ISC Security Advisory: BIND 9 Resolver crashes after logging an error in query.c

[Larissa Shapiro]

BIND 9 Resolver crashes after logging an error in query.c

Summary: Organizations across the Internet reported crashes interrupting
service on BIND 9 nameservers performing recursive queries. Affected
servers crashed after logging an error in query.c with the following
message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple
versions were reported being affected, including all currently supported
release versions of ISC BIND 9. ISC is actively investigating the root
cause and has produced patches which prevent the crash. Further
information will be made available soon.

CVE: CVE-2011-4313
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313>
Document Version: 1.1
Document URL: http://www.isc.org/software/bind/advisories/cve-2011-4313
Posting date: 16 Nov 2011
Program Impacted: BIND
Versions affected: All currently supported versions of BIND, 9.4-ESV,
9.6-ESV, 9.7.x, 9.8.x
Severity: Serious
Exploitable: Remotely

Description: 
An as-yet unidentified network event caused BIND 9 resolvers to cache an
invalid record, subsequent queries for which could crash the resolvers
with an assertion failure. ISC is working on determining the ultimate
cause by which a record with this particular inconsistency is cached.At
this time we are making available a patch which makes named recover
gracefully from the inconsistency, preventing the abnormal exit.

The patch has two components. When a client query is handled, the code
which processes the response to the client has to ask the cache for the
records for the name that is being queried. The first component of the
patch prevents the cache from returning the inconsistent data. The
second component prevents named from crashing if it detects that it has
been given an inconsistent answer of this nature.
 
*CVSS Score: 7.8

CVSS Equation: *(AV:N/AC:L/Au:N/C:N/I:N/A:C)**

Workarounds: 
No workarounds are known. The solution is to upgrade. Upgrade BIND to
one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1,
9.6-ESV-R5-P1, 9.4-ESV-R5-P1

Active exploits: 
Under investigation

Solution: 
Patches mitigating the issue are available at:
https://www.isc.org/software/bind/981-p1
https://www.isc.org/software/bind/974-p1
https://www.isc.org/software/bind/96-esv-r5-p1
https://www.isc.org/software/bind/94-esv-r5-p1

ISC is receiving multiple reports and working with multiple customers on
this issue. Please E-mail all questions, packet captures, and details to
security-officer at isc.org <mailto:security-officer at isc.org>

We very much appreciate all reports received on this issue.

Related Documents: 
Do you have Questions? Questions regarding this advisory should go to
security-officer at isc.org <mailto:security-officer at isc.org>.

ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice
and none should be implied. ISC expressly excludes and disclaims any
warranties regarding this notice or materials referred to in this
notice, including, without limitation, any implied warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of non-infringement. Your use or reliance on this notice or
materials referred to in this notice is at your own risk. ISC may change
this notice at any time.
 
A stand-alone copy or paraphrase of the text of this document that omits
the document URL is an uncontrolled copy. Uncontrolled copies may lack
important information, be out of date, or contain factual errors.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-announce/attachments/20111116/b5a300f8/attachment.html>