CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating

Chuck Aurora chucka at
Tue Jul 7 19:05:35 UTC 2015

CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to
		Crash when Validating

An attacker who can cause a validating resolver to query a zone
containing specifically constructed contents can cause that resolver to
fail an assertion and terminate due to a defect in validation code.

CVE:				CVE-2015-4620
Document Version:		2.0
Posting date:			7 July 2015
Program Impacted:		BIND
Versions affected:
	BIND 9.7.1 -> 9.7.7, 9.8.0 -> 9.8.8, 9.9.0 -> 9.9.7, 9.10.0 -> 9.10.2-P1.

Severity:			Critical
Exploitable:			Remotely


A very uncommon combination of zone data has been found that triggers a
bug in BIND, with the result that named will exit with a "REQUIRE"
failure in name.c when validating the data returned in answer to a
recursive query.

This means that a recursive resolver that is performing DNSSEC
validation can be deliberately stopped by an attacker who can cause the
resolver to perform a query against a maliciously-constructed zone.


A recursive resolver that is performing DNSSEC validation can be
deliberately terminated by any attacker who can cause a query to be
performed against a maliciously constructed zone.  This will result in
a denial of service to clients who rely on that resolver.

DNSSEC validation is only performed by a recursive resolver if it has
"dnssec-validation auto;" in its configuration or if it has a root
trust anchor defined and has "dnssec-validation yes;" set (either by
accepting the default or via an explicitly set value of "yes".)  By
default ISC BIND recursive servers will not validate.  (However, ISC
defaults may have been changed by your distributor.)

CVSS Score:			7.8

CVSS Vector:			(AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:


Disabling DNSSEC validation prevents exploitation of this defect but is
not generally recommended.  The recommended solution is to upgrade to a
patched version.

Active exploits:

There are no known active exploits at this time.

Solution:  Upgrade to the patched release most closely related to your
current version of BIND:

	BIND 9 version 9.9.7-P1
	BIND 9 version 9.10.2-P2

Acknowledgements: ISC would like to thank Breno Silveira Soares of
Serviço Federal de Processamento de Dados (SERPRO) for discovering and
reporting this defect.

Document Revision History:

1.0	Phase One: Advance Notification 23 June, 2015
1.1	Phase Two: Notification to BIND Packagers 29 June, 2015
1.2	Revised public release date (to 7 July 2015) and re-notified
	Phase One and Phase Two recipients: 30 June, 2015
2.0	Phase Three: Public Disclosure, 7 July 2015

Related Documents:

See our BIND9 Security Vulnerability Matrix at for a complete listing of Security
Vulnerabilities and versions affected.

If you'd like more information on ISC Subscription Support and Advance
Security Notifications, please visit

Do you still have questions?  Questions regarding this advisory should
go to security-officer at  To report a new issue, please encrypt
your message using security-officer at's PGP key which can be
found here: .
If you are unable to use encrypted email, you may also report new
issues at: .

Note: ISC patches only currently supported versions. When possible we
indicate EOL versions affected.  (For current information on which
versions are actively supported, please see

ISC Security Vulnerability Disclosure Policy:  Details of our current
security advisory policy and practice can be found here:

This Knowledge Base article is the
complete and official security advisory document.

    Chuck Aurora : ISC Software Support : chucka at
    Internet Systems Consortium, Inc.

More information about the bind-announce mailing list