[dns-operations] [ISC Security Advisory] BIND 9 Resolvercrashes after logging an error in query.c

Stephan Lagerholm stephan.lagerholm at secure64.com
Wed Nov 16 22:39:42 UTC 2011


David,

You can disable dnssec validation in the option section. It would be
interested to hear from ISC if that would prevent Bind from crashing.

options {
     dnssec-validation no;
};



> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net
[mailto:dns-operations-
> bounces at lists.dns-oarc.net] On Behalf Of David Conrad
> Sent: Wednesday, November 16, 2011 4:00 PM
> To: Peter Losher
> Cc: dns-operations at mail.dns-oarc.net
> Subject: Re: [dns-operations] [ISC Security Advisory] BIND 9
> Resolvercrashes after logging an error in query.c
> 
> Is it even possible to disable DNSSEC without recompilation?
> 
> Regards,
> -drc
> 
> On Nov 16, 2011, at 1:15 PM, David Ulevitch wrote:
> 
> > The bug appears to be RRSIG / DNSSEC related.  Does disabling all
> DNSSEC support fix it for folks who can't upgrade?
> >
> > -David
> >
> > On Nov 16, 2011, at 12:25 PM, Peter Losher wrote:
> >
> >> BIND 9 Resolver crashes after logging an error in query.c
> >>
> >> Summary: Organizations across the Internet reported crashes
> interrupting service on BIND 9 nameservers performing recursive
> queries. Affected servers crashed after logging an error in query.c
> with the following message: "INSIST(!
> dns_rdataset_isassociated(sigrdataset))" Multiple versions were
> reported being affected, including all currently supported release
> versions of ISC BIND 9. ISC is actively investigating the root cause
> and has produced patches which prevent the crash. Further information
> will be made available soon.
> >>
> >> CVE: CVE-2011-4313
> >> Document Version: 1.1
> >> Document URL: http://www.isc.org/software/bind/advisories/cve-2011-
> 4313
> >> Posting date: 16 Nov 2011
> >> Program Impacted: BIND
> >> Versions affected: All currently supported versions of BIND, 9.4-
> ESV, 9.6-ESV, 9.7.x, 9.8.x
> >> Severity: Serious
> >> Exploitable: Remotely
> >>
> >> Description:
> >> An as-yet unidentified network event caused BIND 9 resolvers to
> cache an invalid record, subsequent queries for which could crash the
> resolvers with an assertion failure. ISC is working on determining the
> ultimate cause by which a record with this particular inconsistency is
> cached.At this time we are making available a patch which makes named
> recover gracefully from the inconsistency, preventing the abnormal
> exit.
> >>
> >> The patch has two components. When a client query is handled, the
> code which processes the response to the client has to ask the cache
> for the records for the name that is being queried. The first
component
> of the patch prevents the cache from returning the inconsistent data.
> The second component prevents named from crashing if it detects that
it
> has been given an inconsistent answer of this nature.
> >>
> >> CVSS Score: 7.8
> >>
> >> CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> >>
> >> Workarounds:
> >> No workarounds are known. The solution is to upgrade. Upgrade BIND
> to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1,
9.6-
> ESV-R5-P1, 9.4-ESV-R5-P1
> >>
> >> Active exploits:
> >> Under investigation
> >>
> >> Solution:
> >> Patches mitigating the issue are available at:
> >> https://www.isc.org/software/bind/981-p1
> >> https://www.isc.org/software/bind/974-p1
> >> https://www.isc.org/software/bind/96-esv-r5-p1
> >> https://www.isc.org/software/bind/94-esv-r5-p1
> >>
> >> ISC is receiving multiple reports and working with multiple
> customers on this issue. Please E-mail all questions, packet captures,
> and details to security-officer at isc.org
> >>
> >> We very much appreciate all reports received on this issue.
> >>
> >> Related Documents:
> >> Do you have Questions? Questions regarding this advisory should go
> to security-officer at isc.org.
> >>
> >> ISC Security Vulnerability Disclosure Policy: Details of our
current
> security advisory policy and practice can be found here:
> https://www.isc.org/security-vulnerability-disclosure-policy
> >>
> >> Legal Disclaimer:
> >> Internet Systems Consortium (ISC) is providing this notice on an
"AS
> IS" basis. No warranty or guarantee of any kind is expressed in this
> notice and none should be implied. ISC expressly excludes and
disclaims
> any warranties regarding this notice or materials referred to in this
> notice, including, without limitation, any implied warranty of
> merchantability, fitness for a particular purpose, absence of hidden
> defects, or of non-infringement. Your use or reliance on this notice
or
> materials referred to in this notice is at your own risk. ISC may
> change this notice at any time.
> >>
> >> A stand-alone copy or paraphrase of the text of this document that
> omits the document URL is an uncontrolled copy. Uncontrolled copies
may
> lack important information, be out of date, or contain factual errors.
> >>
> >> --
> >> [ plosher at isc.org | Senior Operations Architect | ISC | PGP
E8048D08
> ]
> >>
> >> _______________________________________________
> >> dns-operations mailing list
> >> dns-operations at lists.dns-oarc.net
> >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> >> dns-jobs mailing list
> >> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> >>
> >
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs



More information about the dns-operations mailing list