CERT VU:715973
History: Nov 10, 2000 - 12:00 a.m.

ISC BIND 8.2.2-P6 vulnerable to DoS via compressed zone transfer, aka the "zxfr bug"

2000-11-10 00:00:00
www.kb.cert.org

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.101 Low
Percentile: 94.9%

Overview

There is a denial-of-service vulnerability in several versions of the Internet Software Consortium’s (ISC) BIND software. This vulnerability is referred to by the ISC as the “zxfr bug.” It affects ISC BIND version 8.2.2, patch levels 1 through 6.

Description

Using this vulnerability, attackers on sites that are permitted to request zone transfers can force the name service daemon (named) running on vulnerable DNS servers to crash, disrupting name resolution service until the named daemon is restarted.

The preconditions for this attack to succeed are as follows:

* A compressed zone transfer (ZXFR) request must be made from a site allowed to make any zone transfer request (not just ZXFR).
* A subsequent name service query of an authoritative and non-cached record must be made. 

The time between the attack and the crash of named may vary from system to system.

This vulnerability has been discussed in public forums. The ISC has confirmed that all platforms running version 8.2.2 of the BIND software prior to patch level 7 are vulnerable to this attack.

Impact

A remote attacker can use malicious zone transfers to crash vulnerable BIND servers, resulting in a denial-of-service condition that disables name resolution service.


Solution

Apply a patch from your vendor

To address this vulnerability, the CERT/CC recommends that all users of ISC BIND upgrade to version 8.2.2-P7, which patches both VU#198355 and VU#715973. For information regarding vendor-specific versions of DNS software, please consult the Systems Affected section of this document.


If it is not possible to immediately upgrade systems affected by the “zxfr bug”, the ISC recommends that users block zone transfers from untrusted hosts.
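
The workaround above depends on knowing which zones still accept transfers from any host. The following audit script is an added example, not code from CERT/CC or the ISC. It assumes BIND 8 `named.conf` syntax, in which a zone with no applicable `allow-transfer` statement permits transfers from all hosts; the zone names and addresses in the sample are constructed placeholders.

```python
import re

# Constructed BIND 8 named.conf sample; zone names and addresses are placeholders.
SAMPLE_CONF = '''
acl "secondaries" { 192.0.2.53; 198.51.100.53; };
options { directory "/var/named"; };            // no global allow-transfer
zone "example.com" { type master; file "db.example.com";
    allow-transfer { "secondaries"; }; };       // restricted: corrected form
zone "example.net" { type master; file "db.example.net"; };   // inherits default
zone "example.org" { type master; file "db.example.org";
    allow-transfer { any; }; };                 // explicitly open: weak form
'''

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def _transfer_acl(block):
    """Return the allow-transfer match list in a block, or None if absent."""
    m = re.search(r"\ballow-transfer\s*\{", block)
    if m is None:
        return None
    items = _body(block, m.end() - 1).split(";")
    return [i.strip().strip('"') for i in items if i.strip()]

def open_transfer_zones(conf):
    """List master/slave zones that any host may transfer."""
    conf = _strip_comments(conf)
    opts = re.search(r"\boptions\s*\{", conf)
    default = _transfer_acl(_body(conf, opts.end() - 1)) if opts else None
    exposed = []
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        block = _body(conf, z.end() - 1)
        if not re.search(r"\btype\s+(master|slave)\b", block):
            continue  # only master and slave zones are audited here
        acl = _transfer_acl(block)
        acl = default if acl is None else acl
        # With no allow-transfer in effect, transfers are open to all hosts.
        if acl is None or "any" in acl:
            exposed.append(z.group(1))
    return exposed

if __name__ == "__main__":
    print(open_transfer_zones(SAMPLE_CONF))
```

The script does not expand named ACLs, so an `acl` that itself resolves to `any` still needs a manual check.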


Vendor Information


Caldera Affected

Notified: November 12, 2000 Updated: May 16, 2001

Status

Affected

Vendor Statement

The Advisory [is] available [at]:

<http://www.calderasystems.com/support/security/advisories/CSSA-2000-040.0.txt>

Updated packages will be available from

OpenLinux Desktop 2.3
<ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current>
9d8429f25c5fb3bebe2d66b1f9321e61 RPMS/bind-8.2.2p7-1.i386.rpm
0e958eb01f40826f000d779dbe6b8cb3 RPMS/bind-doc-8.2.2p7-1.i386.rpm
866ff74c77e9c04a6abcddcc11dbe17b RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

OpenLinux eServer 2.3
<ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current>
379c4328604b4491a8f3d0de44e42347 RPMS/bind-8.2.2p7-1.i386.rpm
b428b824c8b67f2d8d4bf53738a3e7e0 RPMS/bind-doc-8.2.2p7-1.i386.rpm
28311d630281976a870d38abe91f07fb RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

OpenLinux eDesktop 2.4
<ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current>
c37b6673cc9539e592013ac114846940 RPMS/bind-8.2.2p7-1.i386.rpm
bbe0d7e317fde0d47cba1384f6d4b635 RPMS/bind-doc-8.2.2p7-1.i386.rpm
5c28dd5641a4550c03e9859d945a806e RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23715973 Feedback>).

Compaq Computer Corporation Affected

Notified: November 12, 2000 Updated: May 16, 2001

Status

Affected

Vendor Statement

......................................................................

COMPAQ COMPUTER CORPORATION

......................................................................
CERT-2000-20 - BIND 8 The "zxfr bug"
X-REF: SSRT1-38U, CERT-2000-20
......................................................................
Compaq Tru64 UNIX V5.1 -
patch: SSRT1-66U_v5.1.tar.Z

Compaq Tru64 UNIX V5.0 & V5.0a -
V5.0 patch: SSRT1-68U_v5.0.tar.Z
V5.0a patch: SSRT1-68U_v5.0a.tar.Z

Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable
TCP/IP Services for Compaq OpenVMS - Not Vulnerable

......................................................................
CERT02000-20 - BIND 8 The "srv bug"
X-REF: SSRT1-38U, CERT CA2000-20
......................................................................
Compaq Tru64 UNIX V5.1 -
patch: SSRT1-66U_v5.1.tar.Z

Compaq Tru64 UNIX V5.0 & V5.0a -
V5.0 patch: SSRT1-68U_v5.0.tar.Z
V5.0a patch: SSRT1-68U_v5.0a.tar.Z

Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable
TCP/IP Services for Compaq OpenVMS - Not Vulnerable

Compaq will provide notice of the completion/availability
of the patches through AES services (DIA, DSNlink FLASH),
the ** Security mailing list, and be available from your
normal Compaq Support channel.
**You may subscribe to the Security mailing list at:

_http://www.support.compaq.com/patches/mailing-list.shtml_

Software Security Response Team
COMPAQ COMPUTER CORPORATION
......................................................................

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Compaq Tru64 Unix was reported as being not vulnerable when CA-2000-20 was initially launched.


Conectiva Affected

Updated: May 16, 2001

Status

Affected

Vendor Statement

Please see Conectiva Linux Security Announcement CLSA-2000:338 at:

http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000338

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please note that the updated BIND packages referred to in CLSA-2000:338 contain a packaging error which renders named inoperable. Conectiva has published CLSA-2000:339 as an update to CLSA-2000:338. For further information, please visit:

Debian Affected

Updated: May 16, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian has released vendor-specific information regarding this vulnerability at:

<http://www.debian.org/security/2000/20001112>


Hewlett Packard Affected

Notified: November 12, 2000 Updated: May 11, 2001

Status

Affected

Vendor Statement

HP is vulnerable to the SRV issue and patches are available, see HP Security Bulletin #144.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

To locate this HP Security Bulletin online, please visit http://itrc.hp.com and search for “HPSBUX0102-144”. Please note that registration may be required to access this document.


IBM Affected

Notified: November 12, 2000 Updated: May 11, 2001

Status

Affected

Vendor Statement

IBM has reported to the CERT/CC that AIX is vulnerable to the bugs described in this document. IBM initially released an e-patch in APAR IY14512.

IBM has posted an e-fix for the BIND denial-of-service vulnerabilities to ftp.software.ibm.com/aix/efixes/security. See the README file in this ftp directory for additional information.

Also, IBM has posted an e-fix to this same site that contains libc.a library that incorporates a fix to the BIND vulnerabilities and the recent locale subsystem format string vulnerability discovered by Ivan Arce of CORE, and discussed on Bugtraq. The e-fix for BIND must be downloaded and installed before implementing this e-fix. See the same README file for details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


ISC Affected

Updated: November 13, 2000

Status

Affected

Vendor Statement

bind-security.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft Affected

Updated: November 13, 2000

Status

Affected

Vendor Statement

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2000:067: bind at: <http://www.linux-mandrake.com/en/security/MDKSA-2000-067.php3>


NetBSD Affected

Notified: November 12, 2000 Updated: November 13, 2000

Status

Affected

Vendor Statement

NetBSD is believed to be vulnerable to these problems; in response, NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7 will be present in the forthcoming NetBSD 1.5 release.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

RedHat Affected

Notified: November 12, 2000 Updated: November 13, 2000

Status

Affected

Vendor Statement

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see RHSA-2000:107-01: Updated bind packages fixing DoS attack available at: <http://www.redhat.com/support/errata/RHSA-2000-107-01.html>

[ not available as of 11/13/2000, 1200 UTC-0500 ]


Slackware Affected

Updated: November 13, 2000

Status

Affected

Vendor Statement

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Updated Slackware distributions for bind may be found at: <ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz>


SuSE Affected

Notified: November 16, 2000 Updated: May 11, 2001

Status

Affected

Vendor Statement

SuSE Linux has published a Security Announcement (below) regarding this vulnerability. For the latest version of this advisory, please visit:

http://www.suse.com/de/support/security/2000_045_bind8_txt.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE Security Announcement: bind8 (SuSE-SA:2000:45)

Trustix Affected

Notified: November 16, 2000 Updated: May 16, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD Not Affected

Notified: November 12, 2000 Updated: May 11, 2001

Status

Not Affected

Vendor Statement

All versions of FreeBSD after 4.0-RELEASE (namely 4.1-RELEASE, 4.1.1-RELEASE and the forthcoming 4.2-RELEASE) are not vulnerable to this bug since they include versions of BIND 8.2.3. FreeBSD 4.0-RELEASE and earlier are vulnerable to the reported problems since they include an older version of BIND, and an update to a non-vulnerable version is scheduled to be committed to FreeBSD 3.5.1-STABLE in the next few days.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has released the following advisory regarding this issue:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:10.bind.asc


Fujitsu Not Affected

Notified: November 12, 2000 Updated: May 11, 2001

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V is not vulnerable to these bugs because we support a different version of BIND.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Microsoft Not Affected

Notified: November 12, 2000 Updated: November 14, 2000

Status

Not Affected

Vendor Statement

We have had a chance to investigate these issues and we are not-vulnerable. This includes both Windows 2000 and Windows NT 4.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Immunix Unknown

Updated: May 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



Acknowledgements

The CERT Coordination Center thanks Mark Andrews, David Conrad, and Paul Vixie of the ISC for developing a solution and assisting in the preparation of this document. We also thank Olaf Kirch for helping us to understand the exact nature of the “zxfr bug” vulnerability.

This document was written by Jeffrey S. Havrilla and Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2000-0887
CERT Advisory: CA-2000-20 Severity Metric:
