Overview
A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.
Description
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). A flaw exists in the way that some versions of BIND handle DNS Security Extensions (DNSSEC) signed Resource Record Sets (RRsets). The specific impact of this vulnerability is slightly different depending on the type of DNS server involved. For recursive servers, queries for SIG records will trigger an assertion failure if more than one SIG(covered) RRset is returned. For authoritative servers, if a name server is serving a RFC 2535 DNSSEC zone and is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g., a zone apex) then the name server daemon will trigger an assertion failure when it tries to construct the response. |
Impact
A remote attacker may be able to cause the name server daemon to crash, thereby causing a denial of service for DNS operations. |
Solution
Apply a patch from the vendor |
Restrict Access |
Vendor Information
Debian GNU/Linux Affected
Notified: August 23, 2006 Updated: September 11, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The Debian Security Team has published Debian Security Advisory DSA-1172 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks, Inc. Affected
Notified: August 23, 2006 Updated: September 07, 2006
Status
Affected
Vendor Statement
F5 was provided with advance notice of this advisory, and has prepared patches
for all affected actively-supported versions of BIG-IP and Enterprise Manager.
These patches will be released immediately upon final verification of test
results.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD, Inc. Affected
Notified: August 23, 2006 Updated: September 07, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The FreeBSD development team has published FreeBSD Security Advisory FreeBSD-SA-06:20.bind in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
The bind9 FreeBSD port was also updated on 2006-09-06 to include patches for this issue. Users who obtain BIND from the FreeBSD ports collection are encourage to upgrade to this version (or later) of the port.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Gentoo Linux Affected
Notified: August 23, 2006 Updated: October 02, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Gentoo has published Gentoo Linux Security Advisory GLSA 200609-11 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Internet Software Consortium Affected
Notified: August 18, 2006 Updated: September 06, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The Internet Software Consortium has published an alert on its BIND Vulnerabilities page (see CVE-2006-4095). Users who compile BIND from the original ISC source code distribution are encouraged to upgrade to BIND version 9.4.0b2, 9.3.3rc2, 9.3.2-P1, 9.2.7rc1, or 9.2.6-P1 (or later) as appropriate.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva, Inc. Affected
Notified: August 23, 2006 Updated: September 11, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Mandriva has published Mandriva Advisory MDKSA-2006:163 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetBSD Affected
Notified: August 23, 2006 Updated: October 02, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
NetBSD has published NetBSD Security Advisory 2006-022 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Affected
Notified: August 23, 2006 Updated: September 07, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Patches for this issue were committed to the HEAD, OPENBSD_3_8, and OPENBSD_3_9 branches of OpenBSD CVS repository on 2006-09-05. Users of OpenBSD-current and OpenBSD-stable can obtain these patches via the usual mechanisms for CVS access.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenPKG Affected
Updated: September 07, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The OpenPKG security team has published OpenPKG Security Advisory OpenPKG-SA-2006.019 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Affected
Notified: August 23, 2006 Updated: September 11, 2006
Status
Affected
Vendor Statement
We have fixed these issues by updating to BIND 9.3.2-P1 (with our usual
modifications) in Owl-current as of 2006/09/06 and Owl 2.0-stable as of
2006/09/09.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Slackware Linux Inc. Affected
Notified: August 23, 2006 Updated: October 02, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Slackware has published Slackware Security Advisory SSA:2006-257-01 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Trustix Secure Linux Affected
Notified: August 23, 2006 Updated: October 02, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Trustix has published Trustix Secure Linux Security Advisory #2006-0051 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Ubuntu Affected
Notified: August 23, 2006 Updated: September 07, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The Ubuntu development team has published Ubuntu Security Notice USN-343-1 in response to this issue. Users are encouraged to review this notice and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
rPath Affected
Updated: September 25, 2006
Status
Affected
Vendor Statement
rPath Security Advisory: 2006-0166-1
Published: 2006-09-08
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
bind=/conary.rpath.com@rpl:devel//1/9.3.2_P1-0.1-1
bind-utils=/conary.rpath.com@rpl:devel//1/9.3.2_P1-0.1-1
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096
https://issues.rpath.com/browse/RPL-626
Description:
Previous versions of the bind package are vulnerable to
to multiple remote denial of service attacks.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hitachi Not Affected
Notified: August 23, 2006 Updated: September 05, 2006
Status
Not Affected
Vendor Statement
HI-UX/WE2 is NOT vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Infoblox Not Affected
Notified: August 23, 2006 Updated: September 07, 2006
Status
Not Affected
Vendor Statement
Infoblox does not believe Infoblox NIOS software is vulnerable to this
issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Juniper Networks, Inc. Not Affected
Notified: August 23, 2006 Updated: September 05, 2006
Status
Not Affected
Vendor Statement
Juniper Networks products are not susceptible to this vulnerability
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. Not Affected
Notified: August 23, 2006 Updated: September 14, 2006
Status
Not Affected
Vendor Statement
Sun does not ship a version of BIND which is impacted by CERT VU#697164 or
VU#915404 in any of the currently supported releases of Solaris: Solaris 8,
9, and 10.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Computer, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
BlueCat Networks, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Check Point Software Technologies Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cray Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
EMC, Inc. (formerly Data General Corporation) Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fedora Project Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fujitsu Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
GNU glibc Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Gnu ADNS Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM eServer Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Immunix Communications, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Lucent Technologies Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Men & Mice Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Metasolv Software, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NEC Corporation Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Nokia Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Nortel Networks, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Red Hat, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SUSE Linux Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Shadowsupport Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sony Corporation Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Turbolinux Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Unisys Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: August 23, 2006 Updated: August 23, 2006
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Joao Damas of the Internet Software Consortium for reporting this vulnerability.
This document was written by Chad R Dougherty.
Other Information
| CVE IDs: | CVE-2006-4095 |
| Severity Metric: | 7.83 |
| Date Public: | 2006-09-05 |
| Date First Published: | 2006-09-05 |
| Date Last Updated: | 2006-10-02 19:42 UTC |
| Document Revision: | 15 |