[dns-operations] [ISC Security Advisory] BIND 9 Resolver crashes after logging an error in query.c

Mark Andrews marka at isc.org
Wed Nov 16 22:32:45 UTC 2011 

In message <1BB81A08-DAF3-469A-8545-1A44D0A15B38 at virtualized.org>, David Conrad
 writes:
> Is it even possible to disable DNSSEC without recompilation?
> 
> Regards,
> -drc

server 0.0.0.0/0 {
	edns no;
};

server ::/0 {
	edns no;
};

> 
> On Nov 16, 2011, at 1:15 PM, David Ulevitch wrote:
> 
> > The bug appears to be RRSIG / DNSSEC related.  Does disabling all DNSSEC su
> pport fix it for folks who can't upgrade?
> > 
> > -David
> > 
> > On Nov 16, 2011, at 12:25 PM, Peter Losher wrote:
> > 
> >> BIND 9 Resolver crashes after logging an error in query.c
> >> 
> >> Summary: Organizations across the Internet reported crashes interrupting s
> ervice on BIND 9 nameservers performing recursive queries. Affected servers c
> rashed after logging an error in query.c with the following message: "INSIST(
> ! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported be
> ing affected, including all currently supported release versions of ISC BIND 
> 9. ISC is actively investigating the root cause and has produced patches whic
> h prevent the crash. Further information will be made available soon.
> >> 
> >> CVE: CVE-2011-4313
> >> Document Version: 1.1
> >> Document URL: http://www.isc.org/software/bind/advisories/cve-2011-4313 
> >> Posting date: 16 Nov 2011
> >> Program Impacted: BIND
> >> Versions affected: All currently supported versions of BIND, 9.4-ESV, 9.6-
> ESV, 9.7.x, 9.8.x
> >> Severity: Serious
> >> Exploitable: Remotely
> >> 
> >> Description: 
> >> An as-yet unidentified network event caused BIND 9 resolvers to cache an i
> nvalid record, subsequent queries for which could crash the resolvers with an
>  assertion failure. ISC is working on determining the ultimate cause by which
>  a record with this particular inconsistency is cached.At this time we are ma
> king available a patch which makes named recover gracefully from the inconsis
> tency, preventing the abnormal exit. 
> >> 
> >> The patch has two components. When a client query is handled, the code whi
> ch processes the response to the client has to ask the cache for the records 
> for the name that is being queried. The first component of the patch prevents
>  the cache from returning the inconsistent data. The second component prevent
> s named from crashing if it detects that it has been given an inconsistent an
> swer of this nature.
> >> 
> >> CVSS Score: 7.8
> >> 
> >> CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C) 
> >> 
> >> Workarounds: 
> >> No workarounds are known. The solution is to upgrade. Upgrade BIND to one 
> of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.
> 4-ESV-R5-P1
> >> 
> >> Active exploits: 
> >> Under investigation
> >> 
> >> Solution: 
> >> Patches mitigating the issue are available at: 
> >> https://www.isc.org/software/bind/981-p1
> >> https://www.isc.org/software/bind/974-p1
> >> https://www.isc.org/software/bind/96-esv-r5-p1
> >> https://www.isc.org/software/bind/94-esv-r5-p1
> >> 
> >> ISC is receiving multiple reports and working with multiple customers on t
> his issue. Please E-mail all questions, packet captures, and details to secur
> ity-officer at isc.org
> >> 
> >> We very much appreciate all reports received on this issue.
> >> 
> >> Related Documents: 
> >> Do you have Questions? Questions regarding this advisory should go to secu
> rity-officer at isc.org.
> >> 
> >> ISC Security Vulnerability Disclosure Policy: Details of our current secur
> ity advisory policy and practice can be found here: https://www.isc.org/secur
> ity-vulnerability-disclosure-policy
> >> 
> >> Legal Disclaimer: 
> >> Internet Systems Consortium (ISC) is providing this notice on an "AS IS" b
> asis. No warranty or guarantee of any kind is expressed in this notice and no
> ne should be implied. ISC expressly excludes and disclaims any warranties reg
> arding this notice or materials referred to in this notice, including, withou
> t limitation, any implied warranty of merchantability, fitness for a particul
> ar purpose, absence of hidden defects, or of non-infringement. Your use or re
> liance on this notice or materials referred to in this notice is at your own 
> risk. ISC may change this notice at any time.
> >> 
> >> A stand-alone copy or paraphrase of the text of this document that omits t
> he document URL is an uncontrolled copy. Uncontrolled copies may lack importa
> nt information, be out of date, or contain factual errors.
> >> 
> >> -- 
> >> [ plosher at isc.org | Senior Operations Architect | ISC | PGP E8048D08 ]
> >> 
> >> _______________________________________________
> >> dns-operations mailing list
> >> dns-operations at lists.dns-oarc.net
> >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> >> dns-jobs mailing list
> >> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> >> 
> > 
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list