BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

Fri May 27 05:35:38 UTC 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*Summary:* A BIND 9 DNS server set up to be a caching resolver is
vulnerable to a user querying a domain with very large resource record
sets (RRSets) when trying to negatively cache a response. This can
cause the BIND 9 DNS server (named process) to crash.

*Document ID:* CVE-2011-1910

*Document Status:* Draft

*Posting date:* 26 May 2011

*Program Impacted:* BIND

*Versions affected:* 9.4-ESV-R3 and later, 9.6-ESV-R2 and later,
9.6.3, 9.7.1 and later, 9.8.0 and later

*Severity:* High

*Exploitable:* Remotely

*CVSS Score:* Base 7.8

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

*Description:*

DNS systems use negative caching to improve DNS response time. This
will keep a DNS resolver from repeatedly looking up domains that do
not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into
the negative cache.

The authority data will be cached along with the negative cache
information. These authoritative ?Start of Authority? (SOA) and
NSEC/NSEC3 records prove the nonexistence of the requested name/type.
In DNSSEC, all of these records are signed; this adds one additional
RRSIG record, per DNSSEC key, for each record returned in the
authority section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative
cache can trigger an assertion failure that will crash named (BIND 9
DNS) due to an off-by-one error in a buffer size check.

The nature of this vulnerability would allow remote exploit. An
attacker can set up an DNSSEC signed authoritative DNS server with a
large RRSIG RRsets to act as the trigger. The attacker would then find
ways to query an organization?s caching resolvers, using the negative
caches and the ?trigger? the vulnerability. The attacker would require
access to an organization?s caching resolvers. Access to the resolvers
can be direct (open resolvers), through malware (using a BOTNET to
query negative caches), or through driving DNS resolution (a SPAM run
that has a domain in the E-mail that will cause the client to do look
up a negative cache).

*Workarounds:* Restricting access to the DNS caching resolver
infrastructure will provide partial mitigation. Active exploitation
can be accomplished through malware or SPAM/Malvertizing actions that
will force authorized clients to look up domains that would trigger
this vulnerability.

*Solution:*

Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2
ftp://ftp.isc.org/isc/bind9/9.8.0-P2
ftp://ftp.isc.org/isc/bind9/9.7.3-P1
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R4-P1
BIND 9.4 is less vulnerable than other versions, and a patched version
will be available on May 27th at ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4-P1

*Exploit Status:* High. This issue has caused un-intentional outages.

US CERT is tracking this issue with INC000000152411.

*Credits:*

Thanks to Frank Kloeker and Michael Sinatra for getting the details to
this issue to the DNS Operations community and to Michael Sinatra,
Team Cmyru, and other community members for testing.

Questions regarding this advisory shoud go to security-officer at isc.org
<mailto:security-officer at isc.org>. Questions on ISC's Support services
or other offerings should be
sent to info at isc.org <mailto:dhcp-bugs at isc.org> More information on
ISC's support and other offerings are available
at:http://www.isc.org/community/blog/201102/BIND-support

- -- 
Larissa Shapiro
Internet Systems Consortium Product Manager
Technology Leadership for the Common Good
+1 650 423 1335
www.isc.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJN3zgqAAoJEBOIp87tasiU0RgH/1eOHonKvvh3gcAfzzhWezNr
0X+ERXldJnylLYUrVPoVdzFXCsKkReY6qrTDUJnO6qvB62oYQNfZnO21fkM17m6Z
wA/HTnnu5YlnmHZQVabCJptLWsJ7nGwFygKdwgJbu/npWmSaEoKgNWIdcWbnVlm6
xk9XXdjc25rJLIqTgXXWWnyAsFc0SvNomOFd2zkuPsa7vuJczpdWw1Rdn9TP1vOo
BF1gS2GR7O9ewghTQGXCAcNNdezconkE7moxTZx6y8qGGyP8nvfRwGWneXKjy49r
8rY1ABo92rly60E8uCs4S8tiFQxTlwWsGBfyREk0SClvT1PFDM+Yz11U/FmBG2E=
=QKvu
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110526/02cadf83/attachment.html>