[12519] in bugtraq

Re: BIND NXT Bug Vulnerability

daemon@ATHENA.MIT.EDU (Richard Trott)
Wed Nov 10 18:30:24 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSO.4.10.9911101501550.9107-100000@www>
Date:         Wed, 10 Nov 1999 15:03:16 -0800
Reply-To: trott@SLOWPOISONERS.COM
From: Richard Trott <trott@SLOWPOISONERS.COM>
X-To:         Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991110135525.A21417@securityfocus.com>

You might wish to note that there is a fix:  upgrade to 8.2.2 patchlevel
3.

Of course, this will be obvious to anyone who follows the link... but for
those that don't, the "Workaround: None" part will give the wrong
impression.

Rich


On Wed, 10 Nov 1999, Elias Levy wrote:

> http://www.isc.org/products/BIND/bind-security-19991108.html
>
>
> Name: "nxt bug"
>
>    Versions affected:     8.2, 8.2 patchlevel 1, 8.2.1
>    Severity:     CRITICAL
>    Exploitable:     Remotely
>    Type:     Access possible
>
> Description:
>
>    A bug in the processing of NXT records can theoretically allow an
>    attacker to gain access to the system running the DNS server at
>    whatever privilege level the DNS server runs at.
>
> Workarounds:
>
>    None.
>
> Active Exploits:
>
>    At this time, ISC is unaware of any active exploits of this
>    vulnerability; however, given the potential access this vulnerability
>    represents, it is probable scripts will be created in the near future
>    that make use of this vulnerability.
>
> --
> Elias Levy
> Security Focus
> http://www.securityfocus.com/
>
