tech-security archive


NetBSD Security Advisory 2011-009: BIND resolver DoS



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                NetBSD Security Advisory 2011-009
                =================================

Topic:          BIND resolver DoS


Version:        NetBSD-current:         affected prior to 20111116
                NetBSD 5.1:             affected prior to 20111118
                NetBSD 5.0:             affected prior to 20111118
                NetBSD 4.0.*:           affected prior to 20111120
                NetBSD 4.0:             affected prior to 20111120
                pkgsrc:                 net/bind96, net/bind97 and net/bind98
                                        packages prior to 20111116


Severity:       Denial of Service


Fixed:          NetBSD-current:         Nov 16th, 2011
                NetBSD-5-1 branch:      Nov 18th, 2011
                NetBSD-5-0 branch:      Nov 18th, 2011
                NetBSD-5 branch:        Nov 18th, 2011
                NetBSD-4-0 branch:      Nov 20th, 2011
                NetBSD-4 branch:        Nov 20th, 2011
                pkgsrc net/bind96:      bind-9.6.3.1.ESV.5pl1 mitigates this issue
                pkgsrc net/bind97:      bind-9.7.4pl1 mitigates this issue
                pkgsrc net/bind98:      bind-9.8.1pl1 mitigates this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Resolvers crash after logging:
        "INSIST(! dns_rdataset_isassociated(sigrdataset))"

This vulnerability has been assigned CVE-2011-4313.
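
The following added example (not part of the NetBSD advisory or of ISC's code) scans syslog output for the assertion message quoted above and reports which hosts hit it. The syslog line layout, the "assertion failure" exit message, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assertion text quoted in the advisory; whitespace is matched loosely.
INSIST_RE = re.compile(
    r"INSIST\(\s*!\s*dns_rdataset_isassociated\(\s*sigrdataset\s*\)\s*\)")
# Assumed BSD syslog layout: "Mon DD HH:MM:SS host named[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"named\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = """\
Nov 16 10:02:10 ns1 named[411]: client 192.0.2.7#5353: query: example.org IN A
Nov 16 10:02:11 ns1 named[411]: query.c:1781: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 10:02:11 ns1 named[411]: exiting (due to assertion failure)
Nov 16 10:05:40 ns2 named[977]: INSIST(!dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 10:06:02 ns1 named[5120]: running
Nov 16 10:07:30 ns3 sshd[88]: INSIST(! dns_rdataset_isassociated(sigrdataset))
"""

def find_insist_crashes(lines):
    """Return {host: [(timestamp, pid, exited)]} for matching named log lines."""
    hits = defaultdict(list)
    pending = {}  # (host, pid) -> index into hits[host] awaiting an exit line
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a named[...] syslog line (e.g. the sshd entry)
        key = (m["host"], m["pid"])
        if INSIST_RE.search(m["msg"]):
            hits[m["host"]].append((m["ts"], int(m["pid"]), False))
            pending[key] = len(hits[m["host"]]) - 1
        elif key in pending and "assertion failure" in m["msg"]:
            # Same named process logged its exit after the assertion.
            i = pending.pop(key)
            ts, pid, _ = hits[m["host"]][i]
            hits[m["host"]][i] = (ts, pid, True)
    return dict(hits)

if __name__ == "__main__":
    found = find_insist_crashes(SAMPLE_LOG.splitlines())
    for host, events in sorted(found.items()):
        for ts, pid, exited in events:
            state = "process exited" if exited else "no exit line seen"
            print(f"{host} {ts} named[{pid}]: assertion hit, {state}")
```
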


Technical Details
=================

An accidental operational error exposed a previously unknown bug in BIND
that could be exploited intentionally:

Unpatched BIND 9 resolvers may cache an invalid record, subsequent
queries for which could crash the resolvers with an assertion failure.
ISC provided a patch which makes named recover gracefully from the
inconsistency, preventing the abnormal exit.

The patch has two components. When a client query is handled, the code
which processes the response to the client has to ask the cache for
the records for the name that is being queried. The first component
of the patch prevents the cache from returning the inconsistent data.
The second component prevents named from crashing if it detects
that it has been given an inconsistent answer of this nature.


Solutions and Workarounds
=========================

We suggest fixing this vulnerability by using the current net/bind98 or
net/bind97 pkgsrc package instead of the in-system bind until the entire
system can be updated (e.g., to the next security/critical release, or a
binary snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past
the fix date).


Thanks To
=========

Thanks to the Internet Systems Consortium for reporting this
vulnerability and providing fixed versions.


Revision History
================

        2011-12-15      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-009.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
-----END PGP SIGNATURE-----

