Risk
Medium
Overview
Symantec is aware of a denial of service (DoS) vulnerability discovered in the Internet Security Consortium (ISC) 9.x versions of the Berkley Internet Name Domain (BIND) server. Successful exploitation of this vulnerability will shut down a vulnerable name server until cleared by a manual reboot of the affected system. ISC BIND versions 4.x and 8.x are not susceptible to this vulnerability.
Affected Components
All versions of ISC BIND from 9.x through 9.2.0
Description
BIND is an implementation of the Domain Name Server (DNS), which translates domain names into IP addresses for network services. A DoS attack on a vulnerable BIND server could result in local network and, potentially, Internet instability.
ISC discovered a logic error in their 9.x version of BIND. This flaw can be exploited by sending a specifically malformed DNS packet to cause an internal consistency check failure. This results in an improperly handled error message and causes the name server to be halted. A manual restart is required.
Recommendations
ISC has released BIND version 9.2.1, which fixes this vulnerability. Symantec recommends that anyone currently running a vulnerable version of ISC BIND 9.x update immediately to version 9.2.1.
Software vendors who have implemented ISC BIND version 9.x in their operating systems are issuing updates to address this issue. Additional information on vulnerable vendor versions and fix availability can be found in "Appendix A. - Vendor Information" in CERT Advisory CA-2002-015.
Symantec Security Response
Symantec recommends the following best practice for reducing exposure to vulnerabilities such as this. Keep your patch levels up-to-date, particularly on those systems that host public services and are accessible through the firewall (for example, HTTP, FTP, mail, and DNS services). Keeping mission-critical system versions updated and all security patches applied reduces risk exposure.
Symantec Enterprise Solutions
NetRecon, Symantec's vulnerability assessment tool, currently provides several BIND checks. A check for vulnerable ISC BIND 9.x Versions is included in SU9, which is available through LiveUpdate.
NetProwler, Symantec's network-based intrusion detection tool, will include detection for remote BIND version queries in SU18, which will be available for download through the product's update capabilities.
CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0400 to this issue.
These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Reference
CERT Advisory CA-2002-015
Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this Alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Alert in medium other than electronically requires permission from
Sym Security, symsecurity@symantec.com.
Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.
Symantec Corporation, Symantec product names, Symantec Security Response, and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
