According to AusCERT Security Bulletin AL-2002.13 (from Australian CERT), Internet Security Systems has discovered three serious vulnerabilities in the Berkeley Internet Name Domain Server (BIND). Since BIND is the most popular DNS software in use on the Internet today, any flaw that relates to it is a major concern.

A report also appeared in InfoWorld based on the ISS X-Force team’s information. InfoWorld warns that all three vulnerabilities can lead to denial of service (DoS) events and some may allow an attacker to run arbitrary code.

While these exploits are somewhat difficult to implement and are definitely not likely to be exploited by script kiddies, they constitute a serious remote threat that could be exploited by any serious hacker who wants to bring down some pieces of the Internet. In fact, all that attackers require to take advantage of this flaw is control of an authoritative name server from which they can launch an attack based on sending malformed requests to BIND.

In a recent column, I explored the top 10 UNIX threats as compiled by SANS and the FBI. BIND/DNS was number nine on the list of exploited vulnerabilities even before these latest flaws were disclosed. According to that report, the groups that maintain DNS software, including the Internet Software Consortium (ISC), which distributes BIND, do a good job of fixing newly discovered vulnerabilities. The problem is that many companies are still running old versions of BIND.

You’ll find descriptions of three new vulnerabilities—BIND: Remote Execution of Code, BIND: Multiple Denial of Service, and LIBRESOLV: Buffer overrun—in this ISC report. A detailed explanation of the ISS discoveries appears in its advisory Multiple Remote Vulnerabilities in BIND4 and BIND8.

All three vulnerabilities can be exploited remotely and, although the ISC report states that there are no known active exploits, the U.S. Department of Energy’s Computer Incident Advisory Capability (CIAC) Bulletin N-013 reports that exploits are being actively developed. The ISC report also includes information about a number of other serious and even critical vulnerabilities in BIND.

The newly discovered vulnerabilities are found in the following versions of BIND:

  • BIND 4.0 through 4.9.10
  • BIND 8.0 through 8.3.3

BIND 9 versions are not affected by these vulnerabilities and do not require any updates to address them.

Risk level–high
The ISC rates the vulnerabilities as a serious risk. The CIAC Bulletin N-013 rates the combined risk as high and says, “CIAC has learned exploits are actively being developed for these vulnerabilities. DNS is a vital Internet protocol, and BIND is used on the vast majority of DNS servers on the Internet.”

The ISC strongly recommends that everyone upgrade to BIND 9.2.1. A workaround for these three BIND vulnerabilities is to disable recursion where possible. At the time this information was compiled, the ISC was also reporting that new releases of BIND 4 and BIND 8 are on the way. Patches are available for those who don’t upgrade to BIND 9.2.1. There is no workaround for the LIBRESOLV buffer overrun; you have to upgrade and relink.
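To show what the "disable recursion" workaround looks like in practice, here is an added named.conf sketch for BIND 8 (it is not from the ISC, ISS or CIAC bulletins) with the open default beside two restricted variants. The zone name, file paths and address ranges are placeholders.

```conf
// Constructed example for BIND 8 (named.conf syntax; BIND 9 accepts the same
// statements). Zone name, paths and address ranges are placeholders.
// A named.conf may contain only one options statement, so use one of the
// two variants below, not both.

acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

// Weak (the default): "recursion yes" lets any host that can reach port 53
// make this server query outside authoritative servers on its behalf, which
// is the path the recursion workaround closes.
//
//   options {
//       directory "/var/named";
//       recursion yes;
//   };

// Variant 1: public, authoritative-only server. It never recurses, so it
// does not fetch answers from authoritative servers it does not control.
options {
    directory "/var/named";
    recursion no;
};

// Variant 2: the same host must also resolve names for internal clients.
// Keep recursion, but only for the listed networks (allow-recursion exists
// in BIND 8.2 and later); outside hosts get authoritative answers only.
//
//   options {
//       directory "/var/named";
//       allow-recursion { "internal"; };
//   };

// BIND 4 has no named.conf; the equivalent in named.boot is the line
//   options no-recursion

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

This only reduces the name server's exposure; it does nothing for the LIBRESOLV buffer overrun, which as noted above has no workaround other than upgrading and relinking.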

Final word
The recent SANS/FBI Top 20 list made it clear that most real-world attacks succeed through the exploitation of well-known vulnerabilities—ones for which patches are often readily available. Thus, security professionals and administrators must step up the effort to plug holes like these major BIND flaws, which can have serious repercussions across the Internet.