T-633: BIND RRSIG RRsets Negative Caching Off-by-one Bug Lets Remote Users Deny Service

May 31, 2011 - 3:35pm

PROBLEM:

A vulnerability was reported in BIND. A remote user can cause denial of service conditions.

PLATFORM:

BIND Version(s): 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3, 9.7.1 and later, 9.8.0 and later; prior to 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1, 9.8.0-P2

ABSTRACT:

A remote DNS server can supply very large RRSIG RRsets in a negative response, triggering an off-by-one error in a buffer size check and crashing the named process on the resolver that issued the query. A remote user can thereby cause named to crash.

REFERENCE LINKS:

SecurityTracker Alert ID: 1025575
SecurityTracker Alert ID: 1025572
ISC Advisory
BIND Software
CVE-2011-1910

IMPACT ASSESSMENT:

High

Discussion:

DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the negative cache.
The authority data will be cached along with the negative cache information. These authoritative "Start of Authority" (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type. In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.

Impact:

The nature of this vulnerability allows remote exploitation. An attacker can set up a DNSSEC-signed authoritative DNS server with large RRSIG RRsets to act as the trigger, and then find ways to make an organization's caching resolvers query for non-existent names in the domain served by that server, so that the negative response triggers the vulnerability. The attacker requires access to the organization's caching resolvers; that access can be direct (open resolvers), through malware (a botnet issuing queries that populate the negative cache), or by driving DNS resolution (a spam run containing a domain in the e-mail that causes the client to perform a lookup). This issue has caused unintentional outages.

DNSSEC does not need to be enabled on the resolver for it to be vulnerable.

Solution:

Restricting access to the DNS caching resolver infrastructure provides only partial mitigation: active exploitation can still be accomplished through malware or spam/malvertising that forces authorized clients to look up domains that trigger this vulnerability.
Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2 or the latest fixed version of the software.

Note: FreeBSD BIND has confirmed that 9.6.2-P3 is unaffected.

FreeBSD BIND Software Downloads
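An added helper (not from ISC or this bulletin) that encodes the PLATFORM ranges and the fixed versions above so an operator can check a `named -v` banner against them; the version-string grammar and banner layout are assumptions based on the versions quoted on this page.

```python
"""Check a BIND version string against the affected ranges in this advisory.
Assumption: version strings use the forms seen on this page ("9.7.3-P1",
"9.6-ESV-R4-P1", "9.8.0"); the range table is transcribed from the PLATFORM
and Solution sections and is not ISC-published data."""
import re

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-ESV-R(\d+))?(?:-P(\d+))?")

def parse_version(text):
    """Split a BIND version into (branch, ordering key): ESV releases form
    their own branch ("9.6-ESV") ordered by (R, P); regular releases ("9.7")
    are ordered by (patch, P).  Different branches are never compared."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, patch, esv_r, p = m.groups()
    p_num = int(p) if p else 0
    if esv_r is not None:
        return "%s.%s-ESV" % (major, minor), (int(esv_r), p_num)
    return "%s.%s" % (major, minor), (int(patch or 0), p_num)

# (branch, first affected, first fixed) from the PLATFORM section.  None as
# first fixed means the advisory names no fixed release on that branch: it
# lists only "9.6.3" and directs upgraders to the listed fixed releases.
AFFECTED = [
    ("9.4-ESV", (3, 0), (4, 1)),  # 9.4-ESV-R3 up to 9.4-ESV-R4-P1
    ("9.6-ESV", (2, 0), (4, 1)),  # 9.6-ESV-R2 up to 9.6-ESV-R4-P1
    ("9.6", (3, 0), None),        # 9.6.3; 9.6.2-P3 is noted as unaffected
    ("9.7", (1, 0), (3, 1)),      # 9.7.1 up to 9.7.3-P1
    ("9.8", (0, 0), (0, 2)),      # 9.8.0 up to 9.8.0-P2
]

def is_affected(version):
    """True if the version lies in an affected range for CVE-2011-1910."""
    branch, key = parse_version(version)
    return any(b == branch and key >= lo and (hi is None or key < hi)
               for b, lo, hi in AFFECTED)

def version_from_banner(banner):
    """Pull the version out of 'named -v' output such as 'BIND 9.7.3-P1'.
    The banner layout is an assumption; 'named -v' may print extra text."""
    m = _VERSION.search(banner)
    if not m:
        raise ValueError("no BIND version in banner: %r" % banner)
    return m.group(0)

if __name__ == "__main__":
    # Constructed sample banner; in practice feed the output of `named -v`.
    v = version_from_banner("BIND 9.7.3")
    print(v, "AFFECTED" if is_affected(v) else "not affected")
```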
