CERT Finds Multiple BIND Errors

After Network Associates Corp.’s Covert security lab discovered an error in BIND, the CERT Coordination Center released a report alerting users to the vulnerability and reminding them of the hazards of failing to update software. The vulnerabilities Covert found could severely affect the operation of computers on the Internet.

Covert discovered vulnerabilities in the Berkeley Internet Name Domain (BIND) server software used to map IP addresses to alphanumeric domain names. These vulnerabilities could enable unauthorized users to change the way domain names are mapped, rerouting email, web traffic, and other Internet data.

To date, the exploits have not occurred “in the wild,” on production machines. Covert discovered the vulnerabilities in laboratory tests. However, CERT, a research unit at Carnegie Mellon University, expects scripts for launching attacks to pop up on the Internet soon.

Each of the four vulnerabilities involves sending garbage queries to a BIND server. Although the queries are meaningless to BIND, they must be specially designed to confuse functions within the software. When the queries are repeated, errors such as buffer overflows can result, leaving the server open to malicious reconfiguration. Another vulnerability reveals environment variables to the user, giving them information about the server.

According to CERT, most attacks occur after the public has been alerted to a vulnerability. Statistics in its report suggest that attacks peak sixty days after notice is given. Discovery of exploits does not deter malicious users; if anything, it gives them new ideas.

According to the report, CERT published its last major BIND security alert in November 1999. The center continued to receive reports over a year later, until December 2000. In January 2000, two months after the report, CERT reported over fifty incidents involving the BIND vulnerability. These attacks would have been prevented if users had applied the remedies when the reports were issued.

CERT says that most BIND vendors have patches available to guard against these vulnerabilities, which can be downloaded from the vendor sites. One notable exception is the Internet Software Consortium (ISC), a group that put out BIND 4 but no longer maintains it. On its website, ISC strongly recommends that users upgrade their BIND software to BIND 9.1. If users are unable to deploy BIND 9.1, ISC suggests the secure BIND 8.2.3 release.

Although Microsoft’s DNS implementation is not based on BIND, many Unix machines with BIND are deployed as a gateway to enterprise or educational networks. – Christopher McConnell

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.