ESB-2011.0693 - [Win][UNIX/Linux] BIND 9: Denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2011.0693
A number of vulnerabilities have been identified in BIND
5 July 2011

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           BIND 9
Publisher:         ISC
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-2465 CVE-2011-2464

Comment: This bulletin contains two (2) ISC security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title: ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers

Summary: A specially constructed packet will cause BIND 9 ("named") to exit, affecting DNS service.

Document ID: CVE-2011-2464

Document Version: 1.7 "Interim"

Document URL: http://www.isc.org/security (to be published July 6)

Posting Date: 28 June, 2011

Program Impacted: BIND 9

Versions Affected:

9.6 versions: 9.6.3, 9.6-ESV-R4, 9.6-ESV-R4-P1, 9.6-ESV-R5b1
9.7 versions: 9.7.0, 9.7.0-P1, 9.7.0-P2, 9.7.1, 9.7.1-P1, 9.7.1-P2, 9.7.2, 9.7.2-P1, 9.7.2-P2, 9.7.2-P3, 9.7.3, 9.7.3-P1, 9.7.3-P2, 9.7.4b1
9.8 versions: 9.8.0, 9.8.0-P1, 9.8.0-P2, 9.8.0-P3, 9.8.1b1

In addition, 9.5.3b1 and 9.5.3rc1 are affected although ISC has not released a final production version of 9.5.3. Note that BIND 9.5 is End-of-Life, therefore if you are running a pre-release version of 9.5.3 we recommend upgrading to a supported production version of BIND.

9.6-ESV-R4-P2 is not affected by any known attack vectors, but has been replaced by 9.6-ESV-R4-P3 which carries a more complete fix.
Other versions of BIND 9 not listed here are not vulnerable to this problem.

Severity: Severe

Exploitable: Remotely

Description:

A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.

A remote attacker would need to be able to send a specially crafted packet directly to a server running a vulnerable version of BIND. There is also the potential for an indirect attack via malware that is inadvertently installed and run, where infected machines have direct access to an organization's nameservers.

CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Workarounds:

There are no known workarounds for publicly available servers.
Administrators of servers that are not publicly available may be able to limit exposure via firewalls and packet filters.

Solution:

Upgrade to: 9.6-ESV-R4-P3, 9.7.3-P3 or 9.8.0-P4.

Download these versions from the following locations:

* ISC releases of BIND 9 software may be downloaded from http://www.isc.org/software/bind
* If you do not obtain your BIND software directly from ISC, contact your operating system or software vendor for an update.
* If you are participating in ISC's beta or release candidate (RC) programs, please upgrade. ISC Beta/RC testers are expected to remove vulnerable versions and upgrade. No security advisories are issued for beta / release candidates once the corresponding final release is made.

Exploit Status: ISC knows of no public tools to exploit this defect at the time of this advisory.

Acknowledgement: ISC thanks Roy Arends from Nominet for pin-pointing the exact nature of the vulnerability. We also thank Ramesh Damodaran of Infoblox for finding a variation of the attack vector and Mats Dufberg of TeliaSonera Sweden for confirming additional variants.

Document Revision History

* 1.0 14 June 2011 - Phase One Disclosure Date
* 1.1 20 June 2011 - Phase Two Disclosure Date with updates.
* 1.2 21 June 2011 - Updates on beta, RC, and clarity editing
* 1.3 21 June 2011 - Sent Hold Notices to Phase I constituents, added Ramesh to Acknowledgments
* 1.4 23 June 2011 - Updated -P versions to include Advanced Security Patches released to Phase I, and "Upgrade to:" versions
* 1.5 24 June 2011 - Added Document URL, sent schedule Update to Phase I constituents.
* 1.6 28 June 2011 - Updated Versions Affected, added Mats to Acknowledgments, sent Phase I updates.
* 1.7 30 June 2011 - Updated attribution text.

References:

* Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.

* Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings are available at:
http://www.isc.org/community/blog/201102/BIND-support

* ISC Security Vulnerability Disclosure Policy. Details of our current security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

- -----BEGIN PGP SIGNATURE-----
Version: 10.1.0.860

wsBVAwUBThHZpL2X3GOe6MR7AQoeIAf9FtFIRySFFPlFFYz0TGw9YLq4FdpKPV2p
QrMuA0bcAHLhCa3qdMNDdgycMN4IiRWs4+DKGuVDM4/9e0JixWhoOpT0W+6jlIJQ
UZqmE0ajeFffY6+LPiYP30bPMTjuieOT33TW6WqvtCpCRPKuhzHp8Agicop0dMH1
jHLfJq2PTkOEm9MY60Z/bl82HCqnCCy+jILxObZo52GF++DGEfZ8wbt4807uUAz6
scJF30jfzn/JEdMvEGAnF8F9J5BIvLR7O6vWYwHoT+q/rBE+Eo1vadCKz/Mo1Kw5
kESRrMST8hP0O5IrdFlkaKrw2RTJTTghF8bh4KkLmd6z6XrLq9zQ2A==
=h8Nu
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title: ISC BIND 9 Remote Crash with Certain RPZ Configurations

Summary: Two defects were discovered in ISC's BIND 9 code. These defects only affect BIND 9 servers which have recursion enabled and which use a specific feature of the software known as Response Policy Zones (RPZ) and where the RPZ zone contains a specific rule/action pattern.

RPZ is a technology developed by ISC which provides DNS recursive resolver operators with a simple way to block certain queries which they wish to or legally must prevent, or to redirect them to an alternate location. RPZ allows a great deal of flexibility and fine-grained selection of resolver policy. For more information, please see https://www.isc.org/software/rpz.

Document ID: CVE-2011-2465

Document Version: 1.4

Document URL: http://www.isc.org/security (not publicly published)

Posting date: 28 June, 2011

Program Impacted: BIND 9

Versions affected: 9.8.0, 9.8.0-P1, 9.8.0-P2 and 9.8.1b1

Other versions of BIND 9 not listed here are not vulnerable to this problem.

Severity: Severe

Exploitable: Remotely

Description:

A defect in the affected versions of BIND could cause the "named" process to exit when queried, if the server has recursion enabled and was configured with an RPZ zone containing certain types of records. Specifically, these are any DNAME record and certain kinds of CNAME records.

The patch release of BIND 9.8.0-P4 alters the behavior of RPZ zones by ignoring any DNAME records in an RPZ zone, and correctly returning CNAME records from RPZ zones.

Note that DNAME has no defined effect on the RPZ engine and its presence in an RPZ zone is ignored. The definitive list of meaningful patterns in an RPZ zone is given in the BIND 9 Administrative Reference Manual and also in ISC Technical Note 2010-1.

CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Workarounds:

Do not put certain CNAME or any DNAME records into an RPZ zone file until your software can be patched. If you subscribe to a service which supplies your RPZ zone data, ensure that it does not contain any DNAME or certain CNAME records. The CNAME records which must not be used are those which signal the RPZ engine to rewrite query names. CNAME records which signal the RPZ engine to forge an NXDOMAIN response are not affected by this defect.

An example of an RPZ rule which causes a query name to be rewritten is:

*.malicious-domain.com CNAME walled-garden.isp.net

An example of an RPZ rule which causes an NXDOMAIN response to be returned is:

*.malicious-domain.com CNAME .

Please refer to the BIND 9 Administrative Reference Manual or to ISC Technical Note 2010-1 for more information about the Response Policy Zone (RPZ) feature which was added to BIND 9 in Version 9.8.0.
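The workaround above is a rule about zone content: until named is upgraded, the RPZ zone must contain no DNAME records and no CNAME records that rewrite the query name, while the `CNAME .` form that forges NXDOMAIN is fine. The following Python script is an added example written for this bulletin, not ISC's code, that audits an RPZ zone file against exactly that rule. The sample zone it scans is constructed; the zone-file parser is a minimal one (owner, optional TTL and class, type, `$ORIGIN`, parenthesised continuations, `;` comments); and it deliberately treats every CNAME target other than `.` as a rewrite, which is conservative given that the advisory refers to the ARM and ISC Technical Note 2010-1 for the definitive list of patterns, so a `rewrite` finding means "review this record", not "the server will crash".

```python
"""Audit an RPZ zone for the records the CVE-2011-2465 workaround says to
keep out of the zone: any DNAME, and any CNAME whose target is not ".".

Added example for this bulletin, not ISC code. The zone-file parser is
minimal: owner / optional TTL / optional class / type / rdata, $ORIGIN,
( ... ) continuation lines and ";" comments, which covers typical RPZ zones.
"""
import re
from dataclasses import dataclass

RR_CLASSES = {"IN", "CH", "HS", "ANY"}
_TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)


@dataclass
class Finding:
    line: int      # line where the logical record starts
    owner: str     # fully qualified owner name (the RPZ trigger)
    rtype: str     # CNAME or DNAME
    target: str    # rdata target, qualified against $ORIGIN ("." stays ".")
    action: str    # "nxdomain" (not affected), "rewrite" or "dname" (remove until patched)


def _qualify(name, origin):
    """Make a zone-file name absolute against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def _logical_records(text):
    """Yield (lineno, owner_present, tokens) per record, joining ( ... ) spans.
    Assumes ';' never appears inside quoted rdata (true for RPZ policy records)."""
    pending = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if pending is None:
            # An owner name is present only when the line does not start with whitespace.
            pending = {"line": lineno, "owner": not raw[0].isspace(), "toks": [], "depth": 0}
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                pending["depth"] += 1
            elif tok == ")":
                pending["depth"] -= 1
            else:
                pending["toks"].append(tok)
        if pending["depth"] <= 0:
            yield pending["line"], pending["owner"], pending["toks"]
            pending = None


def scan_rpz_zone(text, origin="."):
    """Classify every CNAME and DNAME in the zone by the RPZ action it selects."""
    findings, last_owner = [], None
    for lineno, owner_present, toks in _logical_records(text):
        if not toks:
            continue
        if toks[0].startswith("$"):
            if toks[0].upper() == "$ORIGIN" and len(toks) > 1:
                origin = toks[1]
            continue                       # $TTL / $INCLUDE carry no policy
        if owner_present:
            last_owner, toks = _qualify(toks[0], origin), toks[1:]
        while toks and (_TTL_RE.match(toks[0]) or toks[0].upper() in RR_CLASSES):
            toks = toks[1:]                # optional TTL and class, in either order
        if not toks:
            continue
        rtype = toks[0].upper()
        if rtype not in ("CNAME", "DNAME"):
            continue                       # SOA, NS, A, ... are not part of the defect
        target = toks[1] if len(toks) > 1 else ""
        if rtype == "DNAME":
            action = "dname"               # no defined RPZ effect; affected
        elif target == ".":
            action = "nxdomain"            # forges NXDOMAIN; not affected
        else:
            action = "rewrite"             # walled-garden style rewrite; affected
        if target not in (".", ""):
            target = _qualify(target, origin)
        findings.append(Finding(lineno, last_owner, rtype, target, action))
    return findings


def unsafe_records(text, origin="."):
    """Records the advisory says to remove from the zone until named is patched."""
    return [f for f in scan_rpz_zone(text, origin) if f.action != "nxdomain"]


# Constructed sample zone; the two owner/target names from the advisory plus
# reserved .test names. Not taken from any real deployment.
SAMPLE_ZONE = """\
$TTL 1h
$ORIGIN rpz.example.net.
@                          IN SOA ns.example.net. hostmaster.example.net. (
                           2011062801 3600 900 604800 60 )
                           IN NS ns.example.net.
; NXDOMAIN action: the advisory says this form is not affected
*.malicious-domain.com     CNAME .
; rewrite action: must be removed until the server is patched
*.phishing-example.test    CNAME walled-garden.isp.net.
; DNAME: no defined RPZ effect, but present in the zone
bad-tree.example.test      DNAME sinkhole.isp.net.
"""

if __name__ == "__main__":
    for f in scan_rpz_zone(SAMPLE_ZONE):
        verdict = "ok" if f.action == "nxdomain" else "REMOVE until patched"
        print(f"line {f.line:>3}  {f.rtype:<5} {f.owner} -> {f.target or '(none)'}  [{f.action}] {verdict}")
```

Run it against a real zone with `scan_rpz_zone(open(path).read(), origin="your.rpz.zone.")`; the `origin` argument only matters for zones that omit `$ORIGIN`. The parser ignores everything that is not a CNAME or DNAME, so SOA, NS and any other data in the zone never produce a finding.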

Solution:

Upgrade to: 9.8.0-P4. (Note that 9.8.0-P3 is not affected but has been replaced by 9.8.0-P4 due to CVE-2011-2464)

Download this version from the following location:

ADD NEW 9.8.0-P4 tarball location here

* ISC releases of BIND 9 software may be downloaded from http://www.isc.org/software/bind

* If you do not obtain your BIND software directly from ISC, contact your operating system or software vendor for an update.

* If you are participating in ISC's Beta or release candidate (RC) program, please upgrade. ISC Beta/RC testers are expected to remove vulnerable versions and upgrade. No security advisories are issued for beta / release candidates once the corresponding final release is made.

Exploit Status: ISC received reports of this software flaw and verified the report's accuracy.

Acknowledgement: ISC thanks Bryce Moore from TELUS Security Labs for finding and reporting this issue.

Document Revision History

1.0 14 June 2011 - Phase One Disclosure Date
1.1 20 June 2011 - Phase Two Disclosure Date with updates.
1.2 21 June 2011 - Updates on beta, RC, and clarity editing
1.3 24 June 2011 - Added document URL
1.4 28 June 2011 - Updated Solution and description (revised to recommend 9.8.0-P4 per CVE-2011-2464)

References:

* Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.

* Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings are available at:
http://www.isc.org/community/blog/201102/BIND-support

* ISC Security Vulnerability Disclosure Policy. Details of our current security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

- -----BEGIN PGP SIGNATURE-----
Version: 10.1.0.860

wsBVAwUBThHa772X3GOe6MR7AQpBWgf/a/EwyTr3E9ZcKhimAA2mr/OOBzXfYxjg
ZIAZ2gW8Ji4oDBfd77eqriAtFReavytR3FQsdeEi2Cypb/4ncpwQtwZ3yvQxKA6w
4IrzkmRKumvuZzplUa+cOIGi+PD60+XS92wQHWmA/U2tQ1AO6GhF6GXTWfALPyEK
3GBkScqfPO6iSRTLNiny6WRAsLZtn5bfcc8wH2ej2wa7wA9B8tcvSxuAvFxapATq
VItptDoPTpz2IMjzc0qaRdnEkJqVuBfUdrCn1eEbc5W4nt99bQhU0A245hkVlrbW
zPmcc8kc/j0ykofVd5OFXB/BCheS8np9/j2BfPxWzUxS4eAO6DcU9g==
=xKWg
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBThJi9e4yVqjM2NGpAQJAMQ/+L9+STkibTra1nKPvVcW5bElX7dqCplyL
4jYU/62XnGjgwWzRRMj++HgItNRYWAs+xytIQ8BolWgZK93vT8cr5/xWhE9PYTXe
pyl4thgiJqiDLKdkHgjqIUVcLe3AlqPT168Bo6O85ZXkKOiRNhptMDJ4jkG98cJs
3rZi5FfjZAJVFPwexlERsc7E9wiBFZK7HOFD+vja667gf75gB3jQseMe1Y/AhfMS
ekTt72gEabY1qEVkRU6P9x6ThSPKMfWWt9rTmhe+GCnlMO5rU7U0Kj5oJKq2TCcV
LLg9iB2YCJzLf/KBoHh47/vwtLob1auHZuWT7L+6LzFKOl9oYPW6xCbNDVU3X1o0
PRLBnKr0gGi8iuv8qFaajE4QRWc2eeR3fv4wQBOhGUlKgtRBVGUwPQaqpJnaPUaC
NMuLFgG6SgoQEwAS20u3eNKhXRycIvVrWUiszuhGwDhzNUMa1Uty+C3hmO309e1Y
6drruJC7TIIRV4TaU6mNW/yZZ4K45MCWXFimUikCfqieKHK0hyP2ts1CfOdTB96l
FoJecfFxc32rQzyIDZUiRx0HYyEolK1dvukuqf+othiYDCgJ7yJ5xRmDo0Xdey1E
pLXILUmm/1/S8CmoH9X7C5O8EqtReuoakiBX/Lw3X1lEuN23oAVRjgsr7+qzqPV7
QWwdoU6cO6I=
=GGXR
-----END PGP SIGNATURE-----