IBM Global Services
                         Managed Security Services
                       Security Vulnerability Alert

1 FEB 2001  20:29 GMT                             ERS-SVA-E01-2001:002.1
===========================================================================
 -----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:    4 Vulnerabilities in BIND4 and BIND8

PLATFORMS:        IBM AIX 4.3.x

SOLUTION:         Apply the fixes listed below.

THREAT:           DNS can be completely disrupted on affected servers.

CERT Advisory:    CA-2001-02

===========================================================================
                           DETAILED INFORMATION

I.  Description

    See CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
    (www.cert.org), for additional details.

   VU#196945 - ISC BIND 8 contains buffer overflow in transaction
   signature (TSIG) handling code

   During the processing of a transaction signature (TSIG), BIND 8 checks
   for the presence of TSIGs that fail to include a valid key. If such a
   TSIG is found, BIND skips normal processing of the request and jumps
   directly to code designed to send an error response. Because the
   error-handling code initializes variables differently than in normal
   processing, it invalidates the assumptions that later function calls
   make about the size of the request buffer.

   Once these assumptions are invalidated, the code that adds a new
   (valid) signature to the responses may overflow the request buffer and
   overwrite adjacent memory on the stack or the heap. When combined with
   other buffer overflow exploitation techniques, an attacker can gain
   unauthorized privileged access to the system, allowing the execution
   of arbitrary code.

   VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

   The vulnerable buffer is a locally defined character array used to
   build an error message intended for syslog. Attackers attempting to
   exploit this vulnerability could do so by sending a specially
   formatted DNS query to affected BIND 4 servers. If properly
   constructed, this query could be used to disrupt the normal operation
   of the DNS server process, resulting in either denial of service or
   the execution of arbitrary code.

   VU#868916 - ISC BIND 4 contains input validation error in
   nslookupComplain()

   The vulnerable buffer is a locally defined character array used to
   build an error message intended for syslog. Attackers attempting to
   exploit this vulnerability could do so by sending a specially
   formatted DNS query to affected BIND 4 servers. If properly
   constructed, this query could be used to disrupt the normal operation
   of the DNS server process, resulting in the execution of arbitrary
   code.

   This vulnerability was patched by the ISC in an earlier version of
   BIND 4, most likely BIND 4.9.5-P1. However, there is strong evidence
   to suggest that some third party vendors who redistribute BIND 4 have
   not included these changes in their BIND packages. Therefore, the
   CERT/CC recommends that all users of BIND 4 or its derivatives base
   their distributions on BIND 4.9.8.

   VU#325431 - Queries to ISC BIND servers may disclose environment
   variables

   This vulnerability is an information leak in the query processing code
   of both BIND 4 and BIND 8 that allows a remote attacker to access the
   program stack, possibly exposing program and/or environment variables.
   This vulnerability is triggered by sending a specially formatted query
   to vulnerable BIND servers.

II. Impact

   VU#196945 - ISC BIND 8 contains buffer overflow in transaction
   signature (TSIG) handling code

   This vulnerability may allow an attacker to execute code with the same
   privileges as the BIND server. Because BIND is typically run by a
   superuser account, the execution would occur with superuser
   privileges.

   VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

   This vulnerability can disrupt the proper operation of the BIND server
   and may allow an attacker to execute code with the privileges of the
   BIND server. Because BIND is typically run by a superuser account, the
   execution would occur with superuser privileges.

   VU#868916 - ISC BIND 4 contains input validation error in
   nslookupComplain()

   This vulnerability may allow an attacker to execute code with the
   privileges of the BIND server. Because BIND is typically run by a
   superuser account, the execution would occur with superuser
   privileges.

   VU#325431 - Queries to ISC BIND servers may disclose environment
   variables

   This vulnerability may allow attackers to read information from the
   program stack, possibly exposing environment variables. In addition,
   the information obtained by exploiting this vulnerability may aid in
   the development of exploits for VU#572183 and VU#868916.



III.  Solutions

  A.  Official fix

      IBM is working on the following fix which will be available
      soon:

      AIX 4.3.3:  IY16182

      NOTE: Fix will not be provided for versions prior to 4.3 as
      these are no longer supported by IBM. Affected customers are
      urged to upgrade to 4.3.3.

  B.  How to minimize the vulnerability

    A temporary fix for AIX 4.3.3 systems is available.

    The temporary fix can be downloaded via ftp from:


ftp://aix.software.ibm.com/aix/efixes/security/multiple_bind_vulns_efix.tar.Z

    This temporary fix has not been fully regression tested. Do the
    following steps (as root) to install the temporary fix:


    IMPORTANT: create a mksysb backup of the system and verify it is both
    bootable, and readable before proceeding.

    Verify you have retrieved this efix intact:
    -------------------------------------------
    There are 4 executables in this tarfile.

    For named4:
    named4-IY16182: replacement for /usr/sbin/named4
    named4-xfer-IY16182: replacement for /usr/sbin/named4-xfer

    For named8:
    named8-IY16182: replacement for /usr/sbin/named8
    named8-xfer-IY16182: replacement for /usr/sbin/named8-xfer

    After you untar this tar file, check the checksums on these files
    using the sum command:

    # sum named*
    56903   190 named4-IY16182
    21309    33 named4-xfer-IY16182
    07515   558 named8-IY16182
    29816   164 named8-xfer-IY16182

    NOTE: sum is a simple 16-bit checksum, not a cryptographic hash. A
    matching sum shows the download was not corrupted in transit; it is
    not a defence against a deliberately substituted file. Take the
    expected values from a copy of this alert whose PGP signature you
    have verified, and do not install if any line differs.

    Efix Installation Instructions:
    -------------------------------
    You need to be at Maintenance Level 6 for AIX 4.3.3
    AND you need APAR IY14512 installed.

    To see if you are at ML06:
    # instfix -i | grep AIX_ML
    on one of the lines you should see:
    "All filesets for 4330-06_AIX_ML were found."

    After you are at least at ML06, then you must install APAR IY14512
    which will include:

    bos.64bit.4.3.3.27       <---you might not have this fileset depending
                                 on your machine type.
    bos.adt.include.4.3.3.27
    bos.adt.prof.4.3.3.28
    bos.net.tcp.server.4.3.3.27
    bos.rte.libc.4.3.3.27
    bos.rte.libpthreads.4.3.3.27
    bos.rte.net.4.3.3.2
    You can obtain IY14512 from:
    http://techsupport.services.ibm.com/support/rs6000.support/downloads

    --> click on "General Software Fixes"
    --> click on "AIX Fix Distribution Service"
    Enter IY14512 in the LOWER entry box and click the "Find Fix" button.
    The next screen should show "Found 1 match containing IY14512" and
    display its finding in a window. Select the line in the window with
    the mouse (click once on it; it will invert colors when selected).
    In the lower left corner there will be a drop-down listbox entitled
    "What is your AIX Level?"; select 4.3.3.0-06 (provided you are at
    ML06; see the instfix -i command output above).
    You should then be able to download these files:
    bos.64bit.4.3.3.27       <---you might not have this fileset depending
                                 on your machine type.
    bos.adt.include.4.3.3.27
    bos.adt.prof.4.3.3.28
    bos.net.tcp.server.4.3.3.27
    bos.rte.libc.4.3.3.27
    bos.rte.libpthreads.4.3.3.27
    bos.rte.net.4.3.3.2

    Once all of the above are installed, and you have rebooted,
    then:

   # cd /usr/sbin
   # stopsrc -s named
   # cp named8 named8-original
   # cp named8-xfer named8-xfer-original
   # cp named8-IY16182 named8
   # cp named8-xfer-IY16182 named8-xfer
   (if you are dealing with named4 instead, repeat the above
   4 lines, except the names will have a "4" in place of the "8".)


   And finally:
   # startsrc -s named

   --verify proper operation.
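   The checksum verification, prerequisite checks and binary replacement
   above can be run as one guarded procedure. The script below is an
   added example written for this page; it is not part of IBM's efix and
   not IBM tooling. It copies the checksum table from this alert and
   assumes two things not stated above: that the tarball was unpacked
   into a scratch directory (EFIX_DIR, defaulting to /tmp/bind_efix)
   rather than into /usr/sbin, and that "instfix -ik IY14512" reports a
   complete APAR with a message of the same form as the ML06 check
   ("All filesets for IY14512 were found."). Invoke it as root with
   "sh bind_efix.sh install 8" (or 4); without the "install" argument it
   only defines the functions.

```shell
#!/bin/sh
# Added example, not IBM's efix tooling: wraps the manual efix steps in a
# script that refuses to touch /usr/sbin unless the download verifies and
# the prerequisites are present.
# Assumptions: tarball unpacked into EFIX_DIR (not /usr/sbin); the
# "instfix -ik IY14512" message has the same form as the ML06 message.

EFIX_DIR=${EFIX_DIR:-/tmp/bind_efix}   # assumed unpack location

# Checksum table copied from the alert: AIX sum prints a 16-bit checksum,
# a 512-byte block count and the file name.
EXPECTED_SUMS='56903   190 named4-IY16182
21309    33 named4-xfer-IY16182
07515   558 named8-IY16182
29816   164 named8-xfer-IY16182'

# check_sums EXPECTED ACTUAL
# Both arguments are text in "sum" output format. Succeeds only when every
# expected file is present in ACTUAL with an identical checksum and block
# count; a missing file counts as a mismatch. sum is not a cryptographic
# hash: it catches a corrupted transfer, not a substituted binary, so the
# expected values must come from the PGP-signed alert.
check_sums() {
    rc=0
    while read -r want_sum want_blocks name; do
        [ -z "$name" ] && continue
        got=$(printf '%s\n' "$2" | awk -v n="$name" '$3 == n { print $1, $2 }')
        if [ "$got" != "$want_sum $want_blocks" ]; then
            printf 'MISMATCH %s: expected "%s %s", got "%s"\n' \
                "$name" "$want_sum" "$want_blocks" "${got:-missing}" >&2
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# ml_ok INSTFIX_OUTPUT: true when "instfix -i" output says ML06 is complete.
ml_ok() {
    printf '%s\n' "$1" | grep -q 'All filesets for 4330-06_AIX_ML were found'
}

# apar_ok INSTFIX_OUTPUT: true when "instfix -ik IY14512" output reports the
# APAR complete (message form assumed analogous to the ML06 check).
apar_ok() {
    printf '%s\n' "$1" | grep -q 'All filesets for IY14512 were found'
}

# install_efix 4|8: back up and replace named<ver> and named<ver>-xfer.
install_efix() {
    ver=$1
    cd /usr/sbin || return 1
    stopsrc -s named
    for f in "named$ver" "named$ver-xfer"; do
        # keep the first backup; a re-run must not overwrite the pristine copy
        [ -e "$f-original" ] || cp -p "$f" "$f-original"
        # plain cp onto the existing file keeps its owner and mode
        cp "$EFIX_DIR/$f-IY16182" "$f"
    done
    startsrc -s named
    sleep 2
    lssrc -s named          # verify: status should read "active"
}

main() {
    ver=$1
    case "$ver" in 4|8) ;; *) echo "usage: $0 install 4|8" >&2; return 2 ;; esac
    cd "$EFIX_DIR" || return 1
    check_sums "$EXPECTED_SUMS" "$(sum named*)" ||
        { echo "refusing to install: checksum mismatch" >&2; return 1; }
    ml_ok "$(instfix -i)" ||
        { echo "refusing to install: AIX 4.3.3 ML06 not installed" >&2; return 1; }
    apar_ok "$(instfix -ik IY14512)" ||
        { echo "refusing to install: APAR IY14512 not installed" >&2; return 1; }
    install_efix "$ver"
}

# Only act when invoked explicitly, e.g. "sh bind_efix.sh install 8" as root.
if [ "${1-}" = "install" ]; then
    main "${2-}"
fi
```

   The checks are deliberately all-or-nothing: a single bad line in the
   sum output, a missing file, or a missing prerequisite stops the run
   before named is stopped, so a partially applied efix cannot leave the
   server down. The "-original" copies are only written once, so running
   the script a second time keeps the untouched shipped binaries for
   rollback.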


IV. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

        http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "[EMAIL PROTECTED]" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "[EMAIL PROTECTED]" with
the word "subscribe Security_APARs" in the "Subject:" line.


V.  Acknowledgements

    Many thanks to COVERT Labs and Claudio Musmarra for discovering
    these vulnerabilities and to the CERT/CC for notifying us of these
    security holes.


VI.  Contact Information

Comments regarding the content of this announcement can be directed to:

   [EMAIL PROTECTED]

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to [EMAIL PROTECTED]
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to [EMAIL PROTECTED] with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".

IBM and AIX are a registered trademark of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQCVAwUBOnnHgfWDLGpfj4rlAQF5ggQAkIt0Bzc5vfi8BpR02uPG2asnIzV+X/rG
IERK65u/WrMnITzsRsL9nLsnhX1oJVcPf/ESPhnqq38A5zrUZC/nCDiDFMyvfmDZ
4wi8kyhGDnE3uzlE6OP+8BrdqEq2SKntW4EEeG8MY+8v8NcOEwrj9Mi2WUlBXT4r
1itWCTTI9MY=
=+TSn
-----END PGP SIGNATURE-----
===========================================================================
IBM's Managed Security Services (IBM MSS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  IBM's Managed Security
Services advisory service is a subscription-based service that provides
assistance with virus risk and emergency management.  By acting as an
extension of your own internal security staff, IBM MSS's team of security
experts helps you quickly detect and respond to attacks and exposures to
your I/T infrastructure.

As a part of IBM's Business Continuity Recovery Services organization,
IBM Managed Security Services is a component of IBM's SecureWay(tm) line
of security products and services.  From hardware to software to
consulting, SecureWay solutions can give you the assurance and expertise
you need to protect your valuable business resources.  To find out more
about IBM Managed Security Services, send an electronic mail message
to [EMAIL PROTECTED], or call 1-800-426-7378.

IBM MSS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.

IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information.  The
IBM MSS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM MSS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.

Copyright 2000 International Business Machines Corporation.

The information in this document is provided as a service to customers of
IBM Managed Security Services.  Neither International Business
Machines Corporation, nor any of its employees, makes any warranty, express
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process contained herein, or represents that its use would not
infringe any privately owned rights.  Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by IBM or its subsidiaries.  The
views and opinions of authors expressed herein do not necessarily state or
reflect those of IBM or its subsidiaries, and may not be used for
advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident
response teams (both commercial and non-commercial), provided the above
copyright is kept intact and due credit is given to IBM MSS.

This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent
of increasing the awareness of the Internet community.
===========================================================================
