The Computer Emergency Response Team (CERT) issued an advisory today regarding Internet Software Consortium (ISC) BIND, a popular DNS service used by many network administrators. The advisory warns of four serious problems that affect all versions of BIND in the 4.9.x series prior to 4.9.8, as well as the 8.2.x series prior to 8.2.3. BIND versions in the 9.x series are unaffected by the latest discoveries.
The first problem is an unchecked buffer in the transaction signature (TSIG) handling code in BIND 8, which could let attackers execute arbitrary code on the OS. The next two problems are unchecked buffers in the nslookupComplain() function of BIND 4, both of which let attackers execute arbitrary code on the OS. The fourth problem is a data leak that lets an intruder access the system's memory stack, possibly exposing program and environment variables.
CERT has issued 12 documents since 1997 related to vulnerabilities in BIND software; however, many administrators continually fail to upgrade their software. According to CERT, after it issued a BIND advisory on November 10, 1999, the organization continued to receive reports of related system compromises 13 months later, well into December 2000. Charts embedded in CERT's latest advisory show that attacks reached their maximum approximately 2 months after CERT released the advisory, indicating that intruders pay more attention to vulnerability information than network administrators do.
BIND runs on many UNIX systems, many of which support critical Internet infrastructure, a fact that underscores the severity of the recently exposed problems. However, BIND vulnerabilities might also affect Windows-based networks running versions of BIND ported to Windows systems, such as BIND 8 for Windows NT, which is based on BIND 8.2.2, and BIND 4.9.3, which has also been ported to Windows.