JPCERT-AT-2011-0031 JPCERT/CC 2011-11-17 (First edition) 2011-11-25 (Updated) <<< JPCERT/CC Alert 17.11.11 >>> ISC BIND 9 DoS Vulnerability https://www.jpcert.or.jp/at/2011/at110031.txt I. Overview ISC BIND 9 cache DNS servers contain a vulnerability that can be used in denial of service (DoS) attacks. As a result, it is possible for remote attackers to have specially crafted records cached in DNS servers using BIND 9, and carry out a denial of service (DoS) attack by having those records requested. According to ISC, there have been reports from several organizations of DNS servers crashing. As of November 17, 2011, JPCERT/CC has not confirmed publicly released attack code. ISC has released patches to prevent systems from crashing. Please refer to "III. Solution" and consider applying these patches. Japanese version of notice for CVE-2011-4313 IND 9 Resolver Crashes after Logging an Error in query.c https://www.isc.org/advisorycve20114313JP II. Products Affected *** Update: Modified on 25.11.2011 *********************************** According to ISC, the following versions are affected by this vulnerability. ISC BIND 9 * Affects all versions of BIND 9. For more information, refer to information from ISC. ISC BIND 9 Resolver crashes after logging an error in query.c https://www.isc.org/software/bind/advisories/cve-2011-4313 If using a BIND supplied by a distributor, please refer to information provided by said distributor. ********************************************************************** III. Solution ISC has released patches that prevent system crashes as a result of the vulnerability. When a DNS server crashes as a result of this vulnerability, the following message will appear in its logs. Please test patches thoroughly before applying them. If you decide not to apply these patches, check the logs on your DNS servers as appropriate, and if the following error message appears in the server log files, please consider applying the patches. "INSIST(! dns_rdataset_isassociated(sigrdataset))" Patches have been applied to the following versions. ISC BIND - 9.4-ESV-R5-P1 - 9.6-ESV-R5-P1 - 9.7.4-P1 - 9.8.1-P1 Additionally, corrected versions are also being provided by several distributors. IV. References ISC BIND 9 Resolver crashes after logging an error in query.c https://www.isc.org/software/bind/advisories/cve-2011-4313 Japanese version of notice for CVE-2011-4313 IND 9 Resolver Crashes after Logging an Error in query.c https://www.isc.org/advisorycve20114313JP?https://www.isc.org/software/bind/advisories/cve-2011-4313 BIND software version status http://www.isc.org/software/bind/versions Japan Registry Services Co., Ltd. (JPRS) (Urgent) Shutdown of named Service Due to Problems in BIND 9.x Cache DNS Server Function Implementation http://jprs.jp/tech/security/2011-11-17-bind9-vuln-crash-after-logging-an-error.html *** Update: Added on 25.11.2011 ************************************** JVNVU#606539 ISC BIND Denial of Service (DoS) vulnerability https://jvn.jp/cert/JVNVU606539/ ********************************************************************** *** Update: Added on 18.11.2011 ************************************** Japan Network Information Center (JPNIC) Vulnerability in ISC BIND 9 http://www.nic.ad.jp/ja/topics/2011/20111117-01.html Red Hat, Inc CVE-2011-4313 https://www.redhat.com/security/data/cve/CVE-2011-4313.html ********************************************************************** Debian GNU Linux [SECURITY] [DSA 2347-1] bind9 security update http://lists.debian.org/debian-security-announce/2011/msg00225.html Ubuntu Ubuntu Security Notice USN-1264-1 http://www.ubuntu.com/usn/usn-1264-1/ If you have any further questions or information regarding this alert, please contact JPCERT/CC. ________ Revision history 2011-11-17 First edition 2011-11-18 Added references 2011-11-25 Modified "II. Products Affected" added references ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/