Urgency of security updates, BIND nameserver, BUGTRAQ etc.
Robin Whittle
rw@firstpr.com.au
Wed, 31 Jan 2001 23:09:12 +1100
In the following, I am using the term "hack" to mean malicious attack -
but the terms "hack" and "hacker" also have positive connotations and do
not necessarily involve attacks of any kind.
In 1998, before I put myself on the BUGTRAQ and Red Hat security mailing
lists, my permanently connected (Telstra Internet permanent 56 k modem)
Linux gateway machine was hacked, removing the packet filtering, and
allowing my Windows machines to be attacked a few days later, making
them unbootable. (The Windows attack was only hours before the police
arrested a suspect in Melbourne. I was later told by police that the
suspect committed suicide shortly before the matter was to come to
court.)
The problem is that certain programs have security vulnerabilities which
can give a remote attacker complete control over the machine. This is
primarily an issue for Unix systems, since Windows machines are insecure
to start with - those with file sharing enabled should never be exposed
to the Net without packet filtering to protect the Microsoft protocols
from being used by an attacker. (Also, many commonly used Windows
programs such as MIRC have had security vulnerabilities too.)
While I never found out who attacked my Linux machine, I quickly found
that I was running an older version of BIND ("Berkeley Internet Name
Domain" according to my O'Reilly DNS and BIND book) which some months
earlier had been shown to have a vulnerability enabling a remote
attacker to gain root privileges. The attacker had installed a "root
kit" which gave them complete control of the machine, removed packet
filtering etc. and replaced system utilities such as "ps" and "ls" (I
think) with versions which hid the existence of the root kit.
Since then I have watched the security mailing lists carefully and kept
an eye on the Red Hat security-related errata.
This latest BIND vulnerability report came through on BUGTRAQ from
pgp.com and from CERT. The BIND I was using was 8.2.2.P3-1 - a RedHat
package from 14 November 1999, which I had installed to replace an
earlier version with security problems. The latest CERT advisory:
http://www.cert.org/advisories/CA-2001-02.html
covers "8.2.x prior to 8.2.3" so I needed to upgrade my BIND. If I was
keen, I could have compiled the new source which was immediately
available, but since I do other things than Unix systems admin I decided
to wait for the official Red Hat package.
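An added example, not code from the post: a small Python checker that parses a BIND version string (including the RPM-style "8.2.2.P3-1" form) and tests it against the affected ranges stated in CA-2001-02 as quoted here, 4.9.x before 4.9.8 and 8.2.x before 8.2.3. The function names are assumptions of the example.

```python
import re
from typing import Optional, Tuple

# Affected ranges from CERT CA-2001-02 as quoted in the post: 4.9.x before
# 4.9.8 and 8.2.x before 8.2.3. A vendor patch level (8.2.2-P3) does not
# move a release out of the range, so it is parsed but not used here.
FIXED_IN = {(4, 9): (4, 9, 8), (8, 2): (8, 2, 3)}

# Accepts "8.2.3", "8.2.2-P3", "8.2.2_P3-1" and the post's "8.2.2.P3-1".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-_.]?P(\d+))?", re.IGNORECASE)


def parse_bind_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, patchlevel); patchlevel is 0 if absent."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if inside an affected range, False if at or past the fixed
    release, None if CA-2001-02 does not cover this branch at all."""
    major, minor, patch, _plevel = parse_bind_version(text)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Constructed sample inputs, including the package version from the post.
    for v in ["8.2.2.P3-1", "8.2.2-P7", "8.2.3", "4.9.7", "4.9.8", "9.1.0"]:
        verdict = {True: "UPGRADE", False: "ok", None: "not covered"}[is_vulnerable(v)]
        print(f"{v:12s} -> {verdict}")
```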
I looked at the RedHat 6.1 security errata page:
http://www.redhat.com/support/errata/rh61-errata-general.html
but it was empty. (I filled in a web-form to report this and many hours
later it is still empty. Now I check and it appears empty with
Netscape, but not with IE5 or Opera. I guess it is an improperly closed
table or similar. Netscape composer reads it fine. There's no mention
of BIND in it. I reported all this too.)
I looked at the 6.2 page and after a while found an updated version of
BIND which I downloaded and installed with no problems whatsoever.
I imagine that many other people were running a vulnerable version of
BIND, so a large proportion of nameservers were susceptible to attack as
soon as the details were announced by pgp.com. (I assume that no
malevolent people had discovered the problems before this.)
According to postings on BUGTRAQ, a few other Linux distribution
companies had new versions of BIND available before Red Hat. Going by
the times at which I received the emails, the CERT advisory was 3.51 AM,
the Covert Labs (pgp.com) announcement was 4.29 AM, the first fix
(Slackware) was 5.34 AM and the Red Hat announcement was 9.30 AM.
I figured that it would take a few hours for hackers to code an exploit,
and that there were an awful lot of nameservers out there in addition to
mine. As far as I can tell, my machine has not been hacked. (Arguably
I should be better organised with something like Tripwire to detect any
attack-like changes to the system.)
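An added example, not from the post: a minimal Tripwire-style check in Python that hashes a file tree into a baseline and later reports modified, added and removed files, run here on a constructed "bin" tree where one utility is replaced, as the root kit in the post did with ps and ls. The function names and the sample file contents are assumptions of the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                snap[str(p.relative_to(root))] = sha256_file(p)
    return snap


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then replace one utility
    and drop in a new file, the kind of change the post's root kit made."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(tree), Path(store) / "baseline.json"
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")  # constructed content
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        # Keep the baseline off the monitored tree (ideally on read-only media);
        # a baseline the intruder can rewrite detects nothing.
        baseline_file.write_text(json.dumps(snapshot(root), sort_keys=True))
        (root / "bin" / "ps").write_bytes(b"replaced ps that hides processes\n")
        (root / "bin" / ".hidden").write_bytes(b"dropped file\n")
        return compare(json.loads(baseline_file.read_text()), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real deployment would also record ownership, permissions and inode data, as Tripwire does, since a same-size replacement with a preserved timestamp is exactly what a root kit aims for.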
Security problems such as these latest BIND vulnerabilities enable not
just interference with the program itself, but control of the entire
machine - from which other attacks can be launched.
The moral is, if you run a computer system connected to the Net, then
you have to keep up to date with the security vulnerabilities of all its
software. BUGTRAQ seems like a pretty good way of doing this.
http://www.securityfocus.com
It's not just for your own sake, but to protect everyone else against
your computer being used to launch attacks.
According to:
http://www.securityfocus.com/news/144
"It's a very subtle bug, and I would hope that people won't turn
around and have an exploit out in eight hours," says NAI's Magdych.
"But it would probably be very optimistic to think that it'll be
more than a day or two."
CERT recommends that users of BIND 4.9.x or 8.2.x upgrade to the
newly-released BIND 4.9.8 or BIND 8.2.3, respectively. But if
history is a guide, then many network administrators will not hear, or
not act on, that advice, and thousands of vulnerable systems will
remain open.
In April, 1998, discovery of a buffer overflow in an earlier version
of BIND led to a cyber-crime wave, with CERT logging intrusion
* reports into November of that year, despite a similar advisory and
available patches. According to court records, victims included the
U.S. Defense Department, which suffered intrusions into unpatched
systems around the country.
* That was me - hacked in July, I think.
Generally, a dial-up modem connection from an ISP will have packet
filtering to stop access to Windows file sharing protocols. Ideally, so
should a cable modem or DSL connection, but many people run "firewall"
software on their Windows machines to protect against any such attacks.
A cable-modem or DSL connected machine is a better target for an
attacker: it has greater bandwidth and a stable or fixed IP address, and
hacking activity is less likely to be noticed by the user than on a
56kbps dial-up modem. A successful attack provides a new base from
which to launch further attacks.
- Robin