4: CA-1996-01: UDP Port Denial-of-Service Attack
`
`4 CA-1996-01: UDP Port Denial-of-Service Attack
`
`Original issue date: February 8, 1996
`Last revised: September 24, 1997
`Updated copyright statement
`
`A complete revision history is at the end ofthisfile.
`
`The CERT Coordination Center has received reports ofprogramsthat Jaunch denial-of-service at-
`tacks by creating a "UDPpacket storm"either on a system or between twosystems. An attack on
`one host causesthat host to perform poorly. An attack between two hnosts can cause extreme net-
`work congestion in addition to adversely affecting host performance.
`
`The CERTstaffrecommends disabling unneeded UDPservices on each host, in particular the
`chargen andechoservices, andfiltering these services at the firewall or Internet gateway.
`
`Becausethe UDP port denial-of-service attacks typically involve IP spoofing, we encourage you
`to follow the recommendationsin advisory CA-96.21.
`
`Wewill update this advisory as we receive additional information. Please check advisory files
`regularly for updatesthatrelate to your site
`
`|. Description
`
`When a connectionis established between two UDPservices, each ofwhich producesoutput,
`these two services can produce a very high number ofpackets that can lead to a denial of service
`on the machine(s) wherethe services are offered. Anyone with network connectivity can launch
`an attack; no accountaccess is needed.
`
`For example, by connecting a host's chargen service to the echo service on the same or another
`machine,all affected machines may be effectively taken out of service because of the excessively
`high numberofpackets produced.In addition, if two or morehosts are so connected, the interven-
`ing network may also become congested and denyservice to all hosts whose traffic traverses that
`network.
`
`Il. Impact
`
`Anyonewith network connectivity can cause a denialof service. This attack doesnot enable them
`to gain additional access.
`
`Ill. Solution
`
`Werecommendtakingall the steps described below.
`
`1996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA] Approvedfor public release and unlimited distribution.
`
`i
`
`CS-1026
`CS-1026
`Cisco Systems, Inc. v. Finjan, Inc.
`Cisco Systems, Inc. v. Finjan, Inc.
`
`

`

`4: CA-1996-01: UDP Port Denial-of-Service Attack
`
`1, Disable andfilter chargen and echoservices.
`This attack is most readily exploited using the chargen or echo services, neither of which is gener-
`ally neededas far as we are aware. We recommend that you disable both services on the host and
`filter them at the firewall or Internet gateway.
`
`To disable these services on a host, it is necessary to edit the inetd configuration file and cause
`inetd to begin using the new configuration. Exactly how to do this is system dependent so you
`should check your vendor's documentation for inetd(8); but on many UNIX systemsthe steps will
`be as follows:
`
`1. Edit the inetd configurationfile (e.g./etc/inetd.conf).
`_ Commentoutthe echo, chargen, and other UDP services not used.
`3. Cause the inetd processto reread the configurationfile (e.g., by sending it a HUP signal).
`
`2. Disable andfilter other unused UDPservices.
`
`Toprotect against similar attacks against other services, we recommend:
`-
`disabling all unused UDPservices on hosts and
`-
`blockingat firewalls all UDPports less than 900 with the exception ofspecific services you
`require, such as DNS(port 53).
`
`3. If you mustprovide external access to some UDPservices, considerusing a proxy
`mechanism to protect that service from misuse.
`Techniques to do this are discussed in Chapter8, "Configuring Internet Services," in Building
`Internet Firewalls by Chapman and Zwicky (see Section IV below).
`
`4. Monitor your network.
`Ifyou do provide external UDP services, we recommend monitoring your network to learn which
`systems are using these services and to monitor for signs ofmisuse. Tools for doing so include
`Argus, tcpdump,andnetlog.
`
`Argusis available from
`
`ftp://fip.net.cmu.edu/pub/argus-1.5/
`MDS(argus-1.5-tar.gz) = 9c7052fb17429f6232a890267c03f3¢c
`
`Note that Argus requires the TCP wrapperstoinstall:
`
`ftp://ftp.cert.org/pub/tools/tep_wrappers/tcp_wrappers_72.Aar.Z
`
`MD5(tcp_wrappers_7.2.tar.Z) = $83d00cbd2dedd9bfc783b7065740e74
`
`tcpdumpis available from
`
`
`ftp://fip.ee.Ibl.gov/tepdump-3.0.2.tar.Z
`MDS(tcpdump-3.0.2.tar.Z) = €757608d5823aa68e406 1 ebd4753e591
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE| CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTAJ Approved for public release and unlimited distribution.
`
`2
`
`

`

`4: CA-1996-01; UDP Port Denial-of-Service Attack
`
` Note that tcpdump requireslibpcap,available at ftp://ftp.ee.Ibl.gow/libpcap-0.0.6.tar.Z
`MD5(libpcap-0.0.6.tar.Z) = cda0980f786932a7e2eebfb264 laa7a0
`netlogis available from ftp://net.tamu.edu/pub/security/TAMU/netlog-1_.2.tar.9z
`MDS (netlog-1.2.tar.gz) = 1dd62e7e96192456e8c75047¢3 8e994b
`
`5. Take steps against IP spoofing.
`Because IP spoofingis typically involved in UDPport denial-of-service attacks, we encourage
`you to follow the guidance in advisory CA-95:01, available from
`www.cert.org/advisories/CA-95.01.IP.spoofinghtml.
`
`IV. Sources of further information about packetfiltering
`
`For a general packet-filtering recommendations, see
`ftp://ftp.cert.org/pub/tech_tips/packet_filtering.
`
`Forin-depth discussions of how to configure your firewall, see
`
`Firewalls and Internet Security: Repelling the Wily Hacker
`William R. Cheswick and Steven M.Bellovin
`Addison-Wesley Publishing Company, 1994
`ISBN 0-201-63357
`
`Building Internet Firewalls
`Brent Chapman and Elizabeth D. Zwicky
`O'Reilly & Associates, Inc., 1995
`ISBN 1-56592-124-0
`
`
`The CERT Coordination Centerstaffthanks Peter D. Skopp of Columbia University for reporting
`the vulnerability and Steve Bellovin ofAT&T Bell Labs for his support in respondingto this
`problem.
`
`UPDATES
`
`Cisco
`
`Cisco Alert Summary: http://www.cisco.com/warp/public/146/917 security.html
`
`Cisco Security Guide: http://www.cisco.com/univercd/data/doc/cintrnet/ics/icssecur.htm
`
`Silicon GraphicsInc.
`SGI acknowledges CERT Advisory CA-96.01 andis currently investigating. No further infor-
`mation is available at this time.
`
`1996 CERT ADVISORIES | SOFTWARE ENGINEERING INSTITUTE| CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA] Approved for public release andunlimited distribution.
`
`3
`
`

`

`4: CA-1996-01: UDP Port Denial-of-Service Attack
`
`Copyright 1996, 1997 Camegie Mellon University.
`
`Revision History
`
`Sep. 24, 1997 Updated copyright statement
`
`Feb, 14, 1997 Introduction - updated the IP spoofing reference to
`CA-96.21.
`
`Updates section - added pointers to CISCO documents.
`
`Aug. 30, 1996 Information previously in the README was inserted into
`the advisory.
`
`Feb. 23, 1996 Updates section - added information from Silicon
`Graphics,
`Inc.
`
`Feb. 21, 1996 Solution, Sec. III.4 - added new URL for Argus.
`
`1996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENT A] Approvedfor public release and unlimited distribution.
`
`

`

`2: CA-1996-02: BIND Version 4.9.3
`
`$$$
`2 CA-1996-02: BIND Version 4.9.3
`
`CERT (sm) Advisory CA-96.02
`Original issue date:
`February 15, 1996
`Last revised: August 13, 1997
`Superseded by CA-97.22
`A complete revision history is at the end of this ad-
`
`visory.
`Topic: BIND Version 4.9.3
`
`** This advisory has been superseded by CA-97.22.bind **
`Vulnerabilities in the Berkeley Internet Name Domain (BIND) program
`make it possible for intruders to render Domain Name System (DNS)
`information unreliable. At the beginning of this year, a version of
`BIND (4.9.3) became available that fixes several security problems
`that are being exploited by the intruder community. The CERT staff
`urges you to install the appropriate patch from your vendor. If a
`patch is not currently available, an alternative is to install BIND
`4.9.3 yourself.
`(Note: Although BIND will be further improved in the
`future, we urge you to upgrade now because of the seriousness of the
`problems addressed by version 4.9.3.) If neither of the above alter-
`natives is possible, we strongly recommend blocking or turning off
`DNS name-based authentication services such as rlogin. We will up-
`date this advisory as we receive additional
`information. Please
`check advisory files regularly for updates that relate to your site.
`
`Description
`ee
`Version 4.9.3 of the Berkeley Internet Name Domain (BIND) program
`fixes several security problems that are well known and being ex-
`ploited by the intruder community to render Domain Name System (DNS)
`information unreliable. BIND is an implementation of the Domain Name
`System.
`(For details, see RFC 1035, a publication of the Internet
`Engineering Task Force.) The full distribution of BIND includes a
`number of programs and resolver library routines. The main program
`is "named",
`the daemon that provides DNS information from local con-
`figuration files and a local cache. The named daemon is often called
`/etc/named or /etc/in.named. Programs such as Telnet communicate
`with named via the resolver library routines provided in the BIND
`distribution. Services in widespread use that depend on DNS infor-
`mation for authentication include rlogin, rsh (rep), xhost, and NFS.
`Sites may have installed locally other services that trust DNS in-
`formation.
`In addition, many other services, such as Telnet, FTP,
`and email,
`trust DNS information. If these services are used only to
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTAJ Approvedfor public release and unlimited distribution.
`
`5
`
`

`

`2: CA-1996-02: BIND Version 4.9.3
`
`make outbound connections or informational logs about the source of
`connections,
`the security impact is less severe than for services
`such as rlogin. Although you might be willing to accept the risks
`associated with using these services for now, you need to consider
`the impact that spoofed DNS information may have. Although the new
`BIND distributions do address important security problems, not all
`known problems are’ fixed.
`In particular, several problems can be
`fixed only with the use of cryptographic authentication techniques.
`Implementing and deploying this solution is non-trivial; work on
`this task is currently underway within the Internet community. The
`CERT staff has received information that the next minor release of
`BIND nameserver will be enforcing RFC952 (as modified by RFC1123)
`hostname conformance as part of its SECURITY measures. Following The
`BIND release, hostnames that fail to conform to these rules will be
`unreachable from sites running these servers. Hostnames
`(A records)
`are restricted to the following characters only:
`me. gn, War - gh mgr s omgm, §." and ™—"
`These characters are specifically excluded:
`"_" and nm" For a@ full
`description of what is allowed in a hostname, please refer to RFC952
`and RFC1123, available from http://ds.internic.net/ds/
`RFC952: DOD INTERNET HOST TABLE SPECIFICATION, October 1985
`RFC1123: Requirements for Internet Hosts -— Application and
`Support, October 1989
`A program is available for checking hostnames and IP addresses.
`It is available in
`ftp: //info.cert.org/pub/tools/ValidateHostname/IsValid.c
`ftp://ftp.cert .dfn.de/pub/tools/net/ValidateHostname/Is-
`
`Valid.c
`The following files are in the directory (from the README) :
`IsValid.1
`The lex/flex file containing the code for
`IsValidHostname and IsValidIPAddress
`MDS
`(IsValid.1) = 2d35040aacae4fb12906eb1b48957776
`The C file created by running flex
`on IsValid.1
`
`IsValid-raw.c
`
`(IsValid-raw.c) =
`MD5
`367c7 7d3ef8 4bc63a5c23d90eeb69330
`IsValid.c
`The editted file created by internalizing
`variable and function definitions in
`IsValid-raw.c
`MDS
`(IsValid.c) = ffe45f1256210aeb71691f4f7cdad27f
`The set of diffs between IsValid-raw.c
`and IsValid.c
`
`IsValid.diffs
`
`MD5 (IsValid.diffs) =
`3619022c£31d735151£8e8c83cce3744
`htest.c
`-A main routing for testing IsValidHostname
`and IsValidIPAddress
`
`1996 CERT ADVISORIES | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA]Approvedfor public release and unlimited distribution.
`
`

`

`2: CA-1996-02: BIND Version 4.9.3
`
`MD5 (htest.c) = 2d50b2bFfb537cc4e637ddifo7als7f4
`
`II.
`Impact
`Tt is possible for intruders to spoof BIND into providing incorrect
`name data. Some systems and programs depend on this information for
`authentication, so it is possible to spoof those systems and gain
`unauthorized access.
`
`III. Solutions The preferred solution, described in Section A,
`install your vendor's patch if one is available. An alternative
`(Section B)
`is to install the latest version of BIND.
`In both cases,
`we encourage you to take the additional precautions described in
`Section C.
`
`is to
`
`A. Obtain the appropriate patch from your vendor and install it ac-
`cording to instructions included with the program. Redistributing
`BIND and all programs affected by these problems is not a simple
`matter, so some vendors are working on new named daemon as an imme-
`diate patch. Although installing a new named daemon addresses some
`problems, significant problems remain that can be addressed only by
`fully installing fixes to the library resolver routines. If your
`vendor's patch does not include both named and new resolver rou-
`tines, we recommend that you install the current version of BIND
`(Solution B) if possible. We also encourage you to take the precau-
`tions described in Section C. Below is a list of the vendors and the
`status they have provided concerning BIND. More complete information
`is provided in Appendix A of this advisory. We will update the ap-
`pendix as we receive more information from vendors. If your vendor's
`name is not on the list, contact the vendor directly for status in-
`formation and further instructions.
`Vendor
`New named available Full distribution available
`
`
`Under investigation.
`
`Work is under way.
`Currently porting and
`
`Digital Equipment
`Hewlett-Packard
`testing
`
`Calendar 97
`
`process
`
`IBM Corporation
`NEC Corporation
`Santa Cruz Operation
`Silicon Graphics,
`Inc.
`Solbourne (Grumman)
`BIND 4.9.3.
`Sun Microsystems
`
`(BIND 4.9.3) for the Ql,
`
`general release. Patch in
`
`for 10.X releases.
`Work is under way.
`Work is under way.
`Under consideration.
`Under investigation.
`Customers should install
`
`Patches available.
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA] Approved for public release and unlimited distribution.
`
`

`

`2: CA-1996-02: BIND Version 4.9.3
`
`B. Install the latest version of BIND (version 4.9.3), available
`from Paul Vixie,
`the current maintainer of BIND:
`ftp://ftp.vix.com/pub/bind/release/4.9.3/bind-4.9.3-
`REL.tar.gz
`MD5 (bind-4.9.3-REL.tar.gz) =
`dal908b001f£8e6dc93fe0258 9bI89ef1
`Also get Patch #1 for 4.9.3:
`ftp: //ftp.vix.com/pub/bind/release/4.9.3/Patch1
`MDS
`(Patchl) = 5a€57ad13381e242cb08b5da0ele9c5b9
`To find the most current version of bind, see
`ftp: //info.cert.org/pub/latest_sw_versions/
`
`C. Take additional precautions.
`To protect against vulnerabilities that have not yet been addressed,
`and as good security practice in general, filter at a router all
`name-based authentication services so that you do not rely on DNS
`information for authentication. This includes the services rlogin,
`rsh (rep), xhost, NFS, and any other locally installed services that
`provide trust based on domain name information.
`
`Appendix A
`Below is information we have received from vendors. If you do not
`see an entry for your vendor, please contact the vendor directly for
`status information and further instructions.
`
`
`Paul Vixie
`See Updates Section
`
`Digital Equipment Corporation
`At the time of writing this advisory, Digital intends to support
`final revision of BIND 4.9.3. The project plan for incorporating
`Version 4.9.3 BIND for Digital's ULTRIX platforms has been approved.
`This includes 4.3, V4.3A, V4.4 and V4.5. A similar project plan for
`Digital UNIX versions is under review. The first implementations
`will be V3.0 through V3.2D, and V4.0, when released. It is our plan
`to evaluate and then incorporate V4.9.3 Bind into other UNIX ver-
`sions as necessary to reduce risk to our customer base. Digital will
`provide notice of the completion of the kits through AES services
`(DIA, DSNlink FLASH) and be available from your normal Digital Sup-
`port channel.
`
`the
`
`Hewlett-Packard Company
`The named daemon is under investigation. HP will provide updated
`information for the CERT advisory. HP is currently porting and test-
`ing BIND 4.9.3 for a general release first quarter of 1997. A patch
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA] Approved for public release andunlimited distribution.
`
`

`

`2: CA-1996-02: BIND Version 4.9.3
`
`is in process for 10.X releases. Watch for CERT advisory updates and
`a Security Bulletin from HP.
`
`IBM Corporation
`Work is under way.
`
`NEC Corporation
`Some systems are vulnerable. We are developing the patches and plan
`to put them on our anonymous FIP server. You can contact us with the
`following e-mail address if you need.
`E-mail: UX48-security-support@nec.co.jp
`FTP server: ftp://ftp.meshnet.or.jp
`
`Inc.
`The Santa Cruz Operation,
`SCO is currently considering a port of the new BIND into its product
`line, but no timeline is yet available. This includes SCO OpenServer
`and SCO UNIXWare.
`
`Silicon Graphics Inc.
`SGI acknowledges CERT Advisory CA-96.02 and is currently investigat-
`ing.
`No further information is available at this time.
`As further information becomes available, additional advisories will
`be available from ftp://sgigate.sgi.com.
`
`Solbourne (Grumman)
`Solbourne have determined that Solbourne Computers are vulnerable A
`patch is not available and they recommend Solbourne customers in-
`stall
`BIND version 4.9.3.
`
`Sun Microsystems,
`Inc.
`Sun Security Patches and Bulletins are available through your local
`SunService and SunSoft Support Services organizations, via the secu-
`rity-alert alias (security-alert@sun.com) and on SunSolve Online:
`http: //sunsolvel.sun.com/
`SunOS 5.3/Solaris 2.3
`
`101359-03
`
`SunOS 5.3: DNS spoofing is possible per CERT
`
`CA-96.02
`
`101739-12
`102167-03
`103705-01
`SunOS 5,.4/Solaris 2.4
`
`sendmail patch
`nss_dns.so.1 rebuild for BIND 4.9.3
`rpc.nisdresolv rebuild for BIND 4.9.3
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENT A] Approvedfor public release and unlimited distribution.
`
`

`

`2: CA-1996-02: BIND Version 4.9.3
`
`102479-02
`
`SunOS 5.4: DNS spoofing is possible per CERT
`
`CA-96.02
`
`sendmail patch
`102066-11
`nss_dns.so.1 rebuild for BIND 4.9.3
`102165-03
`rpc.nisd_resolv rebuild for BIND 4.9.3
`103706-01
`SunOS 5.4x86/Solaris 2.4x86
`
`102480-02
`
`SunOS 5.4x86: DNS spoofing is possible per
`CERT CA-96.02
`
`102064-10
`102166-03
`103707-01
`SunOS 5.5/Solaris 2.5
`
`sendmail patch
`nss_dns.so.1 rebuild for BIND 4.9.3
`rpc.nisd_resolv rebuild for BIND 4.9.3
`
`103667-01
`
`SunOS 5.5: DNS spoofing is possible per CERT
`
`CA-96.02
`
`sendmail patch
`102980-07
`nscd/nscd_nischeck rebuild for BIND 4.9.3
`103279-02
`nss_dns.so.1 rebuild for BIND 4.9.3
`103703-01
`rpc.nisd_resolv rebuild for BIND 4.9.3
`103708-01
`SunOS 5.5_x86/Solaris 2.5x86
`
`103668-01
`
`SunOS 5.5x86: DNS spoofing is possible per
`CERT CA-96.02
`
`sendmail patch
`102981-07
`nscd/nsced_nischeck rebuild for BIND 4.9.3
`103280-02
`nss_dns.so.1 rebuild for BIND 4.9.3
`103704-01
`rpe.nisd_resolv rebuild for BIND 4.3.3
`103709-01
`SunOS 5.5.1/Solaris 2.5.1
`
`103663-01
`CERT CA-96.02
`
`SunOS 5.5.1: DNS spoofing is possible per
`
`sendmail patch
`103594-03
`nscd/nscd_nischeck rebuild for BIND 4.9.3
`103680-01
`nss_dns.so.1 rebuild for BIND 4.9.3
`103683-01
`rpe.nisd_resolv rebuild for BIND 4.9.3
`103686-01
`SunOS 5.5.1_ppc/Solaris 2.5.1ppc
`
`103665-01
`
`SunOS 5.5.1ppc: DNS spoofing is possible
`Per CERT CA-96.02
`
`sendmail patch
`103596-03
`nscd/nscd_nischeck rebuild for BIND 4.9.3
`103682-01
`nss_dns.so.1 rebuild for BIND 4.9.3
`103685-01
`rpe.nisd_resolv rebuild for BIND 4.9.3
`103688-01
`SunOS 5.5.1_x86/Solaris 2.5.1x86
`
`1996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENT Aj Approved for public release and unlimited distribution.
`
`10
`
`

`

`2: CA-1996-02: BIND Version 4.9.3
`
`103664-01
`
`103595-03
`103681-01
`103684-01
`103687-01
`
`SunOS 5.5.1_x86: DNS spoofing is possible
`Per CERT CA-96.02
`sendmail patch
`nscd/nscd_nischeck rebuild for BIND 4.9.3
`nss_dns.so.1 rebuild for BIND 4.9.3
`rpc.nisd_resolv rebuild for BIND 4.9.3
`
`The CERT Coordination Center wishes to thank Paul Vixie for his ef-
`forts in responding to this problem and his aid in developing this
`advisory.
`,
`
`If you believe that your system has been compromised, contact the
`CERT Coordination Center or your representative in the Forum of In-
`cident Response and Security Teams
`(FIRST). We strongly urge you to
`encrypt any sensitive information you send by email. The CERT Coor-
`dination Center can support a shared DES key and PGP. Contact the
`CERT staff for more information.
`
`Location of CERT PGP key
`ftp://info.cert.org/pub/CERT PGP.key
`
`CERT Contact Information
`
`Email
`Phone
`
`cert@cert.org
`41 412-268-7090 (24-hour hotline)
`CERT personnel answer 8:30-5:00 p.m. EST
`(GMT-5) /EDT(GMT-4), and are on call for
`emergencies during other hours.
`+1 412-268-6989
`Fax
`Postal address
`CERT Coordination Center
`Software Engineering Institute
`Carnegie Mellon University
`Pittsburgh PA 15213-3890
`USA
`To be added to our mailing list for CERT advisories and bulletins,
`send your email address to cert-advisory-request€@cert.org
`
`information about FIRST representatives, and
`CERT publications,
`other security-related information are available for anonymous FTP
`from ftp://info.cert.org/pub/
`CERT advisories and bulletins are also posted on the USENET news~
`group comp.security.announce
`
`Copyright 1996 Carnegie Mellon University
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE| CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENT AjApprovedfor public release and unlimited distribution.
`
`1
`
`

`

`2: CA-1996-02: BIND Version 4.9.3
`
`This material may be reproduced and distributed without permission
`provided it is used for noncommercial purposes and the copyright
`statement is included. CERT is a service mark of Carnegie Mellon
`University.
`
`UPDATES
`
`June 25, 1997
`
`If you are running BIND 8.1 you want to upgrade. The current version
`of BIND (8.8.1)
`is available by anonymous FTP from
`ftp://ftp.isc.org/isc/bind/src/8.1.1
`If you are still running BIND-4 rather than BIND-8, you need the se-
`curity patches contained in BIND 4.9.6. Available from
`ftp://ftp.isc.org/isc/bind/srce/4.9.6/
`The author of BIND encourages sites to switch to BIND-8.
`
`Revision History
`Aug. 13, 1997 This advisory superseded by CA-97.22.
`June 25, 1997 Appendix, Changed Vixie entry to point to Updates.
`Updates section - Current release information.
`May 22, 1997 Updates section - noted current version of BIND and
`new location for the BIND archives.
`Aug. 30, 1996
`Information previously in the README was inserted
`into the advisory.
`Aug. 01, 1996 Appendix - updated Sun patch information
`Apr. 08, 1996 Sec.
`I - added information about the next release of
`BIND and the IsValid program to the end of the section
`Mar. 29, 1996 Appendix, Sun — added information
`Feb. 27, 1996 Appendix, SGI - added an entry
`Feb. 21, 1996 Appendix,
`IBM & Solbourne - added entries
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA] Approved for public release and unlimited distribution.
`
`12
`
`

`

`3: CA-1996-03: Vulnerability in Kerberos 4 Key Server
`
`3 CA-1996-03: Vulnerability in Kerberos 4 Key Server
`
`Original issue date: February 21, 1996
`Last revised: September 24, 1997
`Updated copyright statement
`
`A complete revision history is at the end ofthisfile.
`The CERT Coordination Center has received reports of a vulnerability in the Kerberos Version 4
`server. On unpatched Kerberos 4 systems, under certain circumstances, intruders can masquerade
`as authorized Kerberos users and gain access to services and resources not intended for their use.
`The CERTteam recommendsthat you apply oneofthe solutions given in Section II.
`
`The Kerberos Version 5 server running in Version 4 compatibility modeis also vulnerable under
`certain circumstances. The Massachusetts Institute of Technology (MIT) is working on the
`patchesfor that version.
`Wewill update this advisory as we receive additional information. Please check advisory files
`regularly for updates that relate to your site.
`
`|. Description
`
`The Kerberos Version 4 server is using a weak random number generator to produce session keys.
`On a computerof average speed, the session keyfora ticket can be broken in a maximum of 2-4
`minutes, and sometimes in much less time. This meansthat usable session keys can be manufac-
`tured withouta userfirst being authorized by Kerberos.
`
`Il. Impact
`
`Undercertain circumstances, intruders can masqueradeas authorized Kerberosusers and gain ac-
`cess to services and resources notintended for their use.
`
`Il. Solution
`
`If you are running Kerberos Version 4 and havebuilt Kerberos from a sourcedistribution, use so-
`Jution A.If you have obtained Kerberos4 binaries from a vendor, use solution B. If you are now
`using Kerberos Version 5, be aware that MIT is working on patchesfor that version. Notice will
`be made whenthe patches are available.
`
`A. Solution for Source Distributions
`
`Ifyou havebuilt Kerberos Version 4 from source, follow these instructionsto retrieve the fixes
`necessary to correct this problem:
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA] Approvedfor public release and unlimited distribution.
`
`13
`
`

`

`3: CA-1996-03: Vulnerability in Kerberos 4 Key Server
`
`Use anonymousFTP to athena-dist.mit.edu. Changedirectory to /pub/kerberos, fetch and read
`"README.KRB4"foundin thatdirectory.It will provide the nameofthe distribution directory
`(which is otherwise hidden and cannotbe foundbylisting its parent directory). Changedirectory
`to the hidden distribution directory. There you willfind the original Kerberos distribution plus a
`new file named "random.patch.tar.Z" (and random_patch.tar.gz for those with "gzip"). This tar
`file contains twofiles, the patch itself and a README.PATCH file. Read this file carefully be-
`fore proceeding.
`As ofFebruary 23, 1996, MIT has updatedthe patch describedin advisory CA-96.03. The actual
`patch has not changed, but the README.PATCH file (part ofrandom_patch.tar.*) which con-
`tains instructions on howto install the patch has been edited to include the following new para-
`graph:
`
`IMPORTANT:After running fix_kdb_keys you mustkill andrestart the kerberos server process
`(it has the old keys cached in memory). Also,ifyou operate any Kerberos slave servers, you need
`to perform a slave propagation immediately to update the keys on the slaves.
`Updated files are now available on “athena-dist.mit.edu" including an updated random_patch.md5
`file which contains the MDS checksums of random_patch.tar.* The PGP Signature is issued by
`Jeffrey I. Schiller <jis@mit.edu> using PGP keyid O0x0DBF906D.Thefingerprintis
`
`DD DC 88 AA 92 DC DD DS BA 0A 6B 59 C1 65 AD 01
`
`The updatedfiles are also available from
`ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/.
`
`The new checksumsare
`
`MDS(random_patch.md5) = ecf5412094572e183aa33ae4e5fl 97b8
`MD5(random_patch.tar.Z) = e925b687a05a8c632 1628050262533 15
`MDS(random_patch.tar.gz) = 0032269 14427094a642fd1 £067f589d2
`
`Thesefiles are also available from
`
`ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_patch.md5
`ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random|patch.tar.Z
`ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_patch.tar.9z
`
`The checksums are the same as above.
`
`B. Solution for Binary Distributions
`
`Contact your vendor.
`Some vendors who provide Kerberos are sending the CERT Coordination Center information
`abouttheir patches. Thusfar, we have received information from one vendorand placedit in the
`appendix ofthis advisory. We will update the appendix as we hear from vendors.
`
`1996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA) Approved for public release and unlimited distribution.
`
`14
`
`

`

`3: CA-1996-03: Vulnerability in Kerberos 4 Key Server
`
`Appendix A: VendorInformation
`Below is information wehave received from vendors concerning the vulnerability described in
`this advisory. Ifyou do notsee your vendor's name, please contact the vendordirectly for infor-
`mation.
`
`The Santa Cruz Operation,Inc.
`
`The Kerberos 4 problem does not affect SCO.
`SCO OpenServer, SCO Open Desktop, SCO UnixWare, SCO Unix, and SCO Xenix do not sup-
`port Kerberos.
`.
`The SCO Security Server, an add-on product for SCO OpenServer3 and SCO OpenServer5, sup-
`ports Kerberos V5 authentication. This product cannot be configured to be Kerberos V4 compati-
`ble; therefore, it is not vulnerable.
`
`TGV Software,Inc.
`TGV has made two Kerberos ECO kits available (one for MultiNet V3.4 and one for V3.5) for
`Anonymous FTP.Ifyou are running Kerberos, we _strongly_ urge you to apply this kit.
`To obtain the kit, FTP to ECO.TGV.COM, username ANONYMOUS,passwordeither
`KERBEROS-034 or KERBEROS-035 (depending onthe version of MultiNet that you are run-
`ning) and download the ECOkit: fip://anonymous:kerberos-035@eco.tgv.com.
`The kit is available in both VMS BACKUPsaveset format as well as in a compressed .ZIP file.
`Use VMSINSTAL to apply the ECO.
`Once you have completed the upgrade, the KITREMARK.VURfile from the ECOkit will be dis-
`played providing instructions during the installation process.
`
`If you have any questions, please send an e-mail message to
`MultiNet-VMS@Support.TGV.COM.
`
`Transarc Corporation
`Kerberos Version 4.0 is used in our AFS product(all versions of AFS), while Kerberos Version
`5.0 is used in our DCEproduct (Kerberos Version 5.0 is used in ALL DCEproducts).
`In light ofthe COASTwork,Transarc is doing a security review ofKerberos 4.0 and AFS. We
`expect to provide some procedural changes to improvesecurity in new cells, and we will make
`code changesas necessary. OSFalso reviewed Kerberos 5.0, and they have released a source
`patch for Kerberos 5.0 that strengthensthe random number generator in Kerberos 5.0. This patch
`is relevantto all versions of DCE (butnot to AFSsince it is based on Kerberos 4.0).
`
`4996 CERT ADVISORIES | SOFTWARE ENGINEERINGINSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENTA]Approved for public release and unlimited distribution.
`
`15
`
`

`

`3: CA-1996-03: Vulnerability in Kerberos 4 Key Server
`
`Transarc has this OSFpatch available for DCE 1.1 on Solaris 2.4, DCE 1.0.3a on Solaris 2.4,
`DCE1.0.3a onSolaris 2.3, and DCE 1.0.3a on Sun OS4.1.3. Please contact Transarc Customer
`Support for access to these patches.
`
`Please feel free to contact medirectly if you have further questions aboutthis issue.
`
`For pointers and backgroundon theseissues pleaserefer to
`http://www.transarc.com/afs/transarc.com/public/www/Public/Support/security-\ update.html.
`
`Liz Hines
`Hines@transarc.com
`
`The CERT Coordination Center thanks Jeffrey Schiller and Theodore Ts'o ofMassachusetts Insti-
`tute of Technology for their effort in respondingto this problem, and thanks Gene Spafford of
`COASTfor the initial information about the problem.
`
`Copyright 1996 Carnegie Mellon University.
`
`Revision History
`
`Sep. 24, 1997 Updated copyright statement
`
`Aug. 30, 1996 Information previously in the README was inserted into
`the advisory.
`
`Mar. 08, 1996 Appendix, TGV Software & Transarc —- added entries
`
`Feb. 23, 1996 Sec. III.A - noted a change in the readme.patch file
`and put new MD5 checksums at the end of the section.
`
`1996 CERT ADVISORIES | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
`[DISTRIBUTION STATEMENT A] Approvedfor public release and unlimited distribution.
`
`16
`
`

`

`4: CA-1996-04: Corrupt Information from Network Servers
`
`a4
`
`CA-1996-04: Corrupt Information from Network Servers
`
`Original issue date: February 22, 1996
`Last revised: April 28, 1998
`Corrected URL for obtaining RFCs. Removed obsolete references to a latest_sw_versions direc-
`tory.
`
`A complete revisionhistory is at the end ofthis file.
`The CERT Coordination Center has receivedreports ofintruders exploiting systems by corrupting
`data provided by a Domain NameService (DNS)server. Although these reports have focused
`only on DNS,this vulnerability could apply to any network service from which data is received
`and subsequently used.
`Section IIIA contains a pointer to two subroutines that address the DNS problem. These subrou-
`tines, written in the C programming language, can be usedto validate host names and IP ad-
`dresses according to RFCs 952 and 1123, as well as names containing characters drawn from
`commonpractice, namely "_" and "/".
`In the specific case o