search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ISC BIND denial of service vulnerability

Vulnerability Note VU#718460

Original Release Date: 2007-05-03 | Last Revised: 2007-07-03

Overview

A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.

Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC).


BIND version 9.4.0 contains a vulnerability in the way that the query_addsoa() function is called. A remote attacker with the ability to send a specific sequence of queries to a vulnerable system can cause the nameserver to exit. Note that recursion must be enabled on the nameserver for this vulnerability to be exposed.

Impact

A remote attacker may be able to cause the name server daemon to exit prematurely, thereby causing a denial of service for DNS operations.

Solution

Upgrade

Users who compile their own copies of the affected version of BIND (9.4.0) from the original ISC source code are encouraged to upgrade to BIND version 9.4.1 (or later), which includes a patch for this issue.

Workarounds


Disable Recursion
Users, particularly those who are not able to upgrade, are encouraged to disable recursion ('recursion no;' set in named.conf) if it is not required by their configuration.

Vendor Information

718460
 

Internet Software Consortium Affected

Notified:  April 30, 2007 Updated: May 02, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

ISC has published BIND version 9.4.1 to address this vulnerability. Users who compile their own versions of BIND from the original ISC source code are encouraged to upgrade to this version (or later) of the software.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc. Affected

Notified:  May 02, 2007 Updated: May 15, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandriva has published Mandriva Security Advisory MDKSA-2007:100 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD Affected

Notified:  May 02, 2007 Updated: July 03, 2007

Status

Affected

Vendor Statement

No formal NetBSD release included BIND 9.4.0.  However 9.4.0 was in CVS
HEAD sources for a little while before being updated to 9.4.1.  We have
sent out a short note to anyone who might be running with 9.4.0:

http://mail-index.netbsd.org/current-users/2007/07/01/0010.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. Not Affected

Notified:  May 02, 2007 Updated: May 15, 2007

Status

Not Affected

Vendor Statement

Please list Apple as not vulnerable to VU#718460.  We do not currently ship BIND 9.4.0 in our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Not Affected

Notified:  May 02, 2007 Updated: May 09, 2007

Status

Not Affected

Vendor Statement

Our development team has reviewed this information and determined that
there is no impact on NetWare and OES Linux DNS Servers.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Not Affected

Notified:  May 02, 2007 Updated: May 09, 2007

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not affected.  We currently use BIND 9.3.4, not
the affected version 9.4.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Not Affected

Notified:  May 02, 2007 Updated: May 03, 2007

Status

Not Affected

Vendor Statement

The newest version of BIND in any Slackware distribution is 9.3.4, so we
are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Not Affected

Notified:  May 02, 2007 Updated: May 15, 2007

Status

Not Affected

Vendor Statement

This is to inform you that Sun Solaris is not affected by this issue since we
do not ship any of the BIND releases that are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu Not Affected

Notified:  May 02, 2007 Updated: May 03, 2007

Status

Not Affected

Vendor Statement

Ubuntu is unaffected.  None of our releases contain BIND 9.4.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

BlueCat Networks, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Check Point Software Technologies Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation) Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

GNU glibc Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gnu ADNS Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Infoblox Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lucent Technologies Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Men & Mice Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Metasolv Software, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Shadowsupport Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified:  May 02, 2007 Updated: May 02, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 52 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Mark Andrews of the Internet Systems Consortium (ISC) for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2007-2241
Severity Metric: 6.90
Date Public: 2007-05-01
Date First Published: 2007-05-03
Date Last Updated: 2007-07-03 14:13 UTC
Document Revision: 13

Sponsored by CISA.