Internet vulnerabilities caught in BIND
By Patrick Gray
ZDNet Australia
March 5, 2003, 7:24 AM PT
Posted on 03/05/2003 5:55:32 PM PST by Bush2000
Confusion is rife about potential vulnerabilities in BIND, the most commonly used domain name server on the Internet, and experts are calling on the makers of the software to clarify the issue. Domain name servers are used to match domain names to numerical IP addresses, with the vast majority of these running BIND; the software essentially runs the Internet.
The Internet Software Consortium (ISC), the group responsible for maintaining the software, released a new version of BIND on Monday, with their Web site billing it as a maintenance release. "BIND 9.2.2 is the latest release of BIND 9. It is a maintenance release, containing fixes for a number of bugs in 9.2.0 but no new features," it said. However, on Wednesday the site had been updated, saying that ISC had been made aware of vulnerabilities in BIND, and saying that upgrading was "strongly recommended".
BIND 9.2.1, the previous version, is vulnerable to a remote buffer overflow bug when installed with the "libbind" non-default option. Previous versions may also be vulnerable to problems associated with the commonly used OpenSSL library, but again this is a non-default installation option and has more to do with the SSL library than BIND itself.
Johannes Ulrich, chief technology officer of the SANS Institute's Internet Storm Center, believes that ISC has not given the issue the attention it deserves. Ulrich said that the software consortium should "basically do a better PR job by notifying people to the urgency of the release."
"We still don't know enough about it," he added.
Melbourne-based security consultant Adam Pointon agrees, and says that ISC should release a detailed advisory on the issue simply to clarify the situation.
"I think they should because the vendors are going to be confused as well as the normal users... no normal users will know about this problem yet," he said.
Ulrich said that the libbind vulnerability may in fact have been indirectly known about for a while now. Confusion about which code was used in which version has led to uncertainty about which vulnerability affects which version of BIND. "In hindsight it was known since the beginning. That libbind thing is the last of the shared code between [versions] 8 and 9," he said.
Version 9 was more or less a complete rewrite of version 8, and is generally regarded as being a lot more secure.
TOPICS: Business/Economy; Technical
KEYWORDS: bind
Open Source: Quality is Job #1,000,000,000,000 ...
1 posted on 03/05/2003 5:55:32 PM PST by Bush2000
To: Bush2000
KNEEPAD bump...
2 posted on 03/05/2003 5:56:45 PM PST by BullDog108 (delenda est islam)
To: Bush2000
First Axiom of Software Engineering: Any program of N lines of source code may be successfully recompiled and run with N-1 lines of source code.
Second Axiom of Software Engineering: Any program will always have one more bug.
Corollary to the First and Second Axioms of Software Engineering: Any program may be recoded until it consists of only one line of source code, which will have a bug.
3 posted on 03/05/2003 5:58:33 PM PST by Poohbah (Beware the fury of a patient man -- John Dryden)
To: Bush2000
Open Source = choice. As in if you don't like BIND (I don't) use something else like DJBDNS.
4 posted on 03/05/2003 6:00:15 PM PST by sigSEGV
To: sigSEGV
Also, NSD is better than BIND.
5 posted on 03/05/2003 6:04:12 PM PST by sigSEGV
To: sigSEGV
Open Source = choice. As in if you don't like BIND (I don't) use something else like DJBDNS.
Non sequitur. You have choice with closed source, too. Use something else. Sheez...
6 posted on 03/05/2003 6:05:02 PM PST by Bush2000
To: sigSEGV
Also, NSD is better than BIND.
Now imagine if someone had used a worm to infect these BIND servers a la Slammer. What do you suppose the consequences would have been?
7 posted on 03/05/2003 6:05:50 PM PST by Bush2000
To: Bush2000
Slammer hit 6 months after the patch was released. Your typical UNIX/Linux admin has a clue about what is running on their system and gets things like this fixed.
8 posted on 03/05/2003 6:08:53 PM PST by sigSEGV
To: sigSEGV
You're blaming Microsoft for admins being idiots?
9 posted on 03/05/2003 6:11:44 PM PST by Poohbah (Beware the fury of a patient man -- John Dryden)
To: Bush2000
And actually, the effects would be minimal. The diversity of operating systems, architectures, etc. that BIND runs on would make a worm almost impossible.
10 posted on 03/05/2003 6:12:24 PM PST by sigSEGV
To: Poohbah
Where did I mention Microsoft? It's just very hard to tell what MS boxes are doing behind the scenes.
11 posted on 03/05/2003 6:13:38 PM PST by sigSEGV
To: sigSEGV
If you think it's truly that hard to see what an MS box is doing...maybe you shouldn't sysad anything more complicated than an abacus.
12 posted on 03/05/2003 6:16:06 PM PST by Poohbah (Beware the fury of a patient man -- John Dryden)
To: Poohbah
OK. At a glance, tell me (with a default install of an MS operating system), what is listening on UDP port X and how do you shut it off. What patchlevel is your blah blah library at. If I install rollup patch Y, will it overwrite that last patch?... Try stepping into a large company and see for yourself how painful it is.
13 posted on 03/05/2003 6:21:46 PM PST by sigSEGV
To: Poohbah
You're blaming Microsoft for admins being idiots? When some of those sysadmins are apparently inside of Microsoft, itself, you've got one of two choices. Either Microsoft hires idiots (from what I know of their hiring practices, I doubt this) or this is even a problem for admins who are smarter than idiots.
Of course the important lesson here is to not have the Internet rely on any single piece of software, be it proprietary or open source. The Internet benefits from having a mix of software that communicates through standard and open protocols. My main complaint about Microsoft is that it tries to close standards via its "embrace and extend" policy so that it can exclusively control them. No thanks.
To: Bush2000
If the domain name servers do go down, can't we still get to our favorite WEB sites by using the actual IP addresses?
Assuming that we stay on top of what those are.
I ping www.freerepublic.com and get back 209.157.64.200.
15 posted on 03/05/2003 7:13:29 PM PST by Abcdefg
To: Abcdefg
If the domain name servers do go down, can't we still get to our favorite WEB sites by using the actual IP addresses? Assuming that we stay on top of what those are. I ping www.freerepublic.com and get back 209.157.64.200.
Assuming you knew the IP address. What do you think that ping uses to resolve freerepublic.com? DNS servers. If they're down, you can't resolve (although it would take a pretty big attack since there is a lot of redundancy in DNS servers).
16 posted on 03/05/2003 9:31:06 PM PST by Bush2000
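The point made in reply 16, that a literal IP address can still be reached when the name servers are down but anything that needs a name (ping included) cannot, as an added Python example that is not part of the thread or the article. It uses only the standard library; the LOCAL_HOSTS table is constructed for the example, with only the freerepublic.com address taken from the post, and shows the resilience measure the poster alludes to: keeping a local address list for hosts you must reach when DNS is unavailable.

```python
import socket
from typing import Optional

# Constructed local address table in /etc/hosts style. The freerepublic.com
# entry is the address quoted in the thread; ns.example.net is invented and
# uses an RFC 5737 documentation address.
LOCAL_HOSTS = {
    "www.freerepublic.com": "209.157.64.200",
    "ns.example.net": "192.0.2.53",
}


def literal_address(target: str) -> Optional[str]:
    """Return the address if target is an IPv4/IPv6 literal, else None.

    AI_NUMERICHOST tells getaddrinfo to accept only numeric hosts and to
    fail instead of sending a DNS query, so this works with DNS down."""
    try:
        info = socket.getaddrinfo(target, None, flags=socket.AI_NUMERICHOST)
    except socket.gaierror:
        return None
    return info[0][4][0]


def resolve_without_dns(target: str) -> Optional[str]:
    """Resolve using only local knowledge: a literal passes straight
    through, otherwise the local hosts table is consulted. None means a
    DNS lookup would be required, which is exactly what fails when the
    name servers are unreachable."""
    addr = literal_address(target)
    if addr is not None:
        return addr
    return LOCAL_HOSTS.get(target.lower().rstrip("."))


def lookup_source(target: str) -> str:
    """Classify how a target would be resolved: 'literal', 'local-hosts'
    or 'dns-required'."""
    if literal_address(target) is not None:
        return "literal"
    if target.lower().rstrip(".") in LOCAL_HOSTS:
        return "local-hosts"
    return "dns-required"


if __name__ == "__main__":
    for t in ("209.157.64.200", "www.freerepublic.com", "mail.example.org"):
        print(f"{t:25} {lookup_source(t):13} -> {resolve_without_dns(t)}")
```

The useful part for a defender is the third category: any name that is neither a literal nor in your local table depends on the resolvers being up, so the hosts you need during a DNS outage (monitoring, out-of-band management, the resolvers themselves) belong in a maintained local list. Whether the operating system consults that list before DNS is a separate lookup-order setting, which this example does not change.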
To: sigSEGV
OK. At a glance, tell me (with a default install of an MS operating system), what is listening on UDP port X and how do you shut it off.
No problem. Network Settings|TCP IP|Advanced|IP Filtering.
What patchlevel is your blah blah library at. If I install rollup patch Y, will it overwrite that last patch?... Try stepping into a large company and see for yourself how painful it is.
That isn't easy for any system. The typical way around it is for the component to be subscribed to an AutoUpdate event. But, of course, admins don't like having their servers patched without going through some kind of testing.
17 posted on 03/05/2003 9:34:32 PM PST by Bush2000
To: Question_Assumptions
this is even a problem for admins who are smarter than idiots.
This is a problem for all admins. It doesn't matter what system you're administering. Patching is complex and time-consuming.
18 posted on 03/05/2003 9:35:38 PM PST by Bush2000
To: sigSEGV
And actually, the effects would be minimal. The diversity of operating systems, architectures, etc. that BIND runs on would make a worm almost impossible.
I disagree. Assuming you picked one or more common platforms (BSD, Linux, etc), the worm would still propagate rapidly and possibly take down a lot of critical infrastructure.
19 posted on 03/05/2003 9:37:49 PM PST by Bush2000
To: sigSEGV
The proof of this fact is provided by Slammer. Obviously, the entire Internet isn't running NT/Win2K+SQL Server -- but it still managed to do tremendous damage.
20 posted on 03/05/2003 9:39:18 PM PST by Bush2000