AUSCERT External Security Bulletin Redistribution

             ESB-2001.074 -- NetBSD Security Advisory 2001-001
                       Multiple BIND vulnerabilities
                             19 February 2001


        AusCERT Security Bulletin Summary

Product:                BIND
Vendor:                 ISC
Operating System:       NetBSD
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
                        User Access
Access Required:        Remote

Ref:                    AA-2001.01

- --------------------------BEGIN INCLUDED TEXT--------------------


                 NetBSD Security Advisory 2001-001

Topic:          Multiple BIND vulnerabilities
Version:        All release versions of NetBSD, and NetBSD-current
Severity:       Remote root execution of commands is possible
Fixed:          NetBSD-current:    January 27, 2001
                NetBSD 1.5 branch: January 28, 2001
                NetBSD 1.4 branch: January 28, 2001


Several security problems were recently found in the ISC BIND
software, used in NetBSD (and many other systems) to provide Domain
Name System (DNS) services.

At least one of these vulnerabilities included the possibility of a
remote root exploit through execution of arbitrary code in an
overflowed buffer.

All systems running DNS servers should remove the vulnerabilities by
updating to a current version of ISC bind by following one of several
recommended procedures.

Technical Details

Technical details of the vulnerabilities are publicised in CERT
Advisory CA-2001-02, and by the ISC at:


This information is not duplicated here.  The purpose of this
advisory is to clarify the vulnerability and appropriate remedial
action for users of affected versions of NetBSD.

CERT identified four separate vulnerabilities present in various
versions of BIND.  The version of BIND included with different NetBSD
releases varies, therefore the vulnerability of those NetBSD releases
also varies, as summarised here:

  CERT#   Descr.                      BIND  NetBSD versions vulnerable
  196945  Trans. Sig. buffer o/f         8  1.4.x, 1.5, current
  572183  nslookupComplain buff. o/f   4    <1.4 only
  868916  nslookupComplain input val.  4    <1.4 only
  325431  Env. variable disclosure     4,8  <1.4, 1.4.x, 1.5, current

Note that although not all vulnerabilities apply to all systems, the
most serious vulnerability (196945) applies to all recent releases and
NetBSD-current, and all versions have some vulnerability.

Users of versions prior to NetBSD 1.4 should see the special note, below.

Solutions and Workarounds

All systems with BIND in use should be fixed; this is all systems
offering DNS services through named(8).

Systems are vulnerable if the version reported by "/usr/sbin/named -v"
is less than 8.2.3, and named is running.

There are several ways that systems administrators may update their
versions of BIND. Each of these mechanisms is described in more detail
in the following subsections.

  * System upgrade via source
  * Replace the system BIND with one from the NetBSD Packages collection.

 Updating via source:

    Users may update their system source, from the appropriate release
    branch or NetBSD-current, and rebuild BIND (as well as other parts
    of the system).

    This method is recommended for users of NetBSD-current and
    technically literate users of the most recent releases on each
    branch (1.4.3 or 1.5).

    Note that the NetBSD release branches contain accumulated changes
    and bugfixes since the most recent release; these changes are
    intended to improve the system, but have not yet been through the
    complete release engineering cycle. Users who wish to remain at a
    formal release should use the pkgsrc method instead.

    System sources can be updated via anonymous CVS, SUP, or via
    download of source tarfiles from the appropriate branch,
    collection or directory:

    Release  CVS branch  SUP collection  FTP directory
    1.4      netbsd-1-4  release-1-4     /pub/NetBSD/NetBSD-release-1-4
    1.5      netbsd-1-5  release-1-5     /pub/NetBSD/NetBSD-release-1-4
    current  HEAD        current         /pub/NetBSD/NetBSD-current

    Systems running NetBSD-current dated from before 2001-01-28 should
    be upgraded to NetBSD-current dated 2001-01-28 or later.  For
    NetBSD-current, see /usr/src/UPDATING for additional instructions,
    as additional dependencies may need to be rebuilt before BIND.

    Systems running either NetBSD-release* branch dated from before
    2001-01-29 should be upgraded to 2001-01-29 or later.

    It is recommended that users tracking inter-release sources do a
    full system update.  Once sources and dependencies have been taken
    care of, the following will rebuild *just* BIND:

      # cd /usr/src/usr.sbin/bin
      # make depend
      # make 
      # make install

 Updating via pkgsrc:

    For many users looking for a quick and specific update, the NetBSD
    packages collection provides a simple mechanism to install a
    current version of BIND directly from the ISC distribution, to
    replace the system version.  

    This technique is applicable to ALL systems, and is recommended
    for urgent fixes. It may be used as a temporary measure even by
    those intending to follow up with a full system upgrade.

    1) First, make sure you have an up-to-date pkgsrc collection (at
       least as recent as 2001-01-28).  This can be obtained via
       anonymous CVS, SUP or FTP from the project servers or mirrors.

    2) Change to the appropriate subdirectory:
       # cd /usr/pkgsrc/net/bind8

    3) Ensure that the pkgsrc version is 8.2.3 or newer:

       # grep PKGNAME Makefile
       PKGNAME=        bind-8.2.3

    4) Build and install the package. This will download the sources
       automatically.  (If prompted to update the pkg tools first, do
       so according to the instructions presented, then return to the
       bind8 directory and resume here).

       # make install

    5) Now you have an up-to-date version of BIND installed in
       /usr/pkg/.  Next, it is necessary to disable the system named,
       and replace it with a link to the new one:

       # cd /usr/sbin
       # mv named named.OFF
       # ln -s /usr/pkg/sbin/named .
       # mv ndc ndc.OFF
       # ln -s /usr/pkg/sbin/ndc .
    6) Next, place a link to the name server configuration file into
       /usr/pkg/etc/named.conf, where the pkgsrc named(8) expects to
       find it:

       # cd /usr/pkg/etc
       # ln -sf /etc/namedb/named.conf .

       (If you keep your named.conf file somewhere other than
       /etc/namedb, adjust the command above accordingly.)

    7) Then kill the running named, and restart from the new one:

       # kill <pid>
       # /usr/pkg/sbin/ndc start

    Pre-compiled binary packages of net/bind8 have been prepared for
    some architectures and NetBSD versions. These can be found under


    You may wish to use one of these instead of having the pkgsrc
    system compile for you. Download the appropriate file for your
    system if available, and use:

       # pkg_add bind-8.2.3.tgz
    to install the pre-built package. Then follow the steps from 5
    above to disable the system named and enable the new one.


    Systems running releases older than NetBSD 1.4 should be upgraded
    to a supported NetBSD version.  

    These releases shipped a version of BIND based on BIND4. Systems
    administrators need to be aware of several configuration mechanism
    changes between BIND4 and BIND8, details can be found at the ISC
    website. BIND8 ships with a script called named-bootconf which
    will assist part of the process.

    The pkgsrc method is expected to work for these systems. It has
    been done successfully in a number of instances, but it has not
    been tested in all cases. It may very well necessitate updating of
    the pkgtools/pkg_install package prior to updating bind, if these
    systems have not had active pkgsrc installations recently.

    The use of BIND4 is no longer encouraged by NetBSD or the ISC;
    nevertheless the current ISC version of BIND4 is available in
    pkgsrc/net/bind4, to provide system adminstrators the option of
    patching the vulnerability quickly and then planning an upgrade to

Thanks To

Thanks go to Jun-Ichiro Hagino for prompt attention to incorporating
the BIND upgrade, and to Havard Eidnes for providing the pull-ups to
the release branches.

Revision History

        2001/02/10 - Initial Release

More Information

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-001.txt,v 1.5 2001/02/10 22:28:27 dan Exp $

Version: 2.6.3ia
Charset: noconv


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key