Potential 0-Day Vulnerability For BIND 9

Morty writes "BIND, the popular DNS server software, has been crashing all over the Internet. The root cause is believed to be a 0-day vulnerability in BIND's resolver. The ISC has issued an alert. Quoting: 'An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.'"

To the Red Phone!

Alert DJB at once!

10 years ago

[ghn]

I had to choose which DNS server I would deploy on my servers. I went for TinyDNS as it had all the same features and security promises. Man am I glad to have considered security over popularity.

Re:10 years ago

[Compaqt]

Another small DNS server is MaraDNS. It's considered a good alternative to BIND.

Being a lot smaller, it's easier to secure.

If you're just running a DNS cache on your desktop, check out dnsmasq. Click to install(Deb/Mint/Ubuntu)

Re:10 years ago

[janeuner]

It's hard to go wrong with DJB*.

Re:10 years ago

[afidel]

Unless you have to actually work with him.

Re:10 years ago

[Above]

This particular vulnerability applies only to BIND9 operating as a recursive resolver. BIND9 operating in authoritative mode, similar to how TinyDNS operates, is unaffected. Had you properly deployed BIND9 for the same purposes you are using TinyDNS you would not had been impacted by this issue.

Re:10 years ago

[gmack]

The major problem with Qmail was it's design simply didn't take into account the possibility of a bad return address. The downside was that it couldn't bounce during reception and so was forced to generate a bounce message instead and not only did spammers plug up the queue with bad messages, it ended up being used for reflector attacks where the attacker set the target's address as the return and sent messages that would bounce to many different servers. The whole problem ended up being so bad that many that many mail admins considered servers running Qmail to be almost as bad as an open relay and there were people who actually maintained blacklists of servers running Qmail and that was right about when I stopped using it but I hear there have been patches to fix the worst of it's flaws since then.

In short: it was secure for only some definitions of secure and for everything else DJB ignored the problem.

Re:10 years ago

[gmack]

and not only did spammers plug up the queue with bad messages, it ended up being used for reflector attacks where the attacker set the target's address as the return and sent messages that would bounce to many different servers.

Theoretically, that is possible. In practice I haven't seen spammers use that mechanism.

I used to run qmail and I have seen it used for that.

The whole problem ended up being so bad that many that many mail admins considered servers running Qmail to be almost as bad as an open relay and there were people who actually maintained blacklists of servers running Qmail and that was right about when I stopped using it but I hear there have been patches to fix the worst of it's flaws since then.

A lot of people are irrationally against djb in any way. He's become like the president, every time something goes wrong people blame him. Those blacklists you speak of are less about addressing an operational problem and much more about irrational dick waving.

It's not irrational if you observe a problem only to be ignored. As I said earlier I used to run Qmail and I did so because of it's security benefits and while Qmail didn't get my box rooted the same way sendmail did, it still had it's problems. I have since moved to postifx and now have a que of 0 to 10 messages instead of the 300 to 1000 I had under Qmail despite the fact that I have 3x the number of domains and 5x the number of messages than I did before.

Re:10 years ago

[powdered+toast+dude]

My understanding was while that he permitted source redistribution, he insisted that it be only distributed unmodified, and never binary distribution. He also generally refused to accept patches, apparently thinking his pristine work ought to be good enough for everyone. (It was good, but needed features as time went on.) This meant that any "improvements" could only be distributed as patches. As a result, only source-based distros had an easy time packaging it, since sources + patches + build instructions is how they do business anyway. Having no friends with the binary distros, it got little distribution. It also languished on the vine since no one could push improvements upstream. Apparently he subsequently released both qmail and djbdns into full public domain, which means in theory they could be packaged and distributed normally now. Unfortunately, it seems too late for it to matter.

Re:10 years ago

[MaraDNS]

Let's not forget Unbound, which may be faster than MaraDNS's 2.0 recursive resolver. Then again, I just got some funding from a sponsor to work on speeding things up. Also, Unbound has DNSSEC -- something MaraDNS doesn't have.

And, of course, there is Power DNS, another excellent DNS server.

Then again, there's something to be said for being able to set things up using only a three-line configuration file and a 64k binary works nice for embedded places like OpenWRT where Unbound and PowerDNS won't fit.

- Sam

Re:10 years ago

[MaraDNS]

Don't get me wrong, djbdns is an excellent DNS server. Unfortunately, it hasn't been updated for over 10 years and, since then, three different security holes have been discovered the djbdns package, the root server list has been updated, errno has been changed to make Linux more thread safe (requiring a patch to compile it), and so on.

djbdns can work -- but it requires patching by hand or using an unofficial fork like Zinq (which appears to still be supported -- the last release was done this year).

(I can also murmur darkly about the fact that djbdns uses a circular queue instead of a LRU for its cache, its lack of a Windows port, its need to use external helper programs to configure the server, etc., but, then again, its core recursive binary is even smaller than MaraDNS 2.0's tiny recursive binary. And three security bugs in the last decade is better than the 13 security issues in MaraDNS I have had to patch against.)

Re:10 years ago

[MaraDNS]

Please stop spreading FUD. There have been 0 remote security holes discovered in djbdns.

Please lay off the crack, wake up, and smell the coffee. This kind of denial is flat-out dangerous.

I have a blog entry detailing the three security holes in djbdns and DJB paid the $500 security hole prize for djbdns years ago.

The most dangerous hole in an unpatched djbdns 1.05 install is the TCP "packet of death" that forces dnscache to restart (since SIGPIPE isn't caught by dnscache). I really should file a CVE for that security problem.

There is also CVE-2008-4392 as well as CVE-2009-0858; more information is in Debian's security page on djbdns.

Re:10 years ago

[MaraDNS]

Your information is out of date; I completely, from scratch, rewrote the recursive code of MaraDNS starting four years ago with far cleaner code.

That code was declared stable over a year ago and looking at its source code won't make you blind.

- Sam

Re:Impossible!

[NoNonAlphaCharsHere]

Oh for fuck's sake, it's an assertion error. Get over yourself.

Re:Impossible!

[1s44c]

It's open source, and has had years to mature...so many eyes on it that this couldn't possibly happen.

We don't even know what is happening yet. Maybe it's just a DOS, maybe it's a potential exploit. What we do know is that no-one has any need to put recursive DNS servers on the internet unless they are running an ISP or a DNS service.

Re:Impossible!

[Nerdfest]

Of course it can happen, it's just less likely to have problems than software with only a few sets of eyes on it. In addition, I had patches installed on my linux machines this morning, before I was even aware the problem existed. How's that for turnaround.

A confusing summary on /., let me try to do better

[Above]

BIND is written by Internet Systems Consortium aka ISC, a non-profit that does various public benefit things for the Internet. The summary links to an alert from the Internet Storm Center aka ISC, a project of the SANS Technology Institute. There is no relation between these two ISC's, in this case the first authors the software, and the second tracks vulnerabilities. I'm sure by using a link to SANS many people on /. who are not familiar with these two ISC's will get them confused.

The link in the summary also goes to a preliminary version of the advisory. The correct, full summary is available on Internet Systems Consortium's web site as CVE-2011-4313.

I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can exploited to do something, and that is used by bad-actors before the vendor is aware and able to fix the issue. In this case the bug simply crashes the server; there's no remote root or other exploit, and at this time there is no evidence of bad-actors using this bug at all. Rather it appears something interesting (unusual, perhaps put there intentionally) appeared in the DNS, and it triggered a bug in the software.

Some historical context may help. BIND8, for those who used it, was a pile of poo. It had a huge number of security issues and other problems and was generally a nightmare for sysadmins. Many people stayed on BIND 4.9.x for a very long time because of the issues in BIND8. When ISC launched BIND9, they wanted to change this perception. The action relevant to this bug is that BIND9 was designed to be full of assertions and other checks in the code. The goal was to catch any badness early, and if it was uncorrectable crash in a predictable way. The thought was that crashing with a core dump where you can fix the problem is far better than running off with bad data that could eventually be used in some sort of remote-root exploit.

This issue is sort of the payoff of that philosophy. Rather than taking this bad data and giving a remote hacker access to the machine BIND9 caught it with an assert, logs a useful message and core dumps. This is a big part of why 0-day leaves the wrong impression with me, "denial of service vector" seems to perhaps be a more accurate description. Sure, we could have a lively debate about if crashing is preferred or not, but I think most of the administrators who lived through BIND8 prefer the BIND9 procedures.

Internet Software Consortium also offers support for BIND (and DHCP). I'm amazed how many people run large, production name servers on BIND yet don't have a cheap support contract. If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.

Re:Open sores == fail

[NoNonAlphaCharsHere]

I can see this is going to be a long thread full of trolls about open source, but the fact of the matter is that an application "crashing" (really ABENDing) due to an assertion failure is actually a sign of software doing what it was designed to do. Assert statements are used to check for "impossible" conditions, and have the program scream and die if one is found. So what we have here is a careful programmer's backstop doing its job.

Re:Open sores == fail

[1s44c]

Open sores software == fail. Once again full of security holes that the "many eyes" failed to spot.

Unlike windows which never has remote crashes or remote execution of arbitary code problems. Tell me does microsoft.com still block ping? Why is that again?

APK's monolithic hosts file

[Culture20]

APK's monolithic hosts file is looking pretty good at the moment.

Re:A confusing summary on /., let me try to do bet

[NoNonAlphaCharsHere]

BIND8, for those who used it, was a pile of poo.

Your understated discretion just takes my breath away.

Re:A confusing summary on /., let me try to do bet

[Culture20]

I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can exploited to do something,

Something like cause a denial of service?

Re:A confusing summary on /., let me try to do bet

[TheCarp]

yes yes, but thats very limited. Yes, you can deny service.... but it can be started back up. The only loss is availability of the service, the integrity of the service is uncompromised. It isn't allowing someone to make you serve up their data, it isn't allowing anyone to dump data they shouldn't have, it isn't allowing them to change, erase or anything your data.

Essentially... a DDOS means you are hosed until they stop or you can upgrade... the term 0-Day tends to be used to refer to actualy security issues, where the denial of the service is the least of your worries. Patching isn't good enough because, they got a window in, and could have installed a root kit.

Re:A confusing summary on /., let me try to do bet

[surgen]

Thanks for the clear explanation.

If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.

Very true. Its funny, that this morning I had applied security patches to a debian stable box and thought "hmm, looks like BIND is getting fixed, wonder what thats about" before this even got posted to slashdot.

Re:Open sores == fail

[NoNonAlphaCharsHere]

I guess it's really a question of design philosophy. Microsoft has always been from the "never test for an error condition you don't know how to handle" school, leading to lots and lots of buffer overrun type problems or just plain application crashes. The other side is to have tests you "really don't need". Say for example you have a switch statement where you "just know" (have verified elsewhere/input comes from a trusted source, etc.) that you have a lower-case letter that you want to process, so the code ends up looking something like:

switch (c)
{
case 'a': whatever('a'); break;
case 'b': whatever('b'); break;
...
case 'z': whatever('z'); break;

default: // AND THIS IS THE IMPORTANT BIT
assert("c is not a letter!!");
}

Microsoft code would typically leave out the assert, and happily stumble along. At least with the assert, you know what AND WHERE the Bad Thing (TM) happened, and have a clue as to where to look to fix it.

Tip of the iceberg

[mseeger]

The "assertion"-problem is only tip of the iceberg.

If an assertion fails, this usually means that someone managed to make the code behave in an unintended way. Since the affect occurred simultaneously at several providers all over the world, this indicates a coordinated attack. The chances are real, someone managed to exploit a buffer overflow (or similar) in BIND.

So we have to look seriously into the possibility that people have a way to execute code with the same permissions as BIND has.

When i got the information this morning, this was an alert topic.

Yours, Martin

Re:Tip of the iceberg

[kqs]

The "assertion"-problem is only tip of the iceberg.

If an assertion fails, this usually means that someone managed to make the code behave in an unintended way.

Except that the assertion isn't the problem. The problem is that BIND allows bad data into its cache. The assertion detects this and crashes BIND before the bad data becomes an exploit.

Now, there still may be a way to execute code using this method, but the assertion has alerted everyone to this problem so I expect this particular problem to be solved quickly. And thanks to the assertion-crashes, people will be forced to upgrade rather than running a vulnerable version for the next 5 years.

I'd prefer software without bugs, but since that's impossible, I'll happily take BIND.

Re:Tip of the iceberg

[blair1q]

>exceptions you haven't prepared for

there's your problem right there.

when you go through your code and you see an assert, or something that does the same thing, you're not done coding.

Open resolvers

[bjb_admin]

I am glad I took my lumps and disabled public recursive resolving many years ago on my BIND installations. Only do that for local IP ranges! This eliminates all the resolver issues. Also I found that when the DNS server was open I was getting a constant stream of unusual TXT lookups which were for oddball domains. These contained many K of data. I suspect these requests were fake source IP requests being used as some sort of bandwidth DOS attack.

Re:Open resolvers

[Short+Circuit]

More likely, the unusual TXT lookups were someone streaming IP over DNS.

Unbound, not NSD

[bigogre]

Unbound, also from NL Netlabs, is a recursive resolver. NSD is an authoritative server.

The problem is with Bind as a recursive resolver, not as an authoritative server.

Re:Impossible!

[swalve]

That's not how liability works. You are talking about some kind of warranty.

Re:Open sores == fail

[bws111]

First, this has nothing to do with Microsoft, so there is no need to drag them into it.

Second, I am not questioning the need to test for errors, or that sometimes the correct thing to do when an error is encountered is die. I am challenging your position that overall the software is doing what it was designed to do and this is not a bug. The assertion itself is fine - there are reasons why the cache may have been corrupted and you want to kill the program (hardware error, tampering with files, etc). However, in this case the check should have been done BEFORE the data was put into the cache, when the correct response would have been to simply reject the message. Failure to do that check is a bug.

Re:A confusing summary on /., let me try to do bet

[Above]

I'm not sure how to square large production name servers with "generalist deployments". Clearly the small admin can do without a support contract. However I've seen large ISP's, supplying service to millions of customers with no support, and I think that's insane.

If you go back to ISC's Software Support page you'll notice "Advance Security Notifications". Depending on the nature of the issue, ISC's support customers often receive notification before BIND-announce. I believe this particular issue went out in all forums pretty much at the same time due to the severity, but lesser issues may be released in a staged fashion.

etckeeper

[Compaqt]

By the way, another thing people who are wont to mess with their /etc should keep in mind is etckeeper. It versions your /etc, by default in bazaar, but it's also supposed to work with git, hg, etc. It has triggers set so every time you install something, it does an automatic checkin.

You can also manual commits, too, along with a message.

Good for people who want to know what the config files looked like when they were working a week ago.

Click to install (Debian and friends)

Re:etckeeper

[X0563511]

Awesome!!

I've been known to keep subdirectories of /etc as SVN repository checkouts, but that grabs the whole thing!

The only thing I'd be worried about is accidentally uploading sensitive data (hashes and such).

Re:isc.org Slashdotted. Good job!

[L4t3r4lu5]

So this is a patch to deliberately break the carefully constructed "graceful death" preventing a potential exploit?

Sounds like a GRAND idea...

NSD

[powdered+toast+dude]

As a long-time BIND hater, I recently switched from djbdns/tinydns to NSD. I figured if it's good enough for a few root servers it was worth a look. It's very efficient and fast, uses standard zone files, fully ipv4/ipv6 dual-stack transparent, and is DNSSEC aware. Very pleased so far.

Re:A confusing summary on /., let me try to do bet

[PoopMonkey]

I've never known 0-day to mean that. 0-day has to me always meant an exploit in the wild before the author is aware of it vs. an exploit taking advantage of a bug that was fixed a month ago but people haven't applied the patch.

TreeWalk

[macraig]

I use TreeWalk. Since it's an implementation of BIND, do I need to apply this patch to it, and if so how?

qmail backscatter

[Onymous+Coward]

Did a little looking into it and, though I'm generally a fan of DJB's wares, unpatched qmail does indeed have the problem of accepting all mail for configured domains, regardless of localpart (box) validity. Which means DSNs will be sent for bad addresses, and since SMTP provides no way of validating senders, backscatter occurs. This is the term for it, by the way.

I've seen plenty of spam using the mechanism. It's a real problem.

Patches are available. But, yeah, DJB's licensing made even patching problematic for the longest time. Thankfully, he's conceded on that point. Which suggests to me he's not dogmatic or unreasonable, just rigidly principled.

I run Postfix, too. Love it. The licensing limbo was part of my decision to go with Postfix, though there were a number of factors. But I still run DJB's tinydns and dnscache.

Re:Security tip of the day: Do not use BIND

[Above]

There has not been a single remote-root exploit in BIND9 since it was offered up to the world circa 2001. It was a complete rewrite with new goals, so taking BIND 4.x or BIND 8.x as examples isn't really relevant.

ISC is also completely open about security issues, listing them all on the web site and registering them with the CVE Registry.

As I stated in another post, the goal of BIND9 was use use various constructs (like assertions) to check data integrity, where possible on the fly and where not practical in a way that causes a core dump. That to fail safe was the best option, and crashing in a way the bug could be fixed was a positive. If you view the advisories against BIND9 you'll see that strategy has worked very well. Of course there's no reason not to lock any application in a VM, jail, chroot or whatever to get additional security, but I think the track record of BIND9 compared to most other major open source software is decent.

BIND is also "full featured". Many of the folks here reference alternatives like NSD, tinyDNS, or Unbound which provide limited functionality compared to BIND. Obviously if you're willing to limit the functionality you limit the bug exposure, but that's true both if you use software that doesn't include the functionality but also if you disable that functionality in BIND. For instance the bug in question affects recursive resolvers only, if your BIND9 instance is an authority only configuration there is no exposure.

I'm afraid most of BIND's bad reputation comes from BIND 4.x and BIND 8.x, both of which were quite bad (for different reasons). BIND9 was a departure, and now ISC is working on BIND 10, which should be yet another large leap forward.