Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2011-001: BIND DoS due to improper handling of RRSIG records

Hash: SHA1

                 NetBSD Security Advisory 2011-001

Topic:          BIND DoS due to improper handling of RRSIG records

Version:        NetBSD-current:         affected prior to 20101203
                NetBSD 5.1:             affected prior to 20110111
                NetBSD 5.0:             affected prior to 20110111
                NetBSD 4.0.*:           affected prior to 20110124
                NetBSD 4.0:             affected prior to 20110124
                pkgsrc:                 net/bind97 package prior to 20101203

Severity:       Denial of Service

Fixed:          NetBSD-current:         Dec 2nd, 2010
                NetBSD-5-1 branch:      Jan 10th, 2011
                NetBSD-5-0 branch:      Jan 10th, 2011
                NetBSD-5 branch:        Jan 6th, 2011
                NetBSD-4-0 branch:      Jan 23rd, 2011
                NetBSD-4 branch:        Jan 23rd, 2011
                pkgsrc net/bind97:      bind-9.7.2pl3 corrects this issue
                pkgsrc net/bind96:      bind-9.6.2pl3 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Failure to clear existing RRSIG records when a NO DATA is negatively
cached could cause subsequent lookups to crash named.

This vulnerability has been assigned CVE-2010-3613 and CERT
Vulnerability Note VU#706148.

Technical Details

Adding certain types of signed negative responses to the cache
doesn't clear any matching RRSIG records already in the cache.  A
subsequent lookup of the cached data can cause named to crash

This vulnerability affects recursive nameservers irrespective of
whether DNSSEC validation is enabled or disabled.  Exploitation
requires a DNS client authorized to use the nameserver for recursion
requesting information about a specially prepared zone not on the
same nameserver.

Solutions and Workarounds

We suggest fixing this vulnerability by using the current net/bind97
pkgsrc package instead of the in-system bind until the entire system
can be updated (eg to the next security/critical release, or a binary
snapshot from from past the
fix date).

Thanks To

Thanks to the Internet Systems Consortium for reporting this
vulnerability.  Thanks to Christos Zoulas for fixing this issue in
- -current.  Thanks to Petra Zeidler for preparing the pullups to
fix this issue on the branches.

Revision History

        2011-02-01      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-001.txt,v 1.1 2011/02/01 22:03:34 tonnerre Exp $

Version: GnuPG v1.4.11 (NetBSD)


Home | Main Index | Thread Index | Old Index