UNIRAS (UK Gov CERT) Advisory Type: Alert Title: Vulnerability Issues with the BIND 8 Software
Abstract: BIND uses a certain array to track nameservers/addresses that have been queried; it is possible to remotely overrun the buffer for this array and hence cause a denial-of-service.
NISCC Comment: A remote buffer overrun vulnerability concerning BIND 8 has been discovered by the Internet
Systems Consortium, Inc. (ISC). Vendors affected: Operating Systems affected: Applications/Services affected: BIND v8.4.4 and v8.4.5 Patch: Avaliable on-line Patch effective: Yes Impact: Denial of service NISCC Vulnerability Advisory 454305/NISCC/BIND8
Vulnerability Issues with the BIND 8 Software
Version Information
-------------------
Advisory Reference 454305/NISCC/BIND8
Release Date 25 Jan 2005
Last Revision 21 Jan 2005
Version Number 1.0
What is affected?
-----------------
The vulnerability only affects BIND v8.4.4 and v8.4.5.
Severity
--------
This is rated as low, although if exploited this could potentially result in a
denial-of-service.
Summary
-------
A remote buffer overrun vulnerability concerning BIND 8 has been discovered by the Internet
Systems Consortium, Inc. (ISC).
ISC have solutions available that can rectify these issues, please refer to the
'Solution' section for further information.
[Please note that revisions to this advisory will not be notified by email. All
subscribers are advised to regularly check the NISCC website
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]
Details
-------
CVE ID: CAN-2005-0033
BIND uses a certain array to track nameservers/addresses that have been queried; it is possible to
remotely overrun the buffer for this array and hence cause a denial-of-service.
Mitigation
----------
ISC have recommended the following work-around:
- Disable recursion and glue fetching
Solution
--------
ISC have released an updated version of BIND to rectify this issue:
- BIND 8.4.6
This is available from the ISC website at http://www.isc.org/sw/bind/.
ISC have also produced a patch for users who cannot upgrade to BIND 8.4.6; please contact
the NISCC Vulnerability Team at vulteam@niscc.gov.uk if you wish to receive the patch.
Vendor Information
------------------
Internet Systems Consortium, Inc. (ISC) is a non-profit public benefit corporation
dedicated to supporting the infrastructure of the Internet. Please visit
http://www.isc.org for further information regarding ISC.
Credits
-------
The NISCC Vulnerability Team would like to thank ISC for reporting this issue to NISCC and
for their assistance in the handling of this vulnerability.
Contact Information
-------------------
The NISCC Vulnerability Management Team can be contacted as follows:
Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line
Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00
Fax +44 (0)870 487 0749
Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG
We encourage those who wish to communicate via email to make use of our PGP key. This is available
from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.
Please note that UK government protectively marked material should not be sent to the email address
above.
If you wish to be added to our email distribution list please email your request to
uniras@niscc.gov.uk.
|