ISC BIND 4 contains buffer overflow in nslookupComplain()

2001-04-27T00:00:00
ID VU:572183
Type cert
Reporter CERT
Modified 2002-05-01T00:00:00

Description

Overview

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) by the Internet Software Consortium (ISC). There is a buffer overflow vulnerability in BIND 4.9.x, which may allow remote intruders to gain access to systems running BIND. Although BIND 4.9.x is no longer officially maintained by ISC, various versions are still widely deployed on the Internet.

This vulnerability has been successfully exploited in a laboratory environment and presents a serious threat to the Internet infrastructure.

Description

A buffer overflow exists in the nslookupComplain() routine of several versions of ISC BIND. This vulnerability is reported to exist in all versions prior to BIND 4.9.8.

The vulnerable buffer is a locally defined character array used to build an error message intended for syslog. Attackers attempting to exploit this vulnerability could do so by sending a specially formatted DNS query to affected BIND servers. If properly constructed, this query could be used to disrupt the normal operation of the DNS server process, resulting in either denial of service or the execution of arbitrary code. If an attacker were able to execute code or commands, they would do so with the same privileges as the BIND process, which are typically superuser privileges.
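The bug class described above, as an added example (not BIND source code and not part of the advisory): a log message assembled in a fixed local buffer, with the unbounded pattern shown in a comment and a bounded version that truncates instead of writing past the array. The function names, the message text and the 64-byte size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define COMPLAINT_BUF 64   /* illustrative size, not the one used in BIND */

/* Unbounded pattern (the bug class the advisory describes):
 *     char buf[COMPLAINT_BUF];
 *     sprintf(buf, "%s: query(%s) %s", where, queryname, complaint);
 * queryname arrives from the network, so the sender chooses its length
 * and sprintf() keeps writing past the end of buf. */

/* Bounded version: 0 = message fit, 1 = truncated, -1 = bad arguments or
 * formatting error. Never writes more than outlen bytes; on 0 or 1 the
 * result is NUL-terminated. */
int format_complaint(char *out, size_t outlen, const char *where,
                     const char *queryname, const char *complaint)
{
    int n;
    if (!out || outlen == 0 || !where || !queryname || !complaint)
        return -1;
    n = snprintf(out, outlen, "%s: query(%s) %s", where, queryname, complaint);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= outlen) {
        if (outlen > 4)                     /* mark the cut for log readers */
            memcpy(out + outlen - 4, "...", 4);
        return 1;
    }
    return 0;
}

/* Constructed check: a canary placed after the buffer must survive a 511-byte name. */
int demo_oversized_name(void)
{
    struct { char buf[COMPLAINT_BUF]; unsigned char canary[8]; } s;
    char name[512];
    int rc;
    memset(s.canary, 0xA5, sizeof s.canary);
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    rc = format_complaint(s.buf, sizeof s.buf, "lookup", name, "bad referral");
    for (size_t i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != 0xA5)
            return -1;
    return rc == 1 && strlen(s.buf) == COMPLAINT_BUF - 1;
}
```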

It is important to note that other vendors of DNS software may be vulnerable to this problem as well. Please contact your vendor or check the vendor section of this document for further details.


Impact

This vulnerability can disrupt the proper operation of the BIND server and may allow an attacker to execute privileged commands or code with the same permissions as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.


Solution

The ISC has released BIND version 4.9.8 to address this security issue as well as others. The CERT/CC strongly recommends that all users of BIND 4.9.x upgrade to 4.9.8 immediately.

The BIND 4.9.8 distribution can be downloaded from:

<ftp://ftp.isc.org/isc/bind/src/>

The BIND 9.1 distribution can be downloaded from:

<ftp://ftp.isc.org/isc/bind9/>

Please note that upgrading to BIND 4.9.8 also addresses the vulnerabilities discussed in VU#325431 and VU#868916.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Caldera| | 03 Jan 2001| 29 Jan 2001
Compaq Computer Corporation| | 03 Jan 2001| 04 Apr 2001
Hewlett Packard| | 03 Jan 2001| 05 Apr 2001
IBM| | 03 Jan 2001| 05 Apr 2001
ISC| | 02 Jan 2001| 04 Apr 2001
NetBSD| | 03 Jan 2001| 05 Apr 2001
OpenBSD| | 03 Jan 2001| 04 Apr 2001
SCO| | 03 Jan 2001| 01 May 2002
SGI| | 25 Jan 2001| 27 Apr 2001
Sun| | 03 Jan 2001| 07 Aug 2001
SuSE| | 03 Feb 2001| 05 Apr 2001
Apple| | 03 Jan 2001| 05 Apr 2001
FreeBSD| | 03 Jan 2001| 05 Apr 2001
MandrakeSoft| | 03 Feb 2001| 04 Apr 2001
Microsoft| | 18 Jan 2001| 30 Jan 2001

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • VU#196945, VU#325431, VU#868916
  • <http://www.isc.org/products/BIND/bind-security.html>
  • <http://www.pgp.com/research/covert/advisories/047.asp>
  • <http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html>
  • <http://www.isi.edu/~bmanning/in-addr-audit.html>
  • <http://www.securityfocus.com/news/144>
  • <http://www.redhat.com/support/errata/RHSA-2001-007.html>

Credit

The CERT/CC thanks the COVERT Labs at PGP Security for discovering and analyzing this vulnerability and the Internet Software Consortium for providing a patch to fix it.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2001-0011
  • CERT Advisory: CA-2001-02
  • Date Public: 29 Jan 2001
  • Date First Published: 27 Apr 2001
  • Date Last Updated: 01 May 2002
  • Severity Metric: 38.90
  • Document Revision: 60