NetBSD Security Advisory 2009-013: BIND named dynamic update Denial of Service vulnerability

[NetBSD Security Officer <security-officer%NetBSD.org@localhost>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2009-013
                 =================================

Topic:          BIND named dynamic update Denial of Service vulnerability

Version:        NetBSD-current:         affected prior to 2009-07-29
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 bind package prior to 9.5.1pl3 and 
9.6.1pl1

Severity:       Denial of Service

Fixed:          NetBSD-current:         July 28, 2009 21:13 UTC
                NetBSD-5-0 branch:      July 28, 2009 22:26 UTC
                NetBSD-5 branch:        July 28, 2009 22:26 UTC
                NetBSD-4-0 branch:      July 28, 2009 22:19 UTC
                NetBSD-4 branch:        July 28, 2009 22:19 UTC
                pkgsrc 2009Q2:          bind-9.5.1pl3 and bind-9.6.1pl1 
corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An assertion failure in the Berkeley Internet Name Domain server
software shipped in NetBSD can be used by a remote attacker to
cause the server process to crash by sending specially crafted
dynamic update messages.

This vulnerability has been assigned CVE-2009-0696 and CERT
Vulnerability Note VU#725188.


Technical Details
=================

An error handling dynamic DNS update packets with the record data
type being set to "ANY" will cause an assertion in the
dns_db_findrdataset() function to trigger, causing the name server
to exit. This requires at least one of the record set entries
specified in the update to exist on the local server.

The assertion triggered will typically cause the following message:

  db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
  exiting (due to assertion failure). 

Note that this assertion will be triggered even if dynamic DNS
updates are disabled.


Solutions and Workarounds
=========================

In order to avoid this vulnerability, either filter incoming dynamic
DNS update requests using a firewall or upgrade your bind software
to a non-vulnerable version.

The following instructions describe how to upgrade your bind binaries
by updating your source tree and rebuilding and installing a new
version of bind.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-07-28
        21:13 UTC should be upgraded to NetBSD-current dated
        2009-07-28 21:13 UTC or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                external/bsd/bind/dist

        To update from CVS, re-build, and re-install bind:
                # cd src
                # cvs update -d -P external/bsd/bind/dist
                # cd external/bsd/bind/bin/named
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 5.*:

        Systems running NetBSD 5.* sources dated from before
        2009-07-28 22:26 UTC should be upgraded from NetBSD 5.*
        sources dated 2009-07-28 22:26 UTC or later.

        The following files/directories need to be updated from the
        netbsd-5 or netbsd-5-0 branches:
                dist/bind/bin/named/update.c

        To update from CVS, re-build, and re-install bind:

                # cd src
                # cvs update -r <branch_name> -d -P dist/bind/bin/named/update.c
                # cd usr.sbin/bind/named
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2009-07-28 22:19 UTC should be upgraded from NetBSD 4.* sources
        dated 2009-07-28 22:19 UTC or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                dist/bind/bin/named/update.c

        To update from CVS, re-build, and re-install bind:

                # cd src
                # cvs update -r <branch_name> -d -P dist/bind/bin/named/update.c
                # cd usr.sbin/bind/named
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Matthias Urlichs for finding and reporting this bug and Christos Zoulas
for fixing it in NetBSD.


Revision History
================

        2009-07-29      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-013.txt,v 1.1 2009/07/29 06:54:37 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKb/JnAAoJEAZJc6xMSnBu9+UP+gJmgL1T1NkLAkecNDH/i5ST
sHSY3ifMoEDaMnEIYe+h/LtdiQx6BFOhUbtVuT8trInjjvSmwfw0j/gF7WnHoKxO
9BgR4Z0BoTL2N+g5+opZHnn/m3JI7Q3X7oVw3YSAVT3OzAhSANT8bijhs/XlvCIu
A1B6gjxfRb1A5oiD94qlBT072WLakDj9C42kTqyt1H5Bf5zLbD7V6E9HZVW6kRI4
YiYDTTXgOrHpRxKprFYszn7r0bb8JeJeDnMq7M/u2ZcnNGjz3VB9PXU7Qbotytc2
Or2bDpGanpnn0/9ARS+GAEfmVR7v8bG7Q32IUyV+o1RbGcdH4Z66d9nnopjrC6Fp
OfAzQHR00QOgMibuvuvV1bzIgsDoJ7lZ97ptFHEZM+nMx4j6p/exCowZIlLv1OGD
myREoE2tHxstvQpXBd7mszcYBdr+9BzE6tRSY/TtzFHj4uMzt2/nOo8iCq7ac6U1
XXLzTmAMG7+sRHgEpv9TAn2of0azUXkwGYhNX8ibJyQXdalVowpCti99+bzJjUSF
OTPOT0CGrAU0URnYZfsF+03Uj0REccmRqR5WZBpegmSBy8AoUtG0BjREABDifB3m
PDi12xUawr8xdbNHTTTfiKzyAXbmfcg4NrTqw3o1OvtIVueNu6+56apMZyk7oUAY
OZwSsME+s8EkcORvH8ks
=05bL
-----END PGP SIGNATURE-----