
T-617: BIND RPZ Processing Flaw Lets Remote Users Deny Service

May 6, 2011 - 7:00am


PROBLEM:

A vulnerability has been reported in ISC BIND that a remote, unauthenticated attacker can exploit to cause a denial of service (DoS) by crashing the name server process.

PLATFORM:

ISC BIND version 9.8.0 (fixed in 9.8.0-P1).

ABSTRACT:

When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.

REFERENCE LINKS:

ISC Advisory: CVE-2011-1907
Secunia Advisory: SA44416
Vulnerability Report: ISC BIND
CVE-2011-1907
SecurityTracker Alert ID: 1025503

IMPACT ASSESSMENT:

High

Discussion:

This advisory only affects BIND users who run the RPZ feature with rules configured for RRset replacement.

BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism by which a recursive server rewrites the DNS responses it returns according to a set of rules that are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy in place of the real one.

When RPZ is in use, a query of type RRSIG for a name configured for RRset replacement triggers an assertion failure, and the name server process exits. Because the trigger is an ordinary query, any client that can send queries to the recursive server can cause the crash.

Impact:

The vulnerability is caused by an assertion failure when processing RRSIG queries if the Response Policy Zones (RPZ) mechanism is used for RRset replacement. A remote attacker can exploit it to terminate the name server with a single RRSIG query for any name that has a replacement rule, denying service to every client of that resolver.

Solution:

Until the server can be upgraded, use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.

Install BIND 9.8.0-P1 or later.
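The following is an added example, not part of the ISC advisory or of BIND itself: a POSIX shell script that writes a small RPZ zone mixing the two rule styles the discussion distinguishes (NXDOMAIN/NODATA policies versus RRset replacement) and then lists the rules that would make an unpatched 9.8.0 crash on an RRSIG query, so an operator can verify that the workaround above is actually in place before the upgrade. The zone content, names, addresses and file path are constructed for the example and are assumptions, not values from the advisory.

```shell
#!/bin/sh
# Added example, not from the ISC advisory or the BIND code base: audit an
# RPZ zone file for RRset-replacement rules, the only rules this bug reaches.
#
# RPZ rule semantics (BIND 9.8 ARM, "Response Policy Zone (RPZ) Rewriting"):
#   owner  CNAME .          force NXDOMAIN        (safe on unpatched 9.8.0)
#   owner  CNAME *.         force NODATA          (no RRset is returned)
#   owner  A / AAAA / ...   replace the RRset     (RRSIG query crashes 9.8.0)
#   owner  CNAME other.     replace with a CNAME  (RRSIG query crashes 9.8.0)
#
# The zone content below is constructed for this example; the file path and
# zone origin are assumptions, not values from the advisory.

set -u

RPZ_FILE=${RPZ_FILE:-/tmp/rpz.example.db}

# Write a sample RPZ zone mixing NXDOMAIN, NODATA and replacement rules.
write_sample_zone() {
    cat > "$RPZ_FILE" <<'EOF'
$TTL 1H
@                      SOA   LOCALHOST. named-mgr.example.com. ( 1 1h 15m 30d 2h )
@                      NS    LOCALHOST.
; NXDOMAIN policy: the recommended workaround, unaffected by CVE-2011-1907
bad.example.com        CNAME .
*.bad.example.com      CNAME .
; NODATA policy: also returns no RRset
nodata.example.com     CNAME *.
; RRset replacement: an RRSIG query for any of these crashes BIND 9.8.0
walled.example.com     A     192.0.2.10
*.walled.example.com   A     192.0.2.10
redir.example.com      CNAME walled-garden.example.com.
EOF
}

# Print the owner name of every rule that replaces an RRset rather than
# forcing NXDOMAIN or NODATA. Handles comments, $-directives, an optional
# TTL and class, and continuation lines that inherit the previous owner.
rpz_replacement_records() {
    awk '
        /^[ \t]*;/ || NF == 0 { next }   # comment or blank line
        /^\$/                 { next }   # $TTL, $ORIGIN, ...
        {
            if ($0 ~ /^[ \t]/) { owner = prev; i = 1 }   # continuation line
            else               { owner = $1; prev = owner; i = 2 }
            if ($i ~ /^[0-9]+[smhdwSMHDW]?$/) i++         # optional TTL
            if ($i == "IN")                   i++         # optional class
            type = $i; rdata = $(i + 1)
            if (owner == "@") next                        # apex SOA / NS
            if (type == "CNAME" && (rdata == "." || rdata == "*.")) next
            print owner
        }
    ' "$1"
}

# Exit status 0 when the zone only forces NXDOMAIN/NODATA, i.e. it is safe
# to serve from an unpatched 9.8.0 as an interim workaround.
rpz_safe_for_9_8_0() {
    [ -z "$(rpz_replacement_records "$1")" ]
}

write_sample_zone
echo "RRset-replacement rules in $RPZ_FILE:"
rpz_replacement_records "$RPZ_FILE"
if rpz_safe_for_9_8_0 "$RPZ_FILE"; then
    echo "zone only forces NXDOMAIN/NODATA: workaround in place"
else
    echo "zone replaces RRsets: upgrade to 9.8.0-P1 or later before serving it"
fi
```

Point `RPZ_FILE` at a real response-policy zone file (and drop the `write_sample_zone` call) to audit a production resolver. The script only inspects zone text; it does not tell you which BIND version is running. If you need to confirm a server is actually affected, send a type RRSIG query (for example with dig) for a replaced name only to a lab instance, since a hit on 9.8.0 terminates named.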
