Knowledge Base ISC Main Website Ask a Question/Contact ISC
CVE-2011-2465: ISC BIND 9 Remote Crash With Certain RPZ Configurations
Author: Michael McNally Reference Number: AA-00458 Views: 2085 Created: 2011-09-09 23:21 Last Updated: 2012-06-07 17:39 0 Rating/ Voters

ISC BIND 9 Remote Crash with Certain RPZ Configurations

Two defects were discovered in ISC's BIND 9 code. These defects only affect BIND 9 servers which have recursion enabled and which use a specific feature of the software known as Response Policy Zones (RPZ) and where the RPZ zone contains a specific rule/action pattern.
Document Version: 
 2.1
Posting date: 
05 Jul 2011
Program Impacted: 
BIND
Versions affected: 
9.8.0, 9.8.0-P1, 9.8.0-P2 and 9.8.1b1 Other versions of BIND 9 not listed here are not vulnerable to this problem.
Severity: 
High
Exploitable: 
Remotely
Description: 

A defect in the affected versions of BIND could cause the "named" process to exit when queried, if the server has recursion enabled and was configured with an RPZ zone containing certain types of records. Specifically, these are any DNAME record and certain kinds of CNAME records.

The patch release of BIND 9.8.0-P4 alters the behavior of RPZ zones by ignoring any DNAME records in an RPZ zone, and correctly returning CNAME records from RPZ zones.

Note that DNAME has no defined effect on the RPZ engine and its presence in an RPZ zone is ignored. The definitive list of meaningful patterns in an RPZ zone is given in the BIND 9 Administrative Reference Manual and also in ISC Technical Note 2010-1.

CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds: 

Do not put certain CNAME or any DNAME records into an RPZ zone file until your software can be patched. If you subscribe to a service which supplies your RPZ zone data, ensure that it does not contain any DNAME or certain CNAME records. The CNAME records which must not be used are those which signal the RPZ engine to rewrite query names. CNAME records which signal the RPZ engine to forge an NXDOMAIN response arenot affected by this defect.

An example of an RPZ rule which causes a query name to be rewritten is:

*.malicious-domain.com CNAME walled-garden.isp.net

An example of an RPZ rule which causes an NXDOMAIN response to be returned is:

*.malicious-domain.com CNAME .

Please refer to the BIND 9 Administrative Reference Manual or to ISC Technical Note 2010-1 for more information about the Response Policy Zone (RPZ) feature which was added to BIND 9 in Version 9.8.0.

Active exploits: 
ISC received reports of this software flaw and verified the report's accuracy.
Solution: 

Upgrade to: 9.8.0-P4. (Note that 9.8.0-P3 is not affected but has been replaced by 9.8.0-P4 due to CVE-2011-2464)

Review the BIND Vulnerability Matrix to insure older versions of BIND are not at risk to an older vulnerability.

Download this version from the following location:

  • ISC releases of BIND 9 software may be downloaded from http://www.isc.org/software/bind
  • If you do not obtain your BIND software directly from ISC, contact your operating system or software vendor for an update.
  • If you are participating in ISC's Beta or release candidate (RC) program, please upgrade. ISC Beta/RC testers are expected to remove vulnerable versions and upgrade. No security advisories are issued for beta / release candidates once the corresponding final release is made.

Acknowledgement: ISC thanks Bryce Moore from TELUS Security Labs for finding and reporting this issue.

Document Revision History

  • Version 1.0 - 14 June 2011: Phase One Disclosure Date
  • Version 1.1 - 20 June 2011: Phase Two Disclosure Date with updates.
  • Version 1.2 - 21 June 2011: Updates on beta, RC, and clarity editing
  • Version 1.3 - 24 June 2011: Added document URL
  • Version 1.4 - 28 June 2011:  Updated Solution and description (revised to recommend 9.8.0-P4 per CVE-2011-2464)
  • Version 1.5 - 4 July 2011:  Phase Three and Four Disclosure Date
  • Version 2.0 - 5 July 2011:  Public Disclosure
  • version 2.1 - 5 July 2011: Added link to BIND Vulnerablity Matrix and CVSS Worksheet. Added JPRS Partner Link, along with ISC's Spanish and Japanese Translations

References:

 

© 2001-2014 Internet Systems Consortium

Feedback
  • Please help us to improve the content of our knowledge base by letting us know how we can improve this article or by submitting suggestions for other articles you'd like to see created. Information on how to obtain further help on our products or services can be found on our main website.' If you have a technical question or problem on which you'd like help, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.
Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu