Mailinglist Archive: opensuse-security (520 mails)
RE: [suse-security] Bind9 & resolver libs
- From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
- Date: Thu, 4 Jul 2002 11:24:26 +0200
- Message-id: <96C102324EF9D411A49500306E06C8D1016F5C42@xxxxxxxxxxxxxxxxx>
> thanks Tobias, i am still unclear as to the possibility of exploiting
> bind9 if recursion is limited/not allowed afaik the overflow occurs
> at two of the variable parsers used by the resolver libs.
If BIND9 uses the vulnerable resolver lib or implements the same code, it is
vulnerable. If it doesn't, it isn't. That having been said, if you're
worried about BIND being exploitable now and in the future, which I would
be, then dump BIND and switch to something more secure. Such as djbdns.
You'll still need to resolve the issue on the DNS clients, though.
On a side note, proxy-firewalled infrastructures don't require the
workstations to perform DNS lookups at all; the proxy handles that for them.
> and also afaik bind9 answers from cache anyway.
So? I don't see your meaning.
> the reason i am sceptical at this stage is one of my production boxen
> running only (SuSE) patched apache and bind9 (80 & 53) has been r00ted.
I don't believe it runs only those two apps.. ;-)
[box r00ted by unknown avenue of attack]
Post-break-in forensics can be tough (and therefore expensive). I believe we
(secunet, the company I work for) have done some of it in the past, so if
it's important enough to you, we could perhaps come to a deal, but it
probably won't be cheap.. I sincerely hope the list doesn't read this as an
advertisement of any sort; it's not meant that way.
Tobias