============================================================================= CERT(sm) Advisory CA-96.02 February 15, 1996 Topic: BIND Version 4.9.3 ----------------------------------------------------------------------------- Vulnerabilities in the Berkeley Internet Name Domain (BIND) program make it possible for intruders to render Domain Name System (DNS) information unreliable. At the beginning of this year, a version of BIND (4.9.3) became available that fixes several security problems that are being exploited by the intruder community. The CERT staff urges you to install the appropriate patch from your vendor. If a patch is not currently available, an alternative is to install BIND 4.9.3 yourself. (Note: Although BIND will be further improved in the future, we urge you to upgrade now because of the seriousness of the problems addressed by version 4.9.3.) If neither of the above alternatives is possible, we strongly recommend blocking or turning off DNS name-based authentication services such as rlogin. As we receive additional information relating to this advisory, we will add it to ftp://info.cert.org/pub/cert_advisories/CA-96.02.README We encourage you to check our README files regularly for updates on advisories that relate to your site. ----------------------------------------------------------------------------- I. Description Version 4.9.3 of the Berkeley Internet Name Domain (BIND) program fixes several security problems that are well known and being exploited by the intruder community to render Domain Name System (DNS) information unreliable. BIND is an implementation of the Domain Name System. (For details, see RFC 1035, a publication of the Internet Engineering Task Force.) The full distribution of BIND includes a number of programs and resolver library routines. The main program is "named", the daemon that provides DNS information from local configuration files and a local cache. The named daemon is often called /etc/named or /etc/in.named. Programs such as Telnet communicate with named via the resolver library routines provided in the BIND distribution. Services in widespread use that depend on DNS information for authentication include rlogin, rsh (rcp), xhost, and NFS. Sites may have installed locally other services that trust DNS information. In addition, many other services, such as Telnet, FTP, and email, trust DNS information. If these services are used only to make outbound connections or informational logs about the source of connections, the security impact is less severe than for services such as rlogin. Although you might be willing to accept the risks associated with using these services for now, you need to consider the impact that spoofed DNS information may have. Although the new BIND distributions do address important security problems, not all known problems are fixed. In particular, several problems can be fixed only with the use of cryptographic authentication techniques. Implementing and deploying this solution is non-trivial; work on this task is currently underway within the Internet community. II. Impact It is possible for intruders to spoof BIND into providing incorrect name data. Some systems and programs depend on this information for authentication, so it is possible to spoof those systems and gain unauthorized access. III. Solutions The preferred solution, described in Section A, is to install your vendor's patch if one is available. An alternative (Section B) is to install the latest version of BIND. In both cases, we encourage you to take the additional precautions described in Section C. A. Obtain the appropriate patch from your vendor and install it according to instructions included with the program. Redistributing BIND and all programs affected by these problems is not a simple matter, so some vendors are working on new named daemon as an immediate patch. Although installing a new named daemon addresses some problems, significant problems remain that can be addressed only by fully installing fixes to the library resolver routines. If your vendor's patch does not include both named and new resolver routines, we recommend that you install the current version of BIND (Solution B) if possible. We also encourage you to take the precautions described in Section C. Below is a list of the vendors and the status they have provided concerning BIND. More complete information is provided in Appendix A of this advisory and reproduced in CA-96.02.README. We will update the README file as we receive more information from vendors. If your vendor's name is not on the list, contact the vendor directly for status information and further instructions. Vendor New named available Full distribution available ------ ------------------- --------------------------- Digital Equipment Work is under way. Hewlett-Packard Under investigation. Currently porting and testing (BIND 4.9.3) for the Q1, Calendar 97 general release. Patch in process for 10.X releases. NEC Corporation Work is under way. Santa Cruz Operation Under consideration. B. Install the latest version of BIND (version 4.9.3), available from Paul Vixie, the current maintainer of BIND: ftp://ftp.vix.com/pub/bind/release/4.9.3/bind-4.9.3-REL.tar.gz MD5 (bind-4.9.3-REL.tar.gz) = da1908b001f8e6dc93fe02589b989ef1 Also get Patch #1 for 4.9.3: ftp://ftp.vix.com/pub/bind/release/4.9.3/Patch1 MD5 (Patch1) = 5d57ad13381e242cb08b5da0e1e9c5b9 C. Take additional precautions. To protect against vulnerabilities that have not yet been addressed, and as good security practice in general, filter at a router all name-based authentication services so that you do not rely on DNS information for authentication. This includes the services rlogin, rsh (rcp), xhost, NFS, and any other locally installed services that provide trust based on domain name information. --------------------------------------------------------------------------- The CERT Coordination Center wishes to thank Paul Vixie for his efforts in responding to this problem and his aid in developing this advisory. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. ^L ...................................................................... Appendix A Current as of February 15, 1996 See CA-95:02.README for updates. Below is information we have received from vendors. If you do not see an entry for your vendor, please contact the vendor directly for status information and further instructions. --------------------------------------- Paul Vixie Paul Vixie, the current maintainer of BIND, has developed version 4.9.3 with the support of a number of experts. Version 4.9.3 is available by anonymous FTP from ftp://ftp.vix.com/pub/bind/release/4.9.3/bind-4.9.3-REL.tar.gz Size: 1682741 bytes POSIX checksum: 2183623314 1682741 MD5 checksum: da1908b001f8e6dc93fe02589b989ef1 As of Jan 11, 1996, there is a Patch #1 available for 4.9.3 ftp://ftp.vix.com/pub/bind/release/4.9.3/Patch1 MD5 checksum: 5d57ad13381e242cb08b5da0e1e9c5b9 --------------------------------------- Digital Equipment Corporation At the time of writing this advisory, Digital intends to support the final revision of BIND 4.9.3. The project plan for incorporating Version 4.9.3 BIND for Digital's ULTRIX platforms has been approved. This includes 4.3, V4.3A, V4.4 and V4.5. A similar project plan for Digital UNIX versions is under review. The first implementations will be V3.0 through V3.2D, and V4.0, when released. It is our plan to evaluate and then incorporate V4.9.3 Bind into other UNIX versions as necessary to reduce risk to our customer base. Digital will provide notice of the completion of the kits through AES services (DIA, DSNlink FLASH) and be available from your normal Digital Support channel. --------------------------------------- Hewlett-Packard Company The named daemon is under investigation. HP will provide updated information for the CERT advisory README. HP is currently porting and testing BIND 4.9.3 for a general release first quarter of 1997. A patch is in process for 10.X releases. Watch for README updates and a Security Bulletin from HP. --------------------------------------- NEC Corporation Some systems are vulnerable. We are developing the patches and plan to put them on our anonymous FTP server. You can contact us with the following e-mail address if you need. E-mail: UX48-security-support@nec.co.jp FTP server: ftp://ftp.meshnet.or.jp --------------------------------------- The Santa Cruz Operation, Inc. SCO is currently considering a port of the new BIND into its product line, but no timeline is yet available. This includes SCO OpenServer and SCO UNIXWare.