You are here

T-662: ISC BIND Packet Processing Flaw Lets Remote Users Deny Service

July 6, 2011 - 7:47am

Addthis

PROBLEM:

A vulnerability was reported in ISC BIND. A remote user can cause denial of service conditions.

PLATFORM:

9.6.3, 9.6-ESV-R4, 9.6-ESV-R4-P1, 9.6-ESV-R5b1 9.7.0, 9.7.0-P1, 9.7.0-P2, 9.7.1, 9.7.1-P1, 9.7.1-P2, 9.7.2, 9.7.2-P1, 9.7.2-P2, 9.7.2-P3, 9.7.3, 9.7.3-P1, 9.7.3-P2, 9.7.4b1 9.8.0, 9.8.0-P1, 9.8.0-P2, 9.8.0-P3, 9.8.1b1

ABSTRACT:

A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time. A remote attacker would need to be able to send a specially crafted packet directly to a server running a vulnerable version of BIND. There is also the potential for an indirect attack via malware that is inadvertently installed and run, where infected machines have direct access to an organization's nameservers.

OTHER LINKS:

SecurityTracker Alert ID: 1025742
Red Hat Bugzilla - Bug 718966
BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers

IMPACT ASSESSMENT:

High

Discussion:

A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.

Impact:

A remote user can cause the target DNS service to exit. A remote attacker would need to be able to send a specially crafted packet directly to a server running a vulnerable version of BIND. There is also the potential for an indirect attack via malware that is inadvertently installed and run, where infected machines have direct access to an organization's nameservers.

Solution:

Upgrade to: 9.6-ESV-R4-P3, 9.7.3-P3 or 9.8.0-P4. Download these versions from the following locations: ISC releases of BIND 9 software may be downloaded from http://www.isc.org/software/bind If you do not obtain your BIND software directly from ISC, contact your operating system or software vendor for an update. If you are participating in ISC's beta or release candidate (RC) programs, please upgrade. ISC Beta/RC testers are expected to remove vulnerable versions and upgrade. No security advisories are issued for beta / release candidates once the corresponding final release is made. In addition, 9.5.3b1 and 9.5.3rc1 are affected although ISC has not released a final production version of 9.5.3. Note that BIND 9.5 is End-of-Life, therefore if you are running a pre-release version of 9.5.3 we recommend upgrading to a supported production version of BIND. 9.6-ESV-R4-P2 is not affected by any known attack vectors, but has been replaced by 9.6-ESV-R4-P3 which carries a more complete fix Other versions of BIND 9 not listed in this advisory are not vulnerable to this problem.

Addthis