Unless you've been living under a rock, you already know about the latest buffer-overflow vulnerability in the Berkeley Internet Name Domain (BIND) software, the Domain Name System (DNS) server that matches Web server names to Internet Protocol addresses so people can find companies on the Web. By all accounts, BIND is the glue that holds the entire addressing scheme together, making up at least 80% of the Internet naming system.
Rightly, the CERT Coordination Center made a big deal when it announced two weeks ago that BIND Versions 4 and 8 are vulnerable to root-level compromise, traffic rerouting and all other sorts of nasty possibilities.
The following are some other disturbing facts about BIND:
- BIND is controlled by the Internet Software Consortium (ISC), a nonprofit vendor group in Redwood City, Calif. Heavyweights like Sun, IBM, Hewlett-Packard, Network Associates and Compaq support it.
- By virtue of the ubiquity of BIND, the ISC wields a lot of power.
- Just before this latest vulnerability went public, the ISC announced preliminary plans to charge for critical BIND security documentation and alerts through subscription fees starting with resellers. This set off an outcry in the nonvendor IT community.
- BIND has had 12 security patches in recent years.
- This latest vulnerability is a buffer overflow, a notorious coding problem that's been well documented for a decade. Through code that's vulnerable to buffer overflow, attackers can gain root simply by confusing the program with illegal input.
- Ironically, the buffer overflow popped up in BIND code written to support a new security feature: transactional signatures.
The ISC is now asking IT managers to trust it once again and upgrade to Version 9 of BIND, which doesn't have this buffer-overflow problem, according to CERT.
IT pros aren't buying it.
Hardening Your DNS
1. Run BIND in a nonroot environment.
2. Set up a split-brain DNS configuration.
3. Tighten your BIND 8 configuration using built-in security options.
4. Consider running a nonrecursive name server.
5. Configure your operating system to mark the stack nonexecutable.
"BIND is a big, unwieldy piece of software that's been completely rewritten, but it can still have buffer overflows anywhere in the code," says Ian Poynter, president of Jerboa Inc., a security consulting firm in Cambridge, Mass. "BIND is the biggest point of failure on the entire infrastructure of the Internet."
DNS administrators should indeed upgrade, per CERT's recommendation. But there are other things they can do to cut the umbilical cord from the ISC.
First, don't allow BIND to run at root, says William Cox, an IT administrator at Thaumaturgix Inc., an IT services firm in New York. "The best way to limit your exposure is to run the server in a 'chrooted' environment," he says. "Chroot is a specific Unix command that limits a program to only a certain portion of the file system."
Second, Cox recommends breaking up DNS server farms to protect against getting knocked off the Web the way Microsoft and Yahoo were two weeks ago. He suggests keeping internal IP addresses on internal DNS servers that aren't open to Web traffic and spreading Internet-facing DNS servers around to different branch offices.
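The sidebar's hardening steps and Cox's two recommendations, pulled together in one sketch for a Unix host running BIND 8 or 9. This is an added example, not code from the article, the ISC or BIND's own documentation; the jail directory, the unprivileged user name "named", and the 192.0.2.53 and 10.0.0.0/8 addresses are assumptions. The two named.conf texts show the split-brain idea directly: the Internet-facing server is authoritative-only with recursion switched off, while the internal server resolves for internal clients and never answers the Internet.

```shell
#!/bin/sh
# Added example (assumed paths, user and addresses): applying the sidebar's
# steps (non-root chroot, split-brain, tightened options, non-recursive
# public server) to BIND 8/9 on a Unix host.
set -eu

# Configuration for the INTERNET-FACING server: authoritative only, no
# recursion for anyone, zone transfers only to the named secondary.
#   $1 = address of the secondary allowed to pull zone transfers (assumed)
external_named_conf() {
  cat <<EOF
acl secondaries { $1; };

options {
    directory "/var/named";
    version "not disclosed";         // do not advertise the BIND version
    recursion no;                    // step 4: authoritative-only on the public face
    allow-query { any; };
    allow-transfer { secondaries; }; // no zone dumps to arbitrary hosts
    allow-update { none; };
};
EOF
}

# Configuration for the INTERNAL server (step 2, split-brain): resolves for
# internal clients only and is the only place internal addresses live.
#   $1 = internal network in CIDR form (assumed)
internal_named_conf() {
  cat <<EOF
acl internal { $1; 127.0.0.1; };

options {
    directory "/var/named";
    version "not disclosed";
    recursion yes;
    allow-query { internal; };       // internal records never answer the Internet
    allow-recursion { internal; };
    allow-transfer { none; };
    allow-update { none; };
};
EOF
}

# Step 1: build a minimal chroot tree for the jail and print its path.
#   $1 = jail root directory (assumed /chroot/named in production)
prepare_chroot() {
  root=$1
  for d in dev etc var/named var/run; do
    mkdir -p "$root/$d"
  done
  # named needs /dev/null inside the jail; device creation needs root,
  # so it is attempted only when running as root and never aborts the script.
  if [ "$(id -u)" -eq 0 ] && [ ! -e "$root/dev/null" ]; then
    mknod "$root/dev/null" c 1 3 || echo "warning: could not create $root/dev/null" >&2
  fi
  chmod 755 "$root" "$root/etc"
  echo "$root"
}

# The launch line: -u drops to an unprivileged user once port 53 is bound,
# -t chroots into the jail (both flags exist in BIND 8 and BIND 9).
# Step 5 is an OS setting, not a named flag: on Solaris, for example,
# "set noexec_user_stack = 1" in /etc/system marks user stacks non-executable.
#   $1 = jail root directory
named_command() {
  echo "named -u named -t $1 -c /etc/named.conf"
}

# Usage with constructed values: write both configs and the jail layout into
# a scratch directory so the result can be inspected before going live.
if [ "${1:-}" = "demo" ]; then
  jail=$(mktemp -d)
  prepare_chroot "$jail" >/dev/null
  external_named_conf 192.0.2.53 > "$jail/etc/named.conf.external"
  internal_named_conf 10.0.0.0/8 > "$jail/etc/named.conf.internal"
  named_command "$jail"
fi
```

Run it as `sh harden-bind.sh demo` to see the jail layout and the launch line; nothing here starts a name server. Keeping the public server non-recursive (step 4) matters beyond load: a server that will not recurse for strangers cannot be used to poison its own cache on their behalf, and the internal server's allow-query line is what keeps internal addresses off the Internet-facing side.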
Still others are looking at Internet naming alternatives. One that's gaining popularity is named djbdns (cr.yp.to/djbdns.html), after Daniel Bernstein, author of Qmail, a more secure form of Sendmail, says Elias Levy, chief technology officer at SecurityFocus.com, a San Mateo, Calif.-based Internet services company and list server for Bugtraq security alerts.
Diagnosis: Trojan Horse
Speaking of Bugtraq and the pervasive threat posed by vulnerabilities, Bugtraq issued a utility on Feb. 1 to its 37,000 subscribers, which was supposed to determine whether machines are vulnerable to the BIND buffer overflow. The program was delivered to Bugtraq via an anonymous source. It was checked by the Bugtraq technical team, then cross-checked by Santa Clara, Calif.-based Network Associates.
Turns out the program's binary shell was really a Trojan horse. Each time this diagnostic program was installed on a test machine, it sent denial-of-service packets to Network Associates, taking some of the security vendor's servers off the Net for as long as 90 minutes.
Oh, what a tangled Web we weave.
This story, "Stuck in a BIND," was originally published by Computerworld.