that ISC no longer supports them.
Threat level—moderate to extreme
The four most recent BIND problems range from moderately to extremely dangerous, with three of them allowing a remote cracker to gain access to a system. Because BIND is normally run on a superuser (“root”) account, this access would allow a cracker complete control over the system.
These problems should concern any administrator running DNS services using BIND or companies that suspect that their ISP may be vulnerable. This can also be a problem for desktop PCs running UNIX or Linux because BIND is often installed by default. BIND should be disabled on these PCs.
A number of different versions of ISC’s BIND server are vulnerable, with each bug affecting different software versions.
- The nslookupComplain() function contains a buffer overflow vulnerability in BIND 4 versions 4.9.3, 4.9.4, 4.9.5, 4.9.5-P1, 4.9.6, 4.9.7, and possibly earlier versions of BIND 4.9.x and BIND 4.9 (based on ISC information). Again, ISC says there is no workaround. Attackers could gain access to the system or cause stack corruption. See Vulnerability Note VU#572183.
- Another nslookupComplain() problem is the input validation, which was fixed by ISC in release BIND 4.9.5-P1. CERT states that many third-party distributors of BIND 4 have not made the upgrade, so all BIND 4 versions are suspect. There is no workaround, and an upgrade is also required to fix this problem. See Vulnerability Note VU#868916.
- BIND 4.9x and 8.2x have a less critical vulnerability that can expose information contained in the program stack. Just how important this is depends in large part on what information is in the stack, which sometimes includes important environment variables that could be misused by crackers. See Vulnerability Note VU#325431.
While there are no workarounds for the most critical BIND vulnerabilities, and you must upgrade BIND to fix these problems, CERT generally recommends minimizing the impact of these and other DNS attacks by configuring your DNS environment into separate public and internal DNS servers so you can apply different security policies to each. Using a split DNS server configuration means that, in most cases, an attack on one server will not crash the other, so you will have continuous Internet service.
With regard to these vulnerabilities, The Internet Software Consortium says, “Upgrading to BIND version 9.1 is strongly recommended. If that is not possible for your site, upgrading at least to BIND version 8.2.3 is imperative.”
BIND 4.9.8 and 8.2.3 distributions are available at ftp://ftp.isc.org/isc/bind/src/. BIND 9.1 distribution is available at ftp://ftp.isc.org/isc/bind9/.
Background and links to further information
BIND is a widely used program that enables Web users to use simple host names, such as www.techrepublic.com. A simple host name is resolved into the actual four-segment IP address (220.127.116.11), which is used to locate the hosting server on the Internet. Since the IP address alone isn’t enough to reach many pages directly, merely knowing the numeric address isn’t sufficient and the DNS translation is still necessary. Obviously, any threat to BIND is a major threat to Internet access for anyone using the vulnerable servers.
For more information, check out these resources:
- CERT’s original warning, CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
- ISC’s warning about these problems
- Information posted by Red Hat
Are you running an up-to-date version of BIND?
Do you have a plan in place for regularly checking security advisories and patching your systems? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.