Tech Talk

[BIND 9.x security patch]

FYI...

BIND 9.x security patch
- http://isc.sans.org/diary.html?storyid=5641
Last Updated: 2009-01-08 02:00:56 UTC - ""The Internet Systems Consortium  http://www.isc.org  has released an update for all supported BIND 9.x versions today (2009-Jan-07) containing a security patch to address a potential DNS poisoning vector. *NOTE*  This patch release does not appear to be an emergency situation requiring immediate updates for all... Patch deployment would appear most critical among recursive name resolvers. The flaw affects all actively developed and supported versions prior to and resolved with today's release of BIND 9.3.6-P1, 9.4.3-P1, 9.5.0-P2(-W2), 9.5.1-P1 and 9.6.0-P1... check with your vendor.
From the BIND "RELEASE NOTES" relative to each specific supported version:
"BIND 9.6.0-P1 is a SECURITY patch for BIND 9.6.0. It addresses a bug in which return values from some OpenSSL functions were left unchecked, making it theoretically possible to spoof answers from some signed zones."
ISC BIND Server software Index
https://www.isc.org/downloadables/11 ..."

> https://www.isc.org/node/373
7 January 2009

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0025
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5077

 

[BIND Dynamic Update DoS - update]

FYI...

BIND Dynamic Update DoS - update
- https://www.isc.org/node/474
CVE: CVE-2009-0696    
CERT: http://www.kb.cert.org/vuls/id/725188    
Posting date: 2009-07-28    
Program Impacted: BIND    
Versions affected: BIND 9 (all versions)
Severity: High    
Exploitable: remotely    
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.
Description:
Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.
This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.
dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.
db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).
Workarounds: None.
(Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)

Active exploits: An active remote exploit is in wide circulation at this time.
Solution: Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:
    http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz
    http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz
    http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz ...

- http://www.us-cert.gov/current/#internet_systems_consortium_bind_9
July 29, 2009

 

[ISC BIND DNSSEC Cache Poisoning vuln - update available]

FYI...

ISC BIND DNSSEC Cache Poisoning vuln - update available
- http://secunia.com/advisories/37426/2/
Release Date: 2009-11-25
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.4.x, ISC BIND 9.5.x, ISC BIND 9.6.x ...
Solution: Update to version 9.4.3-P4, 9.5.2-P1, or 9.6.1-P2.
https://www.isc.org/downloadables/11
Original Advisory:
https://www.isc.org/node/504
CVE reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4022
Last revised: 11/27/2009

- http://atlas.arbor.net/briefs/index#1385906170

 

[BIND name server updates - DNSSEC]

FYI...

BIND name server updates - DNSSEC
- http://isc.sans.org/diary.html?storyid=7750
Last Updated: 2009-12-15 13:47:50 UTC - "Over the first half of 2010, ICANN/IANA plan to sign the root zone [1]. The DNSSEC signature will use SHA256 hashes, which are not supported in older but common versions of BIND. If you run BIND 9.6.0 or 9.6.0P1, you may have issues with these signatures. The bug was fixed in BIND 9.6.1.
From the ISC.org mailing list:
"ISC has arranged for two test zones to be made available which are signed using the new algorithms which are listed in dlv.isc.org.
You can test whether you can successfully resolve these zones using the following queries.
dig rsasha256.island.dlvtest.dns-oarc.net soa
dig rsasha512.island.dlvtest.dns-oarc.net soa

[1] http://www.icann.org/en/announcements/announcement-2-09oct08-en.htm
[2] https://www.isc.org/software/bind/dnssec "

 

[BIND v9.6.1-P3 released]

FYI...

BIND v9.6.1-P3 released
- http://isc.sans.org/diary.html?storyid=8029
Last Updated: 2010-01-20 03:24:17 UTC - "Internet Systems Consortium (ISC) announced the release of the BIND 9.6.1-P3 security patch to address two cache poisoning vulnerabilities, "both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid."
- https://www.isc.org/advisories/CVE-2010-0097
- https://www.isc.org/advisories/CVE-2009-4022v6
Download:
- https://www.isc.org/downloadables/11 ..."

- http://secunia.com/advisories/38219/2/
Release Date: 2010-01-20
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.4.x, ISC BIND 9.5.x, ISC BIND 9.6.x
US-CERT VU#360341: http://www.kb.cert.org/vuls/id/360341

 

[BIND v9.6.2 released]

FYI...

BIND v9.6.2 released
- http://isc.org/files/release-notes/962.html#RELEASE
28 Feb 2010

- http://isc.org/files/release-notes/962.html#DOWNLOADS

Windows Download
- http://isc.org/software/bind/962/download/bind962zip

- http://isc.sans.org/diary.html?storyid=8335
Last Updated: 2010-03-02 13:19:13 UTC

 

[BIND vulns/updates released]

FYI...

BIND vulns/updates released

Security Advisories
- http://www.isc.org/advisories/bind

- http://secunia.com/advisories/42374/
Release Date: 2010-12-02
Software: ISC BIND 9.6.x, ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/software/bind/advisories/cve-2010-3613

- http://secunia.com/advisories/42435/
Release Date: 2010-12-02
Software: ISC BIND 9.4.x, ISC BIND 9.6.x, ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/software/bind/advisories/cve-2010-3614

- http://secunia.com/advisories/42458/
Release Date: 2010-12-02
Software: ISC BIND 9.7.x
Original Advisory:
https://www.isc.org/software/bind/advisories/cve-2010-3615

- http://www.us-cert.gov/current/#internet_systems_consortium_bind_vulnerabilities
December 2, 2010

- http://www.securitytracker.com/id?1024817
Dec 2 2010

 

[BIND DoS vuln advisory - v9.7.1-9.7.2-P3]

FYI...

BIND DoS vuln advisory - v9.7.1-9.7.2-P3
- http://www.isc.org/software/bind/advisories/cve-2011-0414
22 Feb 2011
Versions affected: 9.7.1-9.7.2-P3
Severity: High
Exploitable: remotely
"... upgrade to BIND 9.7.3.... If you run BIND 9.6.x, 9.6-ESV-Rx, or 9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is End of Life and is not supported by ISC. BIND 9.8 is -not- vulnerable..."

- http://www.isc.org/software/bind

- http://www.securitytracker.com/id/1025110
Feb 23 2011

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0414
Last revised: 02/23/2011

 

[BIND - DoS vuln - update available]

FYI...

BIND - DoS vuln - update available
- http://secunia.com/advisories/44416/
Release Date: 2011-05-06
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Software: ISC BIND 9.8.x
CVE Reference: CVE-2011-1907   
Solution: Update to version 9.8.0-P1 or higher.
Original Advisory: https://www.isc.org/CVE-2011-1907

- http://www.securitytracker.com/id/1025503
May 6 2011

 

[ISC BIND vuln]

FYI...

ISC BIND vuln...
- http://secunia.com/advisories/44719/
Release Date: 2011-05-27
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Software: ISC BIND 9.4.x, 9.6.x, 9.7.x, 9.8.x
CVE Reference: CVE-2011-1910
Solution: Update to version 9.4-ESV-R4-P1 as soon as available or versions 9.6-ESV-R4-P1, 9.7.3-P1, and 9.8.0-P2.
Original Advisory: https://www.isc.org/software/bind/advisories/cve-2011-1910

 

[ISC BIND - DoS vulns/updates]

FYI...

ISC BIND - DoS vulns/updates
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2464
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2465

- http://secunia.com/advisories/45082/
Release Date: 2011-07-05
Criticality level: Moderately critical
Impact: DoS
Where: From remote ...
Software: ISC BIND 9.6.x, ISC BIND 9.7.x
Solution: Update to versions 9.6-ESV-R4-P3, 9.7.3-P3.
Original Advisory: http://www.isc.org/software/bind/advisories/cve-2011-2464
Severity: High
- http://secunia.com/advisories/45185/
Release Date: 2011-07-05
Criticality level: Moderately critical
Impact: DoS
Where: From remote ...
Software: ISC BIND 9.8.x
Solution: Update to version 9.8.0-P4.
Original Advisory: http://www.isc.org/software/bind/advisories/cve-2011-2465
Severity: High
- http://www.securitytracker.com/id/1025743
- http://www.securitytracker.com/id/1025742
Jul 5 2011
___

IBM AIX BIND - DNSSEC
- http://aix.software.ibm.com/aix/efixes/security/bind9_advisory2.asc
Jul 15 2011
CVE Numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3613
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3614

 

[BIND 9 updates released]

FYI...

BIND 9 updates released

- https://www.isc.org/software/bind/advisories/cve-2011-4313
5 December update... "... Workarounds:
The best solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
5 December Update: For customers who are unable to migrate immediately to a patched version of BIND, there is now a mitigation strategy available.  ISC continues to strongly recommend installing a patched version as the safest course of action, but if circumstances prevent you from doing so you can still reduce or eliminate your exposure to the CVE-2011-4313 vulnerability with a configuration option addition to named.conf.
Please see this Supplemental page* in our KnowledgeBase for full details of this workaround and other operational considerations...
* https://deepthought.isc.org/article/AA-00549
Last Updated: 2011-12-05
• Authoritative-only servers are -not- vulnerable. Only servers acting in a recursive / resolving capacity are affected.
• Recursive servers are vulnerable if they query zones which you do not directly control (for example, if they query zones on the internet.)
• Resolving queries through a forwarder does not prevent exposure to this vulnerability.
• You are potentially vulnerable if you resolve queries for data provided by a third party.  Examples could include addresses in email, html links in web pages, or queries submitted by users..."

* https://www.isc.org/software/bind/advisories/cve-2011-4313
16 November 2011 - "... reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9...
CVE: CVE-2011-4313
Versions affected: All currently supported versions of BIND, 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x
Severity: Serious
Exploitable: Remotely ...
Workarounds: No workarounds are known. The solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
Active exploits: Under investigation
Solution: Patches mitigating the issue are available at:
https://www.isc.org/software/bind/981-p1
https://www.isc.org/software/bind/974-p1
https://www.isc.org/software/bind/96-esv-r5-p1
https://www.isc.org/software/bind/94-esv-r5-p1 ...

- https://secunia.com/advisories/46887/
Last Update: 2011-11-17
Criticality level: Highly critical
Impact: DoS
Where: From remote
... vulnerability is reported in versions 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x.
Solution: Update to a fixed version or apply patch (please see the vendor's advisory* for details)....

- http://www.securitytracker.com/id/1026335
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313
Date: Nov 17 2011
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes  
Version(s): 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x ...

- https://isc.sans.edu/diary.html?storyid=12049
Last Updated: 2011-11-17 12:58:47 UTC

- http://h-online.com/-1380518
17 November 2011 - "... Update: Patches for Red Hat Enterprise Linux have been released; the advisories RHSA-2011:1458 and RHSA-2011:1459 contain further details."
- http://rhn.redhat.com/errata/RHSA-2011-1458.html
- http://rhn.redhat.com/errata/RHSA-2011-1459.html

- http://www.theregister.co.uk/2011/11/16/bind_in_a_bind_again/
16th November 2011 22:17 GMT - "... apparently being exploited to attack networks, with multiple members of the BIND users email list from Germany, France and the US reporting simultaneous crashes across multiple servers..."

 

[Oracle Solaris ISC-BIND vuln]

FYI...

Oracle Solaris ISC-BIND vuln
- https://secunia.com/advisories/46984/
Release Date: 2011-11-24
Criticality level: Highly critical
Impact: DoS
Where: From remote
Operating System: Sun Solaris 10.x, 8, 9
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313
CVSS v2 Base Score: 5.0 (MEDIUM)
Last revised: 12/01/2011
Solution: Apply patches.
Original Advisory: http://blogs.oracle.com/sunsecurity/entry/cve_2011_4313_denial_of
Nov 29, 2011

Others: http://blogs.oracle.com/sunsecurity/
___

- https://www.isc.org/software/bind/advisories/cve-2011-4313
CVE: CVE-2011-4313
16 Nov 2011

 

[BIND TCP Memory Leak]

FYI...

BIND TCP Memory Leak ...
- http://www.securitytracker.com/id/1027297
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3868 - 4.3
Jul 25 2012
Version(s): 9.9.0 through 9.9.1-P1
Description: A vulnerability was reported in BIND. A remote user can cause denial of service conditions...
Impact: A remote user can cause performance degradation on the target system.
Solution: The vendor has issued a fix (9.9.1-P2).
The vendor's advisory is available at: https://kb.isc.org/article/AA-00730
Severity: High

BIND DNSSEC Validation Cache Failure ...
- http://www.securitytracker.com/id/1027296
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817 - 7.8 (HIGH)
Jul 25 2012
Version(s): 9.6-ESV-R1 through 9.6-ESV-R7-P1; 9.7.1 through 9.7.6-P1; 9.8.0 through 9.8.3-P1; 9.9.0 through 9.9.1-P1
Description: A vulnerability was reported in BIND. A remote user can cause denial of service conditions...
Impact: A remote user can cause the target system to crash.
Solution: The vendor has issued a fix (9.9.1-P2, 9.8.3-P2, 9.7.6-P2, 9.6-ESV-R7-P2).
The vendor's advisory is available at: https://kb.isc.org/article/AA-00729
Severity: Critical

 

[ISC BIND DoS vuln - update available]

FYI...

ISC BIND DoS vuln - update available
- http://www.securitytracker.com/id/1027529
Sep 13 2012
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4244 - 7.8 (HIGH)
Impact: Denial of service via network
Solution: The vendor has issued a fix (9.7.6-P3, 9.7.7, 9.6-ESV-R7-P3, 9.6-ESV-R8, 9.8.3-P3, 9.8.4, 9.9.1-P3, 9.9.2).
Description: ... A remote user can cause denial of service conditions.
The vendor's advisory is available at:
https://kb.isc.org/article/AA-00778/74
Severity: Critical

- https://secunia.com/advisories/50610/
Release Date: 2012-09-13
Criticality level: Moderately critical
Impact: DoS
Where: From remote...
___

- https://www.isc.org/software/bind/security/matrix