Cert Advisory NOT reflected at bind-security.html.

Loomis, Rip GILBERT.R.LOOMIS at saic.com
Mon Jul 1 17:01:12 UTC 2002

> 	I am requesting of the team to put together a detailed 
>     description of implementing the work around.
The BIND 8 lib/bind wasn't originally included with BIND 9,
but was added later.  From a quick look at one Solaris 8
system, it doesn't appear to even get compiled by default.
If it *is* compiled, then you might be able to copy it into
/usr/lib on your system and force it to be used by dynamically-
linked applications...but some common commercial applications
are statically linked and would not benefit.

What I'm doing here:
1.  Ensure that all your client systems are using recursive
    servers that use BIND 9.2.1--which cleanses the data
    stream when it re-writes traffic.  This will provide
    some protection.
2.  Review applications/utilities that commonly perform
    DNS lookups against external servers.  Examples would
    be reverse-lookups for logging on web/FTP servers, etc.
    If any of those have a configurable option to only
    report IP addresses (and not try to resolve them to
    hostnames) then verify that the configuration is "IP
    addresses only; no reverse lookups".
3.  Remember that MS has stated that they're not vulnerable
    in any way, and that (based on discussions with Nominum
    and a quick check myself) it appears that Linux libc6/
    glibc2.x are not vulnerable.
4.  If any systems are left unprotected by this point, then
    start shutting them down or blocking external access
    until the vendors get patches out.

You'll notice that nowhere in there did I recommend trying
to install the BIND 8 resolver library as a fix.  If anyone
has instructions for how to reliably install that library
on Solaris/HP-UX/IRIX, then please share.  The *BSD folks
already have patches out, and Linuxen/MS systems appear to
be unaffected, so it's only the commercial OSs that I'm
still really worried about.  Comments welcomed--

Rip Loomis                         Senior Systems Security Engineer
SAIC Secure Business Solutions Group         www.saic.com/securebiz
Center for Information Security Technology   www.cist-east.saic.com
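
An added example, not part of the original message: one way to carry out the step 2 review by checking daemon configuration for reverse-lookup settings. The choice of Apache (`HostnameLookups`, default Off) and ProFTPD (`UseReverseDNS`, default on) and the sample configurations are assumptions made for illustration.

```python
import re

# Reverse-lookup directives: name, documented default, values meaning "log IPs only".
# Apache and ProFTPD are assumptions chosen for illustration, not named in the message.
RULES = {
    "apache": ("HostnameLookups", "off", {"off"}),
    "proftpd": ("UseReverseDNS", "on", {"off"}),
}

def audit(daemon, config_text):
    """Report every setting of the daemon's reverse-lookup directive.

    The directive can appear in several scopes (for example per virtual
    host), so a single unsafe occurrence fails the audit. When the
    directive is absent, the daemon's default decides the result.
    """
    directive, default, safe = RULES[daemon]
    # Anchored at line start, so commented-out settings ("# Directive ...") are ignored.
    pattern = re.compile(r"^\s*" + re.escape(directive) + r"\s+(\S+)", re.IGNORECASE)
    settings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = pattern.match(line)
        if match:
            settings.append((lineno, match.group(1).lower()))
    unsafe_lines = [n for n, value in settings if value not in safe]
    # No explicit setting: fall back to the default for this daemon.
    ip_only = (not unsafe_lines) if settings else (default in safe)
    return {"directive": directive, "settings": settings,
            "unsafe_lines": unsafe_lines, "ip_only": ip_only}

# Constructed sample configurations (not from the original message).
APACHE_SAMPLE = "\n".join([
    "ServerName www.example.com",
    "HostnameLookups Off",
    "<VirtualHost *:80>",
    "    HostnameLookups Double",
    "</VirtualHost>",
])
PROFTPD_SAMPLE = "\n".join(['ServerName "FTP"', "# UseReverseDNS off"])

if __name__ == "__main__":
    for daemon, text in (("apache", APACHE_SAMPLE), ("proftpd", PROFTPD_SAMPLE)):
        result = audit(daemon, text)
        status = "OK" if result["ip_only"] else "REVIEW"
        shown = result["settings"] or "not set (default applies)"
        print(status, daemon, result["directive"], shown)
```

Both samples are flagged for review: the Apache one because a virtual host re-enables lookups, the ProFTPD one because the only setting is commented out and the default resolves hostnames.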
