From advisory@US.IBM.COM Sat Feb 3 12:07:33 2001
From: IBM MSS Advisory Service
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 1 Feb 2001 15:37:33 -0500
Subject: [BUGTRAQ] IBM-ERS Security Vulnerability Alert: IBM AIX: 4 Vulnerabilities in BIND4 and BIND8

IBM Global Services
Managed Security Services

Security Vulnerability Alert

1 FEB 2001 20:29 GMT                                 ERS-SVA-E01-2001:002.1
===========================================================================
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================

                          VULNERABILITY SUMMARY

VULNERABILITY:  4 Vulnerabilities in BIND4 and BIND8

PLATFORMS:      IBM AIX 4.3.x

SOLUTION:       Apply the fixes listed below.

THREAT:         Remote attackers can disrupt DNS service on affected
                servers or execute arbitrary code with the privileges of
                the name server (typically root).

CERT Advisory:  CA-2001-02

===========================================================================

                          DETAILED INFORMATION

I. Description

See CERT Advisory CA-2001-02, "Multiple Vulnerabilities in BIND"
(www.cert.org), for additional details.

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature
(TSIG) handling code

During the processing of a transaction signature (TSIG), BIND 8 checks for
the presence of TSIGs that fail to include a valid key. If such a TSIG is
found, BIND skips normal processing of the request and jumps directly to
code designed to send an error response. Because the error-handling code
initializes variables differently than in normal processing, it
invalidates the assumptions that later function calls make about the size
of the request buffer. Once these assumptions are invalidated, the code
that adds a new (valid) signature to the response may overflow the request
buffer and overwrite adjacent memory on the stack or the heap. Combined
with standard buffer overflow exploitation techniques, this allows an
attacker to gain unauthorized privileged access to the system and execute
arbitrary code.
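The failure mode described above, as an added illustration that is not BIND's code and is not part of this advisory: a hypothetical responder whose error path computes the free space from the request length while the response it just built is longer, beside a version that checks the real total before writing. CAPACITY, ERR_RR_LEN, SIG_LEN, the record layouts and every function name here are assumptions made for the example; "adjacent memory" is modelled as marker bytes placed after the buffer inside one array so that the overrun is observable without any undefined write.

```c
/* Added illustration (not BIND code) of the VU#196945 bug class: an error
 * path that sets up its bookkeeping differently from the normal path, so the
 * signer trusts a stale "space remaining" value. All sizes are hypothetical. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAPACITY   64   /* hypothetical response buffer size           */
#define ERR_RR_LEN 16   /* hypothetical size of the appended error RR  */
#define SIG_LEN    16   /* hypothetical size of the appended signature */
#define SPILL      (ERR_RR_LEN + SIG_LEN)   /* most one build can overrun */

/* Constructed request: raw bytes plus whether its TSIG key was known. */
typedef struct {
    const unsigned char *msg;
    size_t msglen;          /* bytes received, at most CAPACITY */
    int tsig_key_valid;     /* 0 => TSIG present but key unknown/invalid */
} request_t;

/* Normal path: the response skeleton is a copy of the request. */
static size_t write_normal(unsigned char *buf, const request_t *r) {
    memcpy(buf, r->msg, r->msglen);
    return r->msglen;
}

/* Error path: the same copy plus an error record, so the response is longer. */
static size_t write_error(unsigned char *buf, const request_t *r) {
    memcpy(buf, r->msg, r->msglen);
    memset(buf + r->msglen, 0xEE, ERR_RR_LEN);
    return r->msglen + ERR_RR_LEN;
}

/* VULNERABLE: the error path derives 'avail' from the request length, not the
 * longer response it just wrote, then jumps to the signer, whose only check
 * uses that stale value. Returns bytes written, or -1 if the signer refused. */
int build_response_vuln(const request_t *r, unsigned char *buf) {
    size_t resp_len, avail;
    if (!r->tsig_key_valid) {
        resp_len = write_error(buf, r);
        avail = CAPACITY - r->msglen;        /* BUG: stale assumption */
        goto sign;
    }
    resp_len = write_normal(buf, r);
    avail = CAPACITY - resp_len;
sign:
    if (avail < SIG_LEN) return -1;
    memset(buf + resp_len, 0x53, SIG_LEN);   /* may run past CAPACITY */
    return (int)(resp_len + SIG_LEN);
}

/* HARDENED: size the whole response from the real inputs and check it against
 * the real capacity before any write; both paths share one signing step. */
int build_response_fixed(const request_t *r, unsigned char *buf) {
    size_t need = r->msglen + (r->tsig_key_valid ? 0 : ERR_RR_LEN) + SIG_LEN;
    if (r->msglen > CAPACITY || need > CAPACITY) return -1;
    size_t resp_len = r->tsig_key_valid ? write_normal(buf, r)
                                        : write_error(buf, r);
    memset(buf + resp_len, 0x53, SIG_LEN);
    return (int)(resp_len + SIG_LEN);
}

/* Run one build on a fresh arena: CAPACITY real bytes followed by SPILL
 * marker bytes that model adjacent memory. Returns 1 if those marker bytes
 * survived, 0 if overwritten; *rc gets the builder's result. The headroom
 * keeps the modelled overrun inside the array, so no write is undefined. */
int run_scenario(int use_fixed, size_t msglen, int key_valid, int *rc) {
    unsigned char arena[CAPACITY + SPILL];
    unsigned char msg[CAPACITY];
    memset(msg, 0x41, sizeof msg);           /* constructed query bytes */
    memset(arena, 0, CAPACITY);
    memset(arena + CAPACITY, 0xC3, SPILL);
    if (msglen > CAPACITY) msglen = CAPACITY;
    request_t r = { msg, msglen, key_valid };
    int result = use_fixed ? build_response_fixed(&r, arena)
                           : build_response_vuln(&r, arena);
    if (rc) *rc = result;
    for (size_t i = 0; i < SPILL; i++)
        if (arena[CAPACITY + i] != 0xC3) return 0;
    return 1;
}

/* Convenience: only the builder's return value for a scenario. */
int scenario_rc(int use_fixed, size_t msglen, int key_valid) {
    int rc;
    run_scenario(use_fixed, msglen, key_valid, &rc);
    return rc;
}

int main(void) {
    int rc, ok = run_scenario(0, 40, 0, &rc);
    printf("vulnerable, bad key, 40-byte query: rc=%d, adjacent %s\n",
           rc, ok ? "intact" : "OVERWRITTEN");
    ok = run_scenario(1, 40, 0, &rc);
    printf("hardened,   bad key, 40-byte query: rc=%d, adjacent %s\n",
           rc, ok ? "intact" : "OVERWRITTEN");
    return 0;
}
```

With a 40-byte query and an unknown key, the vulnerable builder writes 72 bytes into a 64-byte buffer and reports success, because the only bounds check ran against a number computed on a different path; the hardened builder refuses the same request before touching the buffer. The point to carry into real code is that the check must be derived from the response actually built and must sit next to the write, not in a path-specific prologue that a goto can bypass.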
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

The vulnerable buffer is a locally defined character array used to build
an error message intended for syslog. Attackers attempting to exploit this
vulnerability could do so by sending a specially formatted DNS query to
affected BIND 4 servers. If properly constructed, this query could be used
to disrupt the normal operation of the DNS server process, resulting in
either denial of service or the execution of arbitrary code.

VU#868916 - ISC BIND 4 contains input validation error in
nslookupComplain()

The vulnerable buffer is a locally defined character array used to build
an error message intended for syslog. Attackers attempting to exploit this
vulnerability could do so by sending a specially formatted DNS query to
affected BIND 4 servers. If properly constructed, this query could be used
to disrupt the normal operation of the DNS server process, resulting in
the execution of arbitrary code.

This vulnerability was patched by the ISC in an earlier version of BIND 4,
most likely BIND 4.9.5-P1. However, there is strong evidence to suggest
that some third party vendors who redistribute BIND 4 have not included
these changes in their BIND packages. Therefore, the CERT/CC recommends
that all users of BIND 4 or its derivatives base their distributions on
BIND 4.9.8.

VU#325431 - Queries to ISC BIND servers may disclose environment variables

This vulnerability is an information leak in the query processing code of
both BIND 4 and BIND 8 that allows a remote attacker to access the program
stack, possibly exposing program and/or environment variables. This
vulnerability is triggered by sending a specially formatted query to
vulnerable BIND servers.

II. Impact

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature
(TSIG) handling code

This vulnerability may allow an attacker to execute code with the same
privileges as the BIND server.
Because BIND is typically run by a superuser account, the execution would
occur with superuser privileges.

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()

This vulnerability can disrupt the proper operation of the BIND server and
may allow an attacker to execute code with the privileges of the BIND
server. Because BIND is typically run by a superuser account, the
execution would occur with superuser privileges.

VU#868916 - ISC BIND 4 contains input validation error in
nslookupComplain()

This vulnerability may allow an attacker to execute code with the
privileges of the BIND server. Because BIND is typically run by a
superuser account, the execution would occur with superuser privileges.

VU#325431 - Queries to ISC BIND servers may disclose environment variables

This vulnerability may allow attackers to read information from the
program stack, possibly exposing environment variables. In addition, the
information obtained by exploiting this vulnerability may aid in the
development of exploits for VU#572183 and VU#868916.

III. Solutions

A. Official fix

IBM is working on the following fix, which will be available soon:

    AIX 4.3.3:  IY16182

NOTE: A fix will not be provided for versions prior to 4.3, as these are
no longer supported by IBM. Affected customers are urged to upgrade to
4.3.3.

B. How to minimize the vulnerability

A temporary fix for AIX 4.3.3 systems is available. The temporary fix can
be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/multiple_bind_vulns_efix.tar.Z

This temporary fix has not been fully regression tested.

Do the following steps (as root) to install the temporary fix:

IMPORTANT: Create a mksysb backup of the system and verify that it is both
bootable and readable before proceeding.

Verify you have retrieved this efix intact:
-------------------------------------------

There are 4 executables in this tarfile.
For named4:
    named4-IY16182:       replacement for /usr/sbin/named4
    named4-xfer-IY16182:  replacement for /usr/sbin/named4-xfer

For named8:
    named8-IY16182:       replacement for /usr/sbin/named8
    named8-xfer-IY16182:  replacement for /usr/sbin/named8-xfer

After you untar this tar file, check the checksums on these files using
the sum command:

    # sum named*
    56903   190 named4
    21309    33 named4-xfer
    07515   558 named8-IY16182
    29816   164 named8-xfer-IY16182

Note that sum produces only a 16-bit checksum: a mismatch shows the
download is truncated or corrupted, but a match is not proof that a file
is the one IBM shipped, so retrieve the efix only from the IBM server
named above.

Efix Installation Instructions:
-------------------------------

You need to be at Maintenance Level 6 for AIX 4.3.3 AND you need APAR
IY14512 installed.

To see if you are at ML06:

    # instfix -i | grep AIX_ML

On one of the lines you should see:

    "All filesets for 4330-06_AIX_ML were found."

After you are at least at ML06, you must install APAR IY14512, which
includes:

    bos.64bit.4.3.3.27        <-- you might not have this fileset,
                                  depending on your machine type.
    bos.adt.include.4.3.3.27
    bos.adt.prof.4.3.3.28
    bos.net.tcp.server.4.3.3.27
    bos.rte.libc.4.3.3.27
    bos.rte.libpthreads.4.3.3.27
    bos.rte.net.4.3.3.2

You can obtain IY14512 from:

    http://techsupport.services.ibm.com/support/rs6000.support/downloads

    --> click on "General Software Fixes"
    --> click on "Aix Fix Distribution Service"

Enter IY14512 in the LOWER entry box and click the "Find Fix" button. The
next screen should show "Found 1 match containing IY14512" and display its
finding in a window.

- Select the line in the window with the mouse (click once on it; it will
  invert colors when selected).

- In the lower left corner there is a drop-down listbox entitled "What is
  your AIX Level?"; select 4.3.3.0-06 (provided you are at ML06; see the
  instfix -i command output above).

You should then be able to download these files:

    bos.64bit.4.3.3.27        <-- you might not have this fileset,
                                  depending on your machine type.
    bos.adt.include.4.3.3.27
    bos.adt.prof.4.3.3.28
    bos.net.tcp.server.4.3.3.27
    bos.rte.libc.4.3.3.27
    bos.rte.libpthreads.4.3.3.27
    bos.rte.net.4.3.3.2

Once all of the above are installed, and you have rebooted, then:

    # cd /usr/sbin
    # stopsrc -s named
    # cp named8 named8-original
    # cp named8-xfer named8-xfer-original
    # cp named8-IY16182 named8
    # cp named8-xfer-IY16182 named8-xfer

(If you are dealing with named4 instead, repeat the above 4 cp lines,
except the names will have a "4" in place of the "8".)

Make the two "-original" copies only once: if the cp sequence is run again
after the efix binaries are in place, the backups are overwritten with the
patched files and the original binaries are lost.

And finally:

    # startsrc -s named

and verify that named is running and resolving queries correctly.

IV. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information on
FixDist, and to obtain fixes via the Internet, please reference

    http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs, including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with the
words "subscribe Security_APARs" in the "Subject:" line.

V. Acknowledgements

Many thanks to COVERT Labs and Claudio Musmarra for discovering these
vulnerabilities and to the CERT/CC for notifying us of these security
holes.

VI. Contact Information

Comments regarding the content of this announcement can be directed to:

    security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX security
vulnerabilities, send email to security-alert@austin.ibm.com with a
subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a note
to aixserv@austin.ibm.com with a subject of "subscribe Security". To
cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of "help".

IBM and AIX are registered trademarks of International Business Machines
Corporation. All other trademarks are property of their respective
holders.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQCVAwUBOnnHgfWDLGpfj4rlAQF5ggQAkIt0Bzc5vfi8BpR02uPG2asnIzV+X/rG
IERK65u/WrMnITzsRsL9nLsnhX1oJVcPf/ESPhnqq38A5zrUZC/nCDiDFMyvfmDZ
4wi8kyhGDnE3uzlE6OP+8BrdqEq2SKntW4EEeG8MY+8v8NcOEwrj9Mi2WUlBXT4r
1itWCTTI9MY=
=+TSn
-----END PGP SIGNATURE-----

===========================================================================

IBM's Managed Security Services (IBM MSS) is a subscription-based Internet
security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.

IBM's Managed Security Services advisory service is a subscription-based
service that provides assistance with virus risk and emergency management.
By acting as an extension of your own internal security staff, IBM MSS's
team of security experts helps you quickly detect and respond to attacks
and exposures to your I/T infrastructure.

As a part of IBM's Business Continuity Recovery Services organization, IBM
Managed Security Services is a component of IBM's SecureWay(tm) line of
security products and services. From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.

To find out more about IBM Managed Security Services, send an electronic
mail message to ers-sales@ers.ibm.com, or call 1-800-426-7378.

IBM MSS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.
IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature
mechanism for security vulnerability alerts and other distributed
information. The IBM MSS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html.

"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM MSS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.

Copyright 2000 International Business Machines Corporation.

The information in this document is provided as a service to customers of
IBM Managed Security Services. Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or
implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process contained herein, or represents that its use would not
infringe any privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by IBM or its subsidiaries. The
views and opinions of authors expressed herein do not necessarily state or
reflect those of IBM or its subsidiaries, and may not be used for
advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident
response teams (both commercial and non-commercial), provided the above
copyright is kept intact and due credit is given to IBM MSS.
This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent
of increasing the awareness of the Internet community.

===========================================================================