
CERT Reports Multiple BIND Vulnerabilities

The CERT Coordination Center has discovered an error in BIND that could severely affect the operation of the Internet. Malicious users can exploit these vulnerabilities to change the operation of Internet addresses.

CERT, an organization at Carnegie Mellon University, has discovered vulnerabilities in the Berkeley Internet Name Domain (BIND) server software used to map IP addresses to alphanumeric domain names. These vulnerabilities could enable unauthorized users to change the way domain names are mapped, rerouting email, web traffic, and other Internet data.

Each of the four vulnerabilities involves sending garbage queries to a BIND server. Although the queries are meaningless to BIND, they must be specially designed to confuse functions within the software. When the queries are repeated, errors such as buffer overflows can result, leaving the server open to malicious reconfiguration. Another vulnerability reveals environment variables to the user, giving him information about the server.

CERT says that most BIND vendors have patches available to guard against these vulnerabilities, which can be downloaded from the vendor sites. One notable exception is the Internet Software Consortium (ISC), a group that put out BIND 4, but no longer maintains it. ISC recommends users upgrade their BIND software to BIND 8.2.3 or BIND 9.1.

BIND servers are typically deployed on Unix machines, as a gateway to enterprise or educational networks.

The full text of the CERT report is available at http://www.cert.org/advisories/CA-2001-02.html

- Christopher McConnell

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
