Feds urged to plug software hole in Unix, NT servers

Security experts are urging network administrators to plug a software hole present in all Unix servers and many of Microsoft Corp.'s Windows NT servers - a hole that already has been used to redirect portions of Internet traffic.

The vulnerability exists in software called the Berkeley Internet Name Daemon (BIND) which is found on all Unix servers and many NT servers. Together the two systems account for a large majority of all servers in the federal government. BIND translates Internet name addresses into numeric addresses.

Because of the potential for further exploitation of this software hole Network Solutions Inc. - the company that registers Internet domain names that end with the suffixes .com .edu and .org - joined with the Computer Emergency Response Team (CERT) at Carnegie Mellon University to issue a warning this month urging network administrators to update the software.

Network Solutions under contract with the National Science Foundation has responsibility for registering .gov addresses. NSF announced in April that it would not renew its contract with Network Solutions the registration authority will be transferred to the General Services Administration Oct. 1.

The vulnerability was exploited in July by Eugene Kashpureff the operator of an Internet company called Alternic who has protested Network Solutions' monopoly of domain-name registering. He exploited the software hole in several name servers and diverted users away from two World Wide Web sites maintained by Network Solutions to prove the security vulnerability according to a Network Solutions official.

Network Solutions' own name servers were not affected because the company had installed an updated version of BIND. The vulnerability can be eliminated by updating BIND to Version 8.1.1 according to the advisory.

Of far greater concern however is that a hacker could use the hole to capture or corrupt all information sent between hosts on a network according to the security advisory. While hackers have routinely secretly installed a device called a "sniffer" to illegally monitor traffic at a specific network location this vulnerability could allow unauthorized users to direct traffic to themselves. Other than eliminating the hole with the updated version routinely encrypting data is the only sure way to prevent communications traffic from being deciphered if it is redirected said Rik Farrow an independent security consultant who specializes in Unix. A recent Network Solutions survey of the 50 000 most popular commercial Web servers indicated that 98 percent had not installed the 6-week-old updated version of the software to eliminate the hole said David Holtzman senior vice president of engineering at the company.

"We find that to be a pretty frightening statistic " Holtzman said. "We believe that most servers are vulnerable to this today. It could potentially have a very large impact."

The number of federal government servers who are vulnerable may be even greater Holtzman said because government network administrators tend to update software less frequently than their commercial counterparts.

Some agencies have heeded the warnings to update the software. Frank Marino a member of the Department of Veterans Affairs' computer emergency response team said the agency has updated the BIND software for the agency's 21 Unix firewalls.

Most of the large Unix vendors - including Digital Equipment Corp. Hewlett-Packard Co. Sun Microsystems Inc. IBM Corp. and The Santa Cruz Operation Inc. - noted in the security bulletin that various versions of their systems are vulnerable and that they are working on software patches.

While BIND was written primarily for Unix servers many NT users may have installed it because it is more popular than what comes with NT Farrow said.

BIND was devised in the 1980s soon after the massive growth of the Internet began when computers could not routinely search an internal list of names to find addresses because it became too cumbersome Farrow said. At the time it was devised security implications were not an issue he said.