Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs

Multiple Vendor libc DNS Resolver Buffer Overflow Vulnerability

Solution:
An initial workaround of using a trusted caching DNS server to reconstruct DNS answers was a sufficient workaround. It has since been discovered that this is not a sufficient workaround, and that the only way to properly resolve this vulnerability is to installed fixed resolver libraries.

For users of BIND 8, Tim Gladding <tim@gladding.com> has contributed an unofficial BIND 9 patch which may alleviate some difficulties with migration involving the 'multiple-cnames yes;' option in BIND 8. Details are available in his BugTraq post, available as a reference.

Upgrade to the latest version of BIND to eliminate vulnerabilities found in earlier versions. As of this writing, the most current version is 9.2.2.

BIND is available for download from URL:
http://www.isc.org/products/BIND/bind9.html

An alternative solution is to a apply vendor specific patch. Users should check with their particular vendor to determine the status of their specific patches.

It should be noted that binaries statically linked to libc will need to be recompiled with fixed libraries.

System administrators should contact their individual vendor for upgrade or patch information to fix the BIND DNS resolver code buffer overflow vulnerability.

DNS resolver libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.

Applications that are statically linked must be recompiled using patched resolver libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched resolver libraries.

System administrators should consider the following process when addressing this issue:
1. Patch or obtain updated resolver libraries.
2. Restart any dynamically linked services that make use of the resolver libraries.
3. Recompile any statically linked applications using the patched or updated resolver libraries.

HP has released a revised advisory (HPSBUX0208-209(rev.15)) to address this issue in affected HP-UX systems. Customers who are affected by this issue are advised to apply appropriate patches. Further information regarding obtaining and applying patches is available in the referenced advisory.

HP has released an updated advisory HPSBUX0208-209(rev.14) for HP-UX systems. Preliminary updates for HP-UX 11 and 11.11 are available. Further information on obtaining and applying fixes is available in the referenced HP advisory (HPSBUX0208-209).

FreeBSD releases RELENG_4_5 and RELENG_4_6 are fixed as of 06 June 2002.

FreeBSD has released other upgrades. Users are advised to upgrade their Ports
collection and reinstall the affected port.

OpenBSD and FreeBSD patches are available.

Compaq has stated that the impact of this vulnerability is currently being investigated, and has been assigned incident number x-ref:SSRT2270.

Cray has announced that UNICOS is affected by this issue, and has assigned incident ID SPR 722619 to track this issue.

The ISC has announced that BIND 9 is also affected by this vulnerability. ISC BIND 9.2.2 has been released to address this issue in BIND 9.2.x.

Network Appliance has stated that some NetApp systems may be affected, but has not made details publicly available. Users are advised to check NOW (http://now.netapp.com) for further information.

SGI has stated that they are investigating the impact, but have made no further details available.

Apple has announced that Mac OS X and OS X Server are not affected by this issue.

Users of Astaro Secure Linux 2.x are advised to use Up2Date to upgrade to version 2.027.

Users of GNU glibc are advised to update to versions more recent than 2.1.2. Additional vulnerabilities in the process of resolving network names and addresses through DNS can be worked around by editing the file /etc/nsswitch.conf and ensuring that the 'networks:' line does not specify that DNS be used.

SuSE has suggested that users set the approriate line to read 'networks: files'. SuSE reports that updated glibc packages will be made available in the near future.

HP has recommended that users of HP Secure OS version 1.0 apply the appropriate fixes described in Red Hat Security Advisory RHSA-2002:139.

Caldera has released an advisory with updates. See the attached Caldera advisory for details on obtaining fixes.

HP has made temporary BIND upgrades available for HP-UX installations. The files are located at the following server:

System: hprc.external.hp.com (192.170.19.51)
Login: bind
Password: bind1

HP has updated the fix for HP-UX 10.20. In HP-UX 10.20, the DNS API was part of the C library. The fix now includes an update for the statically linked library. Any programs which used the DNS API must be relinked. HP claims to know of no such programs included by default, however they may be detected by issuing the following command:

strings -a suspect_program | grep "Too many addresses (%d)"

If the string is present, the suspected program should be relinked with the corrected libc.a included in PHCO_26152.depot.

HP has released an updated advisory, HPSBUX0209-218 (rev .1), stating several HP peripheral devices are vulnerable. A firmware upgrade which addresses this issue is available for HP JetDirect Print Servers. Further information on how to obtain and apply the firmware can be found in the attached advisory.

Users of EnGarde Secure Linux are advised to upgrade vulnerable glibc libraries by installing the RPMs listed in the advisory. Further details can be found in the referenced advisory.

NetBSD has issued a new advisory 2002-015. NetBSD 1.6 is not affected by this issue. Users are strongly urged to upgrade their systems to NetBSD 1.6 or to update to the most recent sources of the appropriate branches. Further details are available in the referenced NetBSD advisory.

Conectiva has released an advisory (CLA-2002:535) which contains upgrades. See the referenced advisory for further details on obtaining fixes.

A security fix was provided on October 1st, 2002 for Openwall GNU/*/Linux. Users should contact the vendor to obtain fixed glibc packages.

Red Hat has released a new advisory (RHSA-2002:197-09). Updated glibc and nscd RPMs are available. See the attached advisory for details on obtaining fixes.

Updates are available for Sorceror Linux. These updates can be applied using the following command:

augur synch && augur update

HP has updated security bulletin HPSBUX0208-209. New information about obtaining and applying fixes are available in the referenced advisory.

HP has released HPSBUX0208-209 (rev.12) containing fix information for HP-UX B.10.20 and B.11.04. See the updated advisory for details.

HP has released HPSBUX0208-209 (rev.16) containing fix information. See the updated advisory for details.

Updates are available:


Sun Solaris 8

OpenBSD OpenBSD 3.0

IBM AIX 5.1
  • IBM IY32746


Sun Solaris 7.0

OpenBSD OpenBSD 3.1

HP HP-UX 11.22

GNU glibc 2.1.3

GNU glibc 2.2.2

GNU glibc 2.2.3

GNU glibc 2.2.4

IBM AIX 4.3
  • IBM IY32719


FreeBSD FreeBSD 4.5 -RELEASE

FreeBSD FreeBSD 4.6

ISC BIND 4.9

ISC BIND 4.9.4

ISC BIND 4.9.5

ISC BIND 4.9.6

ISC BIND 4.9.7

ISC BIND 4.9.8

SCO Open Server 5.0.5

SCO Open Server 5.0.6

ISC BIND 8.1.1

ISC BIND 8.1.2

ISC BIND 8.2

ISC BIND 8.2.1

ISC BIND 8.2.2 p4

ISC BIND 8.2.2 p7

ISC BIND 8.2.2 p1

ISC BIND 8.2.2 p3

ISC BIND 8.2.2 p6

ISC BIND 8.2.2 p5

ISC BIND 8.2.3

ISC BIND 8.2.4

ISC BIND 8.2.5

ISC BIND 9.0

ISC BIND 9.1

ISC BIND 9.1.2

ISC BIND 9.2.1







 

Privacy Statement
Copyright 2008, SecurityFocus