Recently exposed vulnerabilities in the Internet Software Consortium's BIND (Berkeley Internet Name Domain) server allow intruders to query for detailed system information and gain privileged access on the system. Two of these vulnerabilities, known as 'tsig bug' and 'complain bug', allow buffer overflow attacks that intruders use to execute rogue instructions and gain privileged system access. The 'tsig bug' affects BIND versions 8.2 through 8.2.3 betas, and the 'complain bug' affects older versions of BIND including 4.9.3, 4.9.4, 4.9.5, 4.9.5-P1, 4.9.6, and 4.9.7. BIND versions 4.9.x and 4.9 may also be vulnerable.
The third vulnerability, 'infoleak', allows intruders to discover environment variables that can be used to develop further exploits. BIND versions 4.8, 4.8.3, 4.9.3, 4.9.4, 4.9.5, 4.9.5-P1, 4.9.6, 4.9.7, 8.1, 8.1.1, 8.1.2, 8.2, 8.2-P1, 8.2.1, 8.2.2-P1, 8.2.2-P2, 8.2.2-P3, 8.2.2-P4, 8.2.2-P5, 8.2.2-P6, 8.2.2-P7 and possibly earlier versions of BIND 4.9x are vulnerable.
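The affected-version lists in the two paragraphs above can be applied to a server inventory with a short script. This is an added example, not part of the original advisory or any Symantec product. The function name triage, the treatment of a "-REL" suffix as a final release, and the sample hostnames and version strings are assumptions made for illustration.

```python
import re

# Version lists copied from the advisory text above.
COMPLAIN = {"4.9.3", "4.9.4", "4.9.5", "4.9.5-P1", "4.9.6", "4.9.7"}
INFOLEAK = (COMPLAIN
            | {"4.8", "4.8.3", "8.1", "8.1.1", "8.1.2", "8.2", "8.2-P1", "8.2.1"}
            | {f"8.2.2-P{n}" for n in range(1, 8)})

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Z0-9]+))?$")
# Assumption: a bare version or a "-REL" suffix marks a final release, so any
# other suffix on 8.2.3 is treated as one of the betas the advisory mentions.
RELEASE_SUFFIXES = {"", "REL"}


def triage(version):
    """Map one reported BIND version to {bug: "affected" | "possible"}."""
    text = version.strip().upper()
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    nums = (int(m[1]), int(m[2]), int(m[3] or 0))
    suffix = m[4] or ""
    key = text[:-4] if suffix == "REL" else text  # list entries carry no -REL
    findings = {}

    # 'tsig bug': 8.2 through the 8.2.3 betas; the 8.2.3 release is not listed.
    if (8, 2, 0) <= nums <= (8, 2, 2) or (
            nums == (8, 2, 3) and suffix not in RELEASE_SUFFIXES):
        findings["tsig"] = "affected"

    # 'complain bug': listed versions; other 4.9 / 4.9.x "may also be vulnerable".
    if key in COMPLAIN:
        findings["complain"] = "affected"
    elif nums[:2] == (4, 9):
        findings["complain"] = "possible"

    # 'infoleak': listed versions, "and possibly earlier versions" of 4.9.
    if key in INFOLEAK:
        findings["infoleak"] = "affected"
    elif nums[:2] == (4, 9) and nums < (4, 9, 3):
        findings["infoleak"] = "possible"
    return findings


if __name__ == "__main__":
    # Constructed inventory: hostnames and version strings are sample data.
    inventory = {"ns1": "8.2.2-P5", "ns2": "4.9.2", "ns3": "8.2.3-T9B", "ns4": "8.2.3-REL"}
    for host, ver in inventory.items():
        print(host, ver, triage(ver) or "not listed in this advisory")
```

A result of "possible" corresponds to the advisory's "may also be vulnerable" and "possibly earlier versions" wording and means the host needs manual review.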
BIND is a DNS (Domain Name Service) server that correlates host names with IP (Internet Protocol) addresses. DNS servers are used both in public and private networks, and their operation is often essential to proper network functionality.
Symantec's NetProwler, a network intrusion detection tool, with Security Update 3 (SU3) installed is capable of detecting both 'tsig bug' and 'complain bug' buffer overflow attacks. Symantec's Intruder Alert, a host-based intrusion detection tool, will detect the 'complain bug' buffer overflow attack with upcoming signature releases. Symantec's NetRecon, a network vulnerability assessment tool, will be able to identify all three vulnerabilities with its next security update. Symantec's Enterprise Security Manager (ESM) can be configured through templates to detect all three vulnerabilities.
CERT Advisory CA-2001-02
ISC's BIND Security Bulletin
Last modified on: Friday, 13-Apr-01 13:17:53