
Running BIND 4 or 8? Upgrade!

jamie posted more than 13 years ago | from the someone-was-bound-to-find-these dept.


The Dev was the first of several zillion to point out that security holes were found in BIND. The detailed table of known vulnerabilities will help clarify (and it has tarball links too), but the short version is, if you're running BIND 4 or BIND 8, set aside some time today to upgrade to 4.9.8 or 8.2.3 (not beta, betas of 8.2.3 are vulnerable). And now's a good time to reconsider version 9, too. SecurityFocus warns that the last time a BIND hole of this magnitude was found, it was followed by a "cyber-crime wave." Exploits for these holes were successfully created by COVERT Labs, but nobody seems to know whether they're in the wild yet. Obviously, they soon will be. Post your questions and answers about upgrading below.


Re:How about ... (1)

Anonymous Coward | more than 13 years ago | (#471176)

Yes, it works. I moved all of the sites I maintain to djbdns during the last round of BIND vulnerabilities. IMHO, use djbdns and junk BIND, and while you're at it, use Qmail and junk Sendmail

Re:OpenBSD Immune (1)

Anonymous Coward | more than 13 years ago | (#471177)

So how come there's a patch on the OpenBSD
website? And it's a big patch. And no
comment on the website.

Applying it to my heavily loaded production
2.6 is promising to be a bitch, because the
patches given are for later versions.

what is bind? (1)

Anonymous Coward | more than 13 years ago | (#471178)

so what is bind, and what's it used for?

please don't dismiss this cos i'm an AC. thanks

Build your own 8.2.3 RPMs - here's how (1)

Anonymous Coward | more than 13 years ago | (#471179)

If you can't get the 8.2.3 binary RPMs, here's how you can build your own: Get the 8.2.2_P7 src rpm and the bind-src.tar.gz, bind-doc.tar.gz and bind-contrib.tar.gz. Install the source RPM, then copy the .tar.gz files to /usr/src/redhat/SOURCES (overwriting the old versions). Edit /usr/src/redhat/SPECS/bind.spec: Set the version to 8.2.3 and comment out the following lines with a "#":

#%patch3 -p1 -b .glibc21
#%patch4 -p1 -b .host
#%patch5 -p1 -b .mx
#%patch6 -p1 -b .ttl
#%patch7 -p1 -b .restart

Then, build the thing with "rpm -bb bind.spec". After that has gone through, you will find the binary RPMs in /usr/src/redhat/RPMS. Install them and don't forget to shut down and restart the named process ("service named restart")...

Re:djbdns is the way to go! (1)

Dom2 (838) | more than 13 years ago | (#471180)

Say, what license was that again? Are you *sure* you're allowed to use it?

-Dom

Re:attn slashdot editors: (1)

kashani (2011) | more than 13 years ago | (#471181)

Except that most of us who take running a network fairly seriously knew about it on 1/26 and upgraded immediately. 16 total servers. If we can manage that, most of the guys with 1 and 2 servers can patch theirs.

Re:attn slashdot editors: (1)

Chris Burke (6130) | more than 13 years ago | (#471185)

What, you don't think black hats read bugtraq? Maybe you think they make you show your white hat membership card before you can join the mailing list. Heh.

/. is actually very late in reporting this, and I'm a bit disappointed. The Reg had it hours ago, and of course that came hours after it was on Bugtraq. Still, I'd think that someone must have noticed and submitted to /. earlier than this appeared, which leaves the editors as the bottleneck.

What you seem to not get is that everyone for whom this kind of thing is important already read about it on bugtraq/securityfocus and upgraded. All the kiddies are already spreading whatever software someone wrote for them. Now it's time for the rest of us to learn about this and upgrade, and a /. posting is a good way to get the awareness out.

Good /., but next time a little quicker, eh?

Re:Who needs BIND? (1)

Chris Burke (6130) | more than 13 years ago | (#471186)

If djbdns was used on every server instead of BIND, there'd probably be problems found with it too.

No doubt. There are always problems with software, and it takes effort to find them. But the poster would have us believe that no bugtraq listings == no bugs. Riiight. Sorry, but my drivers license doesn't list my date of birth as yesterday.

BIND (1)

tsikora (6430) | more than 13 years ago | (#471187)

Perfect time for ... Slack! Dump those inferior and untrusted distro's.

RedHat.com...still no updates (1)

wenzi (6465) | more than 13 years ago | (#471188)

As I am waiting, redhat.com still has not posted updated RPM's for 6.2. It seems they were done Sat, but are still waiting QA. I guess they were watching the Super Bowl. You can get the 'unofficial' one from here http://www.linux-easy.com/rh-updates/ [linux-easy.com]

Re:djbdns is the way to go! (1)

Dionysus (12737) | more than 13 years ago | (#471195)

What, you think only software under the GPL can be legally used?

Let's see: this page [cr.yp.to] sets the limit for distribution, and this page [cr.yp.to] has a discussion on Bernstein's thoughts on licenses.

Or if you are too lazy to go to the link of the last one, let me quote:
What does all this mean for the free software world? Once you've legally downloaded a program, you can compile it. You can run it. You can modify it. You can distribute your patches for other people to use. If you think you need a license from the copyright holder, you've been bamboozled by Microsoft. As long as you're not distributing the software, you have nothing to worry about.

Wanna try again?

Re:Who needs BIND? (1)

Dionysus (12737) | more than 13 years ago | (#471196)

Following the same analogy, if Linux was run on all the servers that WindowsNT does, it would have problems too?

Does it mean that because OpenBSD is used less than Linux/Windows/whathaveyou, that it is probably as bad as the more used?

djbdns was designed with security in mind, BIND was not, and neither is the new version (by the author's own admission). djbdns uses the KISS principle. BIND does not.

The author of djbdns has a reward out for his software. He is *that* confident in his work. Would you bet money on BIND?

Re:Who needs BIND? (1)

Dionysus (12737) | more than 13 years ago | (#471197)

All software has bugs. OK. BIND has a track record of having security related bugs.

Maybe we should be more forgiving to Microsoft security issues then?

Re:what is bind? (1)

Panaflex (13191) | more than 13 years ago | (#471199)

Bind is what takes http://slashdot.org and translates it to 64.28.67.48. The URL means nothing to your TCP stack, the router behind it, and all the networks behind that. Only the IP number matters.

Pan

Re:yeah... (1)

Panaflex (13191) | more than 13 years ago | (#471201)

I guarantee you that Akamai will patch far faster than microsoft did their own DNS servers.

Re:yeah... (1)

Panaflex (13191) | more than 13 years ago | (#471202)

Like Windows? Even microsoft is now using Linux based DNS servers (Akamai).

Enjoy
Panaflex

Re:yeah... (1)

Panaflex (13191) | more than 13 years ago | (#471203)

Sorry to be in bad form.. Here's some anti-troll for you.

>nslookup www.microsoft.com
Server: trusty
Address: 172.16.20.16

Non-authoritative answer:
Name: www.microsoft.akadns.net
Addresses: 207.46.230.219, 207.46.230.229, 207.46.230.218
Aliases: www.microsoft.com

Re:RedHat.com...still no updates (1)

dr_labrat (15478) | more than 13 years ago | (#471209)

try using this one:

http://rpmfind.net/linux/RPM/redhat/6.2/updates/i386////bind-8.2.3-0.6.x.i386.html

Re:I am amazed... (1)

jilles (20976) | more than 13 years ago | (#471212)

Most security leaks are a direct consequence of using languages like C. People claim it is possible to program safely in C, however, incidents like this prove them wrong.

Re:OpenBSD Immune (1)

artg (24127) | more than 13 years ago | (#471213)

If OpenBSD maintainers found it that long ago, did they report it to the Bind authors ?
If they did, why wasn't it fixed before ?
And why did Bugtraq only just hear of it ?

Re:BIND upgrade (1)

ShadowDragon (40886) | more than 13 years ago | (#471223)

8.2.2 conf files even. Of course I did not get much sleep because of said late night work.

BIND upgrade (1)

ShadowDragon (40886) | more than 13 years ago | (#471224)

Well I spent 3.5 hours last night upgrading all of our servers to 8.2.3

To ease anyone's fears, 8.2.3 works just fine with existing 8.2.3 conf files, so all you need to do is make the tarball and stop/start named.

Follow the link. (1)

ASCIIMan (47627) | more than 13 years ago | (#471225)

They haven't used that icon since June 2000.

Now it would be cool to have super human vision, but I definitely would not say the same about this story.
BIND vulnerabilities are *NOT* cool.

Re:Time to dump C (1)

ASCIIMan (47627) | more than 13 years ago | (#471226)

Except "real languages" suck when it comes to speed.

Re:I am amazed... (1)

tfb (49770) | more than 13 years ago | (#471230)

If you implement security critical software in a language which has no bounds checking, I think you get what you deserve.

Seriously: there must be so much evidence by now that it is just too hard for human beings to do all the bounds checking by hand that I'm fairly surprised that security critical code is still written in C.

I've never looked at any of the securified versions of things like BIND, but I suspect they do it by inventing a bounds-checked framework in which they then write the code...

Re:yeah... (1)

Amoeba (55277) | more than 13 years ago | (#471232)

The fact is that all code of sufficient size and complexity will have bugs in it. I leave it to the reader to decide whether they want the buggy programs they depend upon to be open or closed.

It doesn't matter how large or complex the code is nor how elegant and securely it's written if the underlying architecture & methodology principles suck.

Bugs can be fixed and holes patched but if the very process the code uses to do its thing is flawed then there will always be ways to exploit that process in some capacity.

One poster asked how it was possible to still be finding holes in BIND after all these years when so many eyes have gone through the source code... maybe we should take a pointer from the *BSD camp; they fix how the code functions and then they evaluate why the code does something in that manner so design flaws can be addressed.

BIND 9.x is on the right track. They've completely rewritten nearly all aspects of the underlying architecture to address the design problems inherent in BIND 4 & 8.

How about ... (1)

Lev_Arris (60782) | more than 13 years ago | (#471234)

... using djbdns which apparently is much more lightweight and can handle a lot more load?

http://cr.yp.to/djbdns.html

Just a suggestion/question. Does anybody have experience with this one?

Re:I fucking hate it! (1)

bogomipe (78283) | more than 13 years ago | (#471239)

Why not?

SSHd is available for W2K. See http://www.ssh.com/ [ssh.com] .

Re:Chroot jail with bind 9? (1)

ivarch (92123) | more than 13 years ago | (#471249)

Look at the docs and you'll see why - BIND 9 uses threading, and there's a problem with using setuid() with threads (only the first thread changes UID) in 2.2.x kernels.

If you want to run named as another user, recompile with the --disable-threads option to disable threading.

Re:djbdns is the way to go! (1)

Legion303 (97901) | more than 13 years ago | (#471250)

Oh, look, a pissing contest.

Sorry to hear about your security holes, but I'd rather use something that works best for me. If that means I use a non-GPL license, that's fine. If it means I use a closed-source (gasp! Horror!) program, that's fine, too.

-Legion

Uh oh. (1)

Ravagin (100668) | more than 13 years ago | (#471252)

Hm, I'm in my first year of a real C++ course in high school, attempting to get a formal education in the language. I guess there must be a shortage of teachers, because the new guy they hired this year is almost totally incompetent. For one thing, what he seems to know is C, not C++, to the extent that when I pointed out we could just use a bool for one program which worked with (surprise) booleans, he was surprised that that was a valid type. Right now, we're learning from a book, with no instruction of any sort on secure code like that. That worries me.

Good thing I'm not really considering a career as a programmer...

-J

Re:A quote seems appropriate... (1)

ericdano (113424) | more than 13 years ago | (#471258)

Damn good!
--

Re:Avoiding This Altogether (1)

mr3038 (121693) | more than 13 years ago | (#471261)

They ought to teach the difference between printf(str) and printf("%s", str), at least

Unfortunately that isn't enough. Consider the following, for example:

#define BUFLEN 128
char buf[BUFLEN];
sprintf(buf, "input=%s\n", input_from_user);
vs.
snprintf(buf, BUFLEN, "input=%s\n", input_from_user);

Guess which one cannot overwrite the memory following the buf array. However, snprintf was not supported by the standard until ISO C99. See man snprintf for more information. That printf case should be trivial by the way.
_________________________

Re:A quote seems appropriate... (1)

msergeant (126834) | more than 13 years ago | (#471263)

Funny thing is I picked this book up and started to read it again for the 12th time. Can't beat LOTR for a good read

Re:yeah... (1)

enneff (135842) | more than 13 years ago | (#471265)

"The interesting this is that their marketing machine managed to hush this up so well: if it had been Cisco, they would have been toast."

Well, Microsoft (despite what it's trying to become) is hardly a mission critical systems retailer, nor a networking hardware vendor. Cisco is widely known to be the manufacturer of some of the best communications gear around.

If Cisco's network were to go down, that would say a lot more about their products than if the same thing happened to MS.

Lets start a poll... (1)

kaoticus (138373) | more than 13 years ago | (#471269)

How many months will it take b4 all the system administrators upgrade their BIND. One month, 2 months. I bet we see this being exploited for a LONG time..

I am amazed... (1)

sedawkgrep (142682) | more than 13 years ago | (#471270)

...that buffer overflows still exist in this code. Honestly, BIND has to be the most used piece of software on the net, and it is completely open-source to boot.

How, despite the thousands of eyes that look at it every day, did these problems not reveal themselves earlier?

sedawkgrep

Re:attn slashdot editors: (1)

pjl5602 (150416) | more than 13 years ago | (#471271)

You can at least wait until responsible people fix the problem before throwing it to the peanut gallery to discuss. This is like posting American security failures on slashdot. Everybody keep your secrets, posting them here is pearls before swine.

I'm hoping that you forgot the smiley to demonstrate that you were joking. Security through obscurity doesn't work -- never has and it never will. Not to mention there are already tons of other sites that have either noted the problems or announced new packages for BIND.

Secure BIND replacement (1)

CarrotLord (161788) | more than 13 years ago | (#471273)

Surely there is some move underway to replace BIND with something more inherently secure? It seems surprising to me that such a fundamental piece of software suffers from so many holes. Perhaps it doesn't need to run as root -- maybe it should run as nobody and sit behind a simple dummy process that binds to the relevant port number and passes requests on -- sort of port masquerading... I don't know, but it's a mess as it is... anyone got any better ideas?

rr

Re:I am amazed... (1)

fatphil (181876) | more than 13 years ago | (#471274)

Remember the old maxims:
"Memory allocation/deallocation is too important an issue to let the machine take control"
and
"Memory allocation/deallocation is too important an issue to let the programmer take control"

We've got exactly the same issue here.

The people who wrote
sprintf(buf, "..%s..", user_supplied_string); or whatever should be whipped to within inches of their lives. Is there a maximum string length? If so, use %80s or whatever. If not, use strlen and malloc.
If that's what you mean by "inventing a bounds-checked framework in which they then write the code" then I hardly think that's much of an overhead.

It's not hard to do things safely by hand. These vulnerabilities show that the code hasn't been code reviewed. (For solo projects, I code-review my own stuff, and I always make sure I know where the critical cutoffs for values/sizes are, and I always try to break them.)

FatPhil
-- Real Men Don't Use Porn. -- Morality In Media Billboards
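An added example, not code from any poster in this thread, putting mr3038's sprintf/snprintf contrast and FatPhil's "%80s or strlen and malloc" suggestions side by side in working C. BUFLEN and the "input=" format string come from the thread; the function names, the check helpers and the constructed 299-byte input are my own. One detail the code comments spell out: a width like %80s does not shorten a long argument, only a precision (%.80s) does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFLEN 128

/* The pattern the thread warns about, shown only as a comment so nothing
 * here can overflow: sprintf(buf, "input=%s\n", input_from_user);
 * sprintf never learns sizeof(buf), so a long input writes past the end. */

/* Bounded formatting with the real buffer size. Returns 1 when everything
 * fit, 0 on truncation or error. C99 snprintf returns the length it WANTED
 * to write, so n >= size is the truncation signal. */
int format_bounded(char *buf, size_t size, const char *input)
{
    int n = snprintf(buf, size, "input=%s\n", input);
    return n >= 0 && (size_t)n < size;
}

/* Also caps how much of the argument is copied. Note the dot: "%80s" is a
 * minimum field WIDTH (pads short strings, never shortens long ones);
 * "%.80s" is a PRECISION and stops after 80 bytes. "%.*s" takes the limit
 * as an int argument. */
int format_precision(char *buf, size_t size, const char *input, int max_input)
{
    int n = snprintf(buf, size, "input=%.*s\n", max_input, input);
    return n >= 0 && (size_t)n < size;
}

/* The strlen + malloc route: size the buffer from the actual input.
 * Caller must free() the result. */
char *format_dynamic(const char *input)
{
    size_t need = strlen("input=") + strlen(input) + 2;  /* "\n" + NUL */
    char *out = malloc(need);
    if (out != NULL)
        snprintf(out, need, "input=%s\n", input);
    return out;
}

/* Constructed sample input: a run of 'A' filling dst, far longer than BUFLEN. */
static void fill_long_input(char *dst, size_t dstsize)
{
    memset(dst, 'A', dstsize - 1);
    dst[dstsize - 1] = '\0';
}

/* Self-checks that return values rather than just printing them. */
int check_short_input_fits(void)
{
    char buf[BUFLEN];
    return format_bounded(buf, BUFLEN, "hello") == 1 &&
           strcmp(buf, "input=hello\n") == 0;
}

/* Bytes written for a 299-byte input: expected BUFLEN - 1 (filled to
 * capacity, still NUL-terminated, truncation reported, prefix intact). */
int check_long_input_truncated(void)
{
    char big[300], buf[BUFLEN];
    fill_long_input(big, sizeof big);
    if (format_bounded(buf, BUFLEN, big) != 0 || strncmp(buf, "input=", 6) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Output length with the argument capped at 80 bytes: expected 6 + 80 + 1. */
int check_precision_caps_argument(void)
{
    char big[300], buf[BUFLEN];
    fill_long_input(big, sizeof big);
    if (format_precision(buf, BUFLEN, big, 80) != 1)
        return -1;
    return (int)strlen(buf);
}

/* Output length of the malloc'd variant for the same input: expected 306. */
int check_dynamic_exact_size(void)
{
    char big[300];
    char *out;
    int len;
    fill_long_input(big, sizeof big);
    if ((out = format_dynamic(big)) == NULL)
        return -1;
    len = (int)strlen(out);
    free(out);
    return len;
}

int main(void)
{
    printf("short input fits: %d\n", check_short_input_fits());
    printf("long input truncated to %d bytes\n", check_long_input_truncated());
    printf("precision-capped length: %d\n", check_precision_caps_argument());
    printf("malloc'd length: %d\n", check_dynamic_exact_size());
    return 0;
}
```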

In the wild (1)

aTMsA (188604) | more than 13 years ago | (#471280)

Exploits for these holes were successfully created by COVERT Labs, but nobody seems to know whether they're in the wild yet
Well they're on /. , i don't think they can be "in the wild" much more than they are now.

Re:Avoiding This Altogether (1)

fantom_winter (194762) | more than 13 years ago | (#471283)

It's partially the language C that causes these problems because C has no bounds checking on its arrays, which can lead to bad situations with buffer overruns and such.

Yes, it's the programmer's responsibility in the end to write secure code, but despite its speed and portability, C is sort of a poor choice as far as security goes, and C++ is only marginally better, because it depends so much on how a person decides to write their C++ code.

Just my two cents.

Re:djbdns is the way to go! (1)

kyz (225372) | more than 13 years ago | (#471284)

What, you think only software under the GPL can be legally used?

No, but only the GPL (and other Free licenses like *BSD, etc) allow true freedom [gnu.org] . One of those freedoms is the freedom to distribute binaries, but Bernstein's license won't allow me to do that if my system isn't up to his standards.

Re:Avoiding This Altogether (1)

sales_worldwide (244279) | more than 13 years ago | (#471290)

Adam Shostack summed up all the current "frequently asked and answered" questions in his paper at http://www.homeport.org/~adam/review.html.

It is worth reading if you are trying to write secure software.

Also, check out qmail for an example of well written secure software.

(Beware of Adam's other material - he is pro-linux and anti-MS, and believes that only open source software can be safe etc. etc.)

Re:Chroot jail with bind 9? (1)

mian (253649) | more than 13 years ago | (#471293)

one thing i'd like to know is why you need to upgrade your kernel just to run as a non-root user with bind9

root@machine [~]: named -u daemon
named: -u not supported on Linux kernels older than 2.3.99-pre3

Re:I am amazed... (1)

The Blackrat (255469) | more than 13 years ago | (#471297)

AMEN. Every kid with redhat on their shiny new Dells cries 'Open the source! GPL or death', but the vast majority do NOTHING with it once they get it. Not that I look at source, but you'll never catch me crying for source anyways.

Re:yeah... (1)

pandora-br (267135) | more than 13 years ago | (#471303)

You said you preferred "well designed" closed source software. How can you tell if it is well designed?
How many other security issues were resolved just because bind is open source? Lots.
You also mention security problems "every two weeks". Open software is open. The good parts are open, and the bad parts too. Nothing is hidden.

Re:The Microsoft connection... (1)

adadun (267785) | more than 13 years ago | (#471304)

BIND apparently has a BSD-style licence so Microsoft may very well have used BIND code in their "own" software.

They have done similar things with the BSD TCP/IP stack.

Re:yeah... (1)

Sylvain Tremblay (306896) | more than 13 years ago | (#471305)

Even microsoft is now using Linux based DNS servers

With the concomitant security risk...

yeah... (1)

Sylvain Tremblay (306896) | more than 13 years ago | (#471306)

sure, we've all heard by now all about "full disclosure", the evils of "security by obscurity", why open source software is more secure because it takes seriously the idea of "security as a process", etc...

the question is: why is all this open source software like bind, sendmail, ftpd and such so full of bugs to begin with?

I'd rather go for a well designed closed source server than these crappy free programs that have a security problem every two weeks...

OpenBSD Immune (2)

SoupIsGood Food (1179) | more than 13 years ago | (#471311)

According to the mailing lists, OpenBSD's implementation of BIND4 is immune; the sprintf()s responsible for the overflows were changed to snprintf()s by the development team in 1997.

SoupIsGood Food

Re:yeah... (2)

Chris Burke (6130) | more than 13 years ago | (#471317)

the question is: why is all this open source software like bind, sendmail, ftpd and such so full of bugs to begin with?

Because all software is buggy crap to begin with.

Programmers of open source software are no different than programmers of closed source -- both code to their level of skill and pride. The only difference is pay, and money does nothing to make someone write better code. It's not like a programmer gets paid more for writing more elegant, secure code. Nope, it only has to work not too long after their scheduled release date.

The fact is that all code of sufficient size and complexity will have bugs in it. I leave it to the reader to decide whether they want the buggy programs they depend upon to be open or closed.

Re:yeah... (2)

Chris Burke (6130) | more than 13 years ago | (#471318)

It doesn't matter how large or complex the code is nor how elegant and securely it's written if the underlying architecture & methodology principles suck.

A very good point. There are fundamental protocol flaws that can render code vulnerable even if there are no buffer overflows or other standard bugs.

However, looking at the list of vulnerabilities for BIND, they appear to almost exclusively be of the buffer overflow and 'improper handling' vein, which falls into the category of buggy code, not bad underlying design.

Then again, your idea would apply if the code was written without concern for preventing things like buffer exploits.

maybe we should take a pointer from the *BSD camp; they fix how the code functions and then they evaluate why the code does something in that manner so design flaws can be addressed.

Who's "we"? BSD uses bind just like Linux does.

But I agree, if you mean specifically OpenBSD and their thorough audit process. It reminds me of the processor industry, when years are spent validating a design.

Then again, processors ship with bugs in them as well. You can never be assured that you are 100% bug free in any sufficiently complex (ie not provably correct) design. It's worse with software than with hardware, because in software there are more uncontrollable variables.

BIND 9.x is on the right track. They've completely rewritten nearly all aspects of the underlying architecture to address the design problems inherent in BIND 4 & 8.

Which CERT advisories refer to underlying architectural flaws?

Not to say a re-write is bad... I think developers are too afraid of starting over. Especially in the open source world, where release schedules are not a concern, but code quality is.

In the wild (2)

zyklone (8959) | more than 13 years ago | (#471321)

One INCIDENTS post suggests that there is a exploit in the wild.

So upgrade.

this was on MSNBC, ZDNN (2)

Barbarian (9467) | more than 13 years ago | (#471322)

This was already on MSNBC and ZDNN, so all the black-hats already know.

Re:Who needs BIND? (2)

Dionysus (12737) | more than 13 years ago | (#471324)

You presume that people here consider security to be important. What is the saying that someone keeps quoting? "Those who would exchange freedom for a little security deserves neither".

Let's look at the track record of BIND.
1) exploit every few months (followed by apologies like, "well, BIND has been out so long, it has to be secure NOW").
2) New BIND, where the authors seem to indicate that security was not part of the design criteria.

But you see, djbdns has the wrong license. It's not GPL. And people will rather be rooted than run a non-GPL software. Especially if running it would mean that one had to admit that there is actually a non-GPL software that is (Oh nooo) *better* than the GPL alternative.

If you want to see the same attitude for another piece of "software", check out any discussion on Sendmail (same arguments, same security holes).

Re:How about ... (2)

Dionysus (12737) | more than 13 years ago | (#471325)

I've been using djbdns for almost a year now (while it was still called dnscache).

Note that djbdns is a suite of dns utilities that together gives the same functionality of BIND.

dnscache *only* does caching (great if you are on a dialup. Because, do you really need a fullblown dnsserver if you only want to do caching?).

tinydns *only* serves dns requests (no caching).

If you want a dnsserver, you only need those two. They run with their own userid, chroot'ed into their own directories owned by them.

AND, it's a snap to set up (took me half a day to figure out everything).

Re:I fucking hate it! (2)

Zico (14255) | more than 13 years ago | (#471327)

So why don't you just turn on the telnet service or download the free SSHD for NT/2000 [criadvantage.com] ? It's really not that difficult...

I still can't understand how in this day and age someone can waste their time complaining and not be able to figure this stuff out.


Cheers,

mirrors of bind 8.2.3 in australia (2)

jason andrade (17150) | more than 13 years ago | (#471331)


bind is mirrored in australia at:

PlanetMirror:

ftp://ftp.planetmirror.com/pub/bind/src/8.2.3/

AARNet:

ftp://mirror.aarnet.edu.au/pub/bind/src/8.2.3/

please try to use one of them before hitting
the ISC server.

-jason

The Microsoft connection... (2)

PenguinX (18932) | more than 13 years ago | (#471332)

Anyone notice how this CERT advisory comes out only a few days after Microsoft had it's DNS borked? Coincidence? I think not ;-)

Re:I am amazed... (2)

jilles (20976) | more than 13 years ago | (#471335)

Cut the crap, one of the most important tools on the internet broke down because of a memory leak.

Of course it is possible to create good programs if you don't make any errors, duh. The problem is that humans do make errors. And since C provides little or no protection against these errors it is unsafe.

As long as we will use C for implementing these kind of things, there will be memory leaks. Of course C is a very performance efficient language, however, things like this make it unsuitable for security critical apps because you can never be 100% sure it doesn't have memory leaks.

Debian users (2)

gregbaker (22648) | more than 13 years ago | (#471337)

Debian users running the stable (Potato) distribution can find a safe version in Debian's security archive. If it's not there already, the following line should be in /etc/apt/sources.list:
deb http://security.debian.org/ stable/updates main contrib non-free

Re:attn slashdot editors: (2)

BlueLines (24753) | more than 13 years ago | (#471338)

Umm, the responsible people already read bugtraq this morning and patched their servers.

Re:yeah... (2)

mpe (36238) | more than 13 years ago | (#471341)

Microsoft's mistake was to put all their servers on one subnet, and allow a change to be performed on a mission-critical router without proper approval, as far as I can work out.

Though the router was only "mission-critical" because of the DNS servers being misconfigured.
Microsoft is hardly unique in not complying with rfc 2182 though...

eye opener (2)

macpeep (36699) | more than 13 years ago | (#471345)

The vulnerabilities / exploit list is long! And while 9.1.0 doesn't have any known exploits according to this list, I think this should be an eye-opener to people when it comes to security. Like Microsoft likes pointing out, you are unsafe with *ANY* OS if you don't stay up to date with the patches. I'm not "pro MS" or anything, but there's a lot of rhetoric on Slashdot about how Microsoft OS's are unsafe. The idea a lot of people get is that Linux is automatically completely safe. This is, of course, not the case. Unless you know what's going on and what has been hacked, you're leaving your system wide open.

For those who feel safe and comfortable with their home box, especially those hooked up to DSL or cable, I strongly recommend checking out that list. It's scary and it's only bind! To keep the balance, the fix list for Win2K SP1 is even longer... and scarier..

I run a box at home that is connected to the net 24/7 on a dynamic IP without an easy-to-guess hostname and I get about 10 probes a day.. FTP, ping, SSH, telnet, http.. you name it.. I assume most boxes get the same amount.. If you have an open door, it WILL be exploited!

Re:Who needs BIND? (2)

Xenna (37238) | more than 13 years ago | (#471348)

I doubt djbdns has received the attention that BIND has. If djbdns was used on every server instead of BIND, there'd probably be problems found with it too.

DJB is willing to bet [cr.yp.to] that there won't be and even though djbdns is not in wide use, his other project, Qmail, which carries a similar guarantee is widespread even in high-profile high-risk locations like Hotmail. No security related bug has ever been found AFAIK.

Regards,
Xenna (who bets his servers on it)

Re:yeah... (2)

Simon Brooke (45012) | more than 13 years ago | (#471349)

Except that Microsoft's [microsoft.com] DNS is now being provided by Akamai [akamai.com] on (apparently) Linux 2.1 servers. See this story [theregister.co.uk] in The Register.

Re:The Microsoft connection... (2)

ASCIIMan (47627) | more than 13 years ago | (#471350)

Coincidence... I think so.

M$ uses their own DNS software. Hopefully because of their recent DNS borking on their own software/systems they won't try to convince people their DNS software is superior because /their/ DNS isn't vulnerable to the BIND holes.

But they probably will anyways... Oh well.

Re:I am amazed... (2)

tfb (49770) | more than 13 years ago | (#471351)

It is obviously hard enough to do things safely by hand that people do not do it: that's really all that matters. Obviously it is *possible* to write safe code in a non-bounds-checked language, but it is hard enough that people generally don't, so we have buffer-overflow vulnerabilities in critical code every few months.

I'm not really interested in an argument that it's possible to write bounds checking code by hand -- obviously it is (and I'm sure you do!) -- but equally obviously, many, possibly most, people do not.

I can see two fixes to this problem:

  • Educate people to write better code. So far there hasn't been much progress here: possibly there has been negative progress.
  • Start writing critical software in languages which check array bounds both at compile time where possible -- which can eliminate runtime overhead -- and at runtime where needed, and handle out-of-bounds accesses gracefully.

These vulnerabilities cost huge amounts every time they happen, not just in terms of security breaches but in all the hidden cost of time spent upgrading systems. How many DNS servers are there running vulnerable versions of BIND right now? How long will it take to fix them, assuming they get fixed? This is really a lot of money...

I kind of wish education could solve this problem, but I'm cynical, so I place more faith in systems which prevent it happening.

What about SDNS? (2)

jcr (53032) | more than 13 years ago | (#471352)

Is the Secure DNS server that's part of the FreeS/WAN project ready to go? If so, does it have any of these vulnerabilities? -jcr

And So It Begins... (2)

Simon Tatham (66941) | more than 13 years ago | (#471355)

"And so it begins."
"There is a hole in your BIND."
"What do you want?"

Re:I am amazed... (2)

horza (87255) | more than 13 years ago | (#471359)

Most security leaks are a direct consequence of using languages like C. People claim it is possible to program safely in C, however, incidents like this prove them wrong.

What a strange statement. It is perfectly safe to program in C as long as you are paying attention. In my experience, the security leaks occur by a) oversight of the programmer (probably about 3am) b) code contributed by an amateur who lacks formal training and thus wouldn't know the basics we do or c) rush jobs that were only meant for test purposes but then got incorporated into final code.

The first can be checked for by code review, which is where Open Source is supposed to excel. The second tends to occur where people have never studied CompSci, yet have dabbled in Javascript and hence consider themselves a programmer (ok, slight exaggeration). The only solution to this is to use software where the team has a good reputation. The last is poor software engineering. Harangue the author(s) to go back and do a proper job.

Personally I think C is an excellent language for writing core OS apps in. Fast, flexible and efficient. Java is a good server-side language for application server development but I wouldn't write my core server apps in it (not fast or lean enough). What alternative language would you suggest?

Phillip.

bind - Bug Infested Network Daemon (2)

chongo (113839) | more than 13 years ago | (#471364)

Bind: Bug Infested Network Daemon

The folks who wrote and/or maintain bind had the best of intentions. Bind code filled the need when Arpanet/Internet sites were copying around large host files. I don't wish to denigrate / attack those who helped create and maintain bind, but one cannot ignore the fact that bind is one of the larger infrastructure vulnerabilities we face today. The track record of bind v8 and previous versions casts doubt on the wisdom of trusting bind v9.

Bind's track record clearly shows it for what it is: a bug-infested and much-flawed chunk of code that has lasted way past its prime. Bind is to name service as sendmail is to EMail.

Bind has and very likely continues to suffer from:

  • Buffer overruns
  • %n bugs
  • Denial-of-service attacks
  • Cache poisoning
  • Man-in-the-middle attacks
  • root exploits
  • protocol exploits
  • etc., etc., etc.

But all is not lost in the name service front. A few alternatives to bind exist now. Several more efforts are in the works as well. Time and experience will show which efforts will succeed.

For those who cannot become a bind-free site now or in the near-term future, there are some things you can do to minimize the damage bind code can cause. Consider the following ideas. These ideas are not for everyone. This list is by no means exhaustive. You might want to:

  • run named on separate hosts (do not put other services on your named server machines)
  • run named in a chrooted environment
  • dedicate a separate file system for named
  • if your OS allows it, mount that separate file system with nosetuid, nodev, etc...
  • run named with ``-u dns'' or better yet ...
  • never run named as root: use a small well designed prog to listen on port 53 and forward connections to named -or- change your kernel to allow the dns user to use port 53 (on Linux this is a simple change to inet_bind() function in net/ipv4/af_inet.c)
  • where possible in applications, avoid doing name service lookups; for example log IP addresses instead of hostnames
  • do not run named on your firewall(s)
  • put a firewall(s) between your named host(s) and machines you care about
  • use different named servers for different needs - consider running separate services for:
    • your external authoritative name server (configure to ONLY answer queries for your external domains, no glue, no recursion)
    • your internal / intranet name service needs
    • your production services (accessible by only your production servers, not the Internet or your Intranet)

If you treat bind with caution, you will be more likely to survive intact until a bind-free solution with a good track record presents itself.

Re:OpenBSD Immune (2)

\\ (118555) | more than 13 years ago | (#471367)

because the obsd team just goes through the code and kills anything that looks like it could possibly be an overflow. they change lots of code that MIGHT be a security risk, they can't report 12 thousand maybes.

Re:I am amazed... (2)

ebbe11 (121118) | more than 13 years ago | (#471368)

How, despite the thousands of eyes that look at it every day, did these problems not reveal themselves earlier?

Because only very few of those eyes are looking at the code. Most of them are just looking at a list of programs running on their system with BIND in it. They never bother (nor have time) to look at the actual code.

DNS Stories ... Re:Ok (2)

StandardDeviant (122674) | more than 13 years ago | (#471369)

... are bound to happen.

(Sorry, bad pun, couldn't resist :-) )


--
Fuck Censorship.

Re:yeah... (2)

pjrc (134994) | more than 13 years ago | (#471370)

Actually, bind, sendmail and wu-ftpd have had a really bad history of awful bugs. The subject of this message, "WuFTPD: Providing *remote* root since at least 1994 [securityfocus.com] " really sums it up pretty well. As mentioned on the Cert page, BIND has had TWELVE Cert Advisories [cert.org] and this makes 13. They even named the 11th one "Continuing Compromises of DNS servers", though I suppose it's just the infamous NXT bug.

What's it take to go from BIND 8.2.x to 9.1 ?? (2)

pjrc (134994) | more than 13 years ago | (#471371)

The upgrade from BIND 4.x to 8.x was very painful, they changed nearly everything about the config file format.

Does anyone here know about what (if any) compatibility issues there are going from 8.2.x (installed on most machines today) to 9.1 ?? Did they change stuff in the config file format, again?

Chroot jail with bind 9? (2)

SealBeater (143912) | more than 13 years ago | (#471373)

Ok, just to jump into the fray, (sorry if someone else has asked this question, but it's late where I am), does anyone know how to chroot bind 9? I looked at the docs, looked on the web and have asked on the mailing list. No one seems to know. I currently run bind chrooted (I know it's possible to break out, but every little bit helps) and would like to do the same with bind 9. If anyone on the bind development team reads this, or anyone who develops internet service based software (ftp, http, whatever), including documentation that details how end users can at least add an additional layer of protection when, not if, bugs and exploits are discovered, would be GREATLY appreciated. Don't get me wrong, I applaud your efforts, but sometimes finding information, even when you think you know what you're doing, can be kinda frustrating. 8*). Also, anyone have problems upgrading to v9? I am especially interested in anyone who is doing dynamic dns with it. Last one to upgrade is a rotten egg! 8*)

SealBeater

Come on (2)

slashdoter (151641) | more than 13 years ago | (#471374)

The CERT/CC has recently learned of four vulnerabilities spanning multiple versions of the Internet Software.......

You just have to wonder what recently means, 90 days? Time to cancel the LAN party and have an Update party


________

Re:yeah... (2)

doctor_oktagon (157579) | more than 13 years ago | (#471375)

I guarantee you that Akamai will patch far faster than microsoft did their own DNS servers.

Except that Microsoft were running their own Microsoft-based DNS servers, and were thus not affected by these latest announcements.

Microsoft's mistake was to put all their servers on one subnet, and allow a change to be performed on a mission-critical router without proper approval, as far as I can work out.

The interesting thing is that their marketing machine managed to hush this up so well: if it had been Cisco, they would have been toast.

Re:djbdns is the way to go! (2)

kyz (225372) | more than 13 years ago | (#471387)

Sorry to hear about your security holes, but I'd rather use something that works best for me. If that means I use a non-GPL license, that's fine. If it means I use a closed-source (gasp! Horror!) program, that's fine, too.

Fine by me too. Just don't cry like a girl when Bernstein comes round to your house to bitchslap you for daring to fix djbdns security holes without his permission!!

Re:Come on (2)

cicadia (231571) | more than 13 years ago | (#471388)

You just have to wonder what recently means, 90 days?

Generally this means 45 days with CERT. They have been criticised on a few occasions for this response time, and for the fact that they refuse to go "full disclosure". Their policy is to inform the software vendor first of any discovered vulnerabilities, and allow the vendor that time to release patches before making it widely known.

That's why you can get a version of BIND from the ISC on the same day that the vulnerability was made public.

I'd like to know earlier as well, but at the same time, I'm glad this hasn't been public for 45 days while I sit and wait for a patch.

Check out their policy on this at http://www.cert.org/faq/vuldisclosurepolicy.html [cert.org] (hope that makes it through the /. filters OK :)

- cicadia

Avoiding This Altogether (2)

grammar fascist (239789) | more than 13 years ago | (#471389)

It seems like this is something that needs to be taught in schools. I don't recall ANY of my professors ever talking about how to write secure code. They ought to teach the difference between printf(str) and printf("%s", str), at least.

Strangely enough, that's the extent of my knowledge on writing unbreakable code. Does anybody out there have links to some good reference material on this?
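An added example (mine, not part of grammar fascist's post or anything else in this thread) that makes the printf(str) versus printf("%s", str) distinction concrete. The scanner walks a string the way printf would and reports the most dangerous directive an attacker could have planted in it, next to the fixed-format form that renders the same text harmlessly. The directive classes, function names and the sample strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not code from the original post. Directive classes,
 * function names and sample strings are constructed for the demonstration. */

/* What a printf directive does when the matching argument was never passed:
 * it consumes whatever happens to be next on the stack or in the argument registers. */
enum directive_kind {
    DIR_NONE = 0,    /* no directive, or only "%%"            */
    DIR_READ_INT,    /* %d %x %c ... : leaks a stack word      */
    DIR_READ_PTR,    /* %s %p        : dereferences or prints a pointer */
    DIR_WRITE_PTR    /* %n           : writes a count through a pointer */
};

/* Walk fmt as printf does (flags, width, precision, length modifier,
 * conversion) and return the most dangerous directive it contains. */
enum directive_kind worst_directive(const char *fmt)
{
    enum directive_kind worst = DIR_NONE;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                                  /* "%%" is a literal '%' */

        bool star = false;                             /* '*' pulls an int argument too */
        while (*p && strchr("-+ #0", *p)) p++;                                      /* flags     */
        while (*p == '*' || (*p >= '0' && *p <= '9')) { star |= *p == '*'; p++; }  /* width     */
        if (*p == '.') {                                                            /* precision */
            p++;
            while (*p == '*' || (*p >= '0' && *p <= '9')) { star |= *p == '*'; p++; }
        }
        while (*p && strchr("hlLqjzt", *p)) p++;                                    /* length    */

        enum directive_kind k = star ? DIR_READ_INT : DIR_NONE;
        switch (*p) {
        case '\0':
            return worst;                              /* string ends mid-directive */
        case 'n':
            k = DIR_WRITE_PTR; break;
        case 's': case 'p':
            k = DIR_READ_PTR; break;
        case 'd': case 'i': case 'u': case 'o': case 'x': case 'X': case 'c':
        case 'e': case 'E': case 'f': case 'F': case 'g': case 'G': case 'a': case 'A':
            k = DIR_READ_INT; break;
        default:
            break;                                     /* unknown conversion: not modelled */
        }
        if (k > worst)
            worst = k;
    }
    return worst;
}

/* The fix from the post: untrusted text is the *argument* of a fixed "%s"
 * format, so its '%' signs are copied as data and never interpreted.
 * Returns snprintf's result (characters that would have been written). */
int render_log_line(char *dst, size_t dstlen, const char *user, const char *untrusted)
{
    return snprintf(dst, dstlen, "login failure for %s: %s", user, untrusted);
}

/* True if a classic format-string payload comes out of the safe form as
 * plain text, while the scanner confirms what printf(payload) would have done. */
bool demo_untrusted_stays_literal(void)
{
    char line[128];
    const char *payload = "AAAA%08x.%08x.%n";        /* constructed attacker input */
    const char *expect = "login failure for bob: AAAA%08x.%08x.%n";
    int n = render_log_line(line, sizeof line, "bob", payload);
    return n == (int)strlen(expect)
        && strcmp(line, expect) == 0
        && worst_directive(payload) == DIR_WRITE_PTR;
}

int main(void)
{
    printf("untrusted text rendered literally: %s\n",
           demo_untrusted_stays_literal() ? "yes" : "NO");
    return 0;
}
```

The scanner is also a cheap audit aid: run it over any string a program is about to hand to printf, syslog or snprintf as the format argument, and anything other than DIR_NONE means the call needs the "%s" form.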

Re:Who needs BIND? (3)

Chris Burke (6130) | more than 13 years ago | (#471391)

All software has bugs. OK. BIND has a track record of having security related bugs.

Or rather, track record of having known security related bugs, because it is so widely used and hence so widely scrutinized. Whatever it is that you think has less bugs because of less known security issues, ask yourself if it is as widely deployed and as widely scrutinized as bind.

Maybe we should be more forgiving to Microsoft security issues then?

As long as the patch is released in a timely fashion (which means a day or two tops), and they don't attempt to cover up the "issue", then yes we should be. Unfortunately, neither of these things describes Microsoft behavior in most cases.

Debian update instructions (3)

Carl (12719) | more than 13 years ago | (#471392)

Add the following line to your /etc/apt/sources.list file:

deb http://security.debian.org/ potato/updates main

Then do a:
apt-get update
followed by a:
apt-get upgrade

DONE.

Who needs BIND? (3)

msaavedra (29918) | more than 13 years ago | (#471393)

I don't mean this as a troll, but it seems that BIND has more security vulnerabilities than any other piece of software. I know someone brings this up on every DNS related post, but I think more people should try djbdns [cr.yp.to] , with which I have been very impressed since I started using it about six months ago. I have heard that BIND 9 is supposed to be an improvement, but with BIND's history of security problems I'm not sure if I would trust even this new improved version. I think it is better to go with software that has already demonstrated its good security, like djbdns has.
---------------------------
"The people. Could you patent the sun?"

Ok (3)

dimator (71399) | more than 13 years ago | (#471395)

How many of you think this story got posted just to use that cool icon [slashdot.org] ?


--

Re:aka "named" (3)

biglig2 (89374) | more than 13 years ago | (#471396)

If you can't remember if you're running BIND or not you probably shouldn't ;-)

aka "named" (3)

marvinglenn (195135) | more than 13 years ago | (#471399)

As a partially informed/ignorant Linux user, I went to see if I was running "bind"...

It's probably worth mentioning that the program "named" (as seen in the service control activity panel of LinuxConf) is "bind".

djbdns is the way to go! (4)

Tracy Reed (3563) | more than 13 years ago | (#471400)

I switched to djbdns a few months ago because I just KNEW something like this would happen. Now I am glad I did! Bind is such a clusterf*ck. :(

http://cr.yp.to/djbdns.html [cr.yp.to]

Red Hat Releases updated RPMs (4)

bluehell (20672) | more than 13 years ago | (#471402)

Get the not yet announced RPMs of bind-8.2.3 at Red Hat's FTP-Server's Update-Section [redhat.com] or the Mirrors [redhat.com] . Goes back even to Red Hat Linux 5.2.

Re:In the wild (4)

doctor_oktagon (157579) | more than 13 years ago | (#471405)

Well they're on /. , i don't think they can be "in the wild" much more than they are now.

Because this announcement is on slashdot does NOT imply there are exploits available in the wild for these security holes.

An exploit "in the wild" implies it is generally available to any script k1d that wants to download it, and as yet there are no "known" attack exploits available on the popular crack download sites.

This does not mean there are no exploits available. A very skilled cracker (or hacker doing it on a theoretical basis) may already have worked out what code he can get by the BIND signature parser buffer overflow, and thus what he can get the CPU to run.

I hasten to add though that because of the way BIND parses its input to this buffer, the attacker cannot actually run arbitrary code, but only use code containing characters which can get through the parsing routine.

Excellent description at The Register [theregister.co.uk] .

Re:In the wild (5)

h2odragon (6908) | more than 13 years ago | (#471406)

I can report scans of port 53 with "interesting" payloads seen as early as 2am GMT.

The BIND 4 hole(s) is/are going to be a BITCH to exploit, certainly not impossible; but hard enough that it won't be surprising if such never sees wide distribution. Quoth the original advisory [pgp.com] :

"In order to trigger this overflow, an attacker needs to get BIND to cache an NS record with a very large length. Furthermore, the attacker needs to cache a record for the resolution of the NS record that contains one of the problem conditions for the logging. This is achievable by sending a query to a recursive name server, asking it to resolve a large name that is under the authority of a malicious name server. The malicious name server then needs to refer the request to another name server also with a large name, and provide an additional record giving an invalid address for that name server.

The limitations placed upon the character set allowed in domain names makes the construction of a viable return address difficult. However, there is a potential for an attacker to make the name server return into memory that the attacker has forced the name server to allocate. In this case, vulnerability is contingent upon the location of the heap and the amount of memory available, as well as whether or not the operating system has a policy of lazy swap page allocation as opposed to an eager reservation policy. COVERT has verified that it is possible to exploit named running under Linux by growing the heap to sizes that far exceed that amount of memory and swap available. This was performed by utilizing specific patterns of memory allocation that maximize untouched memory."


Re:Who needs BIND? (5)

Barbarian (9467) | more than 13 years ago | (#471407)

I doubt djbdns has received the attention that BIND has. If djbdns was used on every server instead of BIND, there'd probably be problems found with it too.

Re:Debian update instructions (5)

nchip (28683) | more than 13 years ago | (#471408)

Assuming that your dns server hasn't been compromised!

When making security updates, verify first the debs really are the ones announced on:

http://lists.debian.org/debian-security-announce-01/

A mailing list you should be subscribed to, if you run public services with debian. Relying on /. for security news/instructions is probably the stupidest thing one can do!

Re:Avoiding This Altogether (5)

Simon Brooke (45012) | more than 13 years ago | (#471409)

Most security holes come down to two things. One is allowing unvalidated input from untrusted users to be passed to any sort of general purpose command interpreter. This was a prime source of holes in early CGI scripts; for example, if you ask a user for an email address and then use the mail utility to send mail to it, and the user types me@mydomain.com; cat 'hax0r::0:0:lee7 hax0rs ownz you sux0rs:/:/bin/sh' >> /etc/passwd then you've just lost your machine.

The other is accepting unchecked amounts of input from untrusted users. Remember that C (unlike, for example, Pascal, Java or LISP) does no bounds checking, so you have to implement bounds checking yourself.

If you do the equivalent of:

char buffer[ BUFFLEN];
int i = 0;

while( ! feof( stdin))            /* nothing stops i from reaching BUFFLEN */
{
buffer[ i++] = getchar();         /* writes past the end once input exceeds BUFFLEN - 1 */
}
buffer[ i] = '\0';

That's going to lead to a buffer overrun which someone can exploit. If you do the equivalent of:

char buffer[ BUFFLEN];
int i = 0;
int maxinput = BUFFLEN - 1;
int c;

/* test the bound before every store, and test the byte itself for EOF:
   feof() only becomes true after a read has already failed, so a
   feof()-controlled loop stores the EOF value as the last byte */
while( i < maxinput && (c = getchar()) != EOF)
{
buffer[ i++] = c;
}
buffer[ i] = '\0';

Then you're reasonably safe. But to be safer still, don't use C to write daemons which take input from untrusted third parties, and don't run daemons as root - give each its own separate role account.
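An added example (mine, not Simon's code) that carries the bounded loop above a little further, and also serves tfb's point earlier in the thread about what hand-written bounds checking has to get right. It tests the bound before every store, tests the byte read rather than feof() (which is only set after a read has already failed), always NUL-terminates, and tells the caller when input was cut off instead of silently dropping it. Input comes from a constructed in-memory byte source standing in for stdin, so the oversized-input case can be exercised deterministically; byte_source, read_bounded and the helper names are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not code from the original comment. byte_source stands in
 * for stdin so the behaviour on oversized input can be shown on constructed data. */

struct byte_source {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Like getchar(): the next byte as 0..255, or EOF once the source is exhausted. */
static int source_get(struct byte_source *s)
{
    return s->pos < s->len ? (int)s->data[s->pos++] : EOF;
}

enum read_status { READ_OK = 0, READ_TRUNCATED = 1 };

/* Copy at most dstlen-1 bytes into dst and always NUL-terminate.
 * Compared with `while(!feof(stdin)) buffer[i++] = getchar();`:
 *  - the bound is checked before every store, so the only write at
 *    dst[dstlen-1] is the terminator and nothing goes beyond it;
 *  - EOF is checked on the value returned, not via feof(), which is only
 *    set after a failed read and would let the EOF value be stored.
 * *stored receives the byte count; the return value says whether input was cut. */
enum read_status read_bounded(struct byte_source *src, char *dst, size_t dstlen, size_t *stored)
{
    size_t i = 0;
    int c;

    if (dstlen == 0) {                 /* no room even for the terminator */
        *stored = 0;
        return READ_TRUNCATED;
    }
    while (i < dstlen - 1 && (c = source_get(src)) != EOF)
        dst[i++] = (char)c;
    dst[i] = '\0';
    *stored = i;

    /* Report, rather than silently drop, input that did not fit. */
    return (i == dstlen - 1 && src->pos < src->len) ? READ_TRUNCATED : READ_OK;
}

/* Run read_bounded on a C string with a bufsize-byte destination (capped at 64).
 * Returns the status; *stored receives how many bytes landed in the buffer. */
enum read_status try_read(const char *input, size_t bufsize, size_t *stored)
{
    char buf[64];
    struct byte_source src = { (const unsigned char *)input, strlen(input), 0 };
    if (bufsize > sizeof buf)
        bufsize = sizeof buf;
    return read_bounded(&src, buf, bufsize, stored);
}

/* Single-call wrappers for checking results. */
int stored_len(const char *input, size_t bufsize)
{
    size_t n;
    try_read(input, bufsize, &n);
    return (int)n;
}

bool was_truncated(const char *input, size_t bufsize)
{
    size_t n;
    return try_read(input, bufsize, &n) == READ_TRUNCATED;
}

/* 48 bytes of filler (constructed) aimed at a 16-byte buffer: 15 bytes land,
 * the rest is refused, and the caller is told that it was. */
bool demo_oversized_input(void)
{
    const char *payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    return was_truncated(payload, 16) && stored_len(payload, 16) == 15;
}

int main(void)
{
    printf("oversized input handled: %s\n", demo_oversized_input() ? "yes" : "NO");
    return 0;
}
```

The truncation status is the part worth copying: in a daemon, an input that did not fit is usually a protocol violation or an attack, and the right response is to reject the request, not to carry on with the first dstlen-1 bytes as if nothing happened.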

A quote seems appropriate... (5)

ASCIIMan (47627) | more than 13 years ago | (#471410)

One Ring to rule them all,
One Ring to find them,
One Ring to bring them all
and in the darkness BIND them.

Hmmm... Interesting.
