High Severity BIND Vulnerability Advisory Issued 144
wiredmikey writes "The Internet Systems Consortium (ISC) and US-CERT have issued a high severity vulnerability warning, discovered by Neustar, which affects BIND, the most widely used DNS software on the Internet. Successful exploitation could enable attacker to cause Bind servers to stop processing all requests. According to the disclosure, 'When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.'"
latest BIND not affected (Score:5, Informative)
"There have been no active exploits known, and versions 9.7.1-9.7.2-P3 versions of BIND are affected. US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3 "
Re: (Score:2)
Just upgrade to tinydns/dnscache and forget about security bugs...
Yeah, this surprised me just about as much as an exploit for Sendmail.
In other unrelated news, users of Windows, IIS, and IE have more malware problems than users of OpenBSD.
Re: (Score:1)
Just upgrade to tinydns/dnscache and forget about security bugs...
Or to MaraDNS or powerDNS, with the same result, but no legacy DJB BS...
Re:latest BIND not affected (Score:4, Informative)
That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released. Don't believe me?
CERT was notified at the end of January.
"Date Notified: 2011-01-24" [ http://www.kb.cert.org/vuls/id/559980 [cert.org] ]
The CVE was reserved in the middle of January.
"Assigned (20110111)" [ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0414 [mitre.org] ]
Yet the release notes for 9.7.3 don't mention any fixes which would coincide with this vulnerability:
http://ftp.isc.org/isc/bind9/9.7.3/RELEASE-NOTES-BIND-9.7.3.html [isc.org]
Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that. That's awesome security procedure there.
Re:latest BIND not affected (Score:5, Informative)
That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released.
That's not correct. The locking bug had already been fixed in 9.7.3b1, a month before it was found to be exploitable as a DoS. When we did find that out, we consulted with vendors and decided to continue with the releases in progress.
Re: (Score:1)
I see, it was originally just a locking bug. That makes it easier to find a likely candidate in the Release Notes:
"Corrected a defect where a combination of dynamic updates and zone transfers incorrectly locked the in-memory zone database, causing named to freeze. [RT #22614]"
Even if I do believe you, why did you wait so long to notify the community of the DoS vulnerability?
Re: (Score:3, Informative)
We notified our forum members as soon as we understood the full scope of the issue, key operators/vendors the next day, and the general community one week later, as per our Security Disclosure Policy: http://www.isc.org/security-vulnerability-disclosure-policy.
Re: (Score:1)
Re: (Score:2, Insightful)
So, BaconBits - are you going to publicly retract your statements impugning BIND's process?
You made some very harsh judgement, evidently without any research into backup said accusations - IMO, you owe an apology. [I'm posting AC since I don't want to be attacked publicly either, but I have NO association with BIND or any Linux development at all. I'm simply one who uses BIND and Linux servers. Really, I'm just a sysadmin.]
Re: (Score:2)
Re: (Score:2)
Re:latest BIND not affected (Score:5, Insightful)
Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that
You know, I'm really tired of people who obviously don't write code saying crap like this. Fixing a subtle deadlock could quite realistically take a month. First, you need to figure out really why it happens. Then you need to figure out the CORRECT way to fix it, then you need to implement the fix, then you need to TEST the thing to make sure you didn't introduce anything ELSE that could cause a problem. If the bug was in an easy area of code, chances are it would have been found and fixed a long time ago. BIND has been around a long, long time. Anything left in there now is, by definition, hard to find and hard to fix.
Look folks, security bugs happen BECAUSE people whip out code without thinking and without testing. Now you ask for them to do exactly that? You need to get a grip on reality.
Re: (Score:1)
You know, I'm really tired of people who obviously don't write code saying crap like this. Fixing a subtle deadlock could quite realistically take a month. First, you need to figure out really why it happens. Then you need to figure out the CORRECT way to fix it, then you need to implement the fix, then you need to TEST the thing to make sure you didn't introduce anything ELSE that could cause a problem. If the bug was in an easy area of code, chances are it would have been found and fixed a long time ago. BIND has been around a long, long time. Anything left in there now is, by definition, hard to find and hard to fix. Look folks, security bugs happen BECAUSE people whip out code without thinking and without testing. Now you ask for them to do exactly that? You need to get a grip on reality.
Just as you need to get a grip on your CAPS LOCK key.
Re: (Score:2)
But...but...
Reality she's a harsh mistress. I don't like harsh...
Re: (Score:2)
As a sysadmin I don't care about the timeliness of the fix as much as the timeliness of the disclosure. I care that nobody said anything about it so I couldn't mitigate the risk or be aware of the problem. They knew about it for six weeks and said nothing. Why? They released a new version that fixed the issue, and *still* didn't say anything for two weeks. ISC itself rated the vulnerability severity as "High". Is this how you should handle a high severity vulnerability?
It's not "OMG where is the fix."
Re:latest BIND not affected (Score:4, Insightful)
Keep in mind that ISC runs a lot of very large name servers all over the world that are under constant DDOS attacks and they didn't see this in the wild. At this point, its a theoretical attack and there is a theatrical work around. Releasing the info too soon could have resulted in a real attack against a theatrical work around. I think they did the right thing considering if you had a DDOS problem, you can ask in a number of places and they would have told to you to try the work around.
Re: (Score:1)
its a theoretical attack and there is a theatrical work around
Presumably (hopefully?) involving Natalie Portman and hot grits..?
Re: (Score:2)
Yes, when my systems are experiencing problems the first thing I think of doing is asking the developers if they have any workarounds for undisclosed vulnerabilities that would address my issue.
Re: (Score:1)
> That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released. Don't believe me?
Except they posted it on a publically accessable list ...
FreeBSD? (Score:2)
I wonder how long it'll be until FreeBSD rolls a security update out for this.
Re: (Score:1)
It's OK, most FreeBSD users are not vulnerable, the current production release (8.1) uses bind 9.6.2, which is from before the vulnerability was introduced in the 9.7 series.
Only users who have independently installed the 9.7 package will have an issue.
Earlier versions? (Score:3)
What about versions before 9.7.1? Looks like this vulnerability affects only Bind servers within the specific range: 9.7.1-9.7.2-P3
Let Me Ask a Question (Score:2)
Let me ask a question, when alerts come out like this that explain a vulnerability, do they always state the problem the way it happens?
Like, if someone understood how to exploit this vulnerability, are they really going to shut down DNS services or could it be that there is a worse vulnerability underneath? For instance, could this actually be a call to patch something that allows for DNS spoof, where someone does not want the issue to have wide awareness?
Re: (Score:3)
Let me ask a question, when alerts come out like this that explain a vulnerability, do they always state the problem the way it happens?
Thankfully, yes, err, well, as far as they know at that time. I don't do IXFR on my authoritative or resolving bind servers so I simply don't care. Kind of hard to cause a deadlock during a tiny slice of a time in a process I don't run...
Like, if someone understood how to exploit this vulnerability, are they really going to shut down DNS services or could it be that there is a worse vulnerability underneath? For instance, could this actually be a call to patch something that allows for DNS spoof, where someone does not want the issue to have wide awareness?
Uh, no. At least not directly. According to
http://www.isc.org/software/bind/advisories/cve-2011-0414 [isc.org]
the server simply stops responding. Usually deadlocks in any software freeze it up quite well rather than false data. Old data, maybe, at worst...
What happens to the re
not "high severity" (Score:5, Informative)
This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.
This is just one more in a long list of well-known ways anyone could knock a server offline.
Re:not "high severity" (Score:5, Insightful)
This sounds like a denial-of-service flaw. Such flaws are considered "low severity" in all but the rarest cases. A high-severity flaw would be one which either gives a hacker control of a service or access to sensitive information.
It depends entirely upon the requirements for availability. I agree that generally the A in the CIA triad is the least important, but not by any means always.
Imagine if this could be easily leveraged to shut down all DNS resolvers for, say, all of Comcast. Wouldn't you agree that it's probably a greater impact than, say, a single unimportant desktop somewhere in marketing being compromised by the Flash Of The Day vulnerability?
Thus is the black magic of IT risk management. :)
That said, my first thought when reading this headline was the same as yours.
Re: (Score:2)
Imagine if this could be easily leveraged to shut down all DNS resolvers for, say, all of Comcast.
Why would your resolvers every do an IXFR? That takes quite an imagination. Now your secondary authoritative servers might be knocked out if they allow IXFRs in addition to the "traditional" AXFR zone transfers.
Re: (Score:2)
"Imagine if". I was using a hypothetical to demonstrate a completely different point.
Re: (Score:2)
"High" and "Low" are relative. A high severity DNS flaw would be one that allows attackers to redirect all banking websites to a site they control, as an example. A low severity DNS flaw would be one that makes things not work for a little bit. Any botnet operator could take a DNS server offline anyway, with or without a flow. Low severity.
Re: (Score:2)
"High" and "Low" are relative. A high severity DNS flaw would be...
With due respect to your tenure at Slashdot, I believe you're oversimplifying it, or at least not applying common risk management methodology.
Generally, when assessing the impact of a vulnerability, you're going to assess its impact to each of the three components of the security triad.
We admin/security types do generally consider impact to availability as being less of an issue, but my point is that it is situation dependent. The fact is, though, that this particular vulnerability (I believe, I haven't RT
Re: (Score:1)
[Facepalm] Clearly, you're just a troll with a silly statement like that. Of course, this should be obvious to anyone reading by now, but your responses are really just pedantic, pointless puffery. Broadly speaking, DoS flaws are low severity. And since this is a broad forum, "broadly speaking" is all we can reasonably hope for. We in the security world know that individual circumstances vary. That is so obvious that it goes without saying. So don't expect to get a
Re: (Score:3)
Clearly, you're just a troll with a silly statement like that.
No sir, my intention was to be disengaging by acknowledging that I was aware that I was talking to a person who probably would generally understand the principles about which I was speaking. I *do* recognize usernames on slashdot, and try my best to acknowledge people who have been around for a long time and generally contribute positively toward the discussion.
your responses are really just pedantic, pointless puffery. Broadly speaking, DoS flaws are low severity.
Then please, by all means, refute it with something other than assertions. Show me how a network-based, low access complexity, non-authenticated v
Re: (Score:3)
http://www.kb.cert.org/vuls/id/559980 [cert.org]
Severity metric: 4.50 (on a scale from 0 to 180)
Sounds like not very high to me either, lol.
That said, it's a kinda serious vulnerability given that the Internet relies a lot on DNS and many servers are running BIND.
Then again, we should be running at least DNSSEC by now, and not provided by BIND, right? right?!
Re: (Score:2)
The ISC and US-CERT have it ranked as "High Severity"
Re: (Score:1)
When you put the vulnerability into a CVSS calculator you get a score of 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C) which is in the high range.
Yes, CVSS isn't perfect but that is what is being used. About the only wiggle room is on access complexity even that may be deemed low.
This is a race until you win attack.
not high severity (Score:3)
High severity threats are those that either disclose sensitive information or allow unauthorized control of a service or system. Denial of service vulnerabilities are almost universally considered low severity. This is just one more in a long list of known ways to DoS a system.
Re: (Score:2)
Re: (Score:2)
That's true, but the CERT advisory only lists the severity metric as 4.5. That's not out of 10. It's out of 180.
http://www.kb.cert.org/vuls/id/559980 [cert.org]
ISC very well may use a different ranking scheme for vulnerabilities. DNS is required to have high availability, and this would severely impact that. ISC may rate it highly simply because the common usage scenarios for BIND make this more concerning.
Re: (Score:2)
Assantisz, the article does link to the ISC advisory. Are you are correct, they do list it as high severity.
Re: (Score:2)
http://tech.slashdot.org/comments.pl?sid=2008894&cid=35290818
DONT DO DAT
Re: (Score:2)
Yes, I posted twice. But only because slashdot had an outage during which comments were not showing up. Apparently slashdot was queuing up posts but not displaying them until later for a while earlier today. Don't blame me for slashdot's bug.
Wow. (Score:2)
Who could have foreseen such a problem in such modern and well-crafted software.
Re: (Score:2)
Riiight... so you're saying we're better off using younger software than more mature software because, let me see if I got this right, your theory is that the new software has fewer bugs than the mature software?
Now, if you find PowerDNS has more features, easier to set up, what have you, that's fine - that's the purpose of new software attempting to displace old and not the topic here. It's not often that new software has fewer bugs (including security holes) than more mature software.
Neverbind the summary (Score:1)
This was bound to happen...
djbdns (Score:2)
djbdns [cr.yp.to] - if you want a secure one.
Re: (Score:2)
If you think it's worth a lol, then do you think you can make a grand in prize money [cr.yp.to]?
Re: (Score:1)
Security is more than just preventing privileged escalation and taking control of dns systems. There is risk of spoofing and cache poisoning, (which djbdns has a good record with) which DNSSEC aims to correct, DOS (both as described in this article and DDOS) as we
Re: (Score:1)
If one was just wanting to secure the authoritative to recursive server connection DNSCurve will work for that. DNSSEC on the other hand secures the entire path right into the application. Authoritative server -> [caching server] -> caching server -> stub resolver -> application.
Now when you can start up your laptop on a foreign network and are able to trust that the answers from the caching DNS server handed out by DHCP are good with DNSCurve come back. In the meantime DNSSEC does allow you
Re: (Score:3)
if you want a secure one.
If you want it to be really secure, you'd just turn the server off. If you want secure and functional, isn't even an option.
I'll say it: djbdns is the least secure popular DNS daemon. Its fatal flaw is that it only implements the easiest parts of DNS. Maybe it's exceedingly secure at handling that stuff. Who knows? Who cares? It leaves all the hard part of DNS administration to be re-implemented at every single site. For example, to the best of my knowledge, djbdns still doesn't implement IXFRs. The securit
Re: (Score:2)
Hey, you need interesting? You got it. It's this story.
My server is not interesting. It's boring like a fuck.
Re: (Score:1)
What a load of bullshit.
I don't know about you, I just want to sleep at night not worrying about any exploit du jour, and that definitely includes BIND.
Let me tell you how to update djbdns fast:
1. ssh to your slave.
2. scp your 'data' file.
3. run 'make'
You're seriously going to be a BIND apologist because you can't take 30 seconds to ssh/scp a file?
If you find yourself making DNS changes so often that this is a problem, take the time to automate it and focus on what you're doing, not going down some shit-ha
Re: (Score:2)
If you find yourself making DNS changes so often that this is a problem, take the time to automate it and focus on what you're doing, not going down some shit-happy path towards Kerberos enlightenment. Or figure out why you have to keep changing DNS records so often and come up with a better method.
Perhaps you've heard of IPv6 (DJB hasn't, but maybe you're quicker on the uptake)? Suppose you run a company with 10,000 desktops and servers, all neatly categorized and named in your IPv4 DNS zones. Now you've decided to roll out IPv6 on that same network, and want each host's name to resolve with an A record and an AAAA record. The easiest way to do that is to let each machine update DNS with its own hostname and IP - subject to the proper restrictions. Move a machine to a different subnet? No problem: it
Re: (Score:1)
Perhaps you've heard of IPv6 [snip]
Perhaps you've heard of turd polishing?
Find something that supports IPv6 that isn't a security nightmare. They exist. Isn't that your job as a netadmin, anyway? It's because of lazy-assed admins that keep following turds like BIND -- religiously -- that it remains #1 in market share when it should have been kicked to the curb long ago for being the bloated, slow dog that it is.
And I think I've already made my point about the relative easy[sic] [snip]
Security isn't always easy. You've made your deal with devil. Tell me all about it when he calls the tune and your BIND box get
Re: (Score:2)
The most interesting bit with the whole 'X is more secure and the old dinosaur programs" is that most of the new rewrites have the same deadlock or race conditions but they never get fixed. Sendmail and bind have plenty of OS work arounds in their code because they are needed to keep the whole system secure.
Re: (Score:1)
The most interesting bit with the whole 'X is more secure and the old dinosaur programs" is that most of the new rewrites have the same deadlock or race conditions but they never get fixed. Sendmail and bind have plenty of OS work arounds in their code because they are needed to keep the whole system secure.
Joel Spolsky (the "Joel on Software" guy) advocates never throwing out the code and starting from scratch. Perhaps that's true in most cases, but not with BIND and any BIND derivatives.
IIRC the ISC tried that with BIND 9. Supposedly a rewrite, but I've read opinions that they imported a lot of the old code anyway. It doesn't really matter.
Sometimes you have to lose the old mindset and start with fresh eyes and a new attitude. Go back to basics and follow the KISS rule. DJB, whether you like him or not,
Re: (Score:2)
Why are you so mad at DJB or djbdns?
djbdns comes with AXFR tools, maybe you hadn't heard? And really, using rsync and SSH aren't that hard?
Anyway, I think a lot of people are happy with "uninteresting" DNS. It's functional enough, it seems: http://mydns.bboy.net./survey/ [mydns.bboy.net]
BIND code used in other software? (Score:2)
Does anyone know which DNS servers are either derived from or just repackaged BIND? I haven't been able to find this information anywhere.
Re: (Score:1)
Hopefully you'd use that information for what software to *avoid*.
Clarifications to cve-2011-0414 .... (Score:1)
* As Larissa pointed out, this security advisory used ISC's phased disclosure process (see http://www.isc.org/security-vulnerability-disclosure-policy [isc.org]). The US CERT advisory stated they notified ISC on 2011-01-24. This is reversed. US CERT and all other National CSIRT Teams were notified at the same time (Feb 15th). We just recently added the step in our disclosure process to notify all National CSIRT Teams listed on first.org.
* US-
Re: (Score:2)
I'd hardly call hosts files obscure...
Also, restricting name resolution to host file only does not "defacto limit the webservers that employees may visit" as this file is never consulted if the user decides to access a webserver via its IP address.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I'd hardly call hosts files obscure...
Also, restricting name resolution to host file only does not "defacto limit the webservers that employees may visit" as this file is never consulted if the webserver is accessed via its IP address.
Re: (Score:2)
I'm pretty sure that's well known...
Re: (Score:2, Insightful)
This is not well known, but every computer connected to the Internet is capable of being its own nameserver.
This is in fact fairly well known among the people who need to know these things. Also the hosts file is no substitute for DNS. It cannot, for example, give you MX records, cannot perform round-robin load balancing, and even if the sync of the hosts file is very quick, is not a suitable way to deal with the fact that name to ip mappings change frequently. Anyone who set things up as described above
Re: (Score:3)
I am not one of the ACs in this thread. That being said, I have some background and experience in network administration in environments from SOHO to global enterprises.
Now, please detail how you'd set up an automatic and redundant P2P distribution network for a HOSTS file including your mechanism for securely updating said HOSTS file from a location of your choosing, and explain how your solution is more efficient than your company's infrastructure's DNS systems. If you allow updates from anywhere other th
Re: (Score:3)
I addressed my post incorrectly. I was replying to the thread as a whole, which was not correctly conveyed.
Logon scripts that copy from where?
Still, it wouldn't kill you to be civil.
Re: (Score:2)
Ugh, there are some bored forum trolls and they are out in force today. It looks like they did a drive-by on our conversation. Either that, or someone involved in that forum happened across this. If you're trying to say it was me trying to discredit you... how do I know it wasn't you setting up that accusation? I don't know. Whatever the case, I don't especially care for it.
I followed those links and guess what I see there... if that's you, you tend to know what you're talking about, although you get more i
Re: (Score:1)
Re:Many companies avoid using networked nameserver (Score:4, Insightful)
Seriously? What companies avoid nameservers?
Why would you believe your P2P software is less prone to vulnerabilities than BIND?
Perhaps, If your company employs people who cannot type in an IP address. Nonetheless, I can think of many much better ways to limit employee internet access.
All software has vulnerabilities. If your nameserver has an issue, you upgrade BIND and you're done. If your P2P software on every desktop has a vulnerability, you now have to update software on every desktop. Assuming, that is, that the vulnerability is ever publicly disclosed.
Re: (Score:1)
Also severely limits who you can send email to. And is excessively cumbersome. Easier to just run your own BIND and not allow connections from outside.
Re: (Score:2)
Hosts is old. It predates DNS, and is one of the reasons for DNS. DNS (and WINS, technically) were developed because maintenance of the hosts file across a network of computers is too complex. Updates would be slow, insecure, inconsistent and unreliable, particularly if you use DHCP on your network instead of static addressing (which everybody with a brain does on a non-trivial network). Cache poisoning would be a constant problem. Nevermind that all the hosts file does is translate names to IP address
Re: (Score:2)
Most of what I see hosts files used for now is to "null route" (direct to 0.0.0.0) known bad hosts.
I do the same on my computers, but instead of "known bad" hosts I block various ad servers
Re: (Score:2)
Yeah, a lot of anti-malware software does this. Spybot Search & Destroy adds about 15,000 entires to hosts that point to 127.0.0.1, which might fail safer than a null route. It amounts to the same thing.
Re: (Score:3)
Now I really wonder... are you someone totally incompetent trying to post as a windows admin or just an elaborate troll
Because I really don't see the point to try to push the usage of host files in this community (or any community, for that matter - especially as an alternative to DNS).
Re: (Score:2)
I don't know how many readers Slashdot has these days, but I bet many of them have one elbow on their desk and the palm of their hand on their forehead reading this. I really don't get your agenda either (assuming you are not the AC or in league with the AC that opened this particular topic...). You are simply stating the obvious, but also something utterly impractical in incompatible with the architecture of the Internet. And I'm not even getting started on the basic flaw of your suggested "alternative", w
Re: (Score:2)
I don't think it's worth the energy to debate... your mind is clearly set. But I will at least answer your question. By "alternative", I meant "alternative to the use of DNS" (understand, local host override). By "initial generation" I mean the generation of the host file (regardless if it's done by you or, worse, by someone else). You can't deny that domain name poisoning is really critical at this stage. You only need to have someone malicious having access to your host housekeeping scripts or to one of y
Re: (Score:1)