exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BIND 9 Denial Of Service

BIND 9 Denial Of Service
Posted May 27, 2011
Site isc.org

DNS BIND Security Advisory - A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to crash. Versions affected include 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3, 9.7.1 and later, 9.8.0 and later.

tags | advisory, denial of service
advisories | CVE-2011-1910
SHA-256 | fa50a97638e2f7e6a97d4f93201d255bcf855b0b42fd27b17eea562af70dec7f

BIND 9 Denial Of Service

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


- -----
Posted from: http://www.isc.org/software/bind/advisories/cve-2011-1910
- -----

Title: Large RRSIG RRsets and Negative Caching can crash named.

Summary: A BIND 9 DNS server set up to be a caching resolver is
vulnerable to a user querying a domain with very large resource record
sets (RRSets) when trying to negatively cache a response. This can cause
the BIND 9 DNS server (named process) to crash.

Document ID: CVE-2011-1910

Posting date: 26 May 2011

Program Impacted: BIND

Versions affected: 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3,
9.7.1 and later, 9.8.0 and later

Severity: High

Exploitable: Remotely

CVSS Score: Base 7.8

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Description:

DNS systems use negative caching to improve DNS response time. This will
keep a DNS resolver from repeatedly looking up domains that do not
exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the
negative cache.

The authority data will be cached along with the negative cache
information. These authoritative “Start of Authority” (SOA) and
NSEC/NSEC3 records prove the nonexistence of the requested name/type. In
DNSSEC, all of these records are signed; this adds one additional RRSIG
record, per DNSSEC key, for each record returned in the authority
section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative
cache can trigger an assertion failure that will crash named (BIND 9
DNS) due to an off-by-one error in a buffer size check.

The nature of this vulnerability would allow remote exploit. An attacker
can set up an DNSSEC signed authoritative DNS server with a large RRSIG
RRsets to act as the trigger. The attacker would then find ways to query
an organization’s caching resolvers, using the negative caches and the
“trigger” the vulnerability. The attacker would require access to an
organization’s caching resolvers. Access to the resolvers can be direct
(open resolvers), through malware (using a BOTNET to query negative
caches), or through driving DNS resolution (a SPAM run that has a domain
in the E-mail that will cause the client to do look up a negative cache).

Workarounds: Restricting access to the DNS caching resolver
infrastructure will provide partial mitigation. Active exploitation can
be accomplished through malware or SPAM/Malvertizing actions that will
force authorized clients to look up domains that would trigger this
vulnerability.

Solution:

Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2
ftp://ftp.isc.org/isc/bind9/9.8.0-P2
ftp://ftp.isc.org/isc/bind9/9.7.3-P1
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R4-P1
BIND 9.4 is less vulnerable than other versions, and a patched version
will be available soon at ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4-P1

Exploit Status: High. This issue has caused unintentional outages.

US CERT is tracking this issue with INC000000152411.

Credits:

Thanks to Frank Kloeker and Michael Sinatra for getting the details to
this issue to the DNS Operations community and to Michael Sinatra, Team
Cmyru, and other community members for testing.

Questions regarding this advisory should go to security-officer@isc.org.
Questions on ISC's Support services or other offerings should be sent to
sales@isc.org. More information on ISC's support and other offerings are
available at: http://www.isc.org/community/blog/201102/BIND-support

-----BEGIN PGP SIGNATURE-----
Version: 10.1.0.860

wsBVAwUBTd87bFVuk3AWv0XzAQjaxgf/Skv9OMW5ri012RUeLT92R70LW1wQ5ZBK
YpDdc3XgsfvNKcfW0zlcrCfmt7nFNWBe6SmAuI8tz6hfgcuYgp3OcuEJHt1UKKl3
E30QSuyjd0Pt/HTHlTd2IlNfpgbp3LzH1yL6phfCUi1CzqY0SmtpJuOUSPJbYfvO
V1S+eARLzfflzwEWUxzZM05LqFo4jqMFWhjvNZdk3lRmZ0bcJv92oEeXHwaWDUKC
qSt2RBCQ6zITydgkK0BvnVQ/SsN/DFv7o809zFpJiqdjpwkL55dkqeI79m0zOMYp
b+luCihB12ukliMdkhfA9iPSDNsghTZayOMQVg0sonCOkWbr1IseSg==
=EcbL
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close