News
CERT Finds Multiple BIND Errors
- By Scott Bekker
- 02/02/2001
After
Network Associates Corp.’s Covert
security lab discovered an error in BIND, the
CERT Coordination Center released a report alerting users to the
vulnerability and reminding them of the hazards or failing to update software.
The vulnerabilities Covert found could severely affect the operation of
computers on the Internet.
Covert
discovered vulnerabilities in the Berkeley Internet Name Domain (BIND) server
software used to map IP addresses to alphanumeric domain names. These
vulnerabilities could enable unauthorized users to change the way domain names
are mapped, rerouting email, web traffic, and other Internet data.
To date,
the exploits have not occurred “in the wild,” on production machines. Covert
discovered the vulnerabilities in laboratory tests. However, CERT, a research
unit at Carnegie Mellon University, expects scripts for launching attacks to
pop up on the Internet soon.
Each of the
four vulnerabilities involves sending garbage queries to a BIND server.
Although the queries are meaningless to BIND, they must be specially designed
to confuse function within the software. When the queries are repeated, errors
such as buffer overflows can result, leaving the server open to malicious
reconfiguration. Another vulnerability reveals environment variables to the
user, giving him information about the server.
According
to CERT, most attacks occur after the public has been alerted to a
vulnerability. Statistics in its report suggest that attacks peak sixty days
after notice is given. Discovery of exploits does not deter malicious users; if
anything, it gives them new ideas.
According
to the report, CERT published its last major BIND security alert in November,
1999. The center continued to receive reports over a year later, until
December, 2000. In January 2000, two months after the report, CERT reported
over fifty incidents involving the BIND vulnerability. These attacks by users
would have been prevented if users applied remedies when the reports were
issued.
CERT says
that most BIND vendors have patches available to guard against these
vulnerabilities, which can be downloaded from the vendor sites. One notable
exception is the Internet Software
Consortium (ISC), a group that put out BIND 4, but no longer maintains it.
On its website ISC strongly recommends users upgrade their BIND software to
BIND 9.1. In the case users are unable to deploy BIND 9.1, ISC suggests the
secure BIND 8.2.3 release.
Although
Microsoft’s DNS implementation is not based on BIND, many Unix machines with
BIND are deployed as a gateway to enterprise or educational networks. –
Christopher McConnell
About the Author
Scott Bekker is editor in chief of Redmond Channel Partner magazine.