Security Advisory: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

Larissa Shapiro larissas at isc.org
Tue Feb 22 20:54:42 UTC 2011 

                                    Internet Systems Consortium Security
Advisory

Title: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

(http://www.isc.org/software/bind/advisories/cve-2011-0414)

CVE-2011-0414

VU#559980

CVSS: 7.1  (AV:N/AC:M/Au:N/C:N/I:N/A:C)
for more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>

Posting date: 2011-02-22 

Program Impacted: BIND

Versions affected: 9.7.1-9.7.2-P3

Severity: High

Exploitable: Remotely

Description and Impact:

When an authoritative server processes a successful IXFR transfer or a
dynamic update, there is a small window of time during which the
IXFR/update coupled with a query may cause a deadlock to occur. This
deadlock will cause the server to stop processing all requests. A high
query rate and/or a high update rate will increase the probability of
this condition.

Workaround:

Depending on your performance requirements, a work-around may be
available. ISC was not able to reproduce this defect in 9.7.2 using -n
1, which causes named to use only one worker thread, thus avoiding the
deadlock. If your server is powerful enough to serve your data with a
single processor, this option may be fast to implement until you have
time to perform an upgrade.

Active exploits: None known, but a description of the issue is available
in the release notes for BIND 9.6.3 and 9.7.3.

Solution: If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3. Earlier
versions are not vulnerable. If you run BIND 9.6.x, 9.6-ESV-R?, or
9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is End of Life and is
not supported by ISC. BIND 9.8 is not vulnerable.

Credits: Thank you to Neustar for finding the initial defect and JPRS
for further testing and analysis.

Questions regarding this advisory or ISC's Support services should be
sent to bind9-bugs at isc.org <mailto:bind9-bugs at isc.org>
For more information on ISC's support, consulting, training, and other
services, visit
http://www.isc.org/community/blog/201102/open-source-software-unsupported-isnt-it

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-announce/attachments/20110222/122e056b/attachment.html>

More information about the bind-announce mailing list