ID CVE-2008-0122
Summary Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
References
Vulnerable Configurations
  • FreeBSD 6.2
    cpe:2.3:o:freebsd:freebsd:6.2
  • FreeBSD 6.3
    cpe:2.3:o:freebsd:freebsd:6.3
  • FreeBSD 7.0 pre-release
    cpe:2.3:o:freebsd:freebsd:7.0:pre-release
  • ISC BIND 9.4.2
    cpe:2.3:a:isc:bind:9.4.2
CVSS
Base: 10.0 (as of 24-08-2016 - 10:05)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_BIND-4931.NASL
    description Certain input data could trigger a buffer overflow in the 'inet_network' function of libbind. Applications that use this function could therefore potentially be crashed or exploited to execute arbitrary code. Bind itself is not affected though (CVE-2008-0122).
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 31449
    published 2008-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31449
    title openSUSE 10 Security Update : bind (bind-4931)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_X86_109327.NASL
    description SunOS 5.8_x86: libresolv.so.2, in.named an. Date this patch was last updated by Sun : Mar/09/09
    last seen 2018-09-02
    modified 2016-12-12
    plugin id 13429
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13429
    title Solaris 8 (x86) : 109327-24
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_109152.NASL
    description SunOS 5.8: /usr/4lib/libc.so.x.9 and libdb. Date this patch was last updated by Sun : Jun/04/08
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 13315
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13315
    title Solaris 8 (sparc) : 109152-03
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_109326.NASL
    description SunOS 5.8: libresolv.so.2, in.named and BI. Date this patch was last updated by Sun : Mar/09/09
    last seen 2018-09-01
    modified 2016-12-12
    plugin id 13321
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13321
    title Solaris 8 (sparc) : 109326-24
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080521_BIND_ON_SL5_X.NASL
    description It was discovered that the bind packages created the 'rndc.key' file with insecure file permissions. This allowed any local user to read the content of this file. A local user could use this flaw to control some aspects of the named daemon by using the rndc utility, for example, stopping the named daemon. This problem did not affect systems with the bind-chroot package installed. (CVE-2007-6283)
      A buffer overflow flaw was discovered in the 'inet_network()' function, as implemented by libbind. An attacker could use this flaw to crash an application calling this function, with an argument provided from an untrusted source. (CVE-2008-0122)
      As well, these updated packages fix the following bugs:
      - when using an LDAP backend, missing function declarations caused segmentation faults, due to stripped pointers on machines where pointers are longer than integers.
      - starting named may have resulted in named crashing, due to a race condition during D-BUS connection initialization. This has been resolved in these updated packages.
      - the named init script returned incorrect error codes, causing the 'status' command to return an incorrect status. In these updated packages, the named init script is Linux Standard Base (LSB) compliant.
      - in these updated packages, the 'rndc [command] [zone]' command, where [command] is an rndc command, and [zone] is the specified zone, will find the [zone] if the zone is unique to all views.
      - the default named log rotation script did not work correctly when using the bind-chroot package. In these updated packages, installing bind-chroot creates the symbolic link '/var/log/named.log', which points to '/var/named/chroot/var/log/named.log', which resolves this issue.
      - a previous bind update incorrectly changed the permissions on the '/etc/openldap/schema/dnszone.schema' file to mode 640, instead of mode 644, which resulted in OpenLDAP not being able to start. In these updated packages, the permissions are correctly set to mode 644.
      - the 'checkconfig' parameter was missing in the named usage report. For example, running the 'service named' command did not return 'checkconfig' in the list of available options.
      - due to a bug in the named init script not handling the rndc return value correctly, the 'service named stop' and 'service named restart' commands failed on certain systems.
      - the bind-chroot spec file printed errors when running the '%pre' and '%post' sections. Errors such as the following occurred: Locating //etc/named.conf failed: [FAILED] This has been resolved in these updated packages.
      - installing the bind-chroot package creates a '/dev/random' file in the chroot environment; however, the '/dev/random' file had an incorrect SELinux label. Starting named resulted in an 'avc: denied { getattr } for pid=[pid] comm='named' path='/dev/random'' error being logged. The '/dev/random' file has the correct SELinux label in these updated packages.
      - in certain situations, running the 'bind +trace' command resulted in random segmentation faults.
      As well, these updated packages add the following enhancements:
      - support has been added for GSS-TSIG (RFC 3645).
      - the 'named.root' file has been updated to reflect the new address for L.ROOT-SERVERS.NET.
      - updates BIND to the latest 9.3 maintenance release.
    last seen 2019-01-16
    modified 2019-01-07
    plugin id 60402
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60402
    title Scientific Linux Security Update : bind on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12060.NASL
    description Certain input data could trigger a buffer overflow in the 'inet_network' function of libbind. Applications that use this function could therefore potentially be crashed or exploited to execute arbitrary code. Bind itself is not affected though. (CVE-2008-0122)
    last seen 2019-01-16
    modified 2012-04-23
    plugin id 41191
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41191
    title SuSE9 Security Update : bind (YOU Patch Number 12060)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-0903.NASL
    description - CVE-2008-0122, libbind.so off-by-one buffer overflow, very low severity Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2016-12-08
    plugin id 30080
    published 2008-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30080
    title Fedora 8 : bind-9.5.0-23.b1.fc8 (2008-0903)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_111327.NASL
    description SunOS 5.8: libsocket patch. Date this patch was last updated by Sun : Jun/06/08
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 33211
    published 2008-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33211
    title Solaris 8 (sparc) : 111327-06
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_136892.NASL
    description SunOS 5.10: libc.so.1.9 patch. Date this patch was last updated by Sun : Jun/06/08
    last seen 2018-09-01
    modified 2018-08-13
    plugin id 33205
    published 2008-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33205
    title Solaris 10 (sparc) : 136892-01
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_X86_111328.NASL
    description SunOS 5.8_x86: libsocket patch. Date this patch was last updated by Sun : Jun/06/08
    last seen 2018-09-02
    modified 2014-08-30
    plugin id 33212
    published 2008-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33212
    title Solaris 8 (x86) : 111328-05
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0066.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates:
      - Fix CVE-2017-3136 (ISC change 4575)
      - Fix CVE-2017-3137 (ISC change 4578)
      - Fix and test caching CNAME before DNAME (ISC change 4558)
      - Fix CVE-2016-9147 (ISC change 4510)
      - Fix regression introduced by CVE-2016-8864 (ISC change 4530)
      - Restore SELinux contexts before named restart
      - Use /lib or /lib64 only if directory in chroot already exists
      - Tighten NSS library pattern, escape chroot mount path
      - Fix (CVE-2016-8864)
      - Do not change lib permissions in chroot (#1321239)
      - Support WKS records in chroot (#1297562)
      - Do not include patch backup in docs (fixes #1325081 patch)
      - Backported relevant parts of [RT #39567] (#1259923)
      - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1326283)
      - Fix multiple realms in nsupdate script like upstream (#1313286)
      - Fix multiple realm in nsupdate script (#1313286)
      - Use resolver-query-timeout high enough to recover all forwarders (#1325081)
      - Fix (CVE-2016-2848)
      - Fix infinite loop in start_lookup (#1306504)
      - Fix (CVE-2016-2776)
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 99569
    published 2017-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99569
    title OracleVM 3.3 / 3.4 : bind (OVMSA-2017-0066)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-0904.NASL
    description - CVE-2008-0122, libbind.so off-by-one buffer overflow, very low severity Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2016-12-08
    plugin id 30081
    published 2008-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30081
    title Fedora 7 : bind-9.4.2-3.fc7 (2008-0904)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_BIND-4932.NASL
    description Certain input data could trigger a buffer overflow in the 'inet_network' function of libbind. Applications that use this function could therefore potentially be crashed or exploited to execute arbitrary code. Bind itself is not affected though. (CVE-2008-0122)
    last seen 2019-01-16
    modified 2012-05-17
    plugin id 31450
    published 2008-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31450
    title SuSE 10 Security Update : bind (ZYPP Patch Number 4932)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-6281.NASL
    description 9.5.0-P1 release which contains fix for CVE-2008-1447. This update also fixes parsing of inner ACLs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2016-12-12
    plugin id 33470
    published 2008-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33470
    title Fedora 8 : bind-9.5.0-28.P1.fc8 (2008-6281)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_136892-01.NASL
    description SunOS 5.10: libc.so.1.9 patch. Date this patch was last updated by Sun : Jun/06/08
    last seen 2018-10-27
    modified 2018-10-26
    plugin id 107478
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107478
    title Solaris 10 (sparc) : 136892-01
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0300.NASL
    description Updated bind packages that fix two security issues, several bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
      The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
      It was discovered that the bind packages created the 'rndc.key' file with insecure file permissions. This allowed any local user to read the content of this file. A local user could use this flaw to control some aspects of the named daemon by using the rndc utility, for example, stopping the named daemon. This problem did not affect systems with the bind-chroot package installed. (CVE-2007-6283)
      A buffer overflow flaw was discovered in the 'inet_network()' function, as implemented by libbind. An attacker could use this flaw to crash an application calling this function, with an argument provided from an untrusted source. (CVE-2008-0122)
      As well, these updated packages fix the following bugs:
      * when using an LDAP backend, missing function declarations caused segmentation faults, due to stripped pointers on machines where pointers are longer than integers.
      * starting named may have resulted in named crashing, due to a race condition during D-BUS connection initialization. This has been resolved in these updated packages.
      * the named init script returned incorrect error codes, causing the 'status' command to return an incorrect status. In these updated packages, the named init script is Linux Standard Base (LSB) compliant.
      * in these updated packages, the 'rndc [command] [zone]' command, where [command] is an rndc command, and [zone] is the specified zone, will find the [zone] if the zone is unique to all views.
      * the default named log rotation script did not work correctly when using the bind-chroot package. In these updated packages, installing bind-chroot creates the symbolic link '/var/log/named.log', which points to '/var/named/chroot/var/log/named.log', which resolves this issue.
      * a previous bind update incorrectly changed the permissions on the '/etc/openldap/schema/dnszone.schema' file to mode 640, instead of mode 644, which resulted in OpenLDAP not being able to start. In these updated packages, the permissions are correctly set to mode 644.
      * the 'checkconfig' parameter was missing in the named usage report. For example, running the 'service named' command did not return 'checkconfig' in the list of available options.
      * due to a bug in the named init script not handling the rndc return value correctly, the 'service named stop' and 'service named restart' commands failed on certain systems.
      * the bind-chroot spec file printed errors when running the '%pre' and '%post' sections. Errors such as the following occurred: Locating //etc/named.conf failed: [FAILED] This has been resolved in these updated packages.
      * installing the bind-chroot package creates a '/dev/random' file in the chroot environment; however, the '/dev/random' file had an incorrect SELinux label. Starting named resulted in an 'avc: denied { getattr } for pid=[pid] comm='named' path='/dev/random'' error being logged. The '/dev/random' file has the correct SELinux label in these updated packages.
      * in certain situations, running the 'bind +trace' command resulted in random segmentation faults.
      As well, these updated packages add the following enhancements:
      * support has been added for GSS-TSIG (RFC 3645).
      * the 'named.root' file has been updated to reflect the new address for L.ROOT-SERVERS.NET.
      * updates BIND to the latest 9.3 maintenance release.
      All users of bind are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 32424
    published 2008-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32424
    title RHEL 5 : bind (RHSA-2008:0300)
oval via4
accepted 2013-04-29T04:03:09.459-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
family unix
id oval:org.mitre.oval:def:10190
status accepted
submitted 2010-07-09T03:56:16-04:00
title Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.
version 18
redhat via4
advisories
bugzilla
id 429149
title CVE-2008-0122 libbind off-by-one buffer overflow
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhsa:tst:20070055001
  • OR
    • AND
      • comment bind is earlier than 30:9.3.4-6.P1.el5
        oval oval:com.redhat.rhsa:tst:20080300002
      • comment bind is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070057003
    • AND
      • comment bind-chroot is earlier than 30:9.3.4-6.P1.el5
        oval oval:com.redhat.rhsa:tst:20080300014
      • comment bind-chroot is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070057005
    • AND
      • comment bind-devel is earlier than 30:9.3.4-6.P1.el5
        oval oval:com.redhat.rhsa:tst:20080300004
      • comment bind-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070057007
    • AND
      • comment bind-libbind-devel is earlier than 30:9.3.4-6.P1.el5
        oval oval:com.redhat.rhsa:tst:20080300006
      • comment bind-libbind-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070057015
    • AND
      • comment bind-libs is earlier than 30:9.3.4-6.P1.el5
        oval oval:com.redhat.rhsa:tst:20080300010
      • comment bind-libs is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070057017
    • AND
      • comment bind-sdb is earlier than 30:9.3.4-6.P1.el5
        oval oval:com.redhat.rhsa:tst:20080300008
      • comment bind-sdb is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070057009
    • AND
      • comment bind-utils is earlier than 30:9.3.4-6.P1.el5
        oval oval:com.redhat.rhsa:tst:20080300016
      • comment bind-utils is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070057011
    • AND
      • comment caching-nameserver is earlier than 30:9.3.4-6.P1.el5
        oval oval:com.redhat.rhsa:tst:20080300012
      • comment caching-nameserver is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070057013
rhsa
id RHSA-2008:0300
released 2008-05-20
severity Moderate
title RHSA-2008:0300: bind security, bug fix, and enhancement update (Moderate)
rpms
  • bind-30:9.3.4-6.P1.el5
  • bind-chroot-30:9.3.4-6.P1.el5
  • bind-devel-30:9.3.4-6.P1.el5
  • bind-libbind-devel-30:9.3.4-6.P1.el5
  • bind-libs-30:9.3.4-6.P1.el5
  • bind-sdb-30:9.3.4-6.P1.el5
  • bind-utils-30:9.3.4-6.P1.el5
  • caching-nameserver-30:9.3.4-6.P1.el5
refmap via4
bid 27283
bugtraq 20080124 rPSA-2008-0029-1 bind bind-utils
cert-vn VU#203611
confirm
fedora
  • FEDORA-2008-0903
  • FEDORA-2008-0904
freebsd FreeBSD-SA-08:02
sectrack 1019189
secunia
  • 28367
  • 28429
  • 28487
  • 28579
  • 29161
  • 29323
  • 30313
  • 30538
  • 30718
sunalert 238493
suse SUSE-SR:2008:006
vupen
  • ADV-2008-0193
  • ADV-2008-0703
  • ADV-2008-1743
xf freebsd-inetnetwork-bo(39670)
statements via4
contributor Mark J Cox
lastmodified 2008-05-21
organization Red Hat
statement This issue did not affect the versions of GNU libc as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue affects the versions of libbind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5, however the vulnerable function is not used by any shipped applications. The Red Hat Security Response Team has therefore rated this issue as having low security impact, a future update may address this flaw. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0122 An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0300.html
Last major update 06-12-2016 - 21:59
Published 15-01-2008 - 21:00
Last modified 15-10-2018 - 17:58