January 29, 2001
PITTSBURGH— A newly discovered vulnerability in arguably the Internet’s single most important software package threatens the Internet’s integrity. On Monday, January 29, the CERT Coordination Center (CERT/CC) and the COVERT Labs at PGP Security simultaneously released advisories describing serious new vulnerabilities in BIND, the most commonly used software for domain name system (DNS) servers. DNS servers translate names suitable for use by humans (such as www.cert.org) into network addresses suitable for use by computers.
The vulnerabilities, which were discovered by COVERT Labs, could allow intruders to gain control of the machines used for name-to-number translation, possibly allowing intruders to change these mappings. The result of a change in mapping could be devastating: Internet traffic such as Web access, electronic mail, and file transfers could be redirected to arbitrary sites chosen by an intruder. Furthermore, intruders could use these vulnerabilities to disable access to or from their chosen victims, effectively cutting them off from the rest of the Internet. Virtually every site on the Internet depends on one or more name servers; the CERT/CC conservatively estimates that more than 80% of the name servers on the Internet are vulnerable to one or more of these problems. The CERT/CC urges system and network administrators of vulnerable organizations to upgrade their versions of BIND immediately to a non-vulnerable version such as 4.9.8, 8.2.3, or 9.1, depending on the existing local configuration. Technical information and advice on upgrading are available at http://www.cert.org/advisories/CA-2001-02.html.
Since 1997, the CERT/CC has published 12 documents describing vulnerabilities in BIND, including information about active exploitation of these vulnerabilities. Unfortunately, not all system and network administrators heeded the advice. On November 10, 1999, the CERT/CC published CA-1999-14, which detailed multiple vulnerabilities in BIND. The CERT/CC continued to receive reports of compromises based on those vulnerabilities through December of 2000. On April 8, 1998, the CERT/CC published CA-1998-05; reports of compromises based on the vulnerabilities described therein continued through November of 1998.
Compounding the problem is the rapid pace at which intruders develop exploits for newly discovered vulnerabilities. In the case of CA-1998-05, an exploit appeared within six weeks. In the case of CA-1999-14, an exploit appeared within one week. The CERT/CC is concerned that exploits for these new vulnerabilities will appear equally quickly and that unless vulnerable software is updated now, many networks may be at risk. The CERT/CC is now taking the unusual step of issuing a press release to alert organizations to take action to prevent potentially devastating compromises.
® CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.