-----BEGIN PGP SIGNED MESSAGE----- Subject: Caldera Security Advisory 1997.05: Vulnerability in bind packages Caldera Security Advisory SA-1997.05 Original issue date: 6-July-1997 Last revised: 6-July-1997 Topic: Vulnerability in bind I. Problem Description This advisory contains descriptions and solutions for two vulnerabilities present in current BIND distributions. These vulnerabilities are actively being exploited on the Internet. I. The usage of predictable IDs in queries and recursed queries allows for remote cache corruption. This allows malicious users to alter domain name server caches to change the addresses and hostnames of hosts on the Internet. II. A failure to check whether hostname lengths exceed MAXHOSTNAMELEN in size. This results in potential buffer overflows in programs which expect the BIND resolver to only return a maximum hostname length of MAXHOSTNAMELEN. II. Impact On systems such as Caldera OpenLinux 1.0 and 1.1, remote root users can poison BIND and Microsoft Windows NT name server caches by forging UDP packets. We should note that unlike other well documented attacks, in this instance it is NOT necessary for the attacker to take over a DNS server or sniff the target network. III. Solution Obtain the new bind-4.9.5p1-3.i386.rpm, bind-devel-4.9.5p1-3.i386.rpm, bind-doc-4.9.5p1-3.i386.rpm, and bind-utils-4.9.5p1-3.i386.rpm files and install according to the instructions found in the README file which is one directory up from the actual rpm files. These packages are located on Caldera's FTP server (ftp.caldera.com): /pub/openlinux/updates/1.0/current/RPMS /pub/openlinux/updates/1.1/current/RPMS (Both are the same) The MD5 checksum (from the "md5sum" command) for these packages are: ac954a2fde23ed29a96e576b2ce62bf6 bind-4.9.5p1-3.i386.rpm 3c8705c65c132dfe39c24bc14389a077 bind-devel-4.9.5p1-3.i386.rpm 02bc8da287d6e9cf7a5e551f69e9d3c6 bind-doc-4.9.5p1-3.i386.rpm faa31a94b1e957c89a43329e33422aa5 bind-utils-4.9.5p1-3.i386.rpm Please follow the instructions from the README file precisely to update any older version of bind RPMs that may be on your system: IV. References - Credits This and other Caldera security resources are located at: http://www.caldera.com/tech-ref/security/ Secure Network Inc. Advisory 12 (http://www.secnet.com). http://www.raptor.com/lib/9428.ps Fix from Olaf Kirch at LST/Caldera. Olaf mentions "I've modified the patch provided in the Advisory to use Linux' /dev/urandom, and fall back to normal if it can't read it. I also tried using /dev/random (which puts the caller to sleep if there's not enough `randomness' in the pool), but it makes the process hang too often, waiting for random data. Which is not what you want in a name server, IMHO. I believe /dev/urandom is good enough for anything but crypto stuff." -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBM8AwSen+9R4958LpAQEo6AP+L/KDVbOE+lRt+Rd/Z4URAZo81Vsx+05w kjIZfySIDc/DsJsHuGuTyjxm1obq4dYQdWjDxsY2CQFqikk4zAvftrUwE487znXr 9sI1Xq35vcCOHgwkJZkIjGGOiBunxkz2r9SQdf/f17ZKQonSgXdU/hV+g58vhzyr 3oU97f4CEDo= =chXq -----END PGP SIGNATURE-----