A Few Additional Words About CVE-2014-0591

Michael McNally mcnally at isc.org
Mon Jan 13 19:13:30 UTC 2014

Hello, Bind-Users Readers --

Since you are all subscribers to bind-announce as well [You are,
aren't you?  It's where we make announcements about security
vulnerabilities and about new versions of BIND] you are probably
already aware that ISC has announced CVE-2014-0591, a vulnerability
which can cause BIND to crash while servicing certain queries against
an NSEC3-signed zone.

The official announcements can be found in bind-announce or at:
https://kb.isc.org/article/AA-01078 and new versions of BIND which
patch the vulnerability can be found at http://www.isc.org/downloads

But we'd like to point out a few additional facts about this advisory
which you might find relevant.

1)  Security Patches Are Ending for the BIND 9.6-ESV Branch

    Back in 2012 we announced our intention to retire the
    9.6-ESV branch in 2013.  We previously extended the
    EOL ("End of Life") date for 9.6-ESV by six months but
    those six months are almost over and the rescheduled
    EOL date for 9.6-ESV is upon us.  Unless there are
    extraordinary circumstances justifying it, 9.6-ESV will
    not receive future security patches and 9.6-ESV-R11 is
    the last version planned in the 9.6-ESV sequence.

    BIND 9.9 was designated an ESV version of BIND in May 2013.
    Users who require long-term support for their version of
    BIND should migrate to BIND 9.9.

2)  Vulnerability to CVE-2014-0591 is OS and libc Dependent

    We have issued a general warning for the bug that causes
    CVE-2014-0591, because with security it is better to be
    safe than sorry, but per our developer's analysis, the
    bug (which causes an INSIST crash in name.c) can only be
    triggered on servers using a memcpy call that behave in a
    certain fashion.  This bug went undiscovered until recently
    because under most memcpy implementations the software
    behaves safely.  However, recent optimizations to glibc's
    memcpy have exposed the underlying bug on systems using
    newer versions of glibc.

    To date our reports of CVE-2014-0591 crashes have all
    been from Linux users using glibc version 2.18, but because
    of the multiplicity of Unix-like operating systems and
    C library variants we cannot represent all others as safe.
    The safest course of action is to patch the underlying bug
    and ensure that your server is not vulnerable regardless of
    memcpy optimizations, but we do believe that users are unlikely
    to encounter this crash on older glibc versions or on
    non-Linux operating systems that do not use glibc.

    Slightly more information about this is available in our
    CVE-2014-0591 FAQ and Supplemental Information article in
    the ISC Knowledge Base:  https://kb.isc.org/article/AA-01085

More information about the bind-users mailing list