CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating
chucka at isc.org
Tue Jul 7 19:05:35 UTC 2015
CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to
Crash when Validating
An attacker who can cause a validating resolver to query a zone
containing specifically constructed contents can cause that resolver to
fail an assertion and terminate due to a defect in validation code.
Document Version: 2.0
Posting date: 7 July 2015
Program Impacted: BIND
BIND 9.7.1 -> 9.7.7, 9.8.0 -> 9.8.8, 9.9.0 -> 9.9.7, 9.10.0 -> 9.10.2-P1.
A very uncommon combination of zone data has been found that triggers a
bug in BIND, with the result that named will exit with a "REQUIRE"
failure in name.c when validating the data returned in answer to a
This means that a recursive resolver that is performing DNSSEC
validation can be deliberately stopped by an attacker who can cause the
resolver to perform a query against a maliciously-constructed zone.
A recursive resolver that is performing DNSSEC validation can be
deliberately terminated by any attacker who can cause a query to be
performed against a maliciously constructed zone. This will result in
a denial of service to clients who rely on that resolver.
DNSSEC validation is only performed by a recursive resolver if it has
"dnssec-validation auto;" in its configuration or if it has a root
trust anchor defined and has "dnssec-validation yes;" set (either by
accepting the default or via an explicitly set value of "yes".) By
default ISC BIND recursive servers will not validate. (However, ISC
defaults may have been changed by your distributor.)
CVSS Score: 7.8
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
Disabling DNSSEC validation prevents exploitation of this defect but is
not generally recommended. The recommended solution is to upgrade to a
There are no known active exploits at this time.
Solution: Upgrade to the patched release most closely related to your
current version of BIND:
BIND 9 version 9.9.7-P1
BIND 9 version 9.10.2-P2
Acknowledgements: ISC would like to thank Breno Silveira Soares of
Serviço Federal de Processamento de Dados (SERPRO) for discovering and
reporting this defect.
Document Revision History:
1.0 Phase One: Advance Notification 23 June, 2015
1.1 Phase Two: Notification to BIND Packagers 29 June, 2015
1.2 Revised public release date (to 7 July 2015) and re-notified
Phase One and Phase Two recipients: 30 June, 2015
2.0 Phase Three: Public Disclosure, 7 July 2015
See our BIND9 Security Vulnerability Matrix at
https://kb.isc.org/article/AA-00913 for a complete listing of Security
Vulnerabilities and versions affected.
If you'd like more information on ISC Subscription Support and Advance
Security Notifications, please visit http://www.isc.org/support/.
Do you still have questions? Questions regarding this advisory should
go to security-officer at isc.org. To report a new issue, please encrypt
your message using security-officer at isc.org's PGP key which can be
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/ .
Note: ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see
ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:
This Knowledge Base article https://kb.isc.org/article/AA-01267 is the
complete and official security advisory document.
Chuck Aurora : ISC Software Support : chucka at isc.org
Internet Systems Consortium, Inc.
More information about the bind-announce