Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:844360
HistoryNov 13, 2002 - 12:00 a.m.

Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups

2002-11-1300:00:00
www.kb.cert.org
70

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.936 High

EPSS

Percentile

99.1%

JSON

Overview

The DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10 contains buffer overflows in code that handles responses for network name and address requests. Other resolver libraries derived from BIND 4 such as BSD libc, GNU glibc, and those used by System V UNIX systems may also be affected. An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service.

Description

A DNS stub resolver library provides an interface for network applications to make requests and receive responses from the domain name system. The BIND 4 resolver library (libresolv.a) contains several buffer overflows in the functions that handle responses for network name and address requests (getnetbyname(), getnetbyaddr()). While reading the answer portion of a DNS response, the functions copy data received from the network into inadequately sized buffers. A specially crafted DNS response could overflow the buffers, possibly injecting arbitrary code onto the stack.

ISC BIND 4.9.2 through 4.9.10 are vulnerable. DNS stub resolver libraries that are derived from BIND 4 may vulnerable, including BSD libc, GNU glibc, and resolvers used by System V UNIX systems. In addition, some network applications provide their own resolver functions which may use vulnerable code from BIND 4.

The buffer overflows described in this document are different than the network lookup vulnerability described in CA-2002-19/VU#542971/CAN-2002-0684.

When performing a DNS lookup, applications issue calls to resolver functions, at which point most applications dynamically load the relevant portion of the resolver library. Other applications are statically linked at compile time to include resolver functions. In order to use updated resolver code, dynamically linked process must be restarted, and statically linked binaries must be recompiled.

Impact

An attacker could execute arbitrary code with the privileges of the application that made the request or cause a denial of service. The attacker would need to control DNS responses, possibly by spoofing responses or gaining control of a DNS server.

Solution

Patch or Upgrade

Upgrade or apply a patch as specified by your vendor. Dynamically linked processes must be restarted and statically linked binaries must be recompiled and in order to use the fixed resolver libraries.

Local Caching DNS Server Not Effective

A local caching DNS server will not prevent malicious responses from reaching vulnerable stub resolvers.

Vendor Information

844360

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer Inc. __ Affected

Notified: November 12, 2002 Updated: February 25, 2003

Status

Affected

Vendor Statement

Affected Systems: Mac OS X and Mac OS X Server

Mitigating Factors: BIND is not enabled by default on Mac OS X or Mac OS X Server.

Apple is working on a software update to address this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Security Update 2002-11-21:

<<http://www.apple.com/support/security/security_updates.html&gt;&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

GNU glibc __ Affected

Notified: November 12, 2002 Updated: January 16, 2003

Status

Affected

Vendor Statement

Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are also vulnerable. The following patch has been installed into the CVS sources, and should appear in the next version of the GNU C Library. This patch is also available from the following URL:

<http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/resolv/nss_dns/dns-network.c.diff?r1=1.17&r2=1.15&cvsroot=glibc>

2002-11-18 Roland McGrath &lt;[email protected]&gt;

* resolv/nss_dns/dns-network.c (getanswer_r): In BYNAME case, search
all aliases for one that matches the "&lt;dotted-quad&gt;.IN-ADDR.ARPA" form.
Do the parsing inline instead of copying strings and calling
inet_network, and properly skip all alias names not matching the form.

2002-11-14 Paul Eggert &lt;[email protected]&gt;

* resolv/nss_dns/dns-network.c (getanswer_r): Check for buffer
overflow when skipping the question part and when unpacking aliases.

===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v
retrieving revision 1.15
retrieving revision 1.17
diff -u -r1.15 -r1.17
--- libc/resolv/nss_dns/dns-network.c 2002/10/17 21:49:12 1.15
+++ libc/resolv/nss_dns/dns-network.c 2002/11/19 06:40:16 1.17
@@ -283,7 +283,15 @@

/* Skip the question part. */
while (question_count-- &gt; 0)
- cp += __dn_skipname (cp, end_of_message) + QFIXEDSZ;
+ {
+ int n = __dn_skipname (cp, end_of_message);
+ if (n &lt; 0 || end_of_message - (cp + n) &lt; QFIXEDSZ)
+ {
+ __set_h_errno (NO_RECOVERY);
+ return NSS_STATUS_UNAVAIL;
+ }
+ cp += n + QFIXEDSZ;
+ }

alias_pointer = result-&gt;n_aliases = &net_data-&gt;aliases[0];
*alias_pointer = NULL;
@@ -344,64 +352,94 @@
return NSS_STATUS_UNAVAIL;
}
cp += n;
- *alias_pointer++ = bp;
- n = strlen (bp) + 1;
- bp += n;
- linebuflen -= n;
- result-&gt;n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
- ++have_answer;
+ if (alias_pointer + 2 &lt; &net_data-&gt;aliases[MAX_NR_ALIASES])
+ {
+ *alias_pointer++ = bp;
+ n = strlen (bp) + 1;
+ bp += n;
+ linebuflen -= n;
+ result-&gt;n_addrtype = class == C_IN ? AF_INET : AF_UNSPEC;
+ ++have_answer;
+ }
}
}

if (have_answer)
{
- char *tmp;
- int len;
- char *in, *cp, *rp, *wp;
- int cnt, first_flag;
-
*alias_pointer = NULL;
switch (net_i)
{
case BYADDR:
- result-&gt;n_name = result-&gt;n_aliases[0];
+ result-&gt;n_name = *result-&gt;n_aliases++;
result-&gt;n_net = 0L;
- break;
- case BYNAME:
- len = strlen (result-&gt;n_aliases[0]);
- tmp = (char *) alloca (len + 1);
- tmp[len] = 0;
- wp = &tmp[len - 1];
-
- rp = in = result-&gt;n_aliases[0];
- result-&gt;n_name = ans;
-
- first_flag = 1;
- for (cnt = 0; cnt &lt; 4; ++cnt)
- {
- char *startp;
+ return NSS_STATUS_SUCCESS;

- startp = rp;
- while (*rp != '.')
- ++rp;
- if (rp - startp &gt; 1 || *startp != '0' || !first_flag)
- {
- first_flag = 0;
- if (cnt &gt; 0)
- *wp-- = '.';
- cp = rp;
- while (cp &gt; startp)
- *wp-- = *--cp;
- }
- in = rp + 1;
- }
-
- result-&gt;n_net = inet_network (wp);
+ case BYNAME:
+ {
+ char **ap = result-&gt;n_aliases++;
+ while (*ap != NULL)
+ {
+ /* Check each alias name for being of the forms:
+ 4.3.2.1.in-addr.arpa = net 1.2.3.4
+ 3.2.1.in-addr.arpa = net 0.1.2.3
+ 2.1.in-addr.arpa = net 0.0.1.2
+ 1.in-addr.arpa = net 0.0.0.1
+ */
+ uint32_t val = 0; /* Accumulator for n_net value. */
+ unsigned int shift = 0; /* Which part we are parsing now. */
+ const char *p = *ap; /* Consuming the string. */
+ do
+ {
+ /* Match the leading 0 or 0[xX] base indicator. */
+ unsigned int base = 10;
+ if (*p == '0' && p[1] != '.')
+ {
+ base = 8;
+ ++p;
+ if (*p == 'x' || *p == 'X')
+ {
+ base = 16;
+ ++p;
+ if (*p == '.')
+ break; /* No digit here. Give up on alias. */
+ }
+ if (*p == '\0')
+ break;
+ }
+
+ uint32_t part = 0; /* Accumulates this part's number. */
+ do
+ {
+ if (isdigit (*p) && (*p - '0' &lt; base))
+ part = (part * base) + (*p - '0');
+ else if (base == 16 && isxdigit (*p))
+ part = (part &lt;&lt; 4) + 10 + (tolower (*p) - 'a');
+ ++p;
+ } while (*p != '\0' && *p != '.');
+
+ if (*p != '.')
+ break; /* Bad form. Give up on this name. */
+
+ /* Install this as the next more significant byte. */
+ val |= part &lt;&lt; shift;
+ shift += 8;
+ ++p;
+
+ /* If we are out of digits now, there are two cases:
+ 1. We are done with digits and now see "in-addr.arpa".
+ 2. This is not the droid we are looking for. */
+ if (!isdigit (*p) && !strcasecmp (p, "in-addr.arpa"))
+ {
+ result-&gt;n_net = val;
+ return NSS_STATUS_SUCCESS;
+ }
+
+ /* Keep going when we have seen fewer than 4 parts. */
+ } while (shift &lt; 32);
+ }
+ }
break;
}
-
- ++result-&gt;n_aliases;
- return NSS_STATUS_SUCCESS;
}

__set_h_errno (TRY_AGAIN);

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Hewlett-Packard Company __ Affected

Notified: November 12, 2002 Updated: April 15, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See: SSRT2270, SSRT2322/HPSBUX0303-209

<<http://ftp.support.compaq.com/patches/.new/unix.shtml&gt;&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

IBM __ Affected

Notified: November 12, 2002 Updated: February 27, 2003

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to the named and DNS resolver issues in releases 4.3.3, 5.1.0 and 5.2.0. The following APARs are available:

> AIX 4.3.3 APAR IY37088 (available)AIX 5.1.0 APAR IY37091 (available)AIX 5.2.0 APAR IY37289 (available)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

ISC __ Affected

Notified: October 22, 2002 Updated: November 13, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please reference the “LIBRESOLV: buffer overrun” section of the ISC BIND Vulnerabilities web page.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

MetaSolv Software Inc. __ Affected

Notified: November 12, 2002 Updated: November 15, 2002

Status

Affected

Vendor Statement

VU#844360 - Domain Name System (DNS) stub resolver libraries vulnerable to buffer overflows via network name or address lookups (VU#852283 - CAN-2002-1219 / VU#229595 - CAN-2002-1220 / VU#581682 - CAN-2002-1221/ VU#844360 - CAN-2002-0029) was addressed in Policy Services 4.2 Service Pack 1 efix 1. The vulnerability can be avoided by upgrading to Policy Services 4.2 Service Pack 1 efix 1 from MetaSolv Policy Services 4.1 and 4.2 (base). The efix includes all ISC sanctioned patches to BIND 8.2.6. to remedy this vulnerability. Please contact MetaSolv Global Customer Care [email protected] for assistance.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

NetBSD __ Affected

Notified: November 12, 2002 Updated: February 25, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<<ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-028.txt.asc&gt;&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Openwall GNU/*/Linux __ Affected

Notified: November 12, 2002 Updated: November 14, 2002

Status

Affected

Vendor Statement

BIND 4.9.10-OW2 includes the patch provided by ISC and thus has the two vulnerabilities affecting BIND 4 fixed. Previous versions of BIND 4.9.x-OW patches, if used properly, significantly reduced the impact of the “named” vulnerability. The patches are available at their usual location:

<http://www.openwall.com/bind/&gt;

A patch against BIND 4.9.11 will appear as soon as this version is officially released, although it will likely be effectively the same as the currently available 4.9.10-OW2.

It hasn’t been fully researched whether the resolver code in glibc, and in particular on Openwall GNU/*/Linux, shares any of the newly discovered BIND 4 resolver library vulnerabilities. Analysis is in progress.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

SGI __ Affected

Notified: November 12, 2002 Updated: December 05, 2002

Status

Affected

Vendor Statement

Please see SGI Security Advisory 20021201-01-P.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Sun Microsystems Inc. __ Affected

Notified: November 12, 2002 Updated: November 15, 2002

Status

Affected

Vendor Statement

The Solaris DNS resolver library (libresolv(3LIB)) is affected by VU#844360 in the following supported versions of Solaris:

Solaris 2.6

Patches are being generated for all of the above releases. Sun will be publishing a Sun Alert for this issue at the following location shortly:

<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F48818&gt;

The patches will be available from:

<http://sunsolve.sun.com/securitypatch&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

The SCO Group __ Affected

Notified: November 12, 2002 Updated: February 27, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

OpenLinux

<<ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-059.0.txt&gt;&gt;

UnixWare 7.1.1
<<ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.2/CSSA-2003-SCO.2.txt&gt;&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Xerox Corporation __ Affected

Notified: November 12, 2002 Updated: April 24, 2003

Status

Affected

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

FreeBSD __ Not Affected

Notified: November 12, 2002 Updated: November 14, 2002

Status

Not Affected

Vendor Statement

The FreeBSD libc resolver is not affected by the issues described in VU#844360.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

NcFTP Software __ Not Affected

Updated: December 05, 2002

Status

Not Affected

Vendor Statement

NcFTPd Server, NcFTP Client, and LibNcFTP are not affected. We do not use the getnetbyname() or getnetbyaddr() functions in our code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

OpenBSD Not Affected

Notified: November 12, 2002 Updated: November 14, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

PADL Software __ Not Affected

Notified: November 14, 2002 Updated: November 14, 2002

Status

Not Affected

Vendor Statement

I don’t believe nss_ldap is vulnerable. We implement our own getnetby*() but it has nothing to do with the resolver library (except insofaras we support the BIND IRS).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

AT&T Unknown

Notified: November 12, 2002 Updated: April 04, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Alcatel __ Unknown

Notified: November 12, 2002 Updated: February 25, 2003

Status

Unknown

Vendor Statement

Following CERT advisory CA-2002-31 on security vulnerabilities in the ISC BIND implementation, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that the following products (OmniSwitch 6600, 7700, 8800) may be impacted. Customers may wish to contact their support for more details. The security of our customers’ networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential ISC BIND security vulnerabilities and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Avaya Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

BlueCat Networks Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Check Point Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Cisco Systems Inc. Unknown

Notified: November 12, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Computer Associates Unknown

Notified: November 12, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Conectiva Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Cray Inc. __ Unknown

Notified: November 12, 2002 Updated: November 14, 2002

Status

Unknown

Vendor Statement

Cray Inc. may be vulnerable and has opened spr 723892 to investigate.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

D-Link Systems Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Data General Unknown

Notified: November 12, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Debian Unknown

Notified: November 12, 2002 Updated: February 26, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

F5 Networks Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

FreeRADIUS Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Fujitsu Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Funk Software Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

GNU adns Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Guardian Digital Inc. Unknown

Notified: November 12, 2002 Updated: April 04, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Intel Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Juniper Networks Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

KTH Kerberos __ Unknown

Notified: November 14, 2002 Updated: November 14, 2002

Status

Unknown

Vendor Statement

Neither Heimdal nor KTH Kerberos 4 use getnetby*() directly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Lotus Software Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Lucent Technologies Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

MandrakeSoft Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Men&Mice Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

MiT Kerberos Development Team Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Microsoft Corporation Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

MontaVista Software Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

NEC Corporation Unknown

Notified: November 12, 2002 Updated: April 04, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Network Appliance Unknown

Notified: November 12, 2002 Updated: April 04, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Nixu Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Nokia Unknown

Notified: November 12, 2002 Updated: November 13, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Nominum Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Nortel Networks __ Unknown

Notified: November 12, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

Nortel Networks is determining whether NetID or Optivity NMS are potentially affected by the vulnerabilities identified in CERT/CC Advisory CA-2002-31 and will update this Vendor Statement accordingly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

OpenSSH Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

PuTTY Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Red Hat Inc. Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Sequent Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Sony Corporation Unknown

Notified: November 12, 2002 Updated: November 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

SuSE Inc. Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

The Open Group Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Trend Micro Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Trustix __ Unknown

Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<<http://www.trustix.net/errata/misc/2002/TSL-2002-0076-bind.asc.txt&gt;&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Unisys Unknown

Notified: November 12, 2002 Updated: April 04, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Wind River Systems Inc. Unknown

Notified: November 12, 2002 Updated: November 12, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Wirex Unknown

Notified: November 12, 2002 Updated: November 13, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

Xi Graphics Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

YARD RADIUS Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

djbdns Unknown

Notified: November 12, 2002 Updated: February 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

fetchmail Unknown

Notified: November 14, 2002 Updated: November 14, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23844360 Feedback>).

View all 66 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported by CERT/CC staff.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-0029
CERT Advisory: CA-2002-31 Severity Metric:

Related

nessus 11
openvas 6
securityvulns 1
cert 5
osv 1
debian 1
suse 2
nvd 5
cvelist 5
cve 5
debiancve 5
f5 2
redhat 1
freebsd 1
nmap 1
nessus
nessus
Debian DSA-196-1 : bind - several vulnerabilities
2004-09-29 00:00:00
ISC BIND < 8.3.4 Multiple Remote Vulnerabilities
2002-03-08 00:00:00
SUSE-SA:2002:044: bind8
2004-07-25 00:00:00
openvas
openvas
HP-UX Update for BIND HPSBUX00233
2009-05-05 00:00:00
HP-UX Update for BIND HPSBUX00233
2009-05-05 00:00:00
Debian Security Advisory DSA 196-1 (bind)
2008-01-17 00:00:00
securityvulns
securityvulns
CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND
2002-11-14 00:00:00
cert
cert
Various DNS service implementations generate multiple simultaneous queries for the same resource record
2002-11-19 00:00:00
Cached malformed SIG record buffer overflow
2002-11-13 00:00:00
ISC BIND 8 fails to properly dereference cache SIG RR elements with invalid expiry times from the internal database
2002-11-13 00:00:00
osv
osv
bind - several vulnerabilities
2002-11-14 00:00:00
debian
debian
[SECURITY] [DSA-196-1] New BIND packages fix several vulnerabilities
2002-11-14 17:04:23
suse
suse
remote command execution in bind8
2002-11-14 10:23:37
buffer overflow in bind, glibc
2002-07-10 20:26:06
nvd
nvd
CVE-2002-0029
2002-11-29 05:00:00
CVE-2002-0684
2002-08-12 04:00:00
CVE-2002-1221
2002-11-29 05:00:00
cvelist
cvelist
CVE-2002-0029
2002-11-21 05:00:00
CVE-2002-0684
2002-07-31 04:00:00
CVE-2002-1221
2004-09-01 04:00:00
cve
cve
CVE-2002-0029
2002-11-29 05:00:00
CVE-2002-0684
2002-08-12 04:00:00
CVE-2002-1220
2004-09-01 04:00:00
debiancve
debiancve
CVE-2002-0029
2002-11-29 05:00:00
CVE-2002-1221
2004-09-01 04:00:00
CVE-2002-0684
2002-08-12 04:00:00
f5
f5
SOL3284 - Buffer overflows in stub resolver libraries - CAN-2002-0029
2004-08-10 00:00:00
Buffer overflows in stub resolver libraries - CAN-2002-0029
2004-08-11 04:00:00
redhat
redhat
(RHSA-2004:383) glibc security update
2004-08-04 00:00:00
freebsd
freebsd
linux_base -- vulnerabilities in Red Hat 7.1 libraries
2004-09-27 00:00:00
nmap
nmap
vulners NSE Script
2019-06-26 17:06:44

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.936 High

EPSS

Percentile

99.1%

JSON
Related for VU:844360
nessus11openvas6securityvulns1cert5osv1debian1suse2nvd5cvelist5cve5debiancve5f52redhat1freebsd1nmap1