BIND Inverse-Query buffer overflow allows remote root access

Risk Level: High

Check or Attack Name: Bind bo

Platforms: BIND

Description:

A buffer overflow exists in BIND versions prior to 4.9.7, and BIND versions prior to 8.1.2. A malicious remote user can send a specially formatted inverse-query TCP stream that would crash the BIND server and allow the attacker to gain root access.

Remedy:

Disable inverse queries, upgrade to BIND 8.1.2 (or, less desirably, upgrade to BIND 4.9.7), or apply the patch.

The inverse query feature is disabled by default, so only the systems that have been explicitly configured to allow it are vulnerable. In BIND 8, review the "options" block in the configuration file (typically /etc/named.conf). If there is a "fake-iquery yes;" line, then the server is vulnerable. In BIND 4.9, examine the "options" lines in the configuration file (typically /etc/named.boot). If there is a line containing "fake-iquery," then the server is vulnerable.

In addition, in BIND 4.9 (unlike BIND 8) inverse query support can also be enabled at compile time. Examine conf/options.h in the source; if the line that #defines INVQ is not commented out, then the server is vulnerable.
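The three configuration checks above (named.conf options block, named.boot options line, INVQ in conf/options.h) as an added audit script; this is example code written for this page, not part of the advisory or of BIND. File paths are passed as arguments, and the sample files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the three places the remedy
# names for inverse-query support and print "vulnerable" or "ok" per file.

# BIND 8 named.conf: "fake-iquery yes;" inside the options block. Comments
# (// and #) are stripped and braces are counted, so nested statements such
# as "listen-on { 53; };" do not end the options block early.
check_named_conf() {
    awk '{ sub(/\/\/.*/, ""); sub(/#.*/, "")
           if (depth == 0 && $0 ~ /^[ \t]*options[ \t]*[{]/) in_opts = 1
           if (in_opts) {
               if ($0 ~ /fake-iquery[ \t]+yes[ \t]*;/) found = 1
               depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
               if (depth == 0) in_opts = 0
           } }
         END { exit (found ? 0 : 1) }' "$1" && echo vulnerable || echo ok
}

# BIND 4.9 named.boot: any non-comment line (";" starts a comment) that
# mentions fake-iquery enables inverse queries.
check_named_boot() {
    grep -v '^[[:space:]]*;' "$1" | grep -q 'fake-iquery' && echo vulnerable || echo ok
}

# BIND 4.9 conf/options.h: an active "#define INVQ" compiles the feature in.
# Single-line /* ... */ comments are removed first (assumption: the define is
# not wrapped in a multi-line comment).
check_options_h() {
    sed 's#/\*.*\*/##' "$1" | grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+INVQ([[:space:]]|$)' \
        && echo vulnerable || echo ok
}

# Constructed sample files (not real configurations) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/named.conf" <<'EOF'
options {
    directory "/var/named";
    listen-on { 53; };
    fake-iquery yes;   // enabled for an old nslookup
};
EOF
printf 'options {\n  // fake-iquery yes;\n};\n' > "$SAMPLE_DIR/named.conf.safe"
printf 'directory /var/named\noptions fake-iquery\n' > "$SAMPLE_DIR/named.boot"
printf '/* #define INVQ */\n/* inverse queries left off */\n' > "$SAMPLE_DIR/options.h"

for f in named.conf named.conf.safe; do echo "$f: $(check_named_conf "$SAMPLE_DIR/$f")"; done
echo "named.boot: $(check_named_boot "$SAMPLE_DIR/named.boot")"
echo "options.h: $(check_options_h "$SAMPLE_DIR/options.h")"
```

Run it against a real installation by calling the three functions with the actual file paths; a "vulnerable" result on any of them means inverse queries are enabled and the remedy applies.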

Disabling inverse query support can break ancient versions of nslookup. If nslookup fails, replace it with a version from any BIND 4.9 or BIND 8 distribution.

—OR—

Upgrade to version 8.1.2 or 4.9.7, available at http://www.isc.org/new-bind.html.

—OR—

Obtain the patch for BIND 8 at ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND8_patch.txt, or for BIND 4.9 at ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND4.9_patch.txt.

—OR—

See CERT Advisory CA-98.05 for vulnerable systems and vendor-specific patches.

References:

CERT Advisory CA-98.05, Multiple Vulnerabilities in BIND, http://www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems

CIAC Information Bulletin I-044A, BIND Vulnerabilities, http://ciac.llnl.gov/ciac/bulletins/i-044a.shtml

Sun Microsystems, Inc. Security Bulletin #00180, BIND, http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/180&type=0&nav=sec.sba

SCO Security Bulletin 98-03, Security Vulnerability in named, ftp://ftp.sco.com/SSE/security_bulletins/SB-98.03a

Hewlett-Packard Security Bulletin HPSBUX9808-083, Security Vulnerability in BIND on HP-UX, http://us-support.external.hp.com/

Silicon Graphics Inc. Security Advisory 19980603-02-PX, IRIX BIND DNS Vulnerabilities, ftp://sgigate.sgi.com/security/19980603-02-PX

Silicon Graphics Inc. Security Advisory 19980603-01-PX, IRIX BIND DNS Vulnerabilities, ftp://sgigate.sgi.com/security/19980603-01-PX
