[as112-ops] [dns-operations] BIND Security Advisory (fwd)
William F. Maton Sotomayor
wmaton at ryouko.imsb.nrc.ca
Tue Jul 28 20:44:13 UTC 2009
FYI
wfms
---------- Forwarded message ----------
Date: Tue, 28 Jul 2009 16:37:08 -0400
From: Keith Mitchell <keith at isc.org>
To: dns-operations at mail.dns-oarc.net
Subject: [dns-operations] BIND Security Advisory
[Apologies for any duplicate postings, but this is kind of critical]
See also https://www.isc.org/node/474
BIND Dynamic Update DoS
CVE: CVE-2009-0696
CERT: VU#725188
Posting date: 2009-07-28
Program Impacted: BIND
Versions affected:BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt
of a specific remote dynamic update message.
Description:
Urgent: this exploit is public. Please upgrade immediately.
Receipt of a specially-crafted dynamic update message may cause BIND 9
servers to exit. This vulnerability affects all servers ÿÿ it is not
limited to those that are configured to allow dynamic updates. Access
controls will not provide an effective workaround.
dns_db_findrdataset() fails when the prerequisite section of the dynamic
update message contains a record of type ÿÿANYÿÿ and where at least one
RRset for this FQDN exists on the server.
db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).
Workarounds: None.
(Some sites may have firewalls that can be configured with packet
filtering techniques to prevent nsupdate messages from reaching their
nameservers.)
Active exploits:
An active remote exploit is in wide circulation at this time.
Solution:
Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions
can be downloaded from:
http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz
http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz
http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz
Acknowledgement: Matthias Urlichs
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
More information about the as112-ops
mailing list