-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory 1997.05: Vulnerability in bind packages

Caldera Security Advisory SA-1997.05
Original issue date:    6-July-1997
Last revised:           6-July-1997

Topic: Vulnerability in bind

I. Problem Description

  This advisory contains descriptions and solutions for two
  vulnerabilities present in current BIND distributions.  These
  vulnerabilities are actively being exploited on the Internet.

  I.  The usage of predictable IDs in queries and recursed queries allows
  for remote cache corruption.  This allows malicious users to alter
  domain name server caches to change the addresses and hostnames of
  hosts on the Internet.

  II. A failure to check whether hostname lengths exceed MAXHOSTNAMELEN
  in size.  This results in potential buffer overflows in programs which
  expect the BIND resolver to only return a maximum hostname length of
  MAXHOSTNAMELEN.

II. Impact

  On systems such as Caldera OpenLinux 1.0 and 1.1, remote root users
  can poison BIND and Microsoft Windows NT name server caches by forging
  UDP packets.  We should note that unlike other well documented attacks,
  in this instance it is NOT necessary for the attacker to take over a
  DNS server or sniff the target network.

III. Solution

  Obtain the new bind-4.9.5p1-3.i386.rpm, bind-devel-4.9.5p1-3.i386.rpm,
  bind-doc-4.9.5p1-3.i386.rpm, and bind-utils-4.9.5p1-3.i386.rpm files
  and install according to the instructions found in the README file
  which is one directory up from the actual rpm files.

  These packages are located on Caldera's FTP server (ftp.caldera.com):

  /pub/openlinux/updates/1.0/current/RPMS
  /pub/openlinux/updates/1.1/current/RPMS (Both are the same)

  The MD5 checksum (from the "md5sum" command) for these packages are:
  ac954a2fde23ed29a96e576b2ce62bf6  bind-4.9.5p1-3.i386.rpm
  3c8705c65c132dfe39c24bc14389a077  bind-devel-4.9.5p1-3.i386.rpm
  02bc8da287d6e9cf7a5e551f69e9d3c6  bind-doc-4.9.5p1-3.i386.rpm
  faa31a94b1e957c89a43329e33422aa5  bind-utils-4.9.5p1-3.i386.rpm
        
  Please follow the instructions from the README file precisely to
  update any older version of bind RPMs that may be on your system:


IV. References - Credits

  This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/security/

  Secure Network Inc. Advisory 12 (http://www.secnet.com).

  http://www.raptor.com/lib/9428.ps

  Fix from Olaf Kirch at LST/Caldera.  Olaf mentions "I've modified the
  patch provided in the Advisory to use Linux' /dev/urandom, and fall
  back to normal if it can't read it. I also tried using /dev/random
  (which puts the caller to sleep if there's not enough `randomness' in
  the pool), but it makes the process hang too often, waiting for random
  data. Which is not what you want in a name server, IMHO. I believe
  /dev/urandom is good enough for anything but crypto stuff."

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBM8AwSen+9R4958LpAQEo6AP+L/KDVbOE+lRt+Rd/Z4URAZo81Vsx+05w
kjIZfySIDc/DsJsHuGuTyjxm1obq4dYQdWjDxsY2CQFqikk4zAvftrUwE487znXr
9sI1Xq35vcCOHgwkJZkIjGGOiBunxkz2r9SQdf/f17ZKQonSgXdU/hV+g58vhzyr
3oU97f4CEDo=
=chXq
-----END PGP SIGNATURE-----