BIND is the most widely used DNS server software on the Internet. Following the recent Microsoft attacks, CERT and several other security organizations have released announcements concerning the most recent BIND vulnerabilities.
The four vulnerabilities addressed may allow an attacker to execute arbitrary code and read unauthorized information from a DNS server. The affected systems are versions 4.9.x prior to 4.9.8, and versions 8.2.x prior to 8.2.3.
The first vulnerability is a buffer overflow in the transaction signature (TSIG) handling code.
When BIND 8 processes a TSIG, it checks for TSIGs that do not include a valid key. When such a TSIG is found, BIND suspends normal processing and jumps to code designed to send an error response.
The problem occurs because the error-handling code initializes variables in a way that invalidates the assumptions the rest of the code makes about the size of the allocated buffer.
When a valid signature is then added, it may overflow the buffer and overwrite adjacent memory. If the vulnerability is exploited, an attacker can execute arbitrary code with the same permissions as the DNS/BIND server, which is usually superuser. This vulnerability specifically affects BIND 8.2.x.
There are two similar buffer overflow vulnerabilities in the nslookupComplain() routine. A locally defined character array, used to build an error message for syslog, can be overflowed. An attacker can send a specially formatted DNS query to vulnerable BIND servers, which could disrupt the normal function of the server either by executing arbitrary code or by causing a denial of service (DoS). Arbitrary code runs with the same permissions as the DNS/BIND server, which is usually superuser. The first nslookupComplain() vulnerability specifically affects all versions prior to BIND 4.9.8. The second nslookupComplain() vulnerability was supposed to be fixed in BIND 4.9.5-P1; however, reports suggest that third-party vendors who redistribute BIND 4 may not have included the necessary changes.
The fourth vulnerability can allow a remote attacker access to the program stack, which may expose program and environment variables. Attackers can exploit the vulnerability by sending a specially formatted query and can thereby obtain sensitive information about the program and its variables. This vulnerability affects BIND versions 4.9.x and 8.2.x.
Patches are available.
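The affected ranges given above (4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3) are easy to misjudge by eye when vendor patch levels such as "-P5" are involved. The following added example, which is not part of the original article, parses BIND version strings (as reported by `named -v` on a server you administer) and classifies an inventory against those ranges; the hostnames are constructed, and treating a patch-level suffix on an affected base version as still affected is my assumption, consistent with the article's note about vendor builds of 4.9.5-P1.

```python
import re

# Fixed releases named in the advisory: 4.9.x before 4.9.8 and 8.2.x before 8.2.3.
FIXED = {(4, 9): (4, 9, 8), (8, 2): (8, 2, 3)}

# major.minor.patch with an optional patch-level tag such as -P5 or -REL.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?([A-Za-z][A-Za-z0-9]*))?$")


def parse_bind_version(text):
    """Parse a BIND version string such as '8.2.2-P5' or '4.9.8'.

    Returns ((major, minor, patch), suffix); suffix is the optional
    patch-level tag or None. Raises ValueError on unrecognised input.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version string: %r" % text)
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix


def is_affected(text):
    """True if the version lies in one of the advisory's affected ranges.

    Assumption (mine): a vendor patch-level suffix on an affected base
    version (e.g. 4.9.5-P1) does not by itself take it out of the range.
    """
    triple, _suffix = parse_bind_version(text)
    fixed = FIXED.get(triple[:2])
    if fixed is None:
        return False  # not a 4.9.x or 8.2.x release
    return triple < fixed


def triage(inventory):
    """Map each (hostname, version) pair to True if a patch is required."""
    return {host: is_affected(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [("ns1.example.test", "8.2.2-P5"), ("ns2.example.test", "8.2.3"),
              ("ns3.example.test", "4.9.5-P1"), ("ns4.example.test", "9.1.0")]
    for host, needs_patch in triage(sample).items():
        print("%-18s %s" % (host, "AFFECTED, patch required" if needs_patch
                                  else "not in affected range"))
```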