[as112-ops] [dns-operations] BIND Security Advisory (fwd)

William F. Maton Sotomayor wmaton at ryouko.imsb.nrc.ca
Tue Jul 28 20:44:13 UTC 2009


FYI

wfms

---------- Forwarded message ----------
Date: Tue, 28 Jul 2009 16:37:08 -0400
From: Keith Mitchell <keith at isc.org>
To: dns-operations at mail.dns-oarc.net
Subject: [dns-operations] BIND Security Advisory

[Apologies for any duplicate postings, but this is kind of critical]

See also https://www.isc.org/node/474

BIND Dynamic Update DoS

CVE:	  	CVE-2009-0696 
CERT:	  	VU#725188 
Posting date:  	2009-07-28 
Program Impacted: BIND 
Versions affected:BIND 9 (all versions)
Severity:  	High 
Exploitable:  	remotely 
Summary:  	BIND denial of service (server crash) caused by receipt
 		of a specific remote dynamic update message.

Description:

Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message may cause BIND 9
servers to exit. This vulnerability affects all servers ÿÿ it is not
limited to those that are configured to allow dynamic updates. Access
controls will not provide an effective workaround.

dns_db_findrdataset() fails when the prerequisite section of the dynamic
update message contains a record of type ÿÿANYÿÿ and where at least one
RRset for this FQDN exists on the server.

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).

Workarounds:	None.
(Some sites may have firewalls that can be configured with packet
filtering techniques to prevent nsupdate messages from reaching their
nameservers.)

Active exploits:
An active remote exploit is in wide circulation at this time.

Solution:

Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions
can be downloaded from:

     http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz
     http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz
     http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz

Acknowledgement: Matthias Urlichs

_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


More information about the as112-ops mailing list