DoS Hole Has Some DNS Servers In a BIND

CERT says Domain Name System servers running ISC BIND 9 prior to 9.2.1 are at risk. The weakness could affect some HP, Caldera, Red Hat, and SuSE servers.
A weakness discovered Tuesday in Domain Name System (DNS) servers running ISC BIND 9 prior to 9.2.1 has prompted an advisory warning of potential denial-of-service attacks. The memo from the CERT Coordination Center (CERT) said the threat could be widespread, since the BIND DNS server runs on the vast majority of name servers on the Internet. The problem could even affect non-BIND servers indirectly, because the normal operation of most Internet services "depends on the proper operation of DNS servers," CERT said.

In its advisory, CERT said, "a vulnerability exists in version 9 of BIND that allows remote attackers to shut down BIND servers. An attacker can cause the shutdown by sending a specific DNS packet designed to trigger an internal consistency check. However, this vulnerability will not allow an attacker to execute arbitrary code or write data to arbitrary locations in memory."

CERT said the weakness does not appear to affect ISC (Internet Software Consortium) BIND versions 8 and 4, nor non-BIND name server software; SGI's IRIX was also listed as unaffected.

According to the advisory, the internal consistency check that triggers the shutdown fires when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL as expected. The failed check causes the code to log an assertion error and call abort(), shutting down the BIND server. In other words, the bug is a crash rather than a memory-corruption flaw: a single crafted packet stops the name server process, and every service that relies on it for resolution suffers until it is restarted. CERT said it is also possible to trigger the condition accidentally with common queries seen in routine operation, especially queries originating from SMTP servers. The vulnerability was found through routine bug analysis.

ISC said it strongly recommends that all BIND 9 users upgrade immediately to 9.2.1. A quick check of server and software vendors found affected products from Caldera (Open UNIX), Hewlett-Packard, SuSE Inc. (SuSE Linux), MandrakeSoft (Mandrake Linux 8.x), and Red Hat (Red Hat Linux 7.1, 7.2, and 7.3).
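The failure mode CERT describes, an internal consistency check on a parameter that handling of a remote message can disturb, with a failed check aborting the whole daemon, is easier to see in code. The following is an added illustration written for this article, not BIND source code: the structures and function names (rdataset_t, section_t, find_rdataset_unsafe, find_rdataset_safe, lookup_once, process_query) are hypothetical, the REQUIRE() macro is a stand-in for an assertion-style check, and the lookup is a toy version of what dns_message_findtype() does. It places a precondition that calls abort() beside the same precondition reported as an error the caller can handle for that one query.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical REQUIRE(): an assertion-style precondition that aborts the
 * whole process when it fails. This is the pattern behind the shutdown the
 * advisory describes; it is not BIND's macro. */
#define REQUIRE(cond)                                                  \
    do {                                                               \
        if (!(cond)) {                                                 \
            fprintf(stderr, "REQUIRE(%s) failed, aborting\n", #cond);  \
            abort();                                                   \
        }                                                              \
    } while (0)

/* Toy stand-ins for a parsed DNS message section and its rdatasets. */
typedef struct {
    int type;          /* record type: 1 = A, 15 = MX (illustrative) */
    const char *data;  /* record payload (illustrative) */
} rdataset_t;

typedef struct {
    rdataset_t *sets;
    int count;
} section_t;

enum { LOOKUP_FOUND = 0, LOOKUP_NOTFOUND = 1, LOOKUP_BADARG = 2 };

/* Vulnerable pattern: the out-parameter must point to NULL on entry. If an
 * earlier step of handling the same message already filled it in, the
 * precondition fails and REQUIRE() aborts the daemon, so one message ends
 * name service for everyone. */
static int find_rdataset_unsafe(const section_t *sec, int type, rdataset_t **out)
{
    REQUIRE(out != NULL && *out == NULL);
    for (int i = 0; i < sec->count; i++) {
        if (sec->sets[i].type == type) {
            *out = &sec->sets[i];
            return LOOKUP_FOUND;
        }
    }
    return LOOKUP_NOTFOUND;
}

/* Hardened pattern: the same precondition, but a violation becomes an error
 * code. The caller can fail this one query (SERVFAIL or drop) and carry on. */
static int find_rdataset_safe(const section_t *sec, int type, rdataset_t **out)
{
    if (out == NULL || *out != NULL)
        return LOOKUP_BADARG;
    for (int i = 0; i < sec->count; i++) {
        if (sec->sets[i].type == type) {
            *out = &sec->sets[i];
            return LOOKUP_FOUND;
        }
    }
    return LOOKUP_NOTFOUND;
}

/* One lookup with a correctly initialised out-pointer. Both variants behave
 * the same here; the difference only shows when the precondition is broken. */
static int lookup_once(const section_t *sec, int type,
                       int (*finder)(const section_t *, int, rdataset_t **))
{
    rdataset_t *rd = NULL;
    return finder(sec, type, &rd);
}

/* Simulated handling of a message that needs two record types and reuses
 * the out-pointer without resetting it between lookups. With the unsafe
 * finder the second call aborts the process; with the safe finder it
 * returns LOOKUP_BADARG and the caller can answer with an error. */
static int process_query(const section_t *sec, int first_type, int second_type,
                         int (*finder)(const section_t *, int, rdataset_t **))
{
    rdataset_t *rd = NULL;
    int rc = finder(sec, first_type, &rd);
    if (rc != LOOKUP_FOUND)
        return rc;
    /* Bug: rd still points at the first result when the second lookup runs. */
    return finder(sec, second_type, &rd);
}

/* Constructed sample section for this example. */
static rdataset_t sample_sets[] = {
    { 1,  "192.0.2.10" },
    { 15, "mail.example.org" },
};
static section_t sample_section = { sample_sets, 2 };

int main(void)
{
    int rc = process_query(&sample_section, 1, 15, find_rdataset_safe);
    printf("hardened lookup: rc=%d (%s), server still running\n", rc,
           rc == LOOKUP_BADARG ? "bad argument, query failed" : "ok");
    /* process_query(&sample_section, 1, 15, find_rdataset_unsafe) would
     * print a REQUIRE failure and abort() instead of returning. */
    return 0;
}
```

Build with `cc -std=c99 -o assert_dos assert_dos.c` and run it; swap find_rdataset_safe for find_rdataset_unsafe in main and the process dies on the second lookup, which is the outcome the advisory describes for the real server. The point for any daemon facing the network: assertions are for invariants the code itself guarantees, not for conditions that input, or earlier handling of input, can disturb, because a failed assertion is a remote off switch.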
Each of the vendors said they were aware of the problem and were either working on errata packages or already had them available for download. At press time, Nortel Networks said it was reviewing its portfolio to determine whether any of its products are affected by the vulnerability noted in the CERT advisory.

The Berkeley Internet Name Domain package was originally written at the University of California at Berkeley as a graduate student project under a grant from the U.S. Defense Advanced Research Projects Agency (DARPA). Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. The package maps domain names to IP addresses. It supplies the major components of the Domain Name System: a DNS server (named); a DNS resolver library; and tools for verifying the proper operation of the DNS server. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service.

This is not the first time CERT has had to warn about vulnerabilities in BIND. In January 2001, CERT released an advisory detailing four security holes in older versions of BIND and urged all users to upgrade to BIND 4.9.8, BIND 8.2.3 or BIND 9.1. Since 1997, CERT has published 12 documents detailing vulnerabilities in the software, which has earned it the nickname "Buggy Internet Name Daemon" in some quarters. CERT has published a copy of the advisory describing the current problem.

Meanwhile, the debate about whether Linux is safe flared up again. On the pro-Linux side, a trio of high-tech CEOs joined forces in a move to unseat IBM as the Linux vendor of choice.
Oracle CEO Larry Ellison, Dell Computer CEO Michael Dell, and Red Hat CEO Matthew Szulik said they are fully committing themselves to Linux for the enterprise. "We have woven a relationship that has culminated into a unique industry partnership encompassing business collaboration, technical leadership, and a focus on customer service at its core," said Dell.

The partnership will be based on Dell PowerEdge servers and Dell EMC and PowerVault storage systems, Release 2 of Oracle9i Database with Real Application Clusters, and the Red Hat Linux Advanced Server operating system. For the first time in Oracle's history, Oracle said it would also offer operating system front-line support for Red Hat Advanced Server. The two companies said they have been pooling resources on the technical enhancements.

"There are two ways you make Linux more reliable: one is you provide much better support, which we're doing, and the second is with a cluster to provide fault tolerance," said Ellison. "If we do our job well, there's no need to build a bigger, faster machine, which will be just too expensive and too unreliable comparatively. Rather than buying a big IBM server, you buy a rack of RAC."

RAC, or Real Application Clusters, is what Oracle has been touting as the "Unbreakable" part of its software. The idea is to divide a large task into subtasks and distribute the subtasks among multiple nodes, so that the task completes faster than if a single node did all the work, and so that the loss of one node does not take the whole database down.

The partnership has already tallied its first major contract. The Federal Aviation Administration's Air Traffic Control System Command Center in Herndon, Virginia is installing a system to support 2,000 concurrent users on an Oracle9i RAC system using Dell servers on Red Hat Linux. The system, known as the National Log, will act as a central clearinghouse database for users in air traffic centers across the country.

Despite all the hoopla, IBM was the first to ship a database for Linux, back in 1999.
The Armonk, NY-based juggernaut was also the first to ship a database offering that supports Linux clusters. Oracle still trails IBM's DB2 database offering, and Dell would certainly like to take market share from Big Blue's server lineup. Among the three companies, Red Hat has the most to win, since it does serious business with all of the players. "Today's announcement validates the performance of Red Hat Linux Advanced Server and the technical strength of our team," said Szulik. "Together, we have created the tools and capabilities customers need to rapidly migrate applications to an enterprise-class Linux environment."

Release 2 of Oracle9i Database, Application Server and Oracle9i Developer Suite on Linux is currently available as a free download from the Oracle Technology Network. A Red Hat Package Manager (RPM) build of Oracle9i JDeveloper on Linux is expected to be made available for developers using Red Hat.

The anti-Linux camp was quick to strike back. The Alexis de Tocqueville Institution, a conservative U.S. think tank, plans to release a white paper Friday that goes so far as to suggest that terrorists may find it easier to hack U.S. networks run on open source infrastructure. "Computer systems are the backbone to U.S. national security," said Gregory Fossedal, chairman of ADTI. "Before the Pentagon and other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential consequences carefully."

But the Pentagon has conducted its own study, one that has led the traditionally close-mouthed Defense Department to ally itself with the open source movement, and not with vendors of proprietary systems such as Microsoft, as ADTI advocates.
"Banning open source would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to protect themselves against cyberattacks," concluded a May 10 report prepared by Mitre Corp., a non-profit that operates federally funded research and development centers for the DoD, FAA, and IRS. The Mitre report further suggests that open source software is often more secure and less expensive than proprietary software.

The even more secretive National Security Agency (NSA), which specializes in cryptography, is also working with Linux, though it has not taken sides in the open source versus proprietary debate and is working with the platform only in a research capacity. The agency's Information Assurance Research Group has been heading a project to create Security-Enhanced Linux, a modified version of the Linux kernel with a "strong, flexible mandatory access control architecture incorporated into the major subsystems of the kernel." The agency said its system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. "This allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications."

The agency said it selected Linux for the platform because "its growing success and open development environment provided an opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time, contribute to the security of a widely used system. Additionally, the integration of these security research results into Linux may encourage additional operating system security research that may lead to additional improvement in system security."

U.S. agencies are not the only ones turning to Linux.
On Monday, the German Ministry of the Interior forged a deal with IBM to standardize the German government on Linux and open source IT. Military and intelligence agencies in North America, Europe, and Asia, including the U.S., Canada, Germany, France, England, Spain, China, and Singapore, have invested in Linux systems. China's post office runs on the platform; so too do France's culture, defense and education ministries.

But Ken Brown, author of ADTI's forthcoming Opening the Open Source Debate white paper, argued that the U.S. needs to slow down and hold a national debate on the suitability of open source systems in vital areas that touch on national security. "We're recommending further study," Brown said. "We're not saying that one type of software, proprietary, is better than open source." Brown, who characterized himself as pro-open source, noted that ADTI is not composed of open source experts or cryptographers, though it interviewed many experts to create its report. He also noted that when it comes to security, ADTI is more concerned with the terms of the GNU General Public License (GPL), which requires that any modified version of GPL-licensed code, if distributed, be released under the GPL with its source freely available to all.

"There isn't a software that cannot be cracked," he said. "Our position is that if a platform is proprietary it is vulnerable because not enough people can see it. We feel that a platform everyone can see may be even more vulnerable." Brown explained that while ADTI believes pooled talent is highly beneficial in software development, it is naive to allow "bad guys" as well as "good guys" into that talent pool. "This volunteer community of people is as good as a group of people that's been screened for security? Screened for credibility? Screened for reliability?" he asked. He also raised the specter of back doors and viruses woven into critical software patches.
"I don't see any reason why we shouldn't have a national debate, with in-depth discussion and rigorous testing on this topic," he said. Brown neither confirmed nor denied that ADTI receives funding from Microsoft or firms representing the company, which has been at pains to denounce open source software as insecure. "We don't discuss funding," Brown said.