Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2011-001: BIND DoS due to improper handling of RRSIG records
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2011-001
=================================
Topic: BIND DoS due to improper handling of RRSIG records
Version: NetBSD-current: affected prior to 20101203
NetBSD 5.1: affected prior to 20110111
NetBSD 5.0: affected prior to 20110111
NetBSD 4.0.*: affected prior to 20110124
NetBSD 4.0: affected prior to 20110124
pkgsrc: net/bind97 package prior to 20101203
Severity: Denial of Service
Fixed: NetBSD-current: Dec 2nd, 2010
NetBSD-5-1 branch: Jan 10th, 2011
NetBSD-5-0 branch: Jan 10th, 2011
NetBSD-5 branch: Jan 6th, 2011
NetBSD-4-0 branch: Jan 23rd, 2011
NetBSD-4 branch: Jan 23rd, 2011
pkgsrc net/bind97: bind-9.7.2pl3 corrects this issue
pkgsrc net/bind96: bind-9.6.2pl3 corrects this issue
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
Failure to clear existing RRSIG records when a NO DATA is negatively
cached could cause subsequent lookups to crash named.
This vulnerability has been assigned CVE-2010-3613 and CERT
Vulnerability Note VU#706148.
Technical Details
=================
Adding certain types of signed negative responses to the cache
doesn't clear any matching RRSIG records already in the cache. A
subsequent lookup of the cached data can cause named to crash
(INSIST).
This vulnerability affects recursive nameservers irrespective of
whether DNSSEC validation is enabled or disabled. Exploitation
requires a DNS client authorized to use the nameserver for recursion
requesting information about a specially prepared zone not on the
same nameserver.
Solutions and Workarounds
=========================
We suggest fixing this vulnerability by using the current net/bind97
pkgsrc package instead of the in-system bind until the entire system
can be updated (eg to the next security/critical release, or a binary
snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past the
fix date).
Thanks To
=========
Thanks to the Internet Systems Consortium for reporting this
vulnerability. Thanks to Christos Zoulas for fixing this issue in
- -current. Thanks to Petra Zeidler for preparing the pullups to
fix this issue on the branches.
Revision History
================
2011-02-01 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-001.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2011-001.txt,v 1.1 2011/02/01 22:03:34 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
iQIcBAEBAgAGBQJNSIjqAAoJEAZJc6xMSnBu3GQQAIiJ4rrAGtIuuJNdLJJMC0LB
3JhOG8c2+926KGQm+hZ90WDaKe8GxMie5GvXFHtX0ChvGtuVBQj18OAtwHjw1Dfh
j4erCmZF4KBNiK1IqUeQ1UM3DV3pT0zt/+uY/XzrCy/ppNK4tmY5+levWr/eMLpH
+utiNjvxU3/7cmChreypDbO8wkOABypCbELJBpJY1EgBFG+IZdlKVTKDWq0GRAnh
x+QQbJVpVAmzp5jwr99jJe66syqqE8za/giaFjwfeI6pSMNTsd9BjyOfu4KdlNQr
d4zvjeR/euFynwX4zq+pa6avgBxO+isJJPW/sDMfUN3+W9OctIm5/ghLzerxflo2
W+WdhtaoloBA5dmW/dI6HePZ8ht/Zb7p911BjxBDwKiTJ/Ae9uOjuuox89k8rvo6
wjJ/G9mlRAyAMhJyyEzhx0oaINVPH0rANYsGe5C+3DTB4mGiIsdwemNXC5MEd8gy
+Hj9d3GNB5wQlzEm6wxxnSsqcHJlJlr1wiDnxbQzvLi8e73FWjPvlD7vsHeiSxcT
wWOmu4HOoI4n0E3JE0JBUJJtHsn2RcNbvkj1Jk8txR7c0eL8TdI6MxRlmVzYaMi3
vpsIPxrzBdfZz9SernAbKPOBOzcoVKrMgo5Za+0Q4bOqw/rCrHzb3/MMtkDFN6Jp
JjIAmNPGq2EhJkk3gRmq
=WX9T
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index