-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-006 ================================= Topic: buffer overrun in libc DNS resolver Version: NetBSD-current: source prior to June 26, 2002 NetBSD-1.6 beta:source prior to June 26, 2002 NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: affected All prior NetBSD releases. pkgsrc: net/bind4, bind-4.9.8 and before affected net/bind[89] may be vulnerable emulators/compat1[234] (there could be more) Severity: remote buffer overrun on any application that uses DNS, possible remote root exploit (not confirmed) Fixed: NetBSD-current: June 26, 2002 NetBSD-1.6 branch: June 26, 2002 (1.6 will include the fix) NetBSD-1.5 branch: June 26, 2002 (1.5.3 will include the fix) NetBSD-1.4 branch: June 26, 2002 (1.4.4 will include the fix) pkgsrc: net/bind4, bind-4.9.8nb1 Abstract ======== There was a buffer-length computation bug in BIND-based DNS resolver code. A malicious DNS response packet may be able to overwrite data outside the buffer, and it could lead to attacks as serious as a remote root exploit, though there are no public exploits in circulation at this time. NetBSD uses BIND4-based DNS resolver code in libc, and is found to be vulnerable. As there is no version number identification in the pine.nl advisory, it is uncertain if BIND8/9 resolver code (used in named related tools like /usr/bin/dig) is totally safe either. Technical Details ================= In lib/libc/net/gethnamaddr.c:getanswer() and lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage packet buffer parsing - a pointer to the byte we are looking at, and the remaining length on the buffer. The remaining length was not updated consistently, and malicious DNS responses are able to write outside the buffer. This may present an attacker with the opportunity to insert arbitrary code for execution as the user running the resolver query, potentially root. No exploit script to take advantage of this vulnerability is known at time of writing. It is important to understand that this issue can be triggered in a manner unlike the more common buffer overflows in network daemons. Any outgoing DNS query made to a hostile server would expose the vulnerability. The exploit path includes email sent to Netscape users which automatically display HTML, and hostile web pages which carry embedded objects located on servers in domains with a hostile DNS server. Since client systems in many network environments are permitted to make DNS queries directly to root servers, through routed IPs, or NATs, realize that these systems are vulnerable even if behind a firewall, since they are initiating the outgoing query. As a workaround, it is highly worthwhile considering pointing your client systems at a patched nameserver that does recusive resolution, and blocking all direct query/responses at a gateway or firewall system. This will allow central control over your network environment, and protection while updates are being made to individual clients. This issue was brought to the attention of the NetBSD security-officer very recently. Unfortunately, coordination to deliver a full set of updated binary releases was not possible, and given the severity of this issue, this Advisory is being released immediately. Updates will be made to this advisory providing additional pointers to upgrade resources as available. See also: http://www.pine.nl/advisories/pine-cert-20020601.html Solutions and Workarounds ========================= Releases of NetBSD 1.5.3 and NetBSD 1.6 are imminent. This is a reminder to consider upgrading when they are available, if you are running anything older than NetBSD 1.5.3. Many security-related improvements have been made. Note that any statically-linked binary that makes any DNS query is vulnerable, and cannot be fixed by replacing a shared library. Therefore, updating the entire system is suggested. Note also that shared libraries from other operating systems installed for binary compatibility under /emul may also be vulnerable. Please consult the vendor of those libraries for further details. NetBSD systems ship with BIND8-based nameserver and utilities, and they use separate resolver library codebase in dist/bind (not lib/libc/net). Since we are still not certain if BIND8 is safe, you will need to update the following directories as well before the build if BIND8 is found to be vulnerable: usr.sbin/bind dist/bind * NetBSD-current: Systems running NetBSD-current dated from before 2002-06-25 should be upgraded to NetBSD-current dated 2002-06-26 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): lib/libc/net To update from CVS, re-build, and re-install libc and statically linked binaries: # cd src # cvs update -d -P lib/libc/net # cd lib/libc # make cleandir dependall # make install # cd ../.. # make dependall # make install * NetBSD 1.6 betas: Systems running NetBSD 1.6 betas dated from before 2002-06-25 should be upgraded to NetBSD 1.6 tree dated 2002-06-26 or later. The following directories need to be updated from the netbsd-1-6 CVS branch: lib/libc/net To update from CVS, re-build, and re-install libc and statically linked binaries: # cd src # cvs update -d -P -r netbsd-1-6 lib/libc/net # cd lib/libc # make cleandir dependall # make install # cd ../.. # make dependall # make install * NetBSD 1.5.x: Systems running NetBSD 1.5.x dated from before 2002-06-25 should be upgraded to NetBSD 1.5 tree dated 2002-06-26 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: lib/libc/net To update from CVS, re-build, and re-install libc and statically linked binaries: # cd src # cvs update -d -P -r netbsd-1-5 lib/libc/net # cd lib/libc # make cleandir dependall # make install # cd ../.. # make dependall # make install * NetBSD 1.4.x: Systems running NetBSD 1.4.x dated from before 2002-06-25 should be upgraded to NetBSD 1.4 tree dated 2002-06-26 or later. The following directories need to be updated from the netbsd-1-4 CVS branch: lib/libc/net To update from CVS, re-build, and re-install libc and statically linked binaries: # cd src # cvs update -d -P -r netbsd-1-5 lib/libc/net # cd lib/libc # make cleandir dependall # make install # cd ../.. # make dependall # make install * pkgsrc: bind-4.9.8 (pkgsrc/net/bind4) is vulnerable. Upgrade to bind-4.9.8nb1 is recommended. Note that BIND4 nameserver is considered obsolete by the vendor (ISC), and it is recommended to use BIND9, or BIND8. It is still unclear if bind-[89] is vulnerable or not, therefore, keep yourself informed. Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234]) are vulnerable. There is no fix supplied at this moment. Shared libraries for binary compatibility are available through pkgsrc for some operating systems, and may be vulnerable as noted above if installed. Thanks To ========= Jun-ichiro itojun Hagino for patches, and initial advisory text. Revision History ================ 2002-06-26 Initial release More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-006.txt,v 1.19 2002/06/27 14:30:30 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPRrmJj5Ru2/4N2IFAQHAJQP/VP7uoErXvLTjHnChbw0ucCtKaWen/Gw2 DjejlLgIwhUw8GFgGEjfaqXxtr4CVCgH6vQSd0CrXUJ9gkRbZSiocuGFlXWyGmD6 NinhLq3EdkidyPTs8IEdkOIn04LqAWdIBxbMCU9ZBDtPtO9tudMDS7rNT/r/j6mA Ec/pxiuZlzU= =pXfG -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 15:31:39 PDT