Cert Advisory NOT reflected at bind-security.html .
GILBERT.R.LOOMIS at saic.com
Mon Jul 1 17:01:12 UTC 2002
> I am requesting of the team to put together a detailed
> description of implementing the work around.

The BIND 8 lib/bind wasn't originally included with BIND 9,
but was added later. From a quick look at one Solaris 8
system, it doesn't appear to even get compiled by default.
If it *is* compiled, then you might be able to copy it into
/usr/lib on your system and force it to be used by dynamically-
linked applications...but some common commercial applications
are statically linked and would not benefit.

What I'm doing here:

1. Ensure that all your client systems are using recursive
servers that use BIND 9.2.1--which cleanses the data
stream when it re-writes traffic. This will provide
2. Review applications/utilities that commonly perform
DNS lookups against external servers. Examples would
be reverse-lookups for logging on web/FTP servers, etc.
If any of those have a configurable option to only
report IP addresses (and not try to resolve them to
hostnames) then verify that the configuration is "IP
addresses only; no reverse lookups".
3. Remember that MS has stated that they're not vulnerable
in any way, and that (based on discussions with Nominum
and a quick check myself) it appears that Linux libc6/
glibc2.x are not vulnerable.
4. If any systems are left unprotected by this point, then
start shutting them down or blocking external access
until the vendors get patches out.

You'll notice that nowhere in there did I recommend trying
to install the BIND 8 resolver library as a fix. If anyone
has instructions for how to reliably install that library
on Solaris/HP-UX/IRIX, then please share. The *BSD folks
already have patches out, and Linuxen/MS systems appear to
be unaffected, so it's only the commercial OSs that I'm
still really worried about. Comments welcomed--

Rip Loomis Senior Systems Security Engineer
SAIC Secure Business Solutions Group www.saic.com/securebiz
Center for Information Security Technology www.cist-east.saic.com
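
Steps 1 and 2 of the list above lend themselves to a scripted check. The following is an added example, not part of the original message: it lists the recursive servers a client is configured to use (whether they run BIND 9.2.1 still has to be confirmed separately) and flags settings that leave reverse lookups enabled. The post names no specific server software, so Apache httpd's HostnameLookups and ProFTPD's UseReverseDNS are assumed as the switches; all sample files are constructed.

```python
# Added example: audit helper for steps 1 and 2. Sample inputs are constructed.
# Assumed daemons: Apache httpd (HostnameLookups) and ProFTPD (UseReverseDNS).
# daemon -> (directive, value that disables reverse lookups, default when absent)
RULES = {
    "apache": ("HostnameLookups", "off", "off"),
    "proftpd": ("UseReverseDNS", "off", "on"),
}

def nameservers(resolv_conf):
    """Step 1: return the recursive servers listed in resolv.conf-format text."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def reverse_lookup_findings(daemon, config):
    """Step 2: return (line_no, text) for settings that leave reverse lookups on.

    Every occurrence is checked because the directive can be overridden in
    nested contexts. Line number 0 means the directive is absent and the
    daemon's default enables lookups.
    """
    directive, safe, default = RULES[daemon]
    findings, seen = [], False
    for no, line in enumerate(config.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == directive.lower():
            seen = True
            if fields[1].lower() != safe:
                findings.append((no, line.strip()))
    if not seen and default != safe:
        findings.append((0, f"{directive} not set; default is {default}"))
    return findings

# Constructed sample files (documentation addresses and names only).
SAMPLE_RESOLV = "; constructed\ndomain example.com\nnameserver 192.0.2.53\nnameserver 192.0.2.54\n"
SAMPLE_HTTPD = "ServerName www.example.com\nHostnameLookups On\n<VirtualHost *:80>\n  HostnameLookups off\n</VirtualHost>\n"
SAMPLE_PROFTPD = 'ServerName "ftp"\nDefaultServer on\n'

if __name__ == "__main__":
    print("recursive servers to verify:", nameservers(SAMPLE_RESOLV))
    for daemon, text in (("apache", SAMPLE_HTTPD), ("proftpd", SAMPLE_PROFTPD)):
        for no, msg in reverse_lookup_findings(daemon, text):
            print(f"{daemon}: line {no}: {msg}")
```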