search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

ISC BIND named negative caching vulnerability

Vulnerability Note VU#795694

Original Release Date: 2011-05-27 | Last Revised: 2011-06-01

Overview

ISC BIND contains a vulnerability in the processing of large RRSIG RRsets included in a negative cache response.

Description

According to ISC:

DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the negative cache.

The authority data will be cached along with the negative cache information. These authoritative “Start of Authority” (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type. In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.

The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup).

Impact

A remote, unauthenticated attacker can cause the named daemon to crash creating a denial of service condition.

Solution

Apply an update

Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC BIND versions 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 and 9.8.0-P2. Users of BIND from the original source distribution should upgrade to this version.

See also http://www.isc.org/software/bind/advisories/cve-2011-1910

According to ISC:
Restricting access to the DNS caching resolver infrastructure will provide partial mitigation. Active exploitation can be accomplished through malware or SPAM/Malvertizing actions that will force authorized clients to look up domains that would trigger this vulnerability.

Vendor Information

795694
 
Expand all

Internet Systems Consortium Affected

Updated:  May 27, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Mandriva S. A. Affected

Updated:  June 01, 2011

Status

Affected

Vendor Statement

To upgrade automatically use MandrivaUpdate or urpmi. The verification

of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

Vendor Information

Mandriva Linux 2009.0:
ebe0e9136ca078d55e8474b7e4774fa0
2009.0/i586/bind-9.6.2-0.3mdv2009.0.i586.rpm
4bcead4d6fffece6a8786e20580f433b
2009.0/i586/bind-devel-9.6.2-0.3mdv2009.0.i586.rpm
7c4269cc12c36c81b8d5e6beda01db22
2009.0/i586/bind-doc-9.6.2-0.3mdv2009.0.i586.rpm
180a7897d73d5f81bb22403bbfd01301
2009.0/i586/bind-utils-9.6.2-0.3mdv2009.0.i586.rpm
9ce92b36b69535037658b12de6ba91f3
2009.0/SRPMS/bind-9.6.2-0.3mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
b9711c2fc96a83b7b3ce16e872480a94
2009.0/x86_64/bind-9.6.2-0.3mdv2009.0.x86_64.rpm
835c967bdb7e163ee650ad4c2a93a02e
2009.0/x86_64/bind-devel-9.6.2-0.3mdv2009.0.x86_64.rpm
afd62cab2b8be8ab47307541cda19b1b
2009.0/x86_64/bind-doc-9.6.2-0.3mdv2009.0.x86_64.rpm
949e7df04821a40c180a43323fb1b6b3
2009.0/x86_64/bind-utils-9.6.2-0.3mdv2009.0.x86_64.rpm
9ce92b36b69535037658b12de6ba91f3
2009.0/SRPMS/bind-9.6.2-0.3mdv2009.0.src.rpm

Mandriva Linux 2010.1:
facbc4e2c06e947c116f22c6ab546dc9
2010.1/i586/bind-9.7.3-0.0.P1.1.1mdv2010.2.i586.rpm
15fe702c18438ad9a9d07d1a08e8dc5e
2010.1/i586/bind-devel-9.7.3-0.0.P1.1.1mdv2010.2.i586.rpm
f67cc34ea4fa188c6e1ce78a2f418cec
2010.1/i586/bind-doc-9.7.3-0.0.P1.1.1mdv2010.2.i586.rpm
c954e45cc2f928f8c241c1c544b76c1b
2010.1/i586/bind-utils-9.7.3-0.0.P1.1.1mdv2010.2.i586.rpm
a258d307cde57f5f8f750311d1922aee
2010.1/SRPMS/bind-9.7.3-0.0.P1.1.1mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
7fc178b5236b9d82e028f1d95a0995e7
2010.1/x86_64/bind-9.7.3-0.0.P1.1.1mdv2010.2.x86_64.rpm
b9a1c2434083eec6bdf537249f62ef12
2010.1/x86_64/bind-devel-9.7.3-0.0.P1.1.1mdv2010.2.x86_64.rpm
923cbacff1dd7b8a35b248af46979f84
2010.1/x86_64/bind-doc-9.7.3-0.0.P1.1.1mdv2010.2.x86_64.rpm
c564274f9fd0a837963cd7359ef520de
2010.1/x86_64/bind-utils-9.7.3-0.0.P1.1.1mdv2010.2.x86_64.rpm
a258d307cde57f5f8f750311d1922aee
2010.1/SRPMS/bind-9.7.3-0.0.P1.1.1mdv2010.2.src.rpm

Corporate 4.0:
438be9cf334ebfabac9128ab17488b16
corporate/4.0/i586/bind-9.4.3-0.4.20060mlcs4.i586.rpm
73bdfc4039746f9f5ecc95c8b02c9baa
corporate/4.0/i586/bind-devel-9.4.3-0.4.20060mlcs4.i586.rpm
b659532890edec643588df8097b4f9a4
corporate/4.0/i586/bind-utils-9.4.3-0.4.20060mlcs4.i586.rpm
6264781c61bac05330db0300520686aa
corporate/4.0/SRPMS/bind-9.4.3-0.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
a202e00d59ea543e2e2683ebd21509c2
corporate/4.0/x86_64/bind-9.4.3-0.4.20060mlcs4.x86_64.rpm
c020841e7cc8ee34ec576a3dd3a6c053
corporate/4.0/x86_64/bind-devel-9.4.3-0.4.20060mlcs4.x86_64.rpm
47ee68c9f935447a0160850a6f151fb5
corporate/4.0/x86_64/bind-utils-9.4.3-0.4.20060mlcs4.x86_64.rpm
6264781c61bac05330db0300520686aa
corporate/4.0/SRPMS/bind-9.4.3-0.4.20060mlcs4.src.rpm

Mandriva Enterprise Server 5:
467bf36fd2f979b44936a5048e66b177
mes5/i586/bind-9.6.2-0.3mdvmes5.2.i586.rpm
cb277066933724335637f05c89371a06
mes5/i586/bind-devel-9.6.2-0.3mdvmes5.2.i586.rpm
fc839ab342e30da3777d4e15af7412f6
mes5/i586/bind-doc-9.6.2-0.3mdvmes5.2.i586.rpm
e71726f1845cb35577fe18af40ec8798
mes5/i586/bind-utils-9.6.2-0.3mdvmes5.2.i586.rpm
ca697b83e7ae5d4d108ae6ca6ce95107
mes5/SRPMS/bind-9.6.2-0.3mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
7a488676d28da8704b51ca731b726697
mes5/x86_64/bind-9.6.2-0.3mdvmes5.2.x86_64.rpm
4803a569597c7372b7b2323da9220d4d
mes5/x86_64/bind-devel-9.6.2-0.3mdvmes5.2.x86_64.rpm
1a6c027085db39464be568061c70c877
mes5/x86_64/bind-doc-9.6.2-0.3mdvmes5.2.x86_64.rpm
f520ec26e2c0e68e1f82767f1a4b6d54
mes5/x86_64/bind-utils-9.6.2-0.3mdvmes5.2.x86_64.rpm
ca697b83e7ae5d4d108ae6ca6ce95107
mes5/SRPMS/bind-9.6.2-0.3mdvmes5.2.src.rpm

Ubuntu Affected

Updated:  June 01, 2011

Status

Affected

Vendor Statement

Ubuntu has issued an update for bind9. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Apply updated packages via Launchpad.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.isc.org/software/bind/advisories/cve-2011-1910

Acknowledgements

Thanks to Internet Systems Consortium for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: cve-2011-1910
Severity Metric: 4.93
Date Public: 2011-05-26
Date First Published: 2011-05-27
Date Last Updated: 2011-06-01 18:22 UTC
Document Revision: 12

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis