[LWN Logo]
[Timeline]
Date:         Wed, 31 Jan 2001 13:23:21 -0800
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
Subject:      FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:18                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          BIND remotely exploitable buffer overflow

Category:       core, ports
Module:         bind
Announced:      2001-01-31
Credits:	COVERT Labs <seclabs@NAI.COM>
                Claudio Musmarra
Affects:        All released versions of FreeBSD 3.x, 4.x.
		FreeBSD 3.5-STABLE prior to the correction date.
		FreeBSD 4.2-STABLE prior to the correction date.
		Ports collection prior to the correction date.
Corrected:      2001-01-30 (FreeBSD 3.5-STABLE)
		2001-01-29 (FreeBSD 4.2-STABLE)
		2001-01-29 (Ports collection)
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

BIND is an implementation of the Domain Name Service (DNS) protocols.

II.  Problem Description

An overflowable buffer related to the processing of transaction
signatures (TSIG) exists in all versions of BIND prior to
8.2.3-RELEASE.  The vulnerability is exploitable regardless of
configuration options and affects both recursive and non-recursive DNS
servers.

Additional vulnerabilities allow the leaking of environment variables
and the contents of the program stack.  These vulnerabilities may
assist the ability of attackers to exploit the primary vulnerability
described above, and make provide additional information about the
state or configuration of the system.

All previous versions of BIND 8, such as the beta versions included in
FreeBSD 4.x prior to the correction date (designated the version
number BIND 8.2.3-T<#>B) are vulnerable to this problem.  Systems
running versions of BIND 9.x (available in the FreeBSD ports
collection) are unaffected.

Further information about the vulnerabilities is contained in the CERT
advisory located at:

http://www.cert.org/advisories/CA-2001-02.html

Note that this advisory also describes vulnerabilities in the BIND 4.x
software, which is not included in any recent version of FreeBSD.

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem, if they have been configued to run named (this is not enabled
by default).  In addition, the bind8 port in the ports collection
(versions prior to 8.2.3) is also vulnerable.

To check whether a DNS server is running a vulnerable version of BIND,
perform the following command as any user:

% dig @serverip version.bind. CHAOS TXT

The following segment of output indicates a non-vulnerable server
running BIND 8.2.3-RELEASE:

...
;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"
...

III. Impact

Malicious remote users can cause arbitrary code to be executed as the
user running the named daemon.  This is often the root user, although
FreeBSD provides built-in support for the execution of named as an
unprivileged 'bind' user, which greatly limits the scope of the
vulnerability should a successful penetration take place.

IV.  Workaround

There is no known practical workaround to prevent the vulnerability
from being exploited, short of upgrading the software.  A partial
workaround to limit the impact of the vulnerability should it be
exploited is to run named as an unprivileged user.

Add the following line to /etc/rc.conf:

named_flags="-u bind -g bind"  # Flags for named

Add the following line to your /etc/namedb/named.conf file, in the
"options" section:

	pid-file "/var/named/named.pid";

See the named.conf(5) manual page for more details about configuring
named.

Perform the following commands as root:

Create a directory writable by the bind user where named can store its
pid file:

# mkdir /var/named
# chown bind:bind /var/named

Shut down the DNS server:

# ndc stop

Restart it using the non-privileged user and group:

# ndc -p /var/named/named.pid start -u bind -g bind

Note that when not running as the root user, named will lose the
ability to re-bind to interfaces which change address, or which are
added to the system after named has been started.  If such an event
takes place, named will need to be stopped and restarted in order to
re-bind to the interface(s).  See the ndc(8) manual page for more
information about how to do this.

Use of the -t option to named will also increase security when run as
a non-privileged user by confining the named process to a chroot
environment and thereby partially limiting the access it has to the
rest of the system.  Configuration of these options is beyond the
scope of the advisory.  The following website contains information
which may be useful to administrators wishing to perform this step:

http://www.losurs.org/docs/howto/Chroot-BIND.html

Note that this tutorial does not specifically relate to FreeBSD, and
the information contained therein may need to be modified for FreeBSD
systems.

Note that such a penetration of the unprivileged bind user may still
allow the attacker to take advantage of a local security vulnerability
or misconfiguration to further increase privileges.  Therefore this
should only be considered a temporary workaround while preparations
can be made to upgrade permanently.

It is recommended that all affected users upgrade their systems
immediately as described in the following section.

V.   Solution

Note that BIND 8.2.3-RELEASE is more strict about invalid zone file
syntax than older versions.  DNS zones which contain errors may need
to be corrected before the new version can be run.

[Base system]

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

A binary tarball containing the updated BIND files may be released in
a few days, but is being held back for quality assurance reasons.  In
the meantime an unofficial tarball is available from the following
location.  Users are advised that the following tarball has not been
tested on a production system, and those wishing to perform an upgrade
without upgrading the entire OS are advised to use the bind8 port as
described below.

http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc

To fetch and install it, perform the following actions as root:

# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc

Verify the detached PGP signature using your PGP utility.

# cd /
# tar xvfz /path/to/bind-8.2.3-4.x.tgz

Stop and restart the named process as shown:

# ndc restart

See the note in the previous section about how to restart ndc as a
non-privileged user if it has been configued to run that way.

[Ports collection]

If you have chosen to install BIND from the ports collection and are
using it instead of the version in the base system, perform one of the
following steps:

1) Update your entire ports collection and rebuild the bind8 port.

If you are installing the port for the first time, be sure to edit the
named_program variable in /etc/rc.conf to point to the installed
location of the named executable.

The bind8 port can be configured to install itself in /usr and read
configuration data from /etc so that it is drop-in compatible with the
system version of BIND.  Install the port as follows:

# cd /usr/ports/net/bind8
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
 DESTRUN=/var/run all install clean

If you install the BIND port over the top of the system version in
this way, be sure to add the following line to /etc/make.conf to
prevent the future rebuilding of the system version during 'make
world':

NO_BIND=       true    # do not build BIND

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.3.tgz

NOTE: It may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) download a new port skeleton for the bind8 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.  The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOniArlUuHi5z0oilAQGE+AQAiwizuORMqyzOw21QFyap2Z7lv7BkYuiC
9zZ97X3WR+i8AujTfIrhwK1UdO6KFbp5Rjc54f3XHtaMotoRcp3x24xADpGQDP4s
Xyw267ZoV7ZYuG6VcAgBzq9pqiCnU9rqRQy2aRn/8iCvcl/G5249B3DuMMtLiMw+
Iuz0OOxWeLM=
=hanM
-----END PGP SIGNATURE-----