[dns-operations] [ISC Security Advisory] BIND 9 Resolver crashes after logging an error in query.c

David Ulevitch david at opendns.com
Wed Nov 16 23:32:46 UTC 2011


On Nov 16, 2011, at 2:32 PM, Mark Andrews wrote:

> 
> In message <1BB81A08-DAF3-469A-8545-1A44D0A15B38 at virtualized.org>, David Conrad
> writes:
>> Is it even possible to disable DNSSEC without recompilation?
>> 
>> Regards,
>> -drc
> 
> server 0.0.0.0/0 {
> 	edns no;
> };
> 
> server ::/0 {
> 	edns no;
> };
> 

1) Does that prevent the bug?

2) I'm not a BIND expert, is that the preferred way of disabling DNSSEC?  Losing edns support has other consequences that may be undesirable.

-David



>> 
>> On Nov 16, 2011, at 1:15 PM, David Ulevitch wrote:
>> 
>>> The bug appears to be RRSIG / DNSSEC related.  Does disabling all DNSSEC support fix it for folks who can't upgrade?
>>> 
>>> -David
>>> 
>>> On Nov 16, 2011, at 12:25 PM, Peter Losher wrote:
>>> 
>>>> BIND 9 Resolver crashes after logging an error in query.c
>>>> 
>>>> Summary: Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9. ISC is actively investigating the root cause and has produced patches which prevent the crash. Further information will be made available soon.
>>>> 
>>>> CVE: CVE-2011-4313
>>>> Document Version: 1.1
>>>> Document URL: http://www.isc.org/software/bind/advisories/cve-2011-4313 
>>>> Posting date: 16 Nov 2011
>>>> Program Impacted: BIND
>>>> Versions affected: All currently supported versions of BIND, 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x
>>>> Severity: Serious
>>>> Exploitable: Remotely
>>>> 
>>>> Description: 
>>>> An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.
>>>> 
>>>> The patch has two components. When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.
>>>> 
>>>> CVSS Score: 7.8
>>>> 
>>>> CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C) 
>>>> 
>>>> Workarounds: 
>>>> No workarounds are known. The solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
>>>> 
>>>> Active exploits: 
>>>> Under investigation
>>>> 
>>>> Solution: 
>>>> Patches mitigating the issue are available at: 
>>>> https://www.isc.org/software/bind/981-p1
>>>> https://www.isc.org/software/bind/974-p1
>>>> https://www.isc.org/software/bind/96-esv-r5-p1
>>>> https://www.isc.org/software/bind/94-esv-r5-p1
>>>> 
>>>> ISC is receiving multiple reports and working with multiple customers on this issue. Please E-mail all questions, packet captures, and details to security-officer at isc.org
>>>> 
>>>> We very much appreciate all reports received on this issue.
>>>> 
>>>> Related Documents: 
>>>> Do you have Questions? Questions regarding this advisory should go to security-officer at isc.org.
>>>> 
>>>> ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy
>>>> 
>>>> Legal Disclaimer: 
>>>> Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
>>>> 
>>>> A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
>>>> 
>>>> -- 
>>>> [ plosher at isc.org | Senior Operations Architect | ISC | PGP E8048D08 ]
>>>> 
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations at lists.dns-oarc.net
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>> dns-jobs mailing list
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>>> 
>>> 
>> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> 

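An added triage helper for the advisory quoted above (my own example, not code from ISC or from anyone in this thread). It does two things an operator wants to do before deciding on the "can't upgrade" question: scan named's log for the query.c assertion that CVE-2011-4313 leaves behind, and decide from `named -v` output whether a resolver is already on a fixed release. The minimum-fixed table is taken from the advisory's list (9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1); the assumption that any later release on the same branch carries the fix, the exact `query.c:NNNN` line number, and the sample log lines are all constructed for the example.

```python
import re

# Minimum fixed (release, patchlevel) per supported BIND 9 branch, from the
# advisory's patched-version list. Assumption: later releases on the same
# branch keep the fix. Key is (major, minor, is_esv).
FIXED = {
    (9, 8, False): (1, 1),   # 9.8.1-P1
    (9, 7, False): (4, 1),   # 9.7.4-P1
    (9, 6, True):  (5, 1),   # 9.6-ESV-R5-P1
    (9, 4, True):  (5, 1),   # 9.4-ESV-R5-P1
}

# Accepts "BIND 9.8.1-P1", "9.7.3-P3", "9.6-ESV-R5-P1", "9.6-ESV", etc.
VERSION_RE = re.compile(
    r"(?:BIND\s+)?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<release>\d+))?"
    r"(?:-ESV(?:-R(?P<esv>\d+))?)?"
    r"(?:-P(?P<patch>\d+))?"
)

# The assertion message quoted in the advisory; the query.c line number in
# real logs varies by version, so it is matched loosely.
ASSERT_RE = re.compile(
    r"query\.c:\d+:\s*INSIST\(!\s*dns_rdataset_isassociated\(sigrdataset\)\)"
)


def parse_version(text):
    """Return (major, minor, is_esv, release, patch) from a 'named -v' string.
    ESV branches use the R number as their release number."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised BIND version string: %r" % text)
    major, minor = int(m.group("major")), int(m.group("minor"))
    is_esv = "-ESV" in m.group(0)
    release = int(m.group("esv") or m.group("release") or 0)
    patch = int(m.group("patch") or 0)
    return major, minor, is_esv, release, patch


def is_fixed(text):
    """True if the version is at or above the fixed release for its branch,
    False if below it, None if the branch is not in the advisory's table
    (e.g. a non-ESV 9.6.x or a branch released after the advisory)."""
    major, minor, is_esv, release, patch = parse_version(text)
    key = (major, minor, is_esv)
    if key not in FIXED:
        return None
    return (release, patch) >= FIXED[key]


def find_crash_lines(lines):
    """Return the log lines carrying the CVE-2011-4313 assertion failure."""
    return [line for line in lines if ASSERT_RE.search(line)]


def triage(version_text, log_lines):
    """Combine both checks into one verdict for a resolver."""
    hits = find_crash_lines(log_lines)
    fixed = is_fixed(version_text)
    if fixed is True:
        verdict = "patched"
    elif fixed is False:
        verdict = "vulnerable, upgrade"
    else:
        verdict = "branch not covered by advisory, check ISC"
    return {"version": version_text, "fixed": fixed,
            "crashes_seen": len(hits), "verdict": verdict}


# Constructed sample log in named's default log format; the query.c line
# number and timestamps are made up for the example.
SAMPLE_LOG = """\
16-Nov-2011 17:02:11.103 general: info: received control channel command 'stats'
16-Nov-2011 17:02:14.577 general: critical: query.c:1234: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
16-Nov-2011 17:02:14.577 general: critical: exiting (due to assertion failure)
16-Nov-2011 17:02:20.001 general: notice: starting BIND 9.7.3-P3
""".splitlines()


if __name__ == "__main__":
    # In practice feed it: subprocess.check_output(["named", "-v"]) and
    # open("/var/log/named.log").
    print(triage("BIND 9.7.3-P3", SAMPLE_LOG))
```

A `None` verdict is deliberate: a version string the table does not cover (a non-ESV 9.6.x, or a branch newer than the advisory) should send you to the ISC advisory URL rather than be silently scored as safe.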



More information about the dns-operations mailing list