From security-advisories@FreeBSD.org Wed Jan 31 23:39:10 2001 From: FreeBSD Security Advisories To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 31 Jan 2001 13:23:21 -0800 Subject: [BUGTRAQ] FreeBSD Security Advisory: FreeBSD-SA-01:18.bind -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:18 Security Advisory FreeBSD, Inc. Topic: BIND remotely exploitable buffer overflow Category: core, ports Module: bind Announced: 2001-01-31 Credits: COVERT Labs Claudio Musmarra Affects: All released versions of FreeBSD 3.x, 4.x. FreeBSD 3.5-STABLE prior to the correction date. FreeBSD 4.2-STABLE prior to the correction date. Ports collection prior to the correction date. Corrected: 2001-01-30 (FreeBSD 3.5-STABLE) 2001-01-29 (FreeBSD 4.2-STABLE) 2001-01-29 (Ports collection) Vendor status: Updated version released FreeBSD only: NO I. Background BIND is an implementation of the Domain Name Service (DNS) protocols. II. Problem Description An overflowable buffer related to the processing of transaction signatures (TSIG) exists in all versions of BIND prior to 8.2.3-RELEASE. The vulnerability is exploitable regardless of configuration options and affects both recursive and non-recursive DNS servers. Additional vulnerabilities allow the leaking of environment variables and the contents of the program stack. These vulnerabilities may assist the ability of attackers to exploit the primary vulnerability described above, and make provide additional information about the state or configuration of the system. All previous versions of BIND 8, such as the beta versions included in FreeBSD 4.x prior to the correction date (designated the version number BIND 8.2.3-T<#>B) are vulnerable to this problem. Systems running versions of BIND 9.x (available in the FreeBSD ports collection) are unaffected. Further information about the vulnerabilities is contained in the CERT advisory located at: http://www.cert.org/advisories/CA-2001-02.html Note that this advisory also describes vulnerabilities in the BIND 4.x software, which is not included in any recent version of FreeBSD. All versions of FreeBSD 3.x and 4.x prior to the correction date including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem, if they have been configued to run named (this is not enabled by default). In addition, the bind8 port in the ports collection (versions prior to 8.2.3) is also vulnerable. To check whether a DNS server is running a vulnerable version of BIND, perform the following command as any user: % dig @serverip version.bind. CHAOS TXT The following segment of output indicates a non-vulnerable server running BIND 8.2.3-RELEASE: ... ;; ANSWER SECTION: VERSION.BIND. 0S CHAOS TXT "8.2.3-REL" ... III. Impact Malicious remote users can cause arbitrary code to be executed as the user running the named daemon. This is often the root user, although FreeBSD provides built-in support for the execution of named as an unprivileged 'bind' user, which greatly limits the scope of the vulnerability should a successful penetration take place. IV. Workaround There is no known practical workaround to prevent the vulnerability from being exploited, short of upgrading the software. A partial workaround to limit the impact of the vulnerability should it be exploited is to run named as an unprivileged user. Add the following line to /etc/rc.conf: named_flags="-u bind -g bind" # Flags for named Add the following line to your /etc/namedb/named.conf file, in the "options" section: pid-file "/var/named/named.pid"; See the named.conf(5) manual page for more details about configuring named. Perform the following commands as root: Create a directory writable by the bind user where named can store its pid file: # mkdir /var/named # chown bind:bind /var/named Shut down the DNS server: # ndc stop Restart it using the non-privileged user and group: # ndc -p /var/named/named.pid start -u bind -g bind Note that when not running as the root user, named will lose the ability to re-bind to interfaces which change address, or which are added to the system after named has been started. If such an event takes place, named will need to be stopped and restarted in order to re-bind to the interface(s). See the ndc(8) manual page for more information about how to do this. Use of the -t option to named will also increase security when run as a non-privileged user by confining the named process to a chroot environment and thereby partially limiting the access it has to the rest of the system. Configuration of these options is beyond the scope of the advisory. The following website contains information which may be useful to administrators wishing to perform this step: http://www.losurs.org/docs/howto/Chroot-BIND.html Note that this tutorial does not specifically relate to FreeBSD, and the information contained therein may need to be modified for FreeBSD systems. Note that such a penetration of the unprivileged bind user may still allow the attacker to take advantage of a local security vulnerability or misconfiguration to further increase privileges. Therefore this should only be considered a temporary workaround while preparations can be made to upgrade permanently. It is recommended that all affected users upgrade their systems immediately as described in the following section. V. Solution Note that BIND 8.2.3-RELEASE is more strict about invalid zone file syntax than older versions. DNS zones which contain errors may need to be corrected before the new version can be run. [Base system] Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the respective correction dates. A binary tarball containing the updated BIND files may be released in a few days, but is being held back for quality assurance reasons. In the meantime an unofficial tarball is available from the following location. Users are advised that the following tarball has not been tested on a production system, and those wishing to perform an upgrade without upgrading the entire OS are advised to use the bind8 port as described below. http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc To fetch and install it, perform the following actions as root: # fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz # fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc Verify the detached PGP signature using your PGP utility. # cd / # tar xvfz /path/to/bind-8.2.3-4.x.tgz Stop and restart the named process as shown: # ndc restart See the note in the previous section about how to restart ndc as a non-privileged user if it has been configued to run that way. [Ports collection] If you have chosen to install BIND from the ports collection and are using it instead of the version in the base system, perform one of the following steps: 1) Update your entire ports collection and rebuild the bind8 port. If you are installing the port for the first time, be sure to edit the named_program variable in /etc/rc.conf to point to the installed location of the named executable. The bind8 port can be configured to install itself in /usr and read configuration data from /etc so that it is drop-in compatible with the system version of BIND. Install the port as follows: # cd /usr/ports/net/bind8 # make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \ DESTRUN=/var/run all install clean If you install the BIND port over the top of the system version in this way, be sure to add the following line to /etc/make.conf to prevent the future rebuilding of the system version during 'make world': NO_BIND= true # do not build BIND 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.3.tgz NOTE: It may be several days before updated packages are available. [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the bind8 port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOniArlUuHi5z0oilAQGE+AQAiwizuORMqyzOw21QFyap2Z7lv7BkYuiC 9zZ97X3WR+i8AujTfIrhwK1UdO6KFbp5Rjc54f3XHtaMotoRcp3x24xADpGQDP4s Xyw267ZoV7ZYuG6VcAgBzq9pqiCnU9rqRQy2aRn/8iCvcl/G5249B3DuMMtLiMw+ Iuz0OOxWeLM= =hanM -----END PGP SIGNATURE-----