ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

ISC Support Staff support-staff at
Tue Mar 26 16:02:06 UTC 2013


   This email advisory is provided for your information. The most
   up to date advisory information will always be at:  please use this URL for the
   most up to date advisory information.


A critical defect in BIND 9 allows an attacker to cause excessive

memory consumption in named or other programs linked to libdns.

CVE:                  CVE-2013-2266

Document Version:     2.0

Posting date:         26 March 2013

Program Impacted:     BIND

Versions affected:    "Unix" versions of  BIND 9.7.x, 9.8.0 -> 9.8.5b1,

                       9.9.0 -> 9.9.3b1.  (Windows versions are not

                       Versions of BIND 9 prior to BIND 9.7.0 (including

                       BIND 9.6-ESV) are not affected.  BIND 10 is

                       not affected.)

Severity:             Critical

Exploitable:          Remotely


    A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled

    on Unix and related operating systems, allows an attacker to

    deliberately cause excessive memory consumption by the named

    process, potentially resulting in exhaustion of memory resources

    on the affected server.  This condition can crash BIND 9 and

    will likely severely affect operation of other programs running

    on the same machine.

    Please Note: Versions of BIND 9.7 are beyond their "end of life"

    (EOL) and no longer receive testing or security fixes from ISC.

    However, the re-compilation method described in the "Workarounds"

    section of this document will prevent exploitation in BIND 9.7

    as well as in currently supported versions.

    For current information on which versions are actively supported,

    please see

    Additional information is available in the CVE-2013-2266 FAQ and

    Supplemental Information article in the ISC Knowledge base,


    Intentional exploitation of this condition can cause denial of

    service in all authoritative and recursive nameservers running

    affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0

    through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1

    (inclusive)].   Additionally, other services which run on the

    same physical machine as an affected BIND server could be

    compromised as well through exhaustion of system memory.

    Programs using the libdns library from affected versions of BIND

    are also potentially vulnerable to exploitation of this bug if

    they can be forced to accept input which triggers the condition.

    Tools which are linked against libdns (e.g. dig) should also be

    rebuilt or upgraded, even if named is not being used.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

    For more information on the Common Vulnerability Scoring System

    and to obtain your specific environmental score please visit:


    Patched versions are available (see the "Solutions:" section

    below) or operators can prevent exploitation of this bug in any

    affected version of BIND 9 by compiling without regular expression


    Compilation without regular expression support:

       BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),

       and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely

       safe from this bug by re-compiling the source with regular

       expression support disabled.  In order to disable inclusion

       of regular expression support:

       - After configuring BIND features as desired using the configure

         script in the top level source directory, manually edit the

         "config.h" header file that was produced by the configure


       - Locate the line that reads "#define HAVE_REGEX_H 1" and

         replace the contents of that line with "#undef


       - Run "make clean" to remove any previously compiled object

         files from the BIND 9 source directory, then proceed to

         make and install BIND normally.

Active exploits:

    No known active exploits.


    Compile BIND 9 without regular expression support as described

    in the "Workarounds" section of this advisory or upgrade to the

    patched release most closely related to your current version of

    BIND. These can be downloaded from

    BIND 9 version 9.8.4-P2

    BIND 9 version 9.9.2-P2


    ISC would like to thank Matthew Horsfall of Dyn, Inc. for

    discovering this bug and bringing it to our attention.

Document Revision History:

    1.0 Phase One - Advance Notification, 11 March 2013

    1.1 Phase Two & Three, 25 March 2013

    2.0 Notification to Public (Phase Four), 26 March 2013

Related Documents:

    Japanese Translation:

    Spanish Translation:

    German Translation:

    Portuguese Translation:

    See our BIND Security Matrix for a complete listing of Security

    Vulnerabilities and versions affected.

If you'd like more information on our product support please visit

Do you still have questions?  Questions regarding this advisory

should go tosecurity-officer at


    ISC patches only currently supported versions. When possible we

    indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:  Details of our current

security advisory policy and practice can be found here:

This Knowledge Base article  is

the complete and official security advisory document.

Legal Disclaimer:

    Internet Systems Consortium (ISC) is providing this notice on

    an "AS IS" basis. No warranty or guarantee of any kind is expressed

    in this notice and none should be implied. ISC expressly excludes

    and disclaims any warranties regarding this notice or materials

    referred to in this notice, including, without limitation, any

    implied warranty of merchantability, fitness for a particular

    purpose, absence of hidden defects, or of non-infringement. Your

    use or reliance on this notice or materials referred to in this

    notice is at your own risk. ISC may change this notice at any

    time.  A stand-alone copy or paraphrase of the text of this

    document that omits the document URL is an uncontrolled copy.

    Uncontrolled copies may lack important information, be out of

    date, or contain factual errors.

(c) 2001-2013 Internet Systems Consortium

More information about the bind-announce mailing list