CERT Coordinating Center warns of DNS software vulnerabilities

CERT Coordinating Center warns of DNS software vulnerabilities

By William Jackson

GCN Staff

JAN. 29—The CERT Coordinating Center at the Software Engineering Institute at Pittsburgh's Carnegie Mellon University announced what it called serious vulnerabilities in Domain Name Server software that could affect every service on the Internet.

CERT manager Jeffery Carpenter said the organization took the unusual step of publicizing the vulnerabilities to ensure that network managers install safe versions of the Berkeley Internet Name Domain Server software.

'We are not aware of any active exploits of the vulnerabilities,' Carpenter said, but he added it is only a matter of time before tools to exploit the BIND vulnerabilities are developed.

In the past, exploitation of BIND vulnerabilities was reported long after patches were made available. For instance, exploitation of a problem reported in November 1999 was seen through last December.

BIND is software from the Internet Software Consortium that translates uniform resource locators into IP addresses. Nearly all Internet traffic relies on this translation, and BIND is the most common translation software running on Domain Name Servers. Two of the recently announced vulnerabilities are buffer overflow problems in BIND versions 4 and 8. The other vulnerabilities are an input validation error in Version 4 and an information leak in both versions.

Three of the current vulnerabilities were identified by the Computer Vulnerability Emergency Response Team Lab of PGP Security, a unit of Network Associates Inc. of Santa Clara, Calif. Jim Magdych, manager of PGP's COVERT Lab, said the vulnerabilities were discovered over the last several months in an audit of BIND software. ISC moved quickly to prepare patches, he said.

BIND Version 9 is not affected by the vulnerabilities. Patches for the vulnerabilities have been included in versions 8.2.3 and 4.9.8.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.