A Few Additional Words About CVE-2014-0591
mcnally at isc.org
Mon Jan 13 19:13:30 UTC 2014
Hello, Bind-Users Readers --
Since you are all subscribers to bind-announce as well [You are,
aren't you? It's where we make announcements about security
vulnerabilities and about new versions of BIND] you are probably
already aware that ISC has announced CVE-2014-0591, a vulnerability
which can cause BIND to crash while servicing certain queries against
an NSEC3-signed zone.
The official announcements can be found in bind-announce or at:
https://kb.isc.org/article/AA-01078 and new versions of BIND which
patch the vulnerability can be found at http://www.isc.org/downloads
But we'd like to point out a few additional facts about this advisory
which you might find relevant.
1) Security Patches Are Ending for the BIND 9.6-ESV Branch
Back in 2012 we announced our intention to retire the
9.6-ESV branch in 2013. We previously extended the
EOL ("End of Life") date for 9.6-ESV by six months but
those six months are almost over and the rescheduled
EOL date for 9.6-ESV is upon us. Unless there are
extraordinary circumstances justifying it, 9.6-ESV will
not receive future security patches and 9.6-ESV-R11 is
the last version planned in the 9.6-ESV sequence.
BIND 9.9 was designated an ESV version of BIND in May 2013.
Users who require long-term support for their version of
BIND should migrate to BIND 9.9.
2) Vulnerability to CVE-2014-0591 is OS and libc Dependent
We have issued a general warning for the bug that causes
CVE-2014-0591, because with security it is better to be
safe than sorry, but per our developer's analysis, the
bug (which causes an INSIST crash in name.c) can only be
triggered on servers using a memcpy call that behave in a
certain fashion. This bug went undiscovered until recently
because under most memcpy implementations the software
behaves safely. However, recent optimizations to glibc's
memcpy have exposed the underlying bug on systems using
newer versions of glibc.
To date our reports of CVE-2014-0591 crashes have all
been from Linux users using glibc version 2.18, but because
of the multiplicity of Unix-like operating systems and
C library variants we cannot represent all others as safe.
The safest course of action is to patch the underlying bug
and ensure that your server is not vulnerable regardless of
memcpy optimizations, but we do believe that users are unlikely
to encounter this crash on older glibc versions or on
non-Linux operating systems that do not use glibc.
Slightly more information about this is available in our
CVE-2014-0591 FAQ and Supplemental Information article in
the ISC Knowledge Base: https://kb.isc.org/article/AA-01085
More information about the bind-users