AUSCERT External Security Bulletin Redistribution
                   ESB-2000.343 -- CERT Advisory CA-2000-20
               Multiple Denial-of-Service Problems in ISC BIND
                              14 November 2000


	AusCERT Security Bulletin Summary

Product:                BIND
Vendor:                 Internet Software Consortium (ISC)
Operating System:       Linux
Impact:                 Denial of Service
Access Required:        Remote

Ref:                    ESB-2000.340

- --------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2000-20 Mulitple Denial-of-Service Problems in ISC BIND

   Original release date: November 13, 2000
   Source: CERT/CC
   A complete revision history is at the end of this file.
Systems Affected

     * Systems running Internet Software Consortium (ISC) BIND version
       8.2 through 8.2.2-P6
     * Systems running name servers derived from BIND version 8.2 through

   The CERT Coordination Center has recently learned of two serious
   denial-of-service vulnerabilities in the Internet Software
   Consortium's (ISC) BIND software.
   The first vulnerability is referred to by the ISC as the "zxfr bug"
   and affects ISC BIND version 8.2.2, patch levels 1 through 6. The
   second vulnerability, the "srv bug", affects ISC BIND versions 8.2
   through 8.2.2-P6. Derivatives of the above code sets should also be
   presumed vulnerable unless proven otherwise.
I. Description

   The Internet Software Consortium, the maintainer of BIND, the software
   used to provide domain name resolution services, has recently posted
   information about several denial-of-service vulnerabilities. If
   exploited, any of these vulnerabilities could allow remote intruders
   to cause site DNS services to be stopped.
   For more information about these vulnerabilities and others, please
   Two vulnerabilities in particular have been categorized by both the
   ISC and the CERT/CC as being serious.
The "zxfr bug"

   Using this vulnerability, attackers on sites which are permitted to
   request zone transfers can force the named daemon running on
   vulnerable DNS servers to crash, disrupting name resolution service
   until the named daemon is restarted. The only preconditions for this
   attack to succeed is that a compressed zone transfer (ZXFR) request be
   made from a site allowed to make any zone transfer request (not just
   ZXFR), and that a subsequent name service query of an authoritative
   and non-cached record be made. The time between the attack and the
   crash of named may vary from system to system.
   This vulnerability has been discussed in public forums. The ISC has
   confirmed that all platforms running version 8.2.2 of the BIND
   software prior to patch level 7 are vulnerable to this attack.
The "srv bug"

   This vulnerability can cause affected DNS servers running named to go
   into an infinite loop, thus preventing further name requests to be
   handled. This can happen if an SRV record (defined in RFC2782) is sent
   to the vulnerable server.
   Microsoft's Windows 2000 Active Directory service makes extensive use
   of SRV records and is reportedly capable of triggering this bug in the
   course of normal operations. This is not, however, a vulnerability in
   Microsoft Active Directory. Any network client capable of sending SRV
   records to vulnerable name server systems can exercise this
   The CERT/CC has not received any direct reports of either of these
   vulnerabilities being exploited to date.
   Both vulnerabilities can be used by malicious users to break the DNS
   services being offered at all exposed sites on the Internet. System
   administrators are strongly recommended to upgrade their DNS software
   with either ISC's current distribution or their vendor-supplied
   software. See the Solution and Vendor Information sections of this
   document for more details.
II. Impact

   Domain name resolution services (DNS) can be disabled on affected
   servers from arbitrary remote hosts.
III. Solution

Apply a patch from your vendor

   The CERT/CC recommends that all users of ISC BIND upgrade to the
   recently-released BIND 8.2.2-P7, which patches both of the
   vulnerabilities discussed in this document. Sites running
   vendor-specific distributions of domain name resolution software
   should check the Vendor Information section below for more specific
   information on how to upgrade to non-vulnerable software.
Restrict zone transfers to trusted hosts

   If it is not possible to immediately upgrade systems affected by the
   "zxfr bug", the ISC suggests not allowing zone transfers from
   untrusted hosts. This action, however, will not mitigate against the
   effects of an attack using the "srv bug".
   Although it has been reported that not allowing recursive queries may
   help mitigate against the "zxfr" vulnerability, ISC has indicated that
   this is not the case.
Appendix A. Vendor Information

The Internet Software Consortium

   For the latest information regarding these vulnerabilities, please
   consult the ISC web site at:

   Our advisory will be available [at]:
   Updated packages will be available from
   OpenLinux Desktop 2.3
   9d8429f25c5fb3bebe2d66b1f9321e61 RPMS/bind-8.2.2p7-1.i386.rpm
   0e958eb01f40826f000d779dbe6b8cb3 RPMS/bind-doc-8.2.2p7-1.i386.rpm
   866ff74c77e9c04a6abcddcc11dbe17b RPMS/bind-utils-8.2.2p7-1.i386.rpm
   6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm
   OpenLinux eServer 2.3
   379c4328604b4491a8f3d0de44e42347 RPMS/bind-8.2.2p7-1.i386.rpm
   b428b824c8b67f2d8d4bf53738a3e7e0 RPMS/bind-doc-8.2.2p7-1.i386.rpm
   28311d630281976a870d38abe91f07fb RPMS/bind-utils-8.2.2p7-1.i386.rpm
   6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm
   OpenLinux eDesktop 2.4
   c37b6673cc9539e592013ac114846940 RPMS/bind-8.2.2p7-1.i386.rpm
   bbe0d7e317fde0d47cba1384f6d4b635 RPMS/bind-doc-8.2.2p7-1.i386.rpm
   5c28dd5641a4550c03e9859d945a806e RPMS/bind-utils-8.2.2p7-1.i386.rpm
   6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm
Compaq Computer Corporation

   SOURCE: Compaq Computer Corporation
   Compaq Services
   Software Security Response Team USA
   Compaq Tru64/UNIX Operating Systems Software are not vulnerable to
   these reported problems.

   Please see Conectiva Linux Security Announcement CLSA-2000:339 at:
   Note: Conectiva Linux Security Announcement CLSA-2000:338, also
   regarding this issue, had a packaging error in it. Users who
   downloaded updates based on CLSA-2000:338 should see CLSA-2000:339 for
   further information.

   Please see Debian Security notice 20001112, bind at:

   All versions of FreeBSD after 4.0-RELEASE (namely 4.1-RELEASE,
   4.1.1-RELEASE and the forthcoming 4.2-RELEASE) are not vulnerable to
   this bug since they include versions of BIND 8.2.3. FreeBSD
   4.0-RELEASE and earlier are vulnerable to the reported problems since
   they include an older version of BIND, and an update to a
   non-vulnerable version is scheduled to be committed to FreeBSD
   3.5.1-STABLE in the next few days.

   HP is vulnerable to these problems and is working to correct them.

   Please see "MDKSA-2000:067: bind" at:
Microsoft Corporation

   Microsoft is currently investigating these issues.

   NetBSD is believed to be vulnerable to these problems; in response,
   NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7 will be
   present in the forthcoming NetBSD 1.5 release.

   Please see "RHSA-2000:107-01: Updated bind packages fixing DoS
   attack", soon to be available at:

   Updated Slackware distributions for bind may be found at:


   The CERT Coordination Center thanks Mark Andrews, David Conrad, and
   Paul Vixie of the ISC for developing a solution and assisting in the
   preparation of this advisory. We would also recognize the contribution
   of Olaf Kirch in helping us understand the exact nature of the "zxfr
   bug" vulnerability.

   Author: This document was written by Jeffrey S. Havrilla and Jeffrey
   P. Lanza. Feedback on this advisory is appreciated.
   This document is available from:
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   If you prefer to use DES, please call the CERT hotline for more
Getting security information

   CERT publications and other security information are available from
   our web site
   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   subscribe cert-advisory
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   Conditions for use, disclaimers, and sponsorship information
   Copyright 2000 Carnegie Mellon University.
   Revision History
   November 13, 2000:  Initial release

Version: PGP for Personal Privacy 5.0
Charset: noconv


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key