Date: Thu, 1 Feb 2001 15:37:33 -0500
From: IBM MSS Advisory Service <advisory@US.IBM.COM.>
To: [email protected]
Subject: IBM-ERS Security Vulnerability Alert: IBM AIX: 4 Vulnerabilities in BIND4 and BIND8
IBM Global Services
Managed Security Services
Security Vulnerability Alert
1 FEB 2001 20:29 GMT ERS-SVA-E01-2001:002.1
-----BEGIN PGP SIGNED MESSAGE-----
VULNERABILITY SUMMARY
VULNERABILITY: 4 Vulnerabilities in BIND4 and BIND8
PLATFORMS: IBM 4.3.x
SOLUTION: Apply the fixes listed below.
THREAT: DNS can be completely disrupted on affected servers.
CERT Advisory: CA-2001-02
DETAILED INFORMATION
I. Description
See the following for additional details (www.cert.org):
CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
VU#196945 - ISC BIND 8 contains buffer overflow in transaction
signature (TSIG) handling code
During the processing of a transaction signature (TSIG), BIND 8 checks
for the presence of TSIGs that fail to include a valid key. If such a
TSIG is found, BIND skips normal processing of the request and jumps
directly to code designed to send an error response. Because the
error-handling code initializes variables differently than in normal
processing, it invalidates the assumptions that later function calls
make about the size of the request buffer.
Once these assumptions are invalidated, the code that adds a new
(valid) signature to the responses may overflow the request buffer and
overwrite adjacent memory on the stack or the heap. When combined with
other buffer overflow exploitation techniques, an attacker can gain
unauthorized privileged access to the system, allowing the execution
of arbitrary code.
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog. Attackers attempting to
exploit this vulnerability could do so by sending a specially
formatted DNS query to affected BIND 4 servers. If properly
constructed, this query could be used to disrupt the normal operation
of the DNS server process, resulting in either denial of service or
the execution of arbitrary code.
VU#868916 - ISC BIND 4 contains input validation error in
nslookupComplain()
The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog. Attackers attempting to
exploit this vulnerability could do so by sending a specially
formatted DNS query to affected BIND 4 servers. If properly
constructed, this query could be used to disrupt the normal operation
of the DNS server process, resulting in the execution of arbitrary
code.
This vulnerability was patched by the ISC in an earlier version of
BIND 4, most likely BIND 4.9.5-P1. However, there is strong evidence
to suggest that some third party vendors who redistribute BIND 4 have
not included these changes in their BIND packages. Therefore, the
CERT/CC recommends that all users of BIND 4 or its derivatives base
their distributions on BIND 4.9.8.
VU#325431 - Queries to ISC BIND servers may disclose environment
variables
This vulnerability is an information leak in the query processing code
of both BIND 4 and BIND 8 that allows a remote attacker to access the
program stack, possibly exposing program and/or environment variables.
This vulnerability is triggered by sending a specially formatted query
to vulnerable BIND servers.
II. Impact
VU#196945 - ISC BIND 8 contains buffer overflow in transaction
signature (TSIG) handling code
This vulnerability may allow an attacker to execute code with the same
privileges as the BIND server. Because BIND is typically run by a
superuser account, the execution would occur with superuser
privileges.
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
This vulnerability can disrupt the proper operation of the BIND server
and may allow an attacker to execute code with the privileges of the
BIND server. Because BIND is typically run by a superuser account, the
execution would occur with superuser privileges.
VU#868916 - ISC BIND 4 contains input validation error in
nslookupComplain()
This vulnerability may allow an attacker to execute code with the
privileges of the BIND server. Because BIND is typically run by a
superuser account, the execution would occur with superuser
privileges.
VU#325431 - Queries to ISC BIND servers may disclose environment
variables
This vulnerability may allow attackers to read information from the
program stack, possibly exposing environment variables. In addition,
the information obtained by exploiting this vulnerability may aid in
the development of exploits for VU#572183 and VU#868916.
III. Solutions
A. Official fix
IBM is working on the following fix which will be available
soon:
AIX 4.3.3: IY16182
NOTE: Fix will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3.
B. How to minimize the vulnerability
A temporary fix for AIX 4.3.3 systems is available.
The temporary fix can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/multiple_bind_vulns_efix.tar.Z
This temporary fix has not been fully regression tested. Do the
following steps (as root) to install the temporary fix:
IMPORTANT: create a mksysb backup of the system and verify it is both
bootable, and readable before proceeding.
Verify you have retrieved this efix intact:
-------------------------------------------
There are 4 executables in this tarfile.
For named4:
named4-IY16182: replacement for /usr/sbin/named4
named4-xfer-IY16182: replacement for /usr/sbin/named4-xfer
For named8:
named8-IY16182: replacement for /usr/sbin/named8
named8-xfer-IY16182: replacement for /usr/sbin/named8-xfer
After you untar this tar file, check the checksums on these
files using the sum command:
# sum named*
56903 190 named4
21309 33 named4-xfer
07515 558 named8-IY16182
29816 164 named8-xfer-IY16182
Efix Installation Instructions:
-------------------------------
You need to be at Maintenance Level 6 for AIX 4.3.3
AND you need APAR IY14512 installed.
To see if you are at ML06:
# instfix -i | grep AIX_ML
on one of the lines you should see:
"All filesets for 4330-06_AIX_ML were found."
After you are at least at ML06, then you must install APAR IY14512
which will include:
bos.64bit.4.3.3.27 <---you might not have this fileset depending
on your machine type.
bos.adt.include.4.3.3.27
bos.adt.prof.4.3.3.28
bos.net.tcp.server.4.3.3.27
bos.rte.libc.4.3.3.27
bos.rte.libpthreads.4.3.3.27
bos.rte.net.4.3.3.2
You can obtain IY14512 from :
http://techsupport.services.ibm.com/support/rs6000.support/downloads
--> click on "General Software Fixes"
--> click on "Aix Fix Distribution Service"
Enter IY14512 in the LOWER entry box and click the "Find Fix"
button.
The next screen should show "Found 1 match containing IY14512"
and display its finding in a window. Select the line in the window
with the mouse (click once on it; it will invert colors when selected).
In the lower left corner there will be a drop-down listbox entitled:
"What is your AIX Level?"
select 4.3.3.0-06 (provided you are at ML06; see the instfix -i command
output above).
You should be then able to download these files:
bos.64bit.4.3.3.27 <---you might not have this fileset depending
on your machine type.
bos.adt.include.4.3.3.27
bos.adt.prof.4.3.3.28
bos.net.tcp.server.4.3.3.27
bos.rte.libc.4.3.3.27
bos.rte.libpthreads.4.3.3.27
bos.rte.net.4.3.3.2
Once all of the above are installed, and you have rebooted,
then:
# cd /usr/sbin
# stopsrc -s named
# cp named8 named8-original
# cp named8-xfer named8-xfer-original
# cp named8-IY16182 named8
# cp named8-xfer-IY16182 named8-xfer
(If you are dealing with named4 instead, repeat the above
4 lines with a "4" in place of the "8" in the file names.)
And finally:
# startsrc -s named
Then verify proper operation.
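The checksum verification, prerequisite check and binary swap described above, written out as a shell script. This is an added example, not code from IBM's advisory or the efix package. It assumes the advisory's "sum" output lines have been saved one per line as "<checksum> <blocks> <filename>" in a file, that the efix tarball has been untarred into a directory you pass in, and that "sum" is on the path; the function names are ours. "instfix -ik APAR" is the standard AIX way to ask whether all filesets for an APAR are installed, and is used here alongside the "instfix -i | grep AIX_ML" check the advisory gives.

```sh
#!/bin/sh
# Added example, not IBM's code: automate the efix checks and swap from the
# advisory. Assumptions: the published "sum" lines are saved one per line as
# "<checksum> <blocks> <filename>" in a file; the efix tarball has been
# untarred into a directory you pass in; function names are ours.

# verify_efix_checksums EXPECTED_FILE DIR
# Run `sum` on every file named in EXPECTED_FILE (looked up under DIR) and
# compare the first two output fields with the published values.
# Returns 0 only when every file exists and matches.
verify_efix_checksums() {
    expected="$1"; dir="$2"; rc=0
    while read -r want_sum want_blocks name; do
        [ -n "$name" ] || continue                # skip blank lines
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        # `sum FILE` prints "<checksum> <blocks>" (the name too when given
        # several files); only the first two fields are compared
        set -- $(sum "$f")
        if [ "$1" = "$want_sum" ] && [ "$2" = "$want_blocks" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name: got '$1 $2', expected '$want_sum $want_blocks'" >&2
            rc=1
        fi
    done < "$expected"
    return "$rc"
}

# check_prereqs
# The advisory requires ML06 and APAR IY14512. `instfix -i` lists maintenance
# levels; `instfix -ik APAR` reports whether all filesets for that APAR are
# installed. Only meaningful on AIX; returns 1 if either check fails.
check_prereqs() {
    instfix -i 2>/dev/null | grep -q '4330-06_AIX_ML were found' || {
        echo "not at ML06 (see: instfix -i | grep AIX_ML)" >&2; return 1; }
    instfix -ik IY14512 2>/dev/null | grep -q 'were found' || {
        echo "APAR IY14512 is not installed" >&2; return 1; }
}

# install_efix VARIANT DIR
# VARIANT is 8 or 4 (named8 or named4); DIR is where the efix files live.
# Mirrors the advisory's steps: stop named, keep *-original copies, swap in
# the IY16182 binaries, restart named. Run as root after a mksysb backup.
install_efix() {
    v="$1"; src="$2"; apar="IY16182"
    cd /usr/sbin || return 1
    stopsrc -s named || return 1
    cp "named$v" "named$v-original" || return 1
    cp "named$v-xfer" "named$v-xfer-original" || return 1
    cp "$src/named$v-$apar" "named$v" || return 1
    cp "$src/named$v-xfer-$apar" "named$v-xfer" || return 1
    startsrc -s named
}

# Usage (only runs when invoked with three arguments, so the functions can
# also be sourced on their own):
#   sh efix.sh /path/to/expected-sums.txt /path/to/untarred/efix 8
if [ $# -eq 3 ]; then
    verify_efix_checksums "$1" "$2" || exit 1
    check_prereqs || exit 1
    install_efix "$3" "$2"
fi
```

The script refuses to touch /usr/sbin unless every efix file is present and matches the published checksum and both prerequisites are met, which is the order the advisory gives; a single mismatch (a truncated download or an altered binary) stops the run before named is taken down.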
IV. Obtaining Fixes
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information
on FixDist, and to obtain fixes via the Internet, please reference
http://techsupport.services.ibm.com/rs6k/fixes.html
or send email to "[email protected]" with the word "FixDist" in the
"Subject:" line.
To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "[email protected]" with
the word "subscribe Security_APARs" in the "Subject:" line.
V. Acknowledgements
Many thanks to COVERT Labs and Claudio Musmarra for discovering
these vulnerabilities and to the CERT/CC for notifying us of these
security holes.
VI. Contact Information
Comments regarding the content of this announcement can be directed to:
[email protected]
To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to [email protected]
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a
note to [email protected] with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".
IBM and AIX are a registered trademark of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQCVAwUBOnnHgfWDLGpfj4rlAQF5ggQAkIt0Bzc5vfi8BpR02uPG2asnIzV+X/rG
IERK65u/WrMnITzsRsL9nLsnhX1oJVcPf/ESPhnqq38A5zrUZC/nCDiDFMyvfmDZ
4wi8kyhGDnE3uzlE6OP+8BrdqEq2SKntW4EEeG8MY+8v8NcOEwrj9Mi2WUlBXT4r
1itWCTTI9MY=
=+TSn
-----END PGP SIGNATURE-----
IBM's Managed Security Services (IBM MSS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. IBM's Managed Security
Services advisory service is a subscription-based service that provides
assistance with virus risk and emergency management. By acting as an extension of
your own internal security staff, IBM MSS's team of security experts helps
you quickly detect and respond to attacks and exposures to your I/T
infrastructure.
As a part of IBM's Business Continuity Recovery Services organization,
IBM Managed Security Services is a component of IBM's SecureWay(tm) line
of security products and services. From hardware to software to
consulting, SecureWay solutions can give you the assurance and expertise
you need to protect your valuable business resources. To find out more
about IBM Managed Security Services, send an electronic mail message
to [email protected], or call 1-800-426-7378.
IBM MSS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.
IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information. The
IBM MSS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.
IBM MSS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.
Copyright 2000 International Business Machines Corporation.
The information in this document is provided as a service to customers of
IBM Managed Security Services. Neither International Business
Machines Corporation, nor any of its employees, makes any warranty, express
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process contained herein, or represents that its use would not
infringe any privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by IBM or its subsidiaries. The
views and opinions of authors expressed herein do not necessarily state or
reflect those of IBM or its subsidiaries, and may not be used for
advertising or product endorsement purposes.
The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident
response teams (both commercial and non-commercial), provided the above
copyright is kept intact and due credit is given to IBM MSS.
This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent
of increasing the awareness of the Internet community.