- -----BEGIN PGP SIGNED MESSAGE-----
- Hash: SHA1
- ===========================================================================
- AUSCERT External Security Bulletin Redistribution
- ESB-2011.0693
- A number of vulnerabilities have been identified in BIND
- 5 July 2011
- ===========================================================================
- AusCERT Security Bulletin Summary
- ---------------------------------
- Product: BIND 9
- Publisher: ISC
- Operating System: UNIX variants (UNIX, Linux, OSX)
- Windows
- Impact/Access: Denial of Service -- Remote/Unauthenticated
- Resolution: Patch/Upgrade
- CVE Names: CVE-2011-2465 CVE-2011-2464
- Comment: This bulletin contains two (2) ISC security advisories.
- - --------------------------BEGIN INCLUDED TEXT--------------------
- - -----BEGIN PGP SIGNED MESSAGE-----
- Hash: SHA512
- Title: ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers
- Summary: A specially constructed packet will cause BIND 9 ("named") to exit, affecting DNS service.
- Document ID: CVE-2011-2464
- Document Version: 1.7 "Interim"
- Document URL: http://www.isc.org/security (to be published July 6)
- Posting Date: 28 June, 2011
- Program Impacted: BIND 9
- Versions Affected:
- 9.6 versions: 9.6.3, 9.6-ESV-R4, 9.6-ESV-R4-P1, 9.6-ESV-R5b1
- 9.7 versions: 9.7.0, 9.7.0-P1, 9.7.0-P2, 9.7.1, 9.7.1-P1, 9.7.1-P2, 9.7.2, 9.7.2-P1, 9.7.2-P2, 9.7.2-P3, 9.7.3, 9.7.3-P1, 9.7.3-P2, 9.7.4b1
- 9.8 versions: 9.8.0, 9.8.0-P1, 9.8.0-P2, 9.8.0-P3, 9.8.1b1
- In addition, 9.5.3b1 and 9.5.3rc1 are affected although ISC has not released a final production version of 9.5.3. Note that BIND 9.5 is End-of-Life, therefore if you are running a pre-release version of 9.5.3 we recommend upgrading to a supported production version of BIND.
- 9.6-ESV-R4-P2 is not affected by any known attack vectors, but has been replaced by 9.6-ESV-R4-P3 which carries a more complete fix.
- Other versions of BIND 9 not listed here are not vulnerable to this problem.
- Severity: Severe
- Exploitable: Remotely
- Description:
- A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.
- A remote attacker would need to be able to send a specially crafted packet directly to a server running a vulnerable version of BIND. There is also the potential for an indirect attack via malware that is inadvertently installed and run, where infected machines have direct access to an organization's nameservers.
- CVSS Score: 7.8
- CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
- For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
- http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
- Workarounds:
- There are no known workarounds for publicly available servers.
- Administrators of servers that are not publicly available may be able to limit exposure via firewalls and packet filters.
- Solution:
- Upgrade to: 9.6-ESV-R4-P3, 9.7.3-P3 or 9.8.0-P4.
- Download these versions from the following locations:
- * ISC releases of BIND 9 software may be downloaded from http://www.isc.org/software/bind
- * If you do not obtain your BIND software directly from ISC, contact your operating system or software vendor for an update.
- * If you are participating in ISC's beta or release candidate (RC) programs, please upgrade. ISC Beta/RC testers are expected to remove vulnerable versions and upgrade. No security advisories are issued for beta / release candidates once the corresponding final release is made.
- Exploit Status: ISC knows of no public tools to exploit this defect at the time of this advisory.
- Acknowledgement: ISC thanks Roy Arends from Nominet for pin-pointing the exact nature of the vulnerability. We also thank Ramesh Damodaran of Infoblox for finding a variation of the attack vector and Mats Dufberg of TeliaSonera Sweden for confirming additional variants.
- Document Revision History
- * 1.0 14 June 2011 - Phase One Disclosure Date
- * 1.1 20 June 2011 - Phase Two Disclosure Date with updates.
- * 1.2 21 June 2011 - Updates on beta, RC, and clarity editing
- * 1.3 21 June 2011 - Sent Hold Notices to Phase I constituents, added Ramesh to Acknowledgments
- * 1.4 23 June 2011 - Updated -P versions to include Advanced Security Patches released to Phase I, and "Upgrade to:" versions
- * 1.5 24 June 2011 - Added Document URL, sent schedule Update to Phase I constituents.
- * 1.6 28 June 2011 - Updated Versions Affected, added Mats to Acknowledgments, sent Phase I updates.
- * 1.7 30 June 2011 - Updated attribution text.
- References:
- * Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.
- * Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings is available at:
- http://www.isc.org/community/blog/201102/BIND-support
- * ISC Security Vulnerability Disclosure Policy. Details of our current security advisory policy and practice can be found here:
- https://www.isc.org/security-vulnerability-disclosure-policy
- Legal Disclaimer:
- Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
- A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
- - -----BEGIN PGP SIGNATURE-----
- Version: 10.1.0.860
- - -----END PGP SIGNATURE-----
- - -----BEGIN PGP SIGNED MESSAGE-----
- Hash: SHA512
- Title: ISC BIND 9 Remote Crash with Certain RPZ Configurations
- Summary: Two defects were discovered in ISC's BIND 9 code. These defects only affect BIND 9 servers which have recursion enabled and which use a specific feature of the software known as Response Policy Zones (RPZ) and where the RPZ zone contains a specific rule/action pattern.
- RPZ is a technology developed by ISC which provides DNS recursive resolver operators with a simple way to block certain queries which they wish to or legally must prevent, or to redirect them to an alternate location. RPZ allows a great deal of flexibility and fine-grained selection of resolver policy. For more information, please see https://www.isc.org/software/rpz.
- Document ID: CVE-2011-2465
- Document Version: 1.4
- Document URL: http://www.isc.org/security (not publicly published)
- Posting date: 28 June, 2011
- Program Impacted: BIND 9
- Versions affected: 9.8.0, 9.8.0-P1, 9.8.0-P2 and 9.8.1b1
- Other versions of BIND 9 not listed here are not vulnerable to this problem.
- Severity: Severe
- Exploitable: Remotely
- Description:
- A defect in the affected versions of BIND could cause the "named" process to exit when queried, if the server has recursion enabled and was configured with an RPZ zone containing certain types of records.
- Specifically, these are any DNAME record and certain kinds of CNAME records.
- The patch release of BIND 9.8.0-P4 alters the behavior of RPZ zones by ignoring any DNAME records in an RPZ zone, and correctly returning CNAME records from RPZ zones.
- Note that DNAME has no defined effect on the RPZ engine and its presence in an RPZ zone is ignored. The definitive list of meaningful patterns in an RPZ zone is given in the BIND 9 Administrative Reference Manual and also in ISC Technical Note 2010-1.
- CVSS Score: 7.8
- CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
- For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
- http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
- Workarounds:
- Do not put certain CNAME or any DNAME records into an RPZ zone file until your software can be patched. If you subscribe to a service which supplies your RPZ zone data, ensure that it does not contain any DNAME or certain CNAME records. The CNAME records which must not be used are those which signal the RPZ engine to rewrite query names. CNAME records which signal the RPZ engine to forge an NXDOMAIN response are not affected by this defect.
- An example of an RPZ rule which causes a query name to be rewritten is:
- *.malicious-domain.com CNAME walled-garden.isp.net
- An example of an RPZ rule which causes an NXDOMAIN response to be returned is:
- *.malicious-domain.com CNAME .
- Please refer to the BIND 9 Administrative Reference Manual or to ISC Technical Note 2010-1 for more information about the Response Policy Zone (RPZ) feature which was added to BIND 9 in Version 9.8.0.
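- The workaround above, as an added example that is not part of the ISC advisory or of BIND: a Python audit that lists the DNAME records and non-NXDOMAIN CNAME rules in an RPZ zone file so they can be pulled until the server is patched. The sample zone is constructed, the function name `audit_rpz_zone` is hypothetical, and the parser is a simplification that assumes one record per line with no $INCLUDE expansion.

```python
import re

# Constructed sample RPZ zone. The two rules marked (advisory) are the ones
# quoted in the advisory; every other record is made up for illustration.
SAMPLE_ZONE = """\
$TTL 300
@   IN SOA localhost. admin.localhost. ( 1 3600 600 86400 300 )
    IN NS  localhost.
*.malicious-domain.com   CNAME walled-garden.isp.net  ; rewrite (advisory)
*.malicious-domain.com   CNAME .                      ; NXDOMAIN (advisory)
blocked.example.org  300 IN DNAME sinkhole.example.net.
                     IN CNAME portal.example.net.
"""

TTL_RE = re.compile(r"(\d+[smhdw]?)+", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}

def audit_rpz_zone(text):
    """Return (line_no, owner, rtype, target) for records to remove before patching."""
    findings, owner = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if not tokens or tokens[0].startswith("$"):
            continue                               # blank line or $TTL/$ORIGIN
        inherits = raw[0].isspace()                # leading blank reuses last owner
        if not inherits:
            owner = tokens[0]
        fields = tokens if inherits else tokens[1:]
        # Skip the optional TTL and class in front of the record type.
        while fields and (TTL_RE.fullmatch(fields[0]) or fields[0].upper() in CLASSES):
            fields = fields[1:]
        if len(fields) < 2:
            continue
        rtype, target = fields[0].upper(), fields[1]
        # The advisory names only "CNAME ." (NXDOMAIN) as unaffected, so every
        # other CNAME target is reported for review, along with any DNAME.
        if rtype == "DNAME" or (rtype == "CNAME" and target != "."):
            findings.append((line_no, owner, rtype, target))
    return findings

if __name__ == "__main__":
    for line_no, owner, rtype, target in audit_rpz_zone(SAMPLE_ZONE):
        print(f"line {line_no}: {owner} {rtype} {target}")
```
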
- Solution:
- Upgrade to: 9.8.0-P4. (Note that 9.8.0-P3 is not affected but has been replaced by 9.8.0-P4 due to CVE-2011-2464)
- Download this version from the following location:
- ADD NEW 9.8.0-P4 tarball location here
- * ISC releases of BIND 9 software may be downloaded from http://www.isc.org/software/bind
- * If you do not obtain your BIND software directly from ISC, contact your operating system or software vendor for an update.
- * If you are participating in ISC's Beta or release candidate (RC) program, please upgrade. ISC Beta/RC testers are expected to remove vulnerable versions and upgrade. No security advisories are issued for beta / release candidates once the corresponding final release is made.
- Exploit Status: ISC received reports of this software flaw and verified the report's accuracy.
- Acknowledgement: ISC thanks Bryce Moore from TELUS Security Labs for finding and reporting this issue.
- Document Revision History
- * 1.0 14 June 2011 - Phase One Disclosure Date
- * 1.1 20 June 2011 - Phase Two Disclosure Date with updates.
- * 1.2 21 June 2011 - Updates on beta, RC, and clarity editing
- * 1.3 24 June 2011 - Added document URL
- * 1.4 28 June 2011 - Updated Solution and description (revised to recommend 9.8.0-P4 per CVE-2011-2464)
- References:
- * Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.
- * Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings is available at:
- http://www.isc.org/community/blog/201102/BIND-support
- * ISC Security Vulnerability Disclosure Policy. Details of our current security advisory policy and practice can be found here:
- https://www.isc.org/security-vulnerability-disclosure-policy
- Legal Disclaimer:
- Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
- A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
- - -----BEGIN PGP SIGNATURE-----
- Version: 10.1.0.860
- - -----END PGP SIGNATURE-----
- - --------------------------END INCLUDED TEXT--------------------
- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.
- NOTE: Third Party Rights
- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.
- NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.
- Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
- Previous advisories and external security bulletins can be retrieved from:
- http://www.auscert.org.au/render.html?cid=1980
- ===========================================================================
- Australian Computer Emergency Response Team
- The University of Queensland
- Brisbane Qld 4072
- Internet Email: auscert@auscert.org.au
- Facsimile: (07) 3365 7031
- Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
- AusCERT personnel answer during Queensland business hours
- which are GMT+10:00 (AEST).
- On call after hours for member emergencies only.
- ===========================================================================
- -----BEGIN PGP SIGNATURE-----
- Comment: http://www.auscert.org.au/render.html?it=1967
- -----END PGP SIGNATURE-----