Flaws could spark fresh wave of Net attacks

Major flaws have been discovered in the software running much of the Internet's domain name system.

Security specialist ISS has identified vulnerabilities in the Berkeley Internet Name Domain (BIND) domain name system (DNS) software that could allow hackers to carry out denial-of-service attacks against servers using BIND.

BIND is the most commonly used type of DNS server software on the Internet, but has come under increasing scrutiny for security holes. The US Federal Bureau of Investigation's list of the top 20 security vulnerabilities, released last month, listed BIND and DNS as a top concern.

The ISS bulletin detailed three separate vulnerabilities that make BIND susceptible to denial-of-service attacks from Internet users or rogue DNS administrators.

Solaris, HP-UX and AIX users are also vulnerable, according to Cert, the security advisory run by Carnegie Mellon University in the US. Sun has issued a patch for version 2.5.1, 2.6.7 and version 8 of Solaris.

IBM has issued a patch for version 4.3.3 and version 5.1.0 of AIX. Cert is awaiting a response from HP regarding the availability of an HP-UX patch.

According to Cert, all versions of Linux using version 2.2.5 of the GNU C library are affected, including Debian, Mandrake, Red Hat and SuSE.

One of the three vulnerabilities also involves a buffer overflow in the BIND code that could enable malicious code to be placed and executed on the machine running the name server software.

The latest vulnerabilities all allow hackers to use what are referred to as "malformed requests" to attack BIND.

These attacks rely on passing invalid or improperly formatted information to the BIND DNS, targeting specific weaknesses in the way the BIND code processes requests, to cause the DNS server to fail, according to Dan Ingevaldson, team leader of ISS's X-Force security research group.

The vulnerabilities affect earlier versions of BIND including BIND 4 and the more recent BIND 8 distributions, up to and including 8.3.3, according to ISS. BIND 9, the version of the software that was rewritten to deal with many security flaws, is not affected by any of the vulnerabilities in ISS's advisory, said Ingevaldson.

Colin Phipps, consultant at security firm Netcraft, said the latest vulnerabilities "should now persuade a lot of people to switch to BIND 9".
