Posted Nov 24, 2002 14:08 UTC (Sun) by stock (subscriber, #5849)
Date: Fri, 22 Nov 2002 07:17:41 +0100 (CET)
From: Robert M. Stockmann <stock@stokkie.net>
To: jon@lasser.org
Subject: simple bind 9.2.1 example
Hi,
I just read your article
"Caught in a BIND" http://theregister.co.uk/content/55/28235.html
where you state the following:
"If you're saddled with an old version, take heart. With the latest security holes, the programs are vulnerable only when acting as recursive name servers. In brief, this means that the holes only affect servers that can look up any address on the Internet. Your name servers should not respond to such requests from external addresses anyway: to do so opens the door to DNS cache poisoning attacks. Your name servers should respond only to authoritative requests from outside your network, and allow recursion only within the network.
Sadly, most BIND configurations will allow recursion from any address -- that's the default configuration of BIND, another situation that the Internet Software Consortium should resolve.
When the Internet was designed, nobody imagined swarms of thousands of six-foot-tall jet-black stealth woodpeckers. Today they're here, and it's time our architects took the woodpeckers into account."
Well, although I agree with you, here's an example where DNS admins with basic skills could easily generate and figure out how to make their setups secure:
http://crashrecovery.org/named/
Your conclusion which states transitioning to bind 9 is painful is IMHO not true, but merely a matter of having accessible documentation with useful examples.
cheers,
Robert
--
Robert M. Stockmann - RHCE
Network Engineer - UNIX Consultant
crashrecovery.org
stock@stokkie.net
========================================================================
Date: Fri, 22 Nov 2002 10:41:49 -0500
From: J. Lasser <jon@lasser.org>
To: Robert M. Stockmann <stock@stokkie.net>
Subject: Re: simple bind 9.2.1 example
In the wise words of Robert M. Stockmann:
> Your conclusion which states transitioning to bind 9 is painful is IMHO
> not true, but merely a matter of having accessible documentation with
> useful examples.
It's painful for ISPs, like the one I worked at with 10,000 zone records. Each of which was broken.
It's also painful if you have only ten or twenty zone records with various errors and not a lot of time.
Thanks for your note --- it's always good to hear from readers!
Jon
--
Jon Lasser
Home: jon@lasser.org | Work: jon@cluestickconsulting.com
http://www.tux.org/~lasser/ | http://www.cluestickconsulting.com
Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/
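The recursion restriction the quoted article asks for, shown as an added BIND 9 named.conf fragment that is not taken from the article, from the crashrecovery.org page, or from either correspondent; the prefix 192.0.2.0/24, the zone example.net and the file paths are placeholders to be replaced with your own values:

```conf
// Weak form (the BIND default the article objects to): with no
// allow-recursion clause, any client on the Internet may use this
// server as a recursive resolver, which is the exposure being discussed.
//
// options {
//     directory "/var/named";
//     recursion yes;
// };

// Corrected form: serve our own zones to anyone, but recurse only for
// clients inside our network.
acl "internal" {
    127.0.0.1;
    192.0.2.0/24;     // placeholder: your internal prefix(es)
};

options {
    directory "/var/named";        // placeholder path
    recursion yes;
    allow-recursion { internal; }; // recursive lookups only for the ACL above
    allow-query { any; };          // authoritative answers remain public
};

zone "example.net" {               // placeholder zone
    type master;
    file "example.net.zone";       // placeholder path
    allow-query { any; };
};
```

To check the result, query the server from an address outside the ACL: a name in example.net should still be answered, while a name the server is not authoritative for should not come back resolved (older BIND 9 releases reply with a referral, newer ones refuse the query).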