Slashdot Mirror
Potential 0-Day Vulnerability For BIND 9
Morty writes "BIND, the popular DNS server software, has been crashing all over the Internet. The root cause is believed to be a 0-day vulnerability in BIND's resolver. The ISC has issued an alert. Quoting: 'An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.'"
Alert DJB at once!
I had to choose which DNS server I would deploy on my servers. I went for TinyDNS as it had all the same features and security promises. Man am I glad to have considered security over popularity.
Oh for fuck's sake, it's an assertion error. Get over yourself.
It's open source, and has had years to mature...so many eyes on it that this couldn't possibly happen.
We don't even know what is happening yet. Maybe it's just a DOS, maybe it's a potential exploit. What we do know is that no-one has any need to put recursive DNS servers on the internet unless they are running an ISP or a DNS service.
As opposed to the years of paid professionals eyes on Windows?
There are no loopholes. It's either legal or it's not.
Of course it can happen, it's just less likely to have problems than software with only a few sets of eyes on it. In addition, I had patches installed on my linux machines this morning, before I was even aware the problem existed. How's that for turnaround.
BIND is written by Internet Systems Consortium aka ISC, a non-profit that does various public benefit things for the Internet. The summary links to an alert from the Internet Storm Center aka ISC, a project of the SANS Technology Institute. There is no relation between these two ISC's, in this case the first authors the software, and the second tracks vulnerabilities. I'm sure by using a link to SANS many people on /. who are not familiar with these two ISC's will get them confused.
The link in the summary also goes to a preliminary version of the advisory. The correct, full summary is available on Internet Systems Consortium's web site as CVE-2011-4313.
I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can exploited to do something, and that is used by bad-actors before the vendor is aware and able to fix the issue. In this case the bug simply crashes the server; there's no remote root or other exploit, and at this time there is no evidence of bad-actors using this bug at all. Rather it appears something interesting (unusual, perhaps put there intentionally) appeared in the DNS, and it triggered a bug in the software.
Some historical context may help. BIND8, for those who used it, was a pile of poo. It had a huge number of security issues and other problems and was generally a nightmare for sysadmins. Many people stayed on BIND 4.9.x for a very long time because of the issues in BIND8. When ISC launched BIND9, they wanted to change this perception. The action relevant to this bug is that BIND9 was designed to be full of assertions and other checks in the code. The goal was to catch any badness early, and if it was uncorrectable crash in a predictable way. The thought was that crashing with a core dump where you can fix the problem is far better than running off with bad data that could eventually be used in some sort of remote-root exploit.
This issue is sort of the payoff of that philosophy. Rather than taking this bad data and giving a remote hacker access to the machine BIND9 caught it with an assert, logs a useful message and core dumps. This is a big part of why 0-day leaves the wrong impression with me, "denial of service vector" seems to perhaps be a more accurate description. Sure, we could have a lively debate about if crashing is preferred or not, but I think most of the administrators who lived through BIND8 prefer the BIND9 procedures.
Internet Software Consortium also offers support for BIND (and DHCP). I'm amazed how many people run large, production name servers on BIND yet don't have a cheap support contract. If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.
Hurrr, well done guys. Now nobody can download the patches.
Someone want to set up some mirrors?
Finally had enough. Come see us over at https://soylentnews.org/
I can see this is going to be a long thread full of trolls about open source, but the fact of the matter is that an application "crashing" (really ABENDing) due to an assertion failure is actually a sign of software doing what it was designed to do. Assert statements are used to check for "impossible" conditions, and have the program scream and die if one is found. So what we have here is a careful programmer's backstop doing its job.
Open sores software == fail. Once again full of security holes that the "many eyes" failed to spot.
Unlike windows which never has remote crashes or remote execution of arbitary code problems. Tell me does microsoft.com still block ping? Why is that again?
APK's monolithic hosts file is looking pretty good at the moment.
I am confused - which was it designed to do: allow invalid data in the cache, or die when it found said invalid data in the cache? One or the other of those is a bug, not a design choice.
Your understated discretion just takes my breath away.
I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can exploited to do something,
Something like cause a denial of service?
That's an excellent post, Above.
thanks!
Like "truly epic coronal mass ejections", lets save the hyperbole for when we can't use it. We'll know that there's a big problem when we can't read about it on Slashdot.
If you were blocking sigs, you wouldn't have to read this.
yes yes, but thats very limited. Yes, you can deny service.... but it can be started back up. The only loss is availability of the service, the integrity of the service is uncompromised. It isn't allowing someone to make you serve up their data, it isn't allowing anyone to dump data they shouldn't have, it isn't allowing them to change, erase or anything your data.
Essentially... a DDOS means you are hosed until they stop or you can upgrade... the term 0-Day tends to be used to refer to actualy security issues, where the denial of the service is the least of your worries. Patching isn't good enough because, they got a window in, and could have installed a root kit.
"I opened my eyes, and everything went dark again"
Except anyone with a resolver running BIND is potentially affected since all the attacker needs to do is point you at the invalid domain twice, that could be as simple as a webpage with the domain included and a meta refresh longer than the TTL on the domain.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Thanks for the clear explanation.
If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.
Very true. Its funny, that this morning I had applied security patches to a debian stable box and thought "hmm, looks like BIND is getting fixed, wonder what thats about" before this even got posted to slashdot.
Microsoft code would typically leave out the assert, and happily stumble along. At least with the assert, you know what AND WHERE the Bad Thing (TM) happened, and have a clue as to where to look to fix it.
The "assertion"-problem is only tip of the iceberg.
If an assertion fails, this usually means that someone managed to make the code behave in an unintended way. Since the affect occurred simultaneously at several providers all over the world, this indicates a coordinated attack. The chances are real, someone managed to exploit a buffer overflow (or similar) in BIND.
So we have to look seriously into the possibility that people have a way to execute code with the same permissions as BIND has.
When i got the information this morning, this was an alert topic.
Yours, Martin
I am 100% with you up until you say, "I'm amazed how many people run large, production name servers on BIND yet don't have a cheap support contract. If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor."
I have a couple issues with this. The first is simply that it's perfectly reasonable to expect a good UNIX admin to handle BIND without issue for generalist deployments. The other issue I have is that you don't need a support contract to get these alerts. Sign up for the bind-announce mailing list (link: https://lists.isc.org/mailman/listinfo/bind-announce).
Again, I'm totally with you up until the end there.
I am glad I took my lumps and disabled public recursive resolving many years ago on my BIND installations. Only do that for local IP ranges! This eliminates all the resolver issues. Also I found that when the DNS server was open I was getting a constant stream of unusual TXT lookups which were for oddball domains. These contained many K of data. I suspect these requests were fake source IP requests being used as some sort of bandwidth DOS attack.
Unbound, also from NL Netlabs, is a recursive resolver. NSD is an authoritative server.
The problem is with Bind as a recursive resolver, not as an authoritative server.
Yeah, but only the sheer incompetence a multi-billion dollar corporation like Microsoft could produce the level of spectacular FAIL needed to let the following kind of vulnerability go unaddressed for DECADES..
http://www.kb.cert.org/vuls/id/951982
Microsoft Windows UDP packet parsing vulnerability
You have to admit being able to get root by sending malicious packets to a CLOSED port on a machine is just so awesomely FAIL, BIND's little DOS exploit pales in comparison.
That's not how liability works. You are talking about some kind of warranty.
First, this has nothing to do with Microsoft, so there is no need to drag them into it.
Second, I am not questioning the need to test for errors, or that sometimes the correct thing to do when an error is encountered is die. I am challenging your position that overall the software is doing what it was designed to do and this is not a bug. The assertion itself is fine - there are reasons why the cache may have been corrupted and you want to kill the program (hardware error, tampering with files, etc). However, in this case the check should have been done BEFORE the data was put into the cache, when the correct response would have been to simply reject the message. Failure to do that check is a bug.
I'm not sure how to square large production name servers with "generalist deployments". Clearly the small admin can do without a support contract. However I've seen large ISP's, supplying service to millions of customers with no support, and I think that's insane.
If you go back to ISC's Software Support page you'll notice "Advance Security Notifications". Depending on the nature of the issue, ISC's support customers often receive notification before BIND-announce. I believe this particular issue went out in all forums pretty much at the same time due to the severity, but lesser issues may be released in a staged fashion.
Also, note that in this case the assert did NOT tell them 'where the bad thing happened'. If it did, it would not be 'an as-yet unidentified network event'. The assert, in this case, is simply saying 'at some point in the past a bad thing happened, and I just figured that out now'.
By the way, another thing people who are wont to mess with their /etc should keep in mind is etckeeper. It versions your /etc, by default in bazaar, but it's also supposed to work with git, hg, etc. It has triggers set so every time you install something, it does an automatic checkin.
You can also manual commits, too, along with a message.
Good for people who want to know what the config files looked like when they were working a week ago.
Click to install (Debian and friends)
I'm not a lawyer, but I play one on the Internet. Blog
Instead of testing for known and unknown invalid data, it's the right way to test for valid data and puke on invalid data? In your code example, you wouldn't need to run that test because you already tested/trusted it somewhere else. If you know it is a lower case letter, the test isn't necessary. Data should be sanitized before it ever gets to your logic.
No, we don't.
Ahh. Point. I didn't realize that ISC support provided notifications in advance.
that link you posted says it was patched 2 weeks ago. It makes no mention of the date the exploit was found. How do you know this was part of the software for decades?
It pays to be obvious, especially if you have a reputation for being subtle.
To be honest I completely hate ASSERT-style checks, particularly in multi-user systems. One single logic mistake and boom goes the whole server. With exceptions you can at least have a gradual panic. But when you so often resort to pointer-magic and any unterminated string is a recipe for chaos, well... Though it would be nice if exceptions actually worked, which they don't in C++. Try/catching into some third party code and it'll still segfault on you, completely ignoring your attempt to catch any and all exceptions. Sigh.
Live today, because you never know what tomorrow brings
The point you are missing is "0-day" has come to mean vulnerabilities that can be exploited now for things like remote code execution, takeover, etc . In this case, the bug causes crashes but it is not clear that it makes the computer vulnerable to other security matters.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Hilarity ensues :P
I'm joking though... because that's just one tiny piece. The rest of the infrastructure is indeed eating it's own dogfood - either directly, or via "citrix netscaler"
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
How hard is it to write a DNS server without any vulnerabilities? I know it's complex, but still, come on. It's only the backbone of the Internet we're talking about.
when ever I think of BIND8, I think of my .sig:
The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
As a long-time BIND hater, I recently switched from djbdns/tinydns to NSD. I figured if it's good enough for a few root servers it was worth a look. It's very efficient and fast, uses standard zone files, fully ipv4/ipv6 dual-stack transparent, and is DNSSEC aware. Very pleased so far.
I'm an animal lover -- they're delicious!
Different from my understanding. You're thinking of 0-day warez. Here, WP explains it pretty well:
In short, knowledge of the vulnerability exists with attackers before developers. Developers developers developers developers.
Could someone edit that, actually? s/distribute a security fix/address the vulnerability/ If the developer is unaware, they're neither analyzing, patching, notifying users, nor advising workarounds, let alone distributing security fixes.
More to the point, since we have an advisory about it and there's a patch, it can no longer be considered zero day. A true zero day vulnerability is one that only the blackhats know about. Expanding that to include a vulnerability that the vendor doesn't yet understand well enough to patch makes sense. But anyone using the term for a bug that has a patch out to fix it is just being over-dramatic.
I've never known 0-day to mean that. 0-day has to me always meant an exploit in the wild before the author is aware of it vs. an exploit taking advantage of a bug that was fixed a month ago but people haven't applied the patch.
It has an atrocious security history. Seems the rewrite did not accomplish much. Or if you have to use it, lock it into a VM, preferably qemu, so that you get at least some level of isolation.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I use TreeWalk. Since it's an implementation of BIND, do I need to apply this patch to it, and if so how?
Did a little looking into it and, though I'm generally a fan of DJB's wares, unpatched qmail does indeed have the problem of accepting all mail for configured domains, regardless of localpart (box) validity. Which means DSNs will be sent for bad addresses, and since SMTP provides no way of validating senders, backscatter occurs. This is the term for it, by the way.
I've seen plenty of spam using the mechanism. It's a real problem.
Patches are available. But, yeah, DJB's licensing made even patching problematic for the longest time. Thankfully, he's conceded on that point. Which suggests to me he's not dogmatic or unreasonable, just rigidly principled.
I run Postfix, too. Love it. The licensing limbo was part of my decision to go with Postfix, though there were a number of factors. But I still run DJB's tinydns and dnscache.
Repeat after me:
"There are no impossible conditions in input."
"There are no impossible conditions in input."
"There are no impossible conditions in input."
"There are no impossible conditions in input."
. . .
So you're releasing your debug version of the code as a product? Nice.
No it doesn't. It could have easily first appeared in the oldest of the supported OSes, or via a new feature (like IE) that is only supported on the listed OSes.
Gamingmuseum.com: Give your 3D accelerator a rest.
Oh, and the list doesn't include XP, which is supported as long as you are on the last service pack, or Windows Server 2003. So the vulnerability first appeared in some service level of Vista.
Gamingmuseum.com: Give your 3D accelerator a rest.
n/t
Its funny, that this morning I had applied security patches to a debian stable box and thought "hmm, looks like BIND is getting fixed, wonder what thats about" before this even got posted to slashdot.
Same here. Debian rules! :)
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
Submitter here. Comments:
0-day refers to the time when the bug is first exploited relative to when it is patched by the vendor. It has nothing to do with whether or not the exploit yield unauthorized access. It is entirely possible to have a 0-day DoS attack.
There was no evidence on whether or not the bug was triggered deliberately. Hence why the summary referred to it as a "potential" 0-day, and said the problem "is believed to be" a 0-day vulnerability.
At the time crashes were initially occuring, no patch existed. That made it a 0-day, assuming
SANS is a well-known security organization. Hopefully folks who care about this sort of thing are aware that isc.sans.edu is not the same entity as isc.org.
This is a "news for nerds" site. Plenty of folks aren't running BIND 9 directly from isc.org at their workplaces. Perhaps they are using distribution-bundled BIND, or they're running BIND 9 at home, or they're not running BIND 9 at all and are just curious about major vulnerabilities. I know I like to read about flaws in major Internet software even for packages I'm not running.
People who use asserts in fielded code are either (1) lazy or (2) dumb or (3) cheating their employers.
Assuming performance isn't a problem, why wouldn't you leave them in on the off chance that you made a mistake in a corner case somewhere?