PROBLEM:
A vulnerability was reported in BIND. A remote user can cause denial of service conditions.
PLATFORM:
BIND Version(s): 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3, 9.7.1 and later, 9.8.0 and later; prior to 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1, 9.8.0-P2
ABSTRACT:
A remote DNS server can supply very large RRSIG RRsets in a negative response to trigger an off-by-one error in a buffer size check and cause the target requesting named process to crash. A remote user can cause named to crash.
reference LINKS:
SecurityTracker Alert ID: 1025575
SecurityTracker Alert ID: 1025572
ISC Advisory
BIND Software
CVE-2011-1910
iMPACT ASSESSMENT:
High
Discussion:
DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the negative cache.
The authority data will be cached along with the negative cache information. These authoritative "Start of Authority" (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type. In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response.
In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.
Impact:
The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization's caching resolvers for non-existent names in the domain served by the bad server, getting a response that would "trigger" the vulnerability. The attacker would require access to an organization's caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup).This issue has caused unintentional outages.
DNSSEC does not need to be enabled on the resolver for it to be vulnerable.
Solution:
Restricting access to the DNS caching resolver infrastructure will provide partial mitigation. Active exploitation can be accomplished through malware or SPAM/Malvertizing actions that will force authorized clients to look up domains that would trigger this vulnerability.
Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2 or the latest fixed version of the software.
Note: FreeBSD BIND has confirmed that 9.6.2-P3 is unaffected.
FreeBSD BIND Software Downloads