Recent ISS Security Announcement

Ragnar Paulson ragnar at wanware.com
Sat Nov 16 22:48:32 UTC 2002

> On Thu, Nov 14, 2002 at 05:13:40PM -0500, Joseph S D Yao wrote:
>
> > On Thu, Nov 14, 2002 at 03:23:23PM -0500, Ragnar Paulson wrote:
> > ...
> > > Put another way, if I have named/bind configured to only allow recursion
> > > to local users ... is this still remotely exploitable?
> > ...
>
> > My understanding is that it is exploitable if the client can do
> > recursion ... so, in the case you posit, local users could exploit it
> > but remote users could not.
>
> Here there be dragons...
>
> What if someone sends you an E-Mail message that prompts a
> DNS lookup to the hostile nameserver.  How about a URL?  You have to
> trust ALL of your local clients to NEVER (not even in one of those
> transparent, under-the-hood type, checks that you don't even know about)
> be tricked into requesting a bad RR record.
>
> This is not a road to be walked down.  It's quibbling on when
> and how you will get screwed when, in fact, you are going to get screwed.
> Fact is that, even if you control all the requesting clients, you don't
> control all the paths which may trigger a request from all the clients.
> There are just too many variables and paths.
>

Thanks everyone for the clarifications.  I recognize that trusting to be
protected by the recursion restriction alone is not a good plan.  We have
in fact started working with Bind 9 and found the conversion remarkably
painless (in fact no pain at all so far ... this is pleasantly startling,
actual backwards compatibility :-).

I think the whole security issue could be handled better.  The ISS
announcement left much to be desired in describing the exposure in bind.  As
an admin I need to know if a problem is one that has to be addressed
immediately ("you better not go home"), "high priority during regular business
hours", "at the next major software upgrade" or "when you get to it".

The only way I can make that decision is by understanding the exploit well
enough to judge "my" exposure, which may not be the same as that of the person
making the announcement.  I don't need details of the lines of code in
error, or how to write an exploit, but I need to know the few details I
asked for above ... how to trigger the fault, and the results.

Ragnar Paulson
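As an added illustration of the configuration the thread is discussing (not code from the original message, from ISS, or from ISC), here is a BIND 9 named.conf fragment that restricts recursion to local clients; the ACL name, the directory and the address ranges are assumed placeholders. It shows what the "recursion only for local users" setting actually controls: which clients may ask this server to recurse, not what those clients ask for. A local mail gateway resolving a sender's domain, or a proxy fetching a URL, still drives the resolver to whatever nameserver is authoritative for the name it was handed, which is the point the quoted reply makes.

```conf
// Added example, not from the original thread: limit recursive service to
// local clients only. ACL name and address ranges are assumed placeholders.
acl "local-clients" {
    127.0.0.1;
    10.0.0.0/8;          // example internal range, adjust to the real site
};

options {
    directory "/var/named";   // assumed path
    recursion yes;

    // Only the clients listed above may have this server perform recursive
    // lookups on their behalf; everyone else gets REFUSED for such queries.
    allow-recursion { "local-clients"; };

    // Outside clients can still query the zones this server is
    // authoritative for; the restriction does not change that.
    allow-query { any; };
};
```

What this buys a defender is a smaller population of clients that can reach the recursive code path directly from outside. What it does not do is control which names those permitted clients resolve, so any of them that can be induced to look up a name served by a hostile nameserver still exercises the same path. That is why the thread concludes that the restriction alone is not a sound plan and treats the upgrade, rather than the ACL, as the fix.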
