Operating System:

Published:

27 May 2005

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2005.0397 -- UNIRAS ALERT - 16/05
                 NISCC Vulnerability Advisory DNS - 589088
                                27 May 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Publisher:         UNIRAS
Impact:            Denial of Service
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-0038 CAN-2005-0037 CAN-2005-0036

Comment: Further information regarding vulnerable implementations of DNS is
         available from the following site:
         
         http://www.niscc.gov.uk/niscc/vulnAdv-en.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------------------
      UNIRAS (UK Govt CERT) ALERT - 16/05 dated 24.05.05  Time: 13:00  
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- - ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------

Title
=====
NISCC Vulnerability Advisory DNS - 589088

Detail
====== 

NISCC Vulnerability Advisory 589088/NISCC/DNS

Vulnerability Issue in Implementations of the DNS Protocol

Version Information
- - -------------------
Advisory Reference  589088/NISCC/DNS
Release Date	    24 May 2005
Last Revision	    24 May 2005
Version Number	    1.0

Acknowledgement
- - ---------------
This issue was identified by Dr. Steve Beaty from the Department of Mathematical and 
Computer Sciences at the Metropolitan State College of Denver.

What is affected?
- - -----------------
The vulnerability described in this advisory affect the Domain Name System (DNS) 
protocol. Many vendors include support for this protocol in their products and may be 
impacted to varying degrees, if at all.  

Please note that the information contained within this advisory is subject to 
changes. All subscribers are therefore advised to regularly check the NISCC website 
for updates to this notice.

Impact
- - ------
If exploited, this vulnerability could allow an attacker to create a Denial-of-Service 
condition.

Severity 
- - --------
The severity of this vulnerability varies by vendor; please see the 'Vendor Information' 
section below for further information. Alternatively contact your vendor for product 
specific information. 

Summary
- - -------
A vulnerability affecting the Domain Name System (DNS) protocol was identified by Dr. Steve
Beaty from the Department of Mathematical and Computer Science of Metropolitan State
College of Denver.

The Domain Name System (DNS) protocol is an Internet service that translates domain 
names into Internet Protocol (IP) addresses. Because domain names are alphabetic, 
they're easier to remember, however the Internet is really based on IP addresses; 
hence every time a domain name is requested, a DNS service must translate the name 
into the corresponding IP address.

The vulnerability concerns the recursion process used by some DNS implementations to 
decompress compressed DNS messages. Under certain circumstances, it is possible to cause the 
DNS server to terminate abnormally.

All users of applications that support DNS are recommended to take note of this 
advisory and carry out any remedial actions suggested by their vendor(s).

[Please note that revisions to this advisory will not be notified by email. All 
subscribers are advised to regularly check the NISCC website 
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]

Details
- - -------
Under certain circumstances, it is possible to cause both DNS servers and DNS clients to 
terminate abnormally by sending it malformed messages.

The text portions of DNS messages are specified by first giving the character count, 
followed by the characters themselves. For example to specify 'test.test.com', the message 
would look like '0x04test0x04test0x03com0x00' using 16-bit numbers. From RFC1035, Section 
4.1.4 "Message Compression" specifies a way to create smaller messages so that they can 
easily fit into a DNS UDP packet. Hence if the top two bits of the label length byte are 1, 
the remaining 14 bits specify an offset from the beginning of the text on where the 
remaining characters can be found. This way, redundant information can be removed and hence 
create a smaller message.

Given this type of DNS message, the most obvious method to decode it is by using recursion. 
However consider a message that contains a code that instructs the DNS process to go to an
illegal address once the end of the string is reached; if recursion is used to decode such a 
message, some DNS implementation may enter into a loop and eventually exhaust the stack. If 
this happens, then it would be possible for the DNS service to terminate and hence cause a 
denial-of-service condition.

The following CVE IDs have been allocated for this vulnerability:

.	CAN-2005-0036
.	CAN-2005-0037
.	CAN-2005-0038

Please refer to the 'Vendor Information' section for further details on how the CVE IDs are assigned.

Mitigation
- - ----------
Patch all affected implementations.

Solution
- - --------
Please refer to the 'Vendor Information' section of this advisory for platform specific 
remediation.

Vendor Information
- - ------------------
A list of vendors affected by this vulnerability is not currently available. Please 
visit the web site at http://www.niscc.gov.uk/niscc/vulnAdv-en.html in order to 
check for updates.

Credits
- - -------
The NISCC Vulnerability Team would like to thank Dr. Steve Beaty, who identified this 
vulnerability and reported it to NISCC, and who assisted NISCC in producing the test tools 
for this issue. 

The NISCC Vulnerability Team would also like to thank the vendors for their co-operation 
in handling this vulnerability and to JPCERT/CC for co-ordinating this issue in Japan.

Contact Information
- - -------------------
The NISCC Vulnerability Management Team can be contacted as follows:

Email	   vulteam@niscc.gov.uk 
           Please quote the advisory reference in the subject line

Telephone  +44 (0)870 487 0748 Ext 4511
           Monday - Friday 08:30 - 17:00

Fax	   +44 (0)870 487 0749

Post	   Vulnerability Management Team
           NISCC
           PO Box 832
           London
           SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key. This is 
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be sent to the email 
address above. 

If you wish to be added to our email distribution list please email your request to 
uniras@niscc.gov.uk.
 
What is NISCC?
- - --------------
For further information regarding the UK National Infrastructure Security Co-ordination 
Centre, please visit http://www.niscc.gov.uk.
 
Reference to any specific commercial product, process, or service by trade name, trademark 
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or 
favouring by NISCC. The views and opinions of authors expressed within this notice shall not 
be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within 
this advisory. In particular, they shall not be liable for any loss or damage whatsoever, 
arising from or in connection with the usage of information contained within this notice.

C 2005 Crown Copyright 
<End of NISCC Vulnerability Advisory>

- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of the NISCC Vulnerability Team for 
the information contained in this Briefing. 
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQpMXCIpao72zK539AQHpawP/cvIgSk4CZwbZij4rjvr3VDnpVSnRcEya
mUdEMKE6zR5UgFyqIzbQ7RR+GihJW/QcuOxFrV2TlwQB+W7SJDUMPhmZoWs61vil
EWp9lDlBwXn2ZfSL4ktU0Xh7teag1i3cTds+Nv8wOSwrVJPrjOG337HUbqL8sBIa
OK0R77VvmMI=
=6ras
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQpaL+yh9+71yA2DNAQJZagP/ehvl1CaDJTRoO3jSnnmeKHtIzd7NNWWw
uCaYTKcYh5GF84mriJf6T3Zt6PcQVDBBNVZhuhQK8cjpQnKUMXrwv3tMb4DhNmX/
8No2fDpZpPGnoiO9XUKUF+80S6jAcE+tW3z3I7uZLLzVyorLjp/9nzJQQydFkhaa
2BoYeEigIao=
=a1Ma
-----END PGP SIGNATURE-----