ISS reports more BIND flaws

New vulnerabilities have been discovered in the Berkeley Internet Name Domain (BIND) Domain Name System (DNS) software that could allow hackers to carry out denial-of-service attacks against servers using BIND, according to an advisory issued today by Internet Security Systems Inc. (ISS).

The advisory from Atlanta-based ISS details three separate vulnerabilities. All three make BIND susceptible to denial-of-service attacks from Internet users or rogue DNS administrators. One of the three vulnerabilities also involves a buffer-overflow condition in the BIND code that could enable malicious code to be placed and executed on the machine running the name-server software.

The newly discovered vulnerabilities all allow hackers to use what are referred to as "malformed requests" to attack BIND. Such attacks rely on passing invalid or improperly formatted information to the BIND DNS, targeting specific weaknesses in the way the BIND code processes requests to cause the DNS server to fail, according to Dan Ingevaldson, team leader of ISS's X-Force security research group.

Although two of the newly discovered vulnerabilities require attackers to have access to their own authoritative DNS name servers in order to pass invalid requests to the targeted BIND DNS servers, ISS's Ingevaldson said such attacks aren't uncommon.

"It's not a difficult requirement," he said. "We've seen all types of distributed exploits that require an authoritative name server."

An authoritative name server is registered as the official DNS server for a particular Internet domain.

The vulnerabilities affect earlier versions of BIND, including BIND 4 and the more recent BIND 8 distributions, up to and including 8.3.3, according to ISS.

ISS contacted the Internet Software Consortium (ISC), which maintains BIND, in late October regarding the vulnerabilities, according to Ingevaldson.

BIND 4 generally isn't supported by ISC, though the consortium continues to issue security patches for it. But BIND 8 is still commonly used, according to Ingevaldson and the ISC's Web site. BIND 9 isn't affected by any of the vulnerabilities in ISS's advisory, according to Ingevaldson.

The ISC Web site recommends that DNS administrators upgrade to BIND 9 in order to remove exposure to many of the reported BIND vulnerabilities. The Web site also contains a statement that "New BIND 4 & 8 releases are coming soon," and provides an e-mail address for software vendors to speak to the ISC about patches.

The ISC couldn't be reached for comment, and it isn't clear whether patches for the newly discovered vulnerabilities are available.

DNS is a core Internet protocol that matches easy-to-remember domain names such as www.computerworld.com with numeric Internet Protocol addresses recognized by machines.

BIND is the most commonly used type of DNS server software on the Internet, but it has come under increasing scrutiny for security holes. The FBI's list of the Top 20 security vulnerabilities, released in October, listed BIND and DNS as top concerns.

Despite generally quick responses from the BIND development community to reported vulnerabilities, the FBI report cited the ubiquity of BIND and "the inordinate number of outdated or misconfigured servers" as two reasons why it's often targeted by malicious hackers.

Ingevaldson said that the BIND software isn't any more or less secure than other software -- just more common. And the fact that DNS traffic is generally allowed through firewalls makes organizations more vulnerable to attacks that target DNS servers, according to Ingevaldson.

Copyright © 2002 IDG Communications, Inc.
