bind-announce May 2011 archive
Main Archive Page > Month Archives  > bind-announce archives
bind-announce: BIND Security Advisory May 2011: Large RRSIG RRse

BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

From: Larissa Shapiro <larissas_at_nospam>
Date: Fri May 27 2011 - 05:35:44 GMT
To: bind-announce@lists.isc.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*Summary:* A BIND 9 DNS server set up to be a caching resolver is
vulnerable to a user querying a domain with very large resource record
sets (RRSets) when trying to negatively cache a response. This can
cause the BIND 9 DNS server (named process) to crash.

*Document ID:* CVE-2011-1910

*Document Status:* Draft

*Posting date:* 26 May 2011

*Program Impacted:* BIND

*Versions affected:* 9.4-ESV-R3 and later, 9.6-ESV-R2 and later,
9.6.3, 9.7.1 and later, 9.8.0 and later

*Severity:* High

*Exploitable:* Remotely

*CVSS Score:* Base 7.8

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

*Description:*

DNS systems use negative caching to improve DNS response time. This
will keep a DNS resolver from repeatedly looking up domains that do
not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into
the negative cache.

The authority data will be cached along with the negative cache
information. These authoritative ?Start of Authority? (SOA) and
NSEC/NSEC3 records prove the nonexistence of the requested name/type.
In DNSSEC, all of these records are signed; this adds one additional
RRSIG record, per DNSSEC key, for each record returned in the
authority section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative
cache can trigger an assertion failure that will crash named (BIND 9
DNS) due to an off-by-one error in a buffer size check.

The nature of this vulnerability would allow remote exploit. An
attacker can set up an DNSSEC signed authoritative DNS server with a
large RRSIG RRsets to act as the trigger. The attacker would then find
ways to query an organization?s caching resolvers, using the negative
caches and the ?trigger? the vulnerability. The attacker would require
access to an organization?s caching resolvers. Access to the resolvers
can be direct (open resolvers), through malware (using a BOTNET to
query negative caches), or through driving DNS resolution (a SPAM run
that has a domain in the E-mail that will cause the client to do look
up a negative cache).

*Workarounds:* Restricting access to the DNS caching resolver
infrastructure will provide partial mitigation. Active exploitation
can be accomplished through malware or SPAM/Malvertizing actions that
will force authorized clients to look up domains that would trigger
this vulnerability.

*Solution:*

Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2
ftp://ftp.isc.org/isc/bind9/9.8.0-P2
ftp://ftp.isc.org/isc/bind9/9.7.3-P1
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R4-P1
BIND 9.4 is less vulnerable than other versions, and a patched version
will be available on May 27th at ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4-P1

*Exploit Status:* High. This issue has caused un-intentional outages.

US CERT is tracking this issue with INC000000152411.

*Credits:*

Thanks to Frank Kloeker and Michael Sinatra for getting the details to
this issue to the DNS Operations community and to Michael Sinatra,
Team Cmyru, and other community members for testing.

Questions regarding this advisory shoud go to security-officer@isc.org
<mailto:security-officer@isc.org>. Questions on ISC's Support services
or other offerings should be
sent to info@isc.org <mailto:dhcp-bugs@isc.org> More information on
ISC's support and other offerings are available
at:http://www.isc.org/community/blog/201102/BIND-support

- --
Larissa Shapiro
Internet Systems Consortium Product Manager
Technology Leadership for the Common Good
+1 650 423 1335
www.isc.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJN3zgwAAoJEBOIp87tasiU0fcH/0iGEEX8oQwHX2D/4gzTTmZv
GIzAphLLBuN2wmnW2B1xRfHxm6N5bxR3doVGEmOQ3hZd5kT6EX7GH+qwxV0yfW9/
PbXWSd2nsh8jgu9XNjxgSYAh/ZXwJCt7YF2GklLZaK6qK13vuQul3eDjlVNvalcs
W7q2+4/TZzXjTwEeke75lJyYXDqogEjZJg4QBvAWPYmUFBw0QheTYs9DESr8Joed
TUyntiVv41XK9Kg60Hw/0EF5z6EnM7mohQiKMpCYMOVHnX46vTZwXZu7iG1vOwMG
rMDzh/MgRKosMggamu+PH5H3lhxiVGvWCYxTFjUFTe3jdLfbcz31RRxM3J1XnXg=
=cO8B
-----END PGP SIGNATURE-----

_______________________________________________
bind-announce mailing list
bind-announce@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce