From owner-freebsd-security Wed Feb 7 11:29: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id AD74837B401; Wed, 7 Feb 2001 11:28:33 -0800 (PST) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f17JSXp03541; Wed, 7 Feb 2001 11:28:33 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Date: Wed, 7 Feb 2001 11:28:33 -0800 (PST) Message-Id: <200102071928.f17JSXp03541@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-01:10.bind [REVISED] Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:10 Security Advisory FreeBSD, Inc. Topic: bind remote denial of service [REVISED] Category: core, ports Module: bind Announced: 2001-01-23 Revised: 2001-02-07 Credits: Fabio Pietrosanti Affects: FreeBSD 3.x prior to the correction date. Ports collection prior to the correction date. Corrected: 2000-11-27 (FreeBSD 3.5-STABLE) 2001-01-05 (Ports collection) Vendor status: Updated version released FreeBSD only: NO 0. Revision History v1.0 2001-01-23 Initial release v1.1 2001-02-07 Rerelease to note the far more serious problems described in SA-01:18 I. Background bind is an implementation of the Domain Name System (DNS) protocols. II. Problem Description NOTE: It has come to our attention that there are a great deal more users downloading this advisory than the recently released SA-01:18, which also deals with the bind software. The latter advisory details a far more serious vulnerability, which affects all releases of FreeBSD, and it is recommended that all DNS administrators read advisory SA-01:18 immediately. A vulnerability exists with the bind nameserver dealing with compressed zone transfers. Due to a problem with the compressed zone transfer (ZXFR) implementation, if named is configured for zone transfers and recursive resolving, it will crash after a ZXFR for the authoritative zone and a query of a remote hostname. Since named is not configured under a watchdog process which will automatically restart it after a failure, this will lead to the denial of DNS service on the server. All versions of FreeBSD 3.x prior to the correction date including 3.5.1-RELEASE are vulnerable to this problem. In addition, the bind8 port in the ports collection is also vulnerable. FreeBSD 4.x is not affected since it contains versions of BIND 8.2.3. III. Impact Malicious remote users can cause the named daemon to crash, if it is configured to allow zone transfers and recursive queries. IV. Workaround A partial workaround can be implemented by disallowing zone transfers except from trusted hosts. Note that if the trusted hosts are compromised or contain malicious users, name servers with this bug will be vulnerable to the denial of service attack. V. Solution [Base system] Upgrade your vulnerable FreeBSD system to 3.5.1-STABLE after the correction date. [Ports collection] If you have chosen to install BIND from the ports collection and are using it instead of the version in the base system, perform one of the following steps: 1) Upgrade your entire ports collection and rebuild the bind8 port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.2p7.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.2p7.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.2p7.tgz [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the bind8 port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOoGhrlUuHi5z0oilAQFgewP+NVsp0tymZ5KZvgy6sqewZzqcxPUDgBxw nBR9KI2BVofLD71wawX/uWmVM5mqeMeCjpVo3Vn6cZyB2JDqCEeK174ULmJJa/Yr OGQhfKMoIKRtRZcpF5U6mT/RpAJuhaAFyAvwZjAMoZv8AORxxydJGpa3MuH2YKFh V6PWzjcfkpk= =G19W -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message