SA-1997.05.txt
051e1c0b52402c30ab56f76d7da8b4e2d1b47c2d4cb38e75b59ed00332895b37
-----BEGIN PGP SIGNED MESSAGE-----
Subject: Caldera Security Advisory 1997.05: Vulnerability in bind packages
Caldera Security Advisory SA-1997.05
Original issue date: 6-July-1997
Last revised: 6-July-1997
Topic: Vulnerability in bind
I. Problem Description
This advisory contains descriptions and solutions for two
vulnerabilities present in current BIND distributions. These
vulnerabilities are actively being exploited on the Internet.
I. The usage of predictable IDs in queries and recursed queries allows
for remote cache corruption. This allows malicious users to alter
domain name server caches to change the addresses and hostnames of
hosts on the Internet.
II. A failure to check whether hostname lengths exceed MAXHOSTNAMELEN
in size. This results in potential buffer overflows in programs which
expect the BIND resolver to only return a maximum hostname length of
MAXHOSTNAMELEN.
II. Impact
On systems such as Caldera OpenLinux 1.0 and 1.1, remote root users
can poison BIND and Microsoft Windows NT name server caches by forging
UDP packets. We should note that unlike other well documented attacks,
in this instance it is NOT necessary for the attacker to take over a
DNS server or sniff the target network.
III. Solution
Obtain the new bind-4.9.5p1-3.i386.rpm, bind-devel-4.9.5p1-3.i386.rpm,
bind-doc-4.9.5p1-3.i386.rpm, and bind-utils-4.9.5p1-3.i386.rpm files
and install according to the instructions found in the README file
which is one directory up from the actual rpm files.
These packages are located on Caldera's FTP server (ftp.caldera.com):
/pub/openlinux/updates/1.0/current/RPMS
/pub/openlinux/updates/1.1/current/RPMS (Both are the same)
The MD5 checksum (from the "md5sum" command) for these packages are:
ac954a2fde23ed29a96e576b2ce62bf6 bind-4.9.5p1-3.i386.rpm
3c8705c65c132dfe39c24bc14389a077 bind-devel-4.9.5p1-3.i386.rpm
02bc8da287d6e9cf7a5e551f69e9d3c6 bind-doc-4.9.5p1-3.i386.rpm
faa31a94b1e957c89a43329e33422aa5 bind-utils-4.9.5p1-3.i386.rpm
Please follow the instructions from the README file precisely to
update any older version of bind RPMs that may be on your system:
IV. References - Credits
This and other Caldera security resources are located at:
http://www.caldera.com/tech-ref/security/
Secure Network Inc. Advisory 12 (http://www.secnet.com).
http://www.raptor.com/lib/9428.ps
Fix from Olaf Kirch at LST/Caldera. Olaf mentions "I've modified the
patch provided in the Advisory to use Linux' /dev/urandom, and fall
back to normal if it can't read it. I also tried using /dev/random
(which puts the caller to sleep if there's not enough `randomness' in
the pool), but it makes the process hang too often, waiting for random
data. Which is not what you want in a name server, IMHO. I believe
/dev/urandom is good enough for anything but crypto stuff."
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBM8AwSen+9R4958LpAQEo6AP+L/KDVbOE+lRt+Rd/Z4URAZo81Vsx+05w
kjIZfySIDc/DsJsHuGuTyjxm1obq4dYQdWjDxsY2CQFqikk4zAvftrUwE487znXr
9sI1Xq35vcCOHgwkJZkIjGGOiBunxkz2r9SQdf/f17ZKQonSgXdU/hV+g58vhzyr
3oU97f4CEDo=
=chXq
-----END PGP SIGNATURE-----