NetBSD Security Advisory 2002-029: named(8) multiple denial of service and remote execution of code

[NetBSD Security Officer <security-officer () netbsd org>]

-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2002-029
                 =================================

Topic:          named(8) multiple denial of service and remote execution of code

Version:        NetBSD-current: November 15, 2002
                NetBSD 1.6:     affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected
                pkgsrc: bind-4.9.10 and prior, bind-8.3.3 and prior

Severity:       Remote root compromise

Fixed:          NetBSD-current:         November 15, 2002
                NetBSD-1.6 branch:      November 16, 2002
                NetBSD-1.5 branch:      November 16, 2002
                pkgsrc: bind-4.9.10nb1, bind-8.3.3nb1


Abstract
========

named(8) version 8.3.3, which is shipped with NetBSD, is vulnerable to
remote execution of malicious code, and multiple denial of service attacks. 


Technical Details
=================

http://www.isc.org/products/BIND/bind-security.html
See the sections named: BIND: Remote Execution of Code"
                        and "BIND: Multiple Denial of Service


Solutions and Workarounds
=========================

If you are not running named(8), your system is not affected.

BIND 9 is not affected by these vulnerabilities.  Upgrading to BIND 9 is
recommended. BIND 9 is available in the NetBSD Pkgsrc Collection
(pkgsrc/net/bind9).

onfiguration files differ between BIND 8 and 9. Plan such a migration
appropriately.

BIND 8 servers with recursion disabled are not vulnerable to the `BIND SIG
Cached RR Overflow Vulnerability' nor to the `BIND SIG Expiry Time DoS'.
to disable recursion, edit the BIND 8 configuration file (default path
/etc/namedb/named.conf) to add `recursion no;' and `fetch-glue no;' to
the options statement as shown:

                options {
                    recursion no;
                    fetch-glue no;
                   /* ... other options ... */
                };



The following instructions describe how to upgrade your named
binaries by updating your source tree and rebuilding and
installing a new version of named.

Be sure to restart running instance of named(8) after installation.


* NetBSD-current:

        Systems running NetBSD-current dated from before 2002-11-15
        should be upgraded to NetBSD-current dated 2002-11-15 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                dist/bind
                usr.sbin/bind

        To update from CVS, re-build, and re-install named:
                # cd src
                # cvs update -d -P dist/bind usr.sbin/bind

                # cd usr.sbin/bind
                # make obj dependall
                # make install


* NetBSD 1.6:

        Systems running NetBSD 1.6 dated from before 2002-11-16 should
        be upgraded to NetBSD 1.6 dated 2002-11-16 or later.

        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                dist/bind
                usr.sbin/bind

        To update from CVS, re-build, and re-install named:
                # cd src
                # cvs update -d -P -r netbsd-1-6 dist/bind usr.sbin/bind

                # cd usr.sbin/bind
                # make obj dependall
                # make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        Systems running NetBSD 1.5, 1.5.1, 1.5.2 or 1.5.3 dated from before
        2002-11-16 should be upgraded to NetBSD 1.5 dated 2002-11-16 or
        later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                dist/bind
                usr.sbin/bind

        To update from CVS, re-build, and re-install named:
                # cd src
                # cvs update -d -P -r netbsd-1-5 dist/bind usr.sbin/bind

                # cd usr.sbin/bind
                # make obj dependall
                # make install


* pkgsrc

        bind-4.9.10 and prior, as well as bind-8.3.3 and prior are vulnerable.
        Upgrade to bind-4.9.10nb1, or bind-8.3.3nb1 (or later).


Thanks To
=========

FreeBSD Security-Officer, for portions of the workaround text.


Revision History
===============

        2002-11-20      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-029.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-029.txt,v 1.7 2002/11/19 17:09:59 david Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPdpxjj5Ru2/4N2IFAQH26AP/Zn+HG+u0Lwryq/fflxUJLO3Ib3QXZH14
hD/SWfkCExbZmd/5kkDdcMRfe33VTvSqZRw0IRGacErkO8cC8sbUUA9RYxAsxmpG
VMVNGMTaYlFDzGKPzyVmt9/4lAPvtR/Rd/bfJSUEfOIygNcQIvCpYN895aAFBWzl
gL8QNrRO7LY=
=1XM+
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html