CERT Reports Multiple BIND Vulnerabilities

The CERT Coordination Center has discovered errors in BIND that could severely affect the operation of the Internet. Malicious users can exploit these vulnerabilities to change the operation of Internet addresses.

CERT, an organization at Carnegie Mellon University, has discovered vulnerabilities in the Berkeley Internet Name Domain (BIND) server software used to map IP addresses to alphanumeric domain names. These vulnerabilities could enable unauthorized users to change the way domain names are mapped, rerouting email, web traffic, and other Internet data.

Each of the four vulnerabilities involves sending garbage queries to a BIND server. Although the queries are meaningless to BIND, they must be specially designed to confuse functions within the software. When the queries are repeated, errors such as buffer overflows can result, leaving the server open to malicious reconfiguration. Another vulnerability reveals environment variables to the user, giving that user information about the server.

CERT says that most BIND vendors have patches available to guard against these vulnerabilities, which can be downloaded from the vendor sites. One notable exception is the Internet Software Consortium (ISC), a group that put out BIND 4, but no longer maintains it. ISC recommends users upgrade their BIND software to BIND 8.2.3 or BIND 9.1.

BIND servers are typically deployed on Unix machines, as a gateway to enterprise or educational networks.

The full text of the CERT report is available at http://www.cert.org/advisories/CA-2001-02.html - Christopher McConnell

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
