Vulnerabilities > CVE-2002-1220 - Denial of Service vulnerability in ISC BIND OPT Record Large UDP

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
isc
freebsd
openbsd
nessus
exploit available

Summary

BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.

Exploit-Db

descriptionISC BIND 8.3.x OPT Record Large UDP Denial of Service Vulnerability. CVE-2002-1220. Dos exploit for linux platform
idEDB-ID:22011
last seen2016-02-02
modified2002-11-12
published2002-11-12
reporterspybreak
sourcehttps://www.exploit-db.com/download/22011/
titleISC BIND 8.3.x OPT Record Large UDP Denial of Service Vulnerability

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-196.NASL
    description[Bind version 9, the bind9 package, is not affected by these problems.] ISS X-Force has discovered several serious vulnerabilities in the Berkeley Internet Name Domain Server (BIND). BIND is the most common implementation of the DNS (Domain Name Service) protocol, which is used on the vast majority of DNS servers on the Internet. DNS is a vital Internet protocol that maintains a database of easy-to-remember domain names (host names) and their corresponding numerical IP addresses. Circumstantial evidence suggests that the Internet Software Consortium (ISC), maintainers of BIND, was made aware of these issues in mid-October. Distributors of Open Source operating systems, including Debian, were notified of these vulnerabilities via CERT about 12 hours before the release of the advisories on November 12th. This notification did not include any details that allowed us to identify the vulnerable code, much less prepare timely fixes. Unfortunately ISS and the ISC released their security advisories with only descriptions of the vulnerabilities, without any patches. Even though there were no signs that these exploits are known to the black-hat community, and there were no reports of active attacks, such attacks could have been developed in the meantime - with no fixes available. We can all express our regret at the inability of the ironically named Internet Software Consortium to work with the Internet community in handling this problem. Hopefully this will not become a model for dealing with security issues in the future. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities : - CAN-2002-1219: A buffer overflow in BIND 8 versions 8.3.3 and earlier allows a remote attacker to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). This buffer overflow can be exploited to obtain access to the victim host under the account the named process is running with, usually root. - CAN-2002-1220: BIND 8 versions 8.3.x through 8.3.3 allows a remote attacker to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. - CAN-2002-1221: BIND 8 versions 8.x through 8.3.3 allows a remote attacker to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference. These problems have been fixed in version 8.3.3-2.0woody1 for the current stable distribution (woody), in version 8.2.3-0.potato.3 for the previous stable distribution (potato) and in version 8.3.3-3 for the unstable distribution (sid). The fixed packages for unstable will enter the archive today.
    last seen2020-06-01
    modified2020-06-02
    plugin id15033
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15033
    titleDebian DSA-196-1 : bind - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-196. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15033);
      script_version("1.29");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-0029", "CVE-2002-1219", "CVE-2002-1220", "CVE-2002-1221");
      script_bugtraq_id(6159, 6160, 6161);
      script_xref(name:"CERT", value:"229595");
      script_xref(name:"CERT", value:"542971");
      script_xref(name:"CERT", value:"581682");
      script_xref(name:"CERT", value:"844360");
      script_xref(name:"CERT", value:"852283");
      script_xref(name:"DSA", value:"196");
    
      script_name(english:"Debian DSA-196-1 : bind - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "[Bind version 9, the bind9 package, is not affected by these
    problems.]
    
    ISS X-Force has discovered several serious vulnerabilities in the
    Berkeley Internet Name Domain Server (BIND). BIND is the most common
    implementation of the DNS (Domain Name Service) protocol, which is
    used on the vast majority of DNS servers on the Internet. DNS is a
    vital Internet protocol that maintains a database of easy-to-remember
    domain names (host names) and their corresponding numerical IP
    addresses.
    
    Circumstantial evidence suggests that the Internet Software Consortium
    (ISC), maintainers of BIND, was made aware of these issues in
    mid-October. Distributors of Open Source operating systems, including
    Debian, were notified of these vulnerabilities via CERT about 12 hours
    before the release of the advisories on November 12th. This
    notification did not include any details that allowed us to identify
    the vulnerable code, much less prepare timely fixes.
    
    Unfortunately ISS and the ISC released their security advisories with
    only descriptions of the vulnerabilities, without any patches. Even
    though there were no signs that these exploits are known to the
    black-hat community, and there were no reports of active attacks, such
    attacks could have been developed in the meantime - with no fixes
    available.
    
    We can all express our regret at the inability of the ironically named
    Internet Software Consortium to work with the Internet community in
    handling this problem. Hopefully this will not become a model for
    dealing with security issues in the future.
    
    The Common Vulnerabilities and Exposures (CVE) project identified the
    following vulnerabilities :
    
      - CAN-2002-1219: A buffer overflow in BIND 8 versions
        8.3.3 and earlier allows a remote attacker to execute
        arbitrary code via a certain DNS server response
        containing SIG resource records (RR). This buffer
        overflow can be exploited to obtain access to the victim
        host under the account the named process is running
        with, usually root.
      - CAN-2002-1220: BIND 8 versions 8.3.x through 8.3.3
        allows a remote attacker to cause a denial of service
        (termination due to assertion failure) via a request for
        a subdomain that does not exist, with an OPT resource
        record with a large UDP payload size.
    
      - CAN-2002-1221: BIND 8 versions 8.x through 8.3.3 allows
        a remote attacker to cause a denial of service (crash)
        via SIG RR elements with invalid expiry times, which are
        removed from the internal BIND database and later cause
        a null dereference.
    
    These problems have been fixed in version 8.3.3-2.0woody1 for the
    current stable distribution (woody), in version 8.2.3-0.potato.3 for
    the previous stable distribution (potato) and in version 8.3.3-3 for
    the unstable distribution (sid). The fixed packages for unstable will
    enter the archive today."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-196"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the bind package immediately, update to bind9, or switch to
    another DNS server implementation."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"bind", reference:"8.2.3-0.potato.3")) flag++;
    if (deb_check(release:"2.2", prefix:"bind-dev", reference:"8.2.3-0.potato.3")) flag++;
    if (deb_check(release:"2.2", prefix:"bind-doc", reference:"8.2.3-0.potato.3")) flag++;
    if (deb_check(release:"2.2", prefix:"dnsutils", reference:"8.2.3-0.potato.3")) flag++;
    if (deb_check(release:"2.2", prefix:"task-dns-server", reference:"8.2.3-0.potato.3")) flag++;
    if (deb_check(release:"3.0", prefix:"bind", reference:"8.3.3-2.0woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"bind-dev", reference:"8.3.3-2.0woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"bind-doc", reference:"8.3.3-2.0woody1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDNS
    NASL idBIND_DNSSTORM.NASL
    descriptionThe remote name server, according to its version number, is affected by the following vulnerabilities : - When running the recursive DNS functionality, this server is vulnerable to a buffer overflow attack that may let an attacker execute arbitrary code on the remote host. - It is vulnerable to a denial of service attack (crash) via SIG RR elements with invalid expiry times. - It is vulnerable to a denial of service attack when a DNS lookup is requested on a nonexistent sub-domain of a valid domain and an OPT resource record with a large UDP payload is attached, the server may fail.
    last seen2020-06-01
    modified2020-06-02
    plugin id10886
    published2002-03-08
    reporterThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10886
    titleISC BIND < 8.3.4 Multiple Remote Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Script audit and contributions from Carmichael Security 
    #      Ian Koenig <[email protected]> (nb: this domain no longer exists)
    #      Added BugtraqID and CVE
    #      Updated to handle two specific types of attacks instead of just a general
    #        statement of "vulnerable to DNS storm attacks".
    #      
    
    
    include("compat.inc");
    
    if (description)
    {
     script_id(10886);
     script_version("1.31");
     script_cvs_date("Date: 2018/06/27 18:42:25");
    
     script_cve_id("CVE-2002-1219", "CVE-2002-1220", "CVE-2002-1221");
     script_bugtraq_id(6159, 6160, 6161);
     script_xref(name:"SuSE", value:"SUSE-SA:2002:044");
     
     script_name(english:"ISC BIND < 8.3.4 Multiple Remote Vulnerabilities");
     script_summary(english:"Checks the remote BIND version");
     
     script_set_attribute(attribute:"synopsis", value:
    "It is possible to use the remote name server to break into the
    remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote name server, according to its version number, is affected
    by the following vulnerabilities :
    
    - When running the recursive DNS functionality, this server is
    vulnerable to a buffer overflow attack that may let an attacker
    execute arbitrary code on the remote host. 
    
    - It is vulnerable to a denial of service attack (crash) via SIG RR
    elements with invalid expiry times. 
    
    - It is vulnerable to a denial of service attack when a DNS lookup is
    requested on a nonexistent sub-domain of a valid domain and an OPT
    resource record with a large UDP payload is attached, the server may
    fail.");
     script_set_attribute(attribute:"solution", value:"Upgrade to BIND 8.3.4 or newer");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2002/03/08");
     script_set_attribute(attribute:"vuln_publication_date", value:"2002/11/12");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
     script_family(english: "DNS");
    
     script_dependencie("bind_version.nasl");
     script_require_keys("bind/version");
     exit(0);
    }
    
    vers = get_kb_item("bind/version");
    if(!vers)exit(0);
    
    if(ereg(string:vers,
    	 pattern:"^8\.(([0-1].*)|(2\.[0-6])|(3\.0\.[0-3])).*"))security_hole(53);
    
    

Oval

accepted2005-03-09T07:56:00.000-04:00
classvulnerability
contributors
nameBrian Soby
organizationThe MITRE Corporation
descriptionBIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.
familyunix
idoval:org.mitre.oval:def:449
statusaccepted
submitted2005-01-19T12:00:00.000-04:00
titleBind OPT Resource Record DoS Vulnerability
version35