ISC BIND 8 fails to properly dereference cache SIG RR elements with invalid expiry times from the internal database

Overview

A remotely exploitable denial-of-service vulnerability exists in BIND.

Description

A remotely exploitable denial-of-service vulnerability exists in BIND 8.2 - 8.2.6 and BIND 8.3.0 - 8.3.3. ISC’s description of this vulnerability states:

It is possible to de-reference a NULL pointer for certian [sic] signature expire values.

---

Impact

The BIND daemon will shut down. As a result, clients will not be able to connect to the service to resolve queries.

---

Solution

Apply a patch from your vendor. In the absence of a patch, you may wish to consider ISC’s recommendation, which is upgrading to “BIND 4.9.11, BIND 8.2.7, BIND 8.3.4 or preferably BIND 9.” Additionally, ISC indicates, “BIND 4 is officially deprecated. Only security fixes will be issued for BIND 4.”

---

Disable recursion if possible.

---

Vendor Information

581682

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer Inc. __ Affected

Updated: December 02, 2002

Status

Affected

Vendor Statement

Affected Systems: Mac OS X and Mac OS X Server with BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3

Mitigating Factors: BIND is not enabled by default on Mac OS X or Mac OS X Server

This is addressed in Security Update 2002-11-21 <http://www.apple.com/support/security/security_updates.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23581682 Feedback>).

Nortel Networks __ Affected

Updated: December 03, 2002

Status

Affected

Vendor Statement

NetID version 4.3.1 and below is affected by the vulnerabilities identified in CERT/CC Advisory CA-2002-31. A bulletin and patched builds are available from the following Nortel Networks support contacts:

North America: 1-800-4NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Optivity NMS is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please note that there was a delay in posting Nortel’s vendor statement update. Their update was sent to the CERT/CC on Nov 27, 2002.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23581682 Feedback>).

Red Hat Inc. __ Affected

Notified: November 12, 2002 Updated: November 13, 2002

Status

Affected

Vendor Statement

Older releases (6.2, 7.0) of Red Hat Linux shipped with versions of BIND which may be vulnerable to these issues however a Red Hat security advisory in July 2002 upgraded all our supported distributions to BIND 9.2.1 which is not vulnerable to these issues.

All users who have BIND installed should ensure that they are running these updated versions of BIND.

<http://rhn.redhat.com/errata/RHSA-2002-133.html&gt; Red Hat Linux
<http://rhn.redhat.com/errata/RHSA-2002-119.html&gt; Advanced Server 2.1

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23581682 Feedback>).

MontaVista Software __ Not Affected

Notified: November 12, 2002 Updated: November 13, 2002

Status

Not Affected

Vendor Statement

MontaVista ships BIND 9, thus is not vulnerably to these advisories.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23581682 Feedback>).

Nominum __ Not Affected

Updated: November 13, 2002

Status

Not Affected

Vendor Statement

Nominum “Foundation” Authoritative Name Server (ANS) is not affected by this vulnerability. Also, Nominum “Foundation” Caching Name Server (CNS) is not affected by this vulnerability. Nominum’s commercial DNS server products, which are part of Nominum “Foundation” IP Address Suite, are not based on BIND and do not contain any BIND code, and so are not affected by vulnerabilities discovered in any version of BIND.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23581682 Feedback>).

Alcatel __ Unknown

Updated: February 25, 2003

Status

Unknown

Vendor Statement

Following CERT advisory CA-2002-31 on security vulnerabilities in the ISC BIND implementation, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that the following products (OmniSwitch 6600, 7700, 8800) may be impacted. Customers may wish to contact their support for more details. The security of our customers’ networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential ISC BIND security vulnerabilities and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23581682 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469&gt;
• <http://www.isc.org/products/BIND/bind-security.html&gt;
• <http://www.ciac.org/ciac/bulletins/n-013.shtml&gt;

Acknowledgements

Internet Security Systems is credited for discovering this vulnerability.

This document was written by Ian A Finlay.

Other Information

CVE IDs:	CVE-2002-1221
Severity Metric:	27.54 Date Public: