-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Multiple Remote Vulnerabilities in BIND
Advisory number:        CSSA-2003-SCO.17.1
Issue date:             2003 September 10
Cross reference:        sr871560 fz526617 erg712158
______________________________________________________________________________


1. Problem Description

    ISS X-Force has discovered several serious vulnerabilities in the
    Berkeley Internet Name Domain Server (BIND). BIND is the most common
    implementation of the DNS (Domain Name Service) protocol, which is
    used on the vast majority of DNS servers on the Internet. DNS is a
    vital Internet protocol that maintains a database of easy-to-remember
    domain names (host names) and their corresponding numerical IP
    addresses.

    Impact:

    The vulnerabilities described in this advisory affect nearly all
    currently deployed recursive DNS servers on the Internet. The DNS
    network is considered a critical component of Internet
    infrastructure. There is no information implying that these exploits
    are known to the computer underground, and there are no reports of
    active attacks. If exploits for these vulnerabilities are developed
    and made public, they may lead to compromise and DoS attacks against
    vulnerable DNS servers. Since the vulnerability is widespread, an
    Internet worm may be developed to propagate by exploiting the flaws
    in BIND. Widespread attacks against the DNS system may lead to
    general instability and inaccuracy of DNS data.

    Affected Versions:

    BIND SIG Cached RR Overflow Vulnerability
        BIND 8, versions up to and including 8.3.3-REL
        BIND 4, versions up to and including 4.9.10-REL

    BIND OPT DoS
        BIND 8, versions 8.3.0 up to and including 8.3.3-REL

    BIND SIG Expiry Time DoS
        BIND 8, versions up to and including 8.3.3-REL

    Description:

    BIND SIG Cached RR Overflow Vulnerability

    A buffer overflow exists in BIND 4 and 8 that may lead to remote
    compromise of vulnerable DNS servers. An attacker who controls any
    authoritative DNS server may cause BIND to cache DNS information
    within its internal database, if recursion is enabled. Recursion is
    enabled by default unless explicitly disabled via command line
    options or in the BIND configuration file. Attackers must either
    create their own name server that is authoritative for any domain,
    or compromise any other authoritative server with the same criteria.
    Cached information is retrieved when requested by a DNS client.
    There is a flaw in the formation of DNS responses containing SIG
    resource records (RR) that can lead to buffer overflow and execution
    of arbitrary code.

    BIND OPT DoS

    Recursive BIND 8 servers can be caused to abruptly terminate due to
    an assertion failure. A client requesting a DNS lookup on a
    nonexistent subdomain of a valid domain name may cause BIND 8 to
    terminate by attaching an OPT resource record with a large UDP
    payload size. This DoS may also be triggered for queries on domains
    whose authoritative DNS servers are unreachable.

    BIND SIG Expiry Time DoS

    Recursive BIND 8 servers can be caused to abruptly terminate due to
    a null pointer dereference. An attacker who controls any
    authoritative name server may cause vulnerable BIND 8 servers to
    attempt to cache SIG RR elements with invalid expiry times. These
    are removed from the BIND internal database, but later improperly
    referenced, leading to a DoS condition.

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

        CAN-2002-1219   BIND SIG Cached RR Overflow Vulnerability
        CAN-2002-1220   BIND OPT DoS
        CAN-2002-1221   BIND SIG Expiry Time DoS

    ISC BIND
    http://www.isc.org/products/BIND


2. Vulnerable Supported Versions

    System                          Binaries
    ----------------------------------------------------------------------
    OpenServer 5.0.7                etc/named
                                    etc/named-xfer
                                    etc/dig
                                    etc/host
                                    etc/nsupdate
                                    etc/dnsquery
                                    etc/addr

    OpenServer 5.0.6                etc/named
                                    etc/named-xfer
                                    etc/dig
                                    etc/host
                                    etc/nsupdate
                                    etc/dnsquery
                                    etc/addr

    OpenServer 5.0.5                etc/named
                                    etc/named-xfer
                                    etc/dig
                                    etc/host
                                    etc/nsupdate
                                    etc/dnsquery
                                    etc/addr


3. Solution

    The proper solution is to install the latest packages.


4. OpenServer 5.0.7

    4.1 Install Maintenance pack 1.

    4.2 Location of Maintenance pack 1.

        ftp://ftp.sco.com/pub/openserver5/osr507mp/

    4.3 Installing Maintenance pack 1.

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
           images, and specify the /tmp directory as the location of
           the images.


5. OpenServer 5.0.6

    5.1 First install oss646b - Execution Environment Supplement

    5.2 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.17

    5.3 Verification

        MD5 (VOL.000.000) = 9e8b7bd8eab2ec474b51add1217a945f

        md5 is available for download from
            ftp://ftp.sco.com/pub/security/tools

    5.4 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
           images, and specify the /tmp directory as the location of
           the images.


6. OpenServer 5.0.5

    6.1 First install oss646b - Execution Environment Supplement

    6.2 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.17

    6.3 Verification

        MD5 (VOL.000.000) = 9e8b7bd8eab2ec474b51add1217a945f

        md5 is available for download from
            ftp://ftp.sco.com/pub/security/tools

    6.4 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
           images, and specify the /tmp directory as the location of
           the images.


8. References

    Specific references for this advisory:

        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1220
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221
        http://www.isc.org/products/BIND/bind-security.html
        http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469

    SCO security resources:

        http://www.sco.com/support/security/index.html

    This security fix closes SCO incidents sr871560 fz526617 erg712158.


9. Disclaimer

    SCO is not responsible for the misuse of any of the information we
    provide on this website and/or through our security advisories. Our
    advisories are a service to our customers intended to promote secure
    installation and use of SCO products.


10. Acknowledgments

    These vulnerabilities were discovered and researched by Neel Mehta
    of the ISS X-Force.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/X5OnaqoBO7ipriERAluRAJ0eDTa5L/x17if4aVNDXyxBO3SJ2QCcCE/6
b6VVwa/XrxyqWUfn4Jc3MZs=
=qgGb
-----END PGP SIGNATURE-----
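The verification step in sections 5.3 and 6.3 publishes a single BSD-style digest line, "MD5 (VOL.000.000) = ...", and expects the administrator to check the downloaded images against it before running custom. The following Python script is an added example, not part of the SCO advisory and not the SCO md5 tool it points to: it parses digest lines in that "MD5 (name) = hex" format, streams each named file through MD5, and reports per-file ok/mismatch/missing so that the install step runs only when every image verifies. The file names and hashes in demo() are constructed for the demo (d41d8cd9... is the well-known MD5 of empty input; the all-zero hash is a placeholder nothing will match).

```python
"""Verify downloaded update images against the MD5 lines printed in an
SCO advisory, e.g. "MD5 (VOL.000.000) = 9e8b7bd8eab2ec474b51add1217a945f".

Added example; not the advisory's own code and not SCO's md5 tool.
The demo file names and hashes are constructed.
"""
import hashlib
import hmac
import os
import re
import tempfile

# One BSD-style digest line: "MD5 (VOL.000.000) = <32 hex chars>".
# Anything else (prose around the hash in the advisory) is ignored.
MANIFEST_LINE = re.compile(
    r"^MD5\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hash>[0-9a-fA-F]{32})\s*$"
)


def parse_manifest(text):
    """Return {filename: expected_md5_lowercase} from manifest text."""
    expected = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("hash").lower()
    return expected


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file so large VOL images need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory, expected):
    """Check every file named in the manifest.

    Returns {filename: "ok" | "mismatch" | "missing"}. compare_digest is
    used so the hex comparison does not short-circuit on the first
    differing character."""
    results = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        got = md5_of_file(path)
        results[name] = "ok" if hmac.compare_digest(got, want) else "mismatch"
    return results


def all_ok(results):
    """True only when the manifest is non-empty and every entry verified;
    gate the 'custom' install on this."""
    return bool(results) and all(s == "ok" for s in results.values())


def demo():
    """Constructed demo: one correct image, one altered/truncated one,
    and one that was never downloaded."""
    manifest = (
        "MD5 (VOL.000.000) = d41d8cd98f00b204e9800998ecf8427e\n"  # MD5 of empty input
        "MD5 (VOL.000.001) = 00000000000000000000000000000000\n"  # placeholder, will not match
        "MD5 (VOL.000.002) = d41d8cd98f00b204e9800998ecf8427e\n"
        "md5 is available for download from ftp://ftp.sco.com/pub/security/tools\n"
    )
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "VOL.000.000"), "wb").close()  # empty file -> ok
        with open(os.path.join(d, "VOL.000.001"), "wb") as f:
            f.write(b"truncated or altered download")  # -> mismatch
        # VOL.000.002 is deliberately never written -> missing
        results = verify_directory(d, parse_manifest(manifest))
    return results


if __name__ == "__main__":
    r = demo()
    for name, status in sorted(r.items()):
        print(f"{name}: {status}")
    print("safe to run custom:", all_ok(r))
```

In practice you would paste the advisory's digest line into the manifest and point verify_directory at /tmp after step 1 of the install sequence, only proceeding to custom when all_ok returns True. Note that MD5 here detects a corrupted or incomplete download; the advisory's PGP signature over the whole message, not the MD5 alone, is what ties the published hash to SCO.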