JPCERT-AT-2013-0026 JPCERT/CC 2013-06-05 <<< JPCERT/CC Alert 2013-06-05 >>> Denial of service vulnerability in ISC BIND 9 (CVE-2013-3919) https://www.jpcert.or.jp/english/at/2013/at130026.html I. Overview ISC BIND 9 contains a vulnerability that causes a denial of service (DoS). An error may occur in named when receiving a query for a record in a specially malformed zone, which may result in a denial of service (DoS) condition. According to ISC, attacks leveraging this issue have yet to be confirmed in the wild. However, if using a version that is affected, please refer to the information in "III. Solution" and consider updating to the most recent version. Internet Systems Consortium, Inc. (ISC) CVE-2013-3919: A recursive resolver can be crashed by a query for a malformed zone https://kb.isc.org/article/AA-00967 II. Products Affected According to ISC, the following versions are affected by this vulnerability. ISC BIND - 9.6-ESV-R9 - 9.8.5 - 9.9.3 Severity according to ISC: High * Versions 9.6.0 through 9.6-ESV-R8, 9.8.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 are not affected. * Versions 9.7.x and 9.5.x are not affected, but are no longer supported. If using one of these versions, please consider transitioning to a version that is currently supported. III. Solution ISC has released versions of BIND that address this vulnerability. Please update to a fixed version after thorough testing. Updated versions are as follows: ISC BIND - 9.6-ESV-R9-P1 - 9.8.5-P1 - 9.9.3-P1 IV. References Japan Registry Services Co., Ltd. (JPRS) (Critical) Vulnerability in BIND 9.x (DNS service suspension) (Release on June 5, 2013) http://jprs.jp/tech/security/2013-06-05-bind9-vuln-malformed-zone.html Japan Network Information Center (JPNIC) Vulnerability in ISC BIND 9 (June, 2013) https://www.nic.ad.jp/ja/topics/2013/20130605-01.html