ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
j.tavares at F5.com
Tue Mar 26 18:05:23 UTC 2013
I have a request for clarification:
The workaround states to rebuild BIND with regexp support disabled.
And I see new versions of BIND have been released.
Are those versions just a rebuild with regexp support disabled?
Or are they a more comprehensive fix?
From: bind-announce-bounces+j.tavares=f5.com at lists.isc.org [bind-announce-bounces+j.tavares=f5.com at lists.isc.org] on behalf of ISC Support Staff [support-staff at isc.org]
Sent: Tuesday, March 26, 2013 09:02
To: bind-announce at lists.isc.org
Subject: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
This email advisory is provided for your information. The most
up to date advisory information will always be at:
https://kb.isc.org/article/AA-00871 please use this URL for the
most up to date advisory information.
A critical defect in BIND 9 allows an attacker to cause excessive
memory consumption in named or other programs linked to libdns.
Document Version: 2.0
Posting date: 26 March 2013
Program Impacted: BIND
Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1,
9.9.0 -> 9.9.3b1. (Windows versions are not
Versions of BIND 9 prior to BIND 9.7.0 (including
BIND 9.6-ESV) are not affected. BIND 10 is
A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
on Unix and related operating systems, allows an attacker to
deliberately cause excessive memory consumption by the named
process, potentially resulting in exhaustion of memory resources
on the affected server. This condition can crash BIND 9 and
will likely severely affect operation of other programs running
on the same machine.
Please Note: Versions of BIND 9.7 are beyond their "end of life"
(EOL) and no longer receive testing or security fixes from ISC.
However, the re-compilation method described in the "Workarounds"
section of this document will prevent exploitation in BIND 9.7
as well as in currently supported versions.
For current information on which versions are actively supported,
Additional information is available in the CVE-2013-2266 FAQ and
Supplemental Information article in the ISC Knowledge base,
Intentional exploitation of this condition can cause denial of
service in all authoritative and recursive nameservers running
affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
(inclusive)]. Additionally, other services which run on the
same physical machine as an affected BIND server could be
compromised as well through exhaustion of system memory.
Programs using the libdns library from affected versions of BIND
are also potentially vulnerable to exploitation of this bug if
they can be forced to accept input which triggers the condition.
Tools which are linked against libdns (e.g. dig) should also be
rebuilt or upgraded, even if named is not being used.
CVSS Score: 7.8
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System
and to obtain your specific environmental score please visit:
Patched versions are available (see the "Solutions:" section
below) or operators can prevent exploitation of this bug in any
affected version of BIND 9 by compiling without regular expression
Compilation without regular expression support:
BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
safe from this bug by re-compiling the source with regular
expression support disabled. In order to disable inclusion
of regular expression support:
- After configuring BIND features as desired using the configure
script in the top level source directory, manually edit the
"config.h" header file that was produced by the configure
- Locate the line that reads "#define HAVE_REGEX_H 1" and
replace the contents of that line with "#undef
- Run "make clean" to remove any previously compiled object
files from the BIND 9 source directory, then proceed to
make and install BIND normally.
No known active exploits.
Compile BIND 9 without regular expression support as described
in the "Workarounds" section of this advisory or upgrade to the
patched release most closely related to your current version of
BIND. These can be downloaded fromhttp://www.isc.org/downloads/all.
BIND 9 version 9.8.4-P2
BIND 9 version 9.9.2-P2
ISC would like to thank Matthew Horsfall of Dyn, Inc. for
discovering this bug and bringing it to our attention.
Document Revision History:
1.0 Phase One - Advance Notification, 11 March 2013
1.1 Phase Two & Three, 25 March 2013
2.0 Notification to Public (Phase Four), 26 March 2013
See our BIND Security Matrix for a complete listing of Security
Vulnerabilities and versions affected.
If you'd like more information on our product support please visit
Do you still have questions? Questions regarding this advisory
should go tosecurity-officer at isc.org
ISC patches only currently supported versions. When possible we
indicate EOL versions affected.
ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:
This Knowledge Base articlehttps://kb.isc.org/article/AA-00871 is
the complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.
(c) 2001-2013 Internet Systems Consortium
bind-announce mailing list
bind-announce at lists.isc.org
More information about the bind-users