CERT VU#738331 (Oct 01, 2002)

Domain Name System (DNS) resolver libraries vulnerable to read buffer overflow

Source: www.kb.cert.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

EPSS: 0.098 Low (Percentile: 94.8%)

Overview

DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service.

Description

A read buffer overflow vulnerability exists in BIND 4 and BIND 8.2.x stub resolver libraries. Other resolver libraries derived from BIND 4 are also affected, including BSD libc, GNU/Linux glibc, and System 5 UNIX libresolv. This vulnerability is similar in scope to VU#803539 and VU#542971, which are referenced by CERT Advisory CA-2002-19.

The name server itself, named, is not affected. The vulnerability exists in DNS stub resolver libraries that are used by network applications to obtain host or network information, typically host names and IP addresses. For example, when a web browser attempts to access <http://www.cert.org/>, it calls functions in a DNS stub resolver library in order to determine an IP address for www.cert.org.

Within the DNS resolver library, a buffer size value that is smaller than the maximum size of a potential DNS response is passed to the functions that perform DNS resolution. If a response is encountered that is larger than the allocated buffer, the response is truncated and returned to the calling function, along with the amount of buffer space that would be required to handle the entire response. The calling function may use this value for the size of the buffer and read beyond the end of the actual DNS response. In some cases, unmapped memory may be read, which typically causes the calling application to crash. In other cases, mapped memory may be read and its contents treated as part of the DNS response, which the calling application typically handles as a malformed response.

Applications that call DNS resolution functions directly may also be vulnerable, depending on how those applications handle the returned buffer size value. MIT Kerberos 5, KTH Heimdal Kerberos, nss_ldap, and fetchmail are known to be affected.

Quoting from the ISC advisory:

When looking up address (gethostbyname(), gethostbyaddr() etc.) a less than maximum sized buffer is passed to res_search() / res_query(). If the answer is too large to fit in the buffer the size of buffer required is returned along with the part of the message that will fit. This value is not checked and is passed to getanswer which then may read past the end of the buffer depending upon the contents in the answer section.


Impact

An attacker who is able to send DNS responses to a vulnerable system could cause a denial of service, crashing the application that made calls to a vulnerable resolver library. It does not appear that this vulnerability can be leveraged to execute arbitrary code. There may be some risk of information disclosure if a vulnerable system returns the contents of memory adjacent to a DNS response.


Solution

Patch or Upgrade

Apply a patch or upgrade as specified by your vendor. In the case of statically linked binaries, it is necessary to recompile using the patched version of the DNS stub resolver libraries. ISC has provided the following guidance for applications that call DNS resolution functions directly:

For application writers. Use a maximum sized buffer (64k), be prepared to redo the calls res_search(), res_query(), res_send(), res_nsearch(), res_nquery() and res_send() with a bigger buffer or take the minimum of the answer buffer size and the value returned by these calls and be aware that the answer is truncated.
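
The truncating return value from the Description and the ISC guidance above, as an added C example (not code from ISC, CERT/CC or any vendor patch). The resolver call is simulated by the hypothetical `sim_res_query` so the block runs offline, the DNS response is constructed inline, and `usable_len`, `count_answers` and `resolve_bounded` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample response to "example.test A": 30 + 16*n_answers bytes. */
static size_t build_response(uint8_t *out, unsigned n_answers)
{
    static const uint8_t head[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,0, 0,0, 0,0,
        7,'e','x','a','m','p','l','e', 4,'t','e','s','t', 0,   /* QNAME */
        0,1, 0,1 };                                            /* QTYPE A, QCLASS IN */
    static const uint8_t rr[] = { 0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };
    size_t off = sizeof head;
    memcpy(out, head, sizeof head);
    out[6] = (uint8_t)(n_answers >> 8);                        /* ANCOUNT */
    out[7] = (uint8_t)n_answers;
    for (unsigned i = 0; i < n_answers; i++, off += sizeof rr)
        memcpy(out + off, rr, sizeof rr);  /* name is a pointer to the QNAME */
    return off;
}

/* Hypothetical stand-in for the resolver call: copies what fits, returns the full size. */
static int sim_res_query(const uint8_t *wire, size_t wire_len, uint8_t *answer, int anslen)
{
    memcpy(answer, wire, wire_len < (size_t)anslen ? wire_len : (size_t)anslen);
    return (int)wire_len;
}

/* ISC guidance: use min(buffer size, returned value) and note the truncation. */
static int usable_len(int returned, int anslen, int *truncated)
{
    *truncated = returned > anslen;
    return returned < 0 ? -1 : (*truncated ? anslen : returned);
}

/* Skip one (possibly compressed) name without reading outside msg[0..len). */
static int skip_name(const uint8_t *msg, size_t len, size_t *off)
{
    while (*off < len) {
        uint8_t c = msg[*off];
        if ((c & 0xC0) == 0xC0) {           /* 2-byte pointer ends the name */
            *off += 2;
            return *off <= len ? 0 : -1;
        }
        if (c & 0xC0) return -1;            /* reserved label type */
        (*off)++;
        if (c == 0) return 0;               /* root label ends the name */
        if ((size_t)c > len - *off) return -1;
        *off += c;
    }
    return -1;
}

/* Count the answer records that lie completely inside msg[0..len). */
static int count_answers(const uint8_t *msg, size_t len, int *complete)
{
    size_t off = 12;
    *complete = 0;
    if (len < 12) return -1;
    unsigned qd = (msg[4] << 8) | msg[5], an = (msg[6] << 8) | msg[7], seen;
    for (unsigned i = 0; i < qd; i++) {
        if (skip_name(msg, len, &off) < 0 || len - off < 4) return -1;
        off += 4;                           /* QTYPE + QCLASS */
    }
    for (seen = 0; seen < an; seen++) {
        if (skip_name(msg, len, &off) < 0 || len - off < 10) break;
        size_t rdlen = (size_t)((msg[off + 8] << 8) | msg[off + 9]);
        off += 10;                          /* TYPE, CLASS, TTL, RDLENGTH */
        if (rdlen > len - off) break;
        off += rdlen;
    }
    *complete = (seen == an);
    return (int)seen;
}

/* Query with an anslen-byte buffer; on truncation redo once with the size asked for. */
static int resolve_bounded(const uint8_t *wire, size_t wire_len, int anslen, int *retried)
{
    for (*retried = 0; ; *retried = 1) {
        int truncated, complete;
        uint8_t *answer = malloc((size_t)anslen);
        if (!answer) return -1;
        int ret = sim_res_query(wire, wire_len, answer, anslen);
        /* The flaw: treating answer[] as 'ret' bytes long reads past its anslen bytes. */
        int len = usable_len(ret, anslen, &truncated);
        int n = len < 0 ? -1 : count_answers(answer, (size_t)len, &complete);
        free(answer);
        if (!truncated || *retried || ret > 65535) return n;
        anslen = ret;                       /* room for the whole response */
    }
}

int main(void)
{
    uint8_t wire[1024];
    int retried, n = resolve_bounded(wire, build_response(wire, 40), 512, &retried);
    printf("%d answer records parsed, retried=%d\n", n, retried);
    return 0;
}
```

With the length clamped to the 512-byte buffer the parser stops at the last complete record and reports the answer as incomplete instead of walking into adjacent memory.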


Local Caching DNS Server Not Effective

A local caching DNS server will not prevent malicious responses from reaching vulnerable client resolvers.


Vendor Information

Conectiva Affected

Notified: August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please reference the following Conectiva Linux Announcements (English): CLSA-2002:535 (glibc) and CLSA-2002:531 (fetchmail).

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23738331 Feedback>).

Debian Affected

Notified: August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. Debian Security Advisory DSA-178 (superseded by DSA-185) addresses this issue in Heimdal Kerberos. See also:

<http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.6.diff.gz>

Debian Security Advisory DSA-171 addresses this issue in fetchmail.

Fetchmail Affected

Updated: October 18, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Affected

Notified: August 15, 2002 Updated: November 13, 2002

Status

Affected

Vendor Statement

Please see FreeBSD-SA-02:42.resolv.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Affected

Notified: August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

Fujitsu’s UXP/V operating system is vulnerable to the bug reported in VU#738331.

Bug fixes are currently being developed and will be available in November, 2002.

The bug fix no. for UXP/V V20L10 is UX28292.

The bug fix no. for UXP/V V10L20 is UX15055.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU glibc Affected

Notified: August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

Version 2.2.5 of the GNU C Library is vulnerable. The following patch has been installed into the CVS sources, and should appear in the next version.

2002-09-04 Roland McGrath <[email protected]>

* resolv/nss_dns/dns-network.c (MAXPACKET): Increase minimum value
from 1024 to 65536, to avoid buffer overrun.

2002-08-24 Ulrich Drepper <[email protected]>

* resolv/nss_dns/dns-host.c (MAXPACKET): Likewise.

2002-08-16 Paul Eggert <[email protected]>

* resolv/gethnamaddr.c (MAXPACKET): Likewise.
* resolv/res_query.c (MAXPACKET): Likewise.

===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- libc/resolv/nss_dns/dns-network.c 2002/08/26 06:20:05 1.12
+++ libc/resolv/nss_dns/dns-network.c 2002/09/05 01:23:06 1.13
@@ -70,10 +70,10 @@
#define MAX_NR_ALIASES 48

-#if PACKETSZ &gt; 1024
-#define MAXPACKET PACKETSZ
+#if PACKETSZ &gt; 65536
+# define MAXPACKET PACKETSZ
#else
-#define MAXPACKET 1024
+# define MAXPACKET 65536
#endif
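
Review bot: In resolv/nss_dns/dns-network.c the value change is mixed with a whitespace change: both `#define MAXPACKET` lines become `# define MAXPACKET`, so the hunk shows four changed lines where only the two constants (1024 to 65536) matter. Keep the re-indentation out of the security fix, or mention it in the ChangeLog entry, so that a backport review sees only the bound change.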

===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-host.c,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- libc/resolv/nss_dns/dns-host.c 2002/08/03 03:42:06 1.32
+++ libc/resolv/nss_dns/dns-host.c 2002/08/24 22:29:11 1.33
@@ -92,10 +92,10 @@
#define MAX_NR_ALIASES 48
#define MAX_NR_ADDRS 48

-#if PACKETSZ &gt; 1024
+#if PACKETSZ &gt; 65536
# define MAXPACKET PACKETSZ
#else
-# define MAXPACKET 1024
+# define MAXPACKET 65536
#endif
/* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. */
#ifdef MAXHOSTNAMELEN
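
Review bot: The new `# define MAXPACKET 65536` in resolv/nss_dns/dns-host.c carries no comment saying why 65536 was chosen, while the host name limit directly below it cites RFC 1034 and 1035. Add a one-line comment stating that the buffer must hold the largest response the resolver can report, so that nobody lowers the value again to save memory.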
===================================================================
RCS file: /cvs/glibc/libc/resolv/gethnamaddr.c,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- libc/resolv/gethnamaddr.c 2002/08/03 03:40:54 1.39
+++ libc/resolv/gethnamaddr.c 2002/08/24 22:29:11 1.40
@@ -115,10 +115,10 @@
extern void addrsort __P((char **, int));
#endif

-#if PACKETSZ &gt; 1024
+#if PACKETSZ &gt; 65536
#define MAXPACKET PACKETSZ
#else
-#define MAXPACKET 1024
+#define MAXPACKET 65536
#endif

/* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. */
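
Review bot: The `#if PACKETSZ > 65536` / `#define MAXPACKET 65536` block in resolv/gethnamaddr.c duplicates the one in the two nss_dns files, and the revision dates in the file headers show the copies were not all updated on the same day (2002/08/24 here, 2002/09/05 for dns-network.c). Define MAXPACKET once in a resolver-internal header and include it from each file, so a later change cannot leave one copy with the smaller value.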
===================================================================
RCS file: /cvs/glibc/libc/resolv/res_query.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- libc/resolv/res_query.c 2001/01/08 17:55:24 1.16
+++ libc/resolv/res_query.c 2002/08/24 22:29:11 1.17
@@ -85,10 +85,10 @@
/* Options. Leave them on. */
/* #undef DEBUG */

-#if PACKETSZ &gt; 1024
+#if PACKETSZ &gt; 65536
#define MAXPACKET PACKETSZ
#else
-#define MAXPACKET 1024
+#define MAXPACKET 65536
#endif

/*
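
Review bot: Raising MAXPACKET in resolv/res_query.c only enlarges the buffer; nothing in this hunk bounds the length returned by the query functions to the size of the buffer the caller passed in. A caller that supplies its own smaller buffer gets no protection from this change, so consider also clamping the returned length to the answer buffer size, or document that callers must do so.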

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc. Affected

Notified: August 15, 2002 Updated: October 10, 2002

Status

Affected

Vendor Statement

See ESA-20021003-021.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions.

Hewlett-Packard Company Affected

Notified: August 15, 2002 Updated: April 15, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Secure OS Software for Linux is affected. Please reference the following documents: HPSBTL0210-071 (fetchmail), HPSBTL0210-070 (nss_ldap), and HPSBTL0210-069/HPSBTL0211-0075 (glibc).

See also HPSBUX0208-209/SSRT2316.

Hitachi Affected

Notified: August 27, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

DNS resolver included in GR2000 router is potentially vulnerable to this problem. All ROUTE-OS software from the version 02-03 is affected. Below is the release schedule for the fixed version of software.

Fixed software version : 06-05-/E
Release date : September 12, 2002
Please see <http://www.hitachi.co.jp/Prod/comp/network/notice/20020911_0_E.html> for more information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Affected

Notified: August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to a buffer overflow in the res_nsend() resolver function, as mentioned above, in releases 4.3.3 and 5.1.0. This problem was discovered and fixed earlier while investigating a core dump from the “host” command.

The following APARs are available for this fix:

AIX 4.3.3: IY31886

AIX 5.1.0: IY31889
The APARs can be downloaded by going to the following URL, then following the links for your system release level.

<http://techsupport.services.ibm.com/servers/fixes?view=pseries>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

ISC Affected

Updated: October 16, 2002

Status

Affected

Vendor Statement

Internet Software Consortium Security Advisory. LIBBIND/LIBRESOLV: Denial of Service. 8 August 2002

Versions affected: BIND 4 prior to 4.9.10; BIND 8 prior to 8.2.5
Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service
Description:
When looking up address (gethostbyname(), gethostbyaddr() etc.) a less than maximum sized buffer is passed to res_search() / res_query(). If the answer is too large to fit in the buffer the size of buffer required is returned along with the part of the message that will fit. This value is not checked and is passed to getanswer which then may read past the end of the buffer depending upon the contents in the answer section.
THIS DOES NOT AFFECT THE NAMESERVER.
THIS CAN BE TRANSMITTED THROUGH CACHES.
BIND 9 is NOT affected. BIND 8.3.x is NOT affected.
This bug may exist in other applications that call the DNS directly.
Workarounds:
None. Upgrade and re-linking required.
Impact:
Applications linked against vulnerable versions of the libraries may die with segmentation violations / bus errors.
Fix:
Upgrade to BIND 4.9.10 or preferably BIND 8.3.3.
BIND 4 is officially deprecated. Only security fixes will be issued for BIND 4.
http://www.isc.org/products/BIND
For application writers. Use a maximum sized buffer (64k), be prepared to redo the calls res_search(), res_query(), res_send(), res_nsearch(), res_nquery() and res_send() with a bigger buffer or take the minimum of the answer buffer size and the value returned by these calls and be aware that the answer is truncated.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Juniper Networks Affected

Notified: August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

Juniper Networks has determined that its JUNOS Internet Software, used on the M- and T-series of router products, is susceptible to this vulnerability in versions 5.2R1.4, 5.2R2.3, 5.2R3.4, 5.2R4.4, 5.3R1.2, 5.3R2.4, 5.3R3.3, and 5.4R1.4. Customers should contact Juniper or their Juniper reseller to obtain an updated version of JUNOS software.

Juniper Networks has determined that the operating software used on the ERX router products is not susceptible to this vulnerability. No software upgrade is required. However, the SDX-300 Service Deployment system may be susceptible if it is installed on a susceptible host platform. Users of SDX-300 should contact their host operating system vendor regarding this advisory.

The Juniper Networks G10 CMTS product is not susceptible to this vulnerability. No upgrade is required.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KAME Project Affected

Updated: October 01, 2002

Status

Affected

Vendor Statement

The problem was fixed in the KAME tree on August 27, 2002.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MIT Kerberos Development Team Affected

Notified: August 23, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

We don’t ship a resolver implementation as part of MIT krb5. Our code does call res_search() in a potentially unsafe manner, but seems to only result in a read overrun. Also, it is primarily client-side code that calls res_search(), so denial of service attacks against servers are unlikely.

This will be fixed in an upcoming release of MIT krb5. The MIT Kerberos Team is not issuing a patch at this time, as we believe that the vulnerability is limited to a client-side denial of service.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Affected

Notified: August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

Mandrake Linux 7.1 and 7.2, which ship with BIND 8.x, already have been updated to BIND version 8.3.3, which is not vulnerable to this problem. Mandrake Linux 8.0 and higher ship with BIND 9.x which is also not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. MandrakeSoft has also released MDKSA-2002:063 (fetchmail) and MDKSA-2002:075 (nss_ldap).

MetaSolv Software Inc. Affected

Notified: August 15, 2002 Updated: October 01, 2002

Status

Affected

Vendor Statement

The resolver code embedded in the DNS Server (Based on ISC BIND 8.2.3) on both MetaSolv Policy Services 4.1 and 4.2 are open to Vulnerability Note VU#738331. This issue is being tracked by MetaSolv under Case #28230. An upgrade to ISC BIND 8.2.6 and the ISC Sanctioned Patches to 8.2.6 for this advisory have been compiled and applied, and will be available in Policy Services 4.2 Service Pack 1 efix 1. Please contact MetaSolv Global Customer Care ([email protected]) for availability and assistance.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified: August 15, 2002 Updated: October 10, 2002

Status

Affected

Vendor Statement

See NetBSD Security Advisory SA2002-015 for details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks Affected

Notified: August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

Nortel Networks has determined that NetID version 4.3.1 and later is potentially affected by the vulnerability identified in CERT/CC Vulnerability Note VU#738331; a bulletin and patch are available from the following Nortel Networks support contacts:

North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Contacts for other regions are available at

www.nortelnetworks.com/help/contact/global/

Optivity NMS is not affected.

The former Nortel Networks product Preside Policy Server divested to MetaSolv Software, Inc. in February 2002 uses BIND 8 and may be potentially affected. Please refer to MetaSolv Software Inc.'s Vendor Statement.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Affected

Notified: August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

Openwall GNU/*/Linux’s glibc package was affected. As a workaround, we have applied the patch by Olaf Kirch of SuSE which limits the return value from res_send(3) to be no greater than the provided answer buffer size. This approach has the advantage of reducing the problem for poorly written third-party applications, including those which aren’t a part of our distribution. At the same time, checks have also been added to avoid some potential reads beyond end of undersized DNS responses as pointed out by Dmitry V. Levin of ALT Linux. This change will be documented in the system-wide change log:

<http://www.openwall.com/Owl/CHANGES.shtml>

The BIND 4.9.x Openwall patch (which adds a number of security-related features) has been updated to the upcoming 4.9.10 release and will be made available at:

<http://www.openwall.com/bind/>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Affected

Notified: August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

All supported versions of Red Hat Linux which shipped with vulnerable versions of BIND were updated to BIND 9.x by a previous security errata issued in August 2002 and are therefore not vulnerable to this issue. Users of the Red Hat Network can make sure their systems are updated to this release using the ‘up2date’ tool.

<http://rhn.redhat.com/errata/RHSA-2002-133.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat has also released RHSA-2002:197 (glibc), RHSA-2002:215 (fetchmail), and RHSA-2002:175 (nss_ldap).

SuSE Inc. Affected

Notified: August 15, 2002 Updated: October 25, 2002

Status

Affected

Vendor Statement

All SuSE versions of bind8 are affected by the bug in res_search/res_query. Fixed packages will be provided at 2002-10-01.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE Security Announcement SuSE-SA:2002:034 addresses this issue in Heimdal Kerberos.

Sun Microsystems Inc. Affected

Notified: August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

The Solaris DNS resolver library (libresolv.so) is affected by this issue in the following versions of Solaris:

Solaris 2.5.1, 2.6, 7, and 8
Patches have been generated for all of the above releases. Sun has published Sun Alert 45463 for this issue which is available from:

<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F45463>
The patches for this issue are available from:

<http://sunsolve.sun.com/securitypatch>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Xerox Corporation Affected

Notified: August 15, 2002 Updated: April 15, 2003

Status

Affected

Vendor Statement

A response to this vulnerability is available from our web site:

<http://www.xerox.com/security/>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer Inc. Not Affected

Notified: August 15, 2002 Updated: August 23, 2002

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Computer Associates Not Affected

Notified: August 15, 2002 Updated: October 01, 2002

Status

Not Affected

Vendor Statement

We do not ship a resolver implementation or utilize the resolver library calls (i.e., res_*) but do utilize other native calls (e.g., gethostbyname(), gethostbyaddr() etc.) for translations.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU adns Not Affected

Notified: August 15, 2002 Updated: October 03, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies Not Affected

Notified: August 15, 2002 Updated: August 21, 2002

Status

Not Affected

Vendor Statement

LMG is not affected by the bind vulnerability. LMG uses BIND 9.2.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Not Affected

Notified: August 15, 2002 Updated: August 23, 2002

Status

Not Affected

Vendor Statement

Microsoft does not use BIND resolver code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nixu Not Affected

Notified: September 24, 2002 Updated: October 14, 2002

Status

Not Affected

Vendor Statement

Nixu NameSurfer itself does not contain any parts of the resolver library being discussed, nor does it call the res_* functions directly. However, parts of NameSurfer are dynamically linked with the resolver library on the DNS server machine. Therefore, if the underlying system is vulnerable, the vulnerability propagates also to NameSurfer.

Nixu recommends that the resolver on the DNS server running NameSurfer is upgraded according to ISC’s advisory as published by CERT. No further actions are required.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Not Affected

Notified: August 15, 2002 Updated: August 23, 2002

Status

Not Affected

Vendor Statement

SGI uses nsd (UNS name service daemon) as a resolver and it does not appear to be vulnerable as it does not use any of the res_* functions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Secure Computing Corporation Not Affected

Updated: October 16, 2002

Status

Not Affected

Vendor Statement

SIDEWINDER™ FIREWALL & VPN (all releases including SIDEWINDER APPLIANCE)

Not Vulnerable

As part of Sidewinder™’s defense in depth architecture, DNS queries are sandboxed by SecureOS™’s patented Type Enforcement technology. Faults in the resolver library cannot cause a compromise of the Sidewinder™. However, since a Bind 8 caching server can still pass this attack along to vulnerable resolvers, Sidewinder™ users who wish to protect vulnerable resolvers behind their firewall from attack should upgrade to version 5.2.1.05, which replaces Bind 8 with Bind 9.

Customers should contact Customer Service to obtain version 5.2.1.05.

Gauntlet and e-ppliance

Both Gauntlet Software and Gauntlet e-ppliance utilize the Bind version that ships with Solaris 8. Please see Solaris 8 response to this vulnerability to assess applicability of any potential DOS risk. Secure Computing will test and make recommendations to customers regarding any potential software changes, if any, published by Sun Microsystems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

djbdns Not Affected

Notified: August 15, 2002 Updated: October 01, 2002

Status

Not Affected

Vendor Statement

djbdns does not have these bugs. djbdns has never used any BIND-derived code. djbdns, including the djbdns client library, is covered by a $500 security guarantee. The djbdns client library is free for use by other packages in place of BIND’s libresolv. See <http://cr.yp.to/djbdns.html>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

3Com Unknown

Updated: October 01, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AT&T Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Alcatel Unknown

Notified: August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BlueCat Networks Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point Unknown

Notified: August 15, 2002 Updated: April 15, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.checkpoint.com/techsupport/documentation/smartdefense/2002/cpai-2002-09.html>

Cisco Systems Inc. Unknown

Notified: August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Unknown

Notified: August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

Cray Inc. may be vulnerable and has opened spr 723016 to track this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified: August 15, 2002 Updated: September 24, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Infoblox Unknown

Notified: August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KTH Kerberos Unknown

Notified: August 23, 2002 Updated: August 24, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software Unknown

Notified: September 24, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Notified: August 15, 2002 Updated: October 16, 2002

Status

Unknown

Vendor Statement

sent on October 4, 2002

[Server Products]
On investigation

[Router Products]
* IX 5000 Series - is NOT vulnerable.
* IX 1000/2000 Series - is NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nominum Unknown

Notified: August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Notified: August 15, 2002 Updated: August 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenLDAP Unknown

Notified: August 23, 2002 Updated: August 24, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Oracle Corporation Unknown

Notified: October 01, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sendmail Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group Unknown

Notified: August 15, 2002 Updated: September 24, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisphere Networks Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified: August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Notified: August 15, 2002 Updated: August 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC thanks Mark Andrews of ISC for reporting this vulnerability.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-1146
Severity Metric: 19.04
Date Public:
