Internet security in a BIND

Three new vulnerabilities were uncovered in BIND, the software used by most DNS servers to map names on the Internet. While patches were posted as soon as the announcement was made, questions were raised about members-only security announcements.

On January 29, Network Associates, Inc.'s (NAI) Covert Labs announced three new vulnerabilities in BIND (Berkeley Internet Name Daemon), the software used by most domain name system (DNS) servers to map names to addresses on the Internet. The advisory includes a buffer overflow when processing a transaction signature record that could result in a vulnerable name server either crashing or being broken into remotely.

BIND software is used by all root servers and top level domains, as well as being part of all versions of Unix, both commercial and open source. A vulnerability in BIND that provides an exploitable buffer overflow is akin to a master key that could allow you to break into the most important servers on the Internet.

Is the Internet becoming more exposed? YES

The Internet Software Consortium (ISC) posted an announcement, along with patched versions of the affected software, almost immediately. At about the same time, CERT e-mailed an advisory that included a list of vendors that had responded with their level of vulnerability and patches to the bugs in BIND.

CERT has published five other advisories regarding BIND since 1997, as well as issuing many warnings in quarterly activity summaries. Despite this daunting record of security issues, BIND remains the overwhelming choice for DNS server software. The only well-known replacement for BIND is Daniel Bernstein's djbdns. Written specifically to be secure, djbdns includes a server named tinydns and uses a completely different set of configuration files from those in BIND. While djbdns is an appropriate choice for small sites, you will not see the root name servers moving away from BIND anytime soon because of BIND's maturity and performance.

The newest version of BIND, version 9.1.0, is a complete rewrite of the BIND software and has not yet been the subject of any security advisories. Current users of BIND should get patches from their operating system vendors, or download the source from ISC and build their own updated version. While many people are staying with the current version levels, some are migrating to 9.1.0.

Microsoft announced that none of its products were vulnerable, which is not surprising, as Microsoft is the only major operating system vendor that does not include some version of the BIND software.

As often happens, the vulnerability announcement was closely followed by the publication of exploit code, also on Bugtraq. Two days after the initial announcement, an anonymous poster e-mailed an exploit that purported to convert a running version of BIND on a target Linux or BSD server into a command shell interpreter running as root, the most privileged Unix user. The "exploit" was actually a Trojan in disguise that flooded NAI's DNS server with UDP packets.

The BIND 8 Trojan exploit appeared to contain valid code designed to execute on the target server, but instead started a second copy of itself, opened a network socket, and began an infinite loop that sent garbage to NAI. The Trojan was uncovered quickly, and while some blamed Bugtraq for posting the Trojan, most people agreed that Bugtraq was not to blame -- any security geek knows that you shouldn't trust exploit code. A real example of the BIND 8 exploit was posted to Bugtraq several days later. This version was purposely broken to prevent it from being used by script kiddies without extensive modification.

The NAI Covert Labs announcement managed to blindside many Unix distributors. Announcements of patched versions of the BIND software first for Linux and then for BSD appeared over the next two days. There was also an announcement by ISC's Paul Vixie of a new membership-only, fee-based distribution list called bind-members. Membership is available only to vendors incorporating BIND in their operating systems, and then only after they have received some security training. Subscribers to the bind-members list are to get advance information about vulnerabilities.

Vixie's announcement led to considerable debate--most of the comments posted were negative--on Bugtraq, a full-disclosure forum and mailing list. Dragos Ruiu, organizer of the CanSecWest security conference in Vancouver, B.C., denounced the move in a posting on Bugtraq: "This bind cabal idea is just broken as long as none of us have any choice but to run bind if we want to use the Internet." Sentiment against the notion of a members-only security announcement list ran high.

While many in the Open Source community took umbrage at the idea of a members-only security list, the idea actually appears to be sound. CERT already contacts vendors with information about vulnerabilities before they publish their advisories. Vendors, especially the large, commercial UNIX vendors, take some time to test any patches they may add, and the advance notice gives them this opportunity. The bind-members list would work the same way, by sharing advance notice so that patches can be ready when an advisory of vulnerabilities is made, rather than days later. ISC has made provisions for non-profit OS distributors of Linux and BSD to be included at no charge.

In truth, the complaints about the formation of a 'cabal' appear unmerited.

Rik Farrow is an independent Unix and Internet security consultant who has specialized in Unix system administration and security since 1984. He is an instructor for the Computer Security Institute and has led training sessions at many US and European user groups. Farrow is the author of UNIX System Security, and writes columns for Network Magazine, ;login:, and several Web-based magazines.