FreeBSD Security Advisory: FreeBSD-SA-01:18.bind

FreeBSD Security Advisories security-advisories at
Wed Jan 31 13:24:13 PST 2001


FreeBSD-SA-01:18                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          BIND remotely exploitable buffer overflow

Category:       core, ports
Module:         bind
Announced:      2001-01-31
Credits:        COVERT Labs <seclabs at NAI.COM>
                Claudio Musmarra
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
                Ports collection prior to the correction date.
Corrected:      2001-01-30 (FreeBSD 3.5-STABLE)
                2001-01-29 (FreeBSD 4.2-STABLE)
                2001-01-29 (Ports collection)
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

BIND is an implementation of the Domain Name Service (DNS) protocols.

II.  Problem Description

An overflowable buffer related to the processing of transaction
signatures (TSIG) exists in all versions of BIND prior to
8.2.3-RELEASE.  The vulnerability is exploitable regardless of
configuration options and affects both recursive and non-recursive DNS

Additional vulnerabilities allow the leaking of environment variables
and the contents of the program stack.  These vulnerabilities may
assist attackers in exploiting the primary vulnerability described
above, and may provide additional information about the state or
configuration of the system.

All previous versions of BIND 8, such as the beta versions included in
FreeBSD 4.x prior to the correction date (designated the version
number BIND 8.2.3-T<#>B) are vulnerable to this problem.  Systems
running versions of BIND 9.x (available in the FreeBSD ports
collection) are unaffected.

Further information about the vulnerabilities is contained in the CERT
advisory located at:

Note that this advisory also describes vulnerabilities in the BIND 4.x
software, which is not included in any recent version of FreeBSD.

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem, if they have been configured to run named (this is not enabled
by default).  In addition, the bind8 port in the ports collection
(versions prior to 8.2.3) is also vulnerable.

To check whether a DNS server is running a vulnerable version of BIND,
perform the following command as any user:

% dig @serverip version.bind. CHAOS TXT

The following segment of output indicates a non-vulnerable server
running BIND 8.2.3-RELEASE:

VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"
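As an added example, not part of the advisory: a small sh script that pulls the version string out of a dig answer line like the one above and classifies it against the affected versions listed in this advisory (anything below 8.2.3, plus the 8.2.3-T<#>B betas, is vulnerable; 8.2.3-REL is fixed; BIND 9 is unaffected). The function names and the sample answer line are this example's own. Keep in mind that version.bind can be suppressed or rewritten with the version option in named.conf, so an unexpected banner means "unknown", not "safe"; the authoritative check is the version actually installed on the host.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify the version string that
#   dig @serverip version.bind. CHAOS TXT
# returns against the affected versions listed above.  Only BIND 8 is
# classified; BIND 9 is reported as unaffected, and a hidden, rewritten or
# unparseable banner as unknown.  Function names are this example's own.

# Print the quoted TXT value from a dig answer line such as
#   VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"
# (reads stdin, prints nothing if no TXT record is present).
version_from_dig_line() {
    sed -n 's/.*TXT[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print one of: vulnerable, fixed, unaffected, unknown
classify_bind_version() {
    v=$1
    case "$v" in
        9.*) echo unaffected; return 0 ;;
        8.*) ;;
        *)   echo unknown; return 0 ;;
    esac

    num=${v%%-*}                 # "8.2.3-T6B" -> "8.2.3"
    suffix=${v#"$num"}           #             -> "-T6B"
    suffix=${suffix#-}           #             -> "T6B"
    case "$num" in
        *[!0-9.]*|*.|*..*) echo unknown; return 0 ;;
    esac
    rest=${num#*.}               # "2.3"
    minor=${rest%%.*}            # "2"
    patch=${rest#*.}             # "3"
    [ "$patch" = "$rest" ] && patch=0   # "8.2" carries no patch level
    patch=${patch%%.*}           # ignore any fourth component

    # Anything below 8.2.3 is vulnerable.
    if [ "$minor" -lt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -lt 3 ]; }; then
        echo vulnerable; return 0
    fi
    # 8.2.3 itself: the T<#>B betas shipped in FreeBSD 4.x are vulnerable,
    # 8.2.3-REL is the fix.
    if [ "$minor" -eq 2 ] && [ "$patch" -eq 3 ]; then
        case "$suffix" in
            T[0-9]*B) echo vulnerable ;;
            *)        echo fixed ;;
        esac
        return 0
    fi
    echo fixed
}

# Constructed sample answer; against a live server use
#   dig @serverip version.bind. CHAOS TXT | version_from_dig_line
SAMPLE_ANSWER='VERSION.BIND.           0S CHAOS TXT    "8.2.3-T6B"'
ver=$(printf '%s\n' "$SAMPLE_ANSWER" | version_from_dig_line)
echo "reported version: $ver -> $(classify_bind_version "$ver")"
```

The suffix is only consulted at exactly 8.2.3, because that is the one release where the advisory distinguishes the vulnerable T<#>B betas from the fixed -REL build; everything below it is vulnerable whatever patch suffix it carries.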

III. Impact

Malicious remote users can cause arbitrary code to be executed as the
user running the named daemon.  This is often the root user, although
FreeBSD provides built-in support for the execution of named as an
unprivileged 'bind' user, which greatly limits the scope of the
vulnerability should a successful penetration take place.

IV.  Workaround

There is no known practical workaround to prevent the vulnerability
from being exploited, short of upgrading the software.  A partial
workaround to limit the impact of the vulnerability should it be
exploited is to run named as an unprivileged user.

Add the following line to /etc/rc.conf:

named_flags="-u bind -g bind"  # Flags for named

Add the following line to your /etc/namedb/named.conf file, in the
"options" section:

	pid-file "/var/named/";

See the named.conf(5) manual page for more details about configuring

Perform the following commands as root:

Create a directory writable by the bind user where named can store its
pid file:

# mkdir /var/named
# chown bind:bind /var/named

Shut down the DNS server:

# ndc stop

Restart it using the non-privileged user and group:

# ndc -p /var/named/ start -u bind -g bind

Note that when not running as the root user, named will lose the
ability to re-bind to interfaces which change address, or which are
added to the system after named has been started.  If such an event
takes place, named will need to be stopped and restarted in order to
re-bind to the interface(s).  See the ndc(8) manual page for more
information about how to do this.
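As an added example, not part of the advisory: an sh script that audits whether the workaround above is actually in effect on a host, checking the named_flags line in rc.conf, the user the running named process belongs to, and the ownership of the pid-file directory. Each check reads its input from stdin, so it runs here against constructed samples and on a live system against /etc/rc.conf, ps and ls. The function names and the sample inputs are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit whether the "run named as
# the unprivileged bind user" workaround is actually in effect.  Every check
# reads its input from stdin, so it works on constructed samples (below)
# and on the live system alike.  Function names are this example's own.

# Succeed if the last uncommented named_flags= line in rc.conf (stdin)
# carries both "-u bind" and "-g bind".
rc_conf_has_unpriv_flags() {
    flags=$(sed -n 's/#.*//; /^named_flags=/p' | tail -n 1)
    case "$flags" in
        *-u\ bind*-g\ bind*|*-g\ bind*-u\ bind*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the user owning the running named process, given
# "ps -axo user,command" output on stdin (header line included);
# print nothing if named is not running.
named_runs_as() {
    awk 'NR > 1 && $2 ~ /(^|\/)named$/ { print $1; exit }'
}

# Succeed if the pid-file directory, given as "ls -ld DIR" output on stdin,
# is owned by bind, so named can still write its pid file after dropping root.
piddir_owned_by_bind() {
    awk '$3 == "bind" { found = 1 } END { exit !found }'
}

# Constructed samples standing in for /etc/rc.conf, ps and ls output.
RC_CONF_SAMPLE='named_enable="YES"
#named_flags="-u root"
named_flags="-u bind -g bind"  # Flags for named'
PS_SAMPLE='USER COMMAND
root /usr/sbin/syslogd -s
bind /usr/sbin/named -u bind -g bind'
LS_SAMPLE='drwxr-xr-x  2 bind  bind  512 Jan 29 12:00 /var/named'

# Live equivalents of the three pipelines below:
#   rc_conf_has_unpriv_flags < /etc/rc.conf
#   ps -axo user,command | named_runs_as
#   ls -ld /var/named | piddir_owned_by_bind
if printf '%s\n' "$RC_CONF_SAMPLE" | rc_conf_has_unpriv_flags; then
    echo "rc.conf: named_flags drops to bind:bind"
else
    echo "rc.conf: named_flags does NOT drop privileges"
fi
echo "named runs as: $(printf '%s\n' "$PS_SAMPLE" | named_runs_as)"
if printf '%s\n' "$LS_SAMPLE" | piddir_owned_by_bind; then
    echo "pid-file directory owned by bind"
else
    echo "pid-file directory NOT owned by bind"
fi
```

The process check matters more than the rc.conf check: rc.conf only takes effect at the next start, so a named that was started by hand as root still runs as root however rc.conf reads.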

Use of the -t option to named will also increase security when run as
a non-privileged user by confining the named process to a chroot
environment and thereby partially limiting the access it has to the
rest of the system.  Configuration of these options is beyond the
scope of the advisory.  The following website contains information
which may be useful to administrators wishing to perform this step:

Note that this tutorial does not specifically relate to FreeBSD, and
the information contained therein may need to be modified for FreeBSD

Note that such a penetration of the unprivileged bind user may still
allow the attacker to take advantage of a local security vulnerability
or misconfiguration to further increase privileges.  Therefore this
should only be considered a temporary workaround while preparations
can be made to upgrade permanently.

It is recommended that all affected users upgrade their systems
immediately as described in the following section.

V.   Solution

Note that BIND 8.2.3-RELEASE is more strict about invalid zone file
syntax than older versions.  DNS zones which contain errors may need
to be corrected before the new version can be run.

[Base system]

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

A binary tarball containing the updated BIND files may be released in
a few days, but is being held back for quality assurance reasons.  In
the meantime an unofficial tarball is available from the following
location.  Users are advised that the following tarball has not been
tested on a production system, and those wishing to perform an upgrade
without upgrading the entire OS are advised to use the bind8 port as
described below.

To fetch and install it, perform the following actions as root:

# fetch
# fetch

Verify the detached PGP signature using your PGP utility.

# cd /
# tar xvfz /path/to/bind-8.2.3-4.x.tgz

Stop and restart the named process as shown:

# ndc restart

See the note in the previous section about how to use ndc to restart
named as a non-privileged user if it has been configured to run that way.

[Ports collection]

If you have chosen to install BIND from the ports collection and are
using it instead of the version in the base system, perform one of the
following steps:

1) Update your entire ports collection and rebuild the bind8 port.

If you are installing the port for the first time, be sure to edit the
named_program variable in /etc/rc.conf to point to the installed
location of the named executable.

The bind8 port can be configured to install itself in /usr and read
configuration data from /etc so that it is drop-in compatible with the
system version of BIND.  Install the port as follows:

# cd /usr/ports/net/bind8
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
 DESTRUN=/var/run all install clean

If you install the BIND port over the top of the system version in
this way, be sure to add the following line to /etc/make.conf to
prevent the future rebuilding of the system version during 'make

NO_BIND=       true    # do not build BIND

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:


NOTE: It may be several days before updated packages are available.

Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the bind8 port from:

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.  The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:


This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at
