[dns-operations] [ISC Security Advisory] BIND 9 Resolver crashes after logging an error in query.c
David Ulevitch
david at opendns.com
Wed Nov 16 23:32:46 UTC 2011
On Nov 16, 2011, at 2:32 PM, Mark Andrews wrote:
>
> In message <1BB81A08-DAF3-469A-8545-1A44D0A15B38 at virtualized.org>, David Conrad
> writes:
>> Is it even possible to disable DNSSEC without recompilation?
>>
>> Regards,
>> -drc
>
> server 0.0.0.0/0 {
> edns no;
> };
>
> server ::/0 {
> edns no;
> };
>
1) Does that prevent the bug?
2) I'm not a BIND expert, is that the preferred way of disabling DNSSEC? Losing edns support has other consequences that may be undesirable.
-David
>>
>> On Nov 16, 2011, at 1:15 PM, David Ulevitch wrote:
>>
>>> The bug appears to be RRSIG / DNSSEC related. Does disabling all DNSSEC su
>> pport fix it for folks who can't upgrade?
>>>
>>> -David
>>>
>>> On Nov 16, 2011, at 12:25 PM, Peter Losher wrote:
>>>
>>>> BIND 9 Resolver crashes after logging an error in query.c
>>>>
>>>> Summary: Organizations across the Internet reported crashes interrupting s
>> ervice on BIND 9 nameservers performing recursive queries. Affected servers c
>> rashed after logging an error in query.c with the following message: "INSIST(
>> ! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported be
>> ing affected, including all currently supported release versions of ISC BIND
>> 9. ISC is actively investigating the root cause and has produced patches whic
>> h prevent the crash. Further information will be made available soon.
>>>>
>>>> CVE: CVE-2011-4313
>>>> Document Version: 1.1
>>>> Document URL: http://www.isc.org/software/bind/advisories/cve-2011-4313
>>>> Posting date: 16 Nov 2011
>>>> Program Impacted: BIND
>>>> Versions affected: All currently supported versions of BIND, 9.4-ESV, 9.6-
>> ESV, 9.7.x, 9.8.x
>>>> Severity: Serious
>>>> Exploitable: Remotely
>>>>
>>>> Description:
>>>> An as-yet unidentified network event caused BIND 9 resolvers to cache an i
>> nvalid record, subsequent queries for which could crash the resolvers with an
>> assertion failure. ISC is working on determining the ultimate cause by which
>> a record with this particular inconsistency is cached.At this time we are ma
>> king available a patch which makes named recover gracefully from the inconsis
>> tency, preventing the abnormal exit.
>>>>
>>>> The patch has two components. When a client query is handled, the code whi
>> ch processes the response to the client has to ask the cache for the records
>> for the name that is being queried. The first component of the patch prevents
>> the cache from returning the inconsistent data. The second component prevent
>> s named from crashing if it detects that it has been given an inconsistent an
>> swer of this nature.
>>>>
>>>> CVSS Score: 7.8
>>>>
>>>> CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
>>>>
>>>> Workarounds:
>>>> No workarounds are known. The solution is to upgrade. Upgrade BIND to one
>> of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.
>> 4-ESV-R5-P1
>>>>
>>>> Active exploits:
>>>> Under investigation
>>>>
>>>> Solution:
>>>> Patches mitigating the issue are available at:
>>>> https://www.isc.org/software/bind/981-p1
>>>> https://www.isc.org/software/bind/974-p1
>>>> https://www.isc.org/software/bind/96-esv-r5-p1
>>>> https://www.isc.org/software/bind/94-esv-r5-p1
>>>>
>>>> ISC is receiving multiple reports and working with multiple customers on t
>> his issue. Please E-mail all questions, packet captures, and details to secur
>> ity-officer at isc.org
>>>>
>>>> We very much appreciate all reports received on this issue.
>>>>
>>>> Related Documents:
>>>> Do you have Questions? Questions regarding this advisory should go to secu
>> rity-officer at isc.org.
>>>>
>>>> ISC Security Vulnerability Disclosure Policy: Details of our current secur
>> ity advisory policy and practice can be found here: https://www.isc.org/secur
>> ity-vulnerability-disclosure-policy
>>>>
>>>> Legal Disclaimer:
>>>> Internet Systems Consortium (ISC) is providing this notice on an "AS IS" b
>> asis. No warranty or guarantee of any kind is expressed in this notice and no
>> ne should be implied. ISC expressly excludes and disclaims any warranties reg
>> arding this notice or materials referred to in this notice, including, withou
>> t limitation, any implied warranty of merchantability, fitness for a particul
>> ar purpose, absence of hidden defects, or of non-infringement. Your use or re
>> liance on this notice or materials referred to in this notice is at your own
>> risk. ISC may change this notice at any time.
>>>>
>>>> A stand-alone copy or paraphrase of the text of this document that omits t
>> he document URL is an uncontrolled copy. Uncontrolled copies may lack importa
>> nt information, be out of date, or contain factual errors.
>>>>
>>>> --
>>>> [ plosher at isc.org | Senior Operations Architect | ISC | PGP E8048D08 ]
>>>>
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations at lists.dns-oarc.net
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>> dns-jobs mailing list
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>>>
>>>
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>> dns-jobs mailing list
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
More information about the dns-operations
mailing list