Critical domain server security holes exposed

by Andrew Craig

11 Nov 1999

Network managers and ISPs have been warned about several major security holes in a critical piece of Internet software, one of which could give hackers free rein over a company's Internet servers.

Six new vulnerabilities have been identified in Bind, the widely used open source domain name server, by its creators, the Internet Software Consortium (ISC). Most could let a malicious user crash or jam a server, while one could give root access to domain name servers.

Hewlett-Packard, IBM and Sun are among the vendors whose Unix servers are vulnerable to the exploits, which affect most versions of Bind. All are working on patches, and users are advised to upgrade to Bind version 8.2.2 patch level 3 or higher.

Full details of the vulnerabilities can be found on the ISC website (http://www.isc.org). US computer security watcher Cert (http://www.cert.org) has issued an advisory about the vulnerabilities and has detailed information about the products affected and where to get fixes.

Bind is a domain name system (DNS) server that allows a user to connect to a website or server by its name rather than its address. A user's machine will ask a local DNS server for the numerical address of a system with a given name, much like looking up a name in a phone directory to get a phone number.

The Bind DNS server is used on the vast majority of domain name machines on the Internet. It is used by ISPs and some businesses.

Keith Mitchell, executive chairman at UK Internet exchange Linx, said damage caused by the exploits is likely to be limited as most servers have extra security safeguards. "It's not a case of anyone being able to hack into any server on the Internet. There is usually a second line of defence.

"It's part of the constant arms race between the people who develop server applications and the people who try to hack into them," Mitchell said.

The fact that Bind is open source makes it easy to quickly respond to and fix security problems, he added.

ISC classifies the severity of three of the vulnerabilities, all of which can be used for denial of service attacks - jamming or crashing a Web server - as serious. Two other similar vulnerabilities are classified as minor.

However, the NXT bug, which could allow intruders to gain privileged access to name servers, is classified as 'critical' by ISC. This vulnerability affects Bind version 8.2.

"Any hole in a server that enables you to run code as the root user ID is very dangerous," said Paul Offord, managing director of computer consultants Advance Seven.

But Offord noted that the NXT bug and the SIG bug, one of the three 'serious' risk bugs, could only be exploited if someone had already hacked into a user's DNS server, firewall or a higher DNS server.

"The code to exploit the NXT bug would be very difficult to write, but I guess not impossible," said Offord.
