CVE-2011-1910: Large RRSIG RRsets and Negative Caching Can Crash named
Author: Michael McNally Reference Number: AA-00459 Views: 2631 Created: 2011-09-09 23:22 Last Updated: 2012-06-07 17:43

Large RRSIG RRsets and Negative Caching Can Crash named


A BIND 9 DNS server configured as a caching resolver is vulnerable when a user queries a name whose negative response carries very large resource record sets (RRsets) and the resolver attempts to cache that response negatively. This can cause the BIND 9 DNS server (the named process) to crash.


CERT: VU#795694
Document Version: 1.5
Posting date: 26 May 2011
Program Impacted: BIND
Versions affected:
  9.4: 9.4-ESV-R3, -R4, -R5b1
  9.5: 9.5.3b1, 9.5.3rc1 (end-of-life)
  9.6: 9.6.3, 9.6-ESV-R2, -R3, -R4, -R5b1
  9.7: 9.7.1, 9.7.1-P1, -P2, 9.7.2, 9.7.2-P1, -P2, -P3, 9.7.3, 9.7.4b1
  9.8: 9.8.0, 9.8.0-P1, 9.8.1b1
Severity: High
Exploitable: remotely
Description:

DNS systems use negative caching to improve DNS response time: it keeps a resolver from repeatedly looking up names that do not exist. Any NXDOMAIN or NODATA/NOERROR response is placed in the negative cache.

The authority data will be cached along with the negative cache information. These authoritative “Start of Authority” (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type. In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.

The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup).

DNSSEC does not need to be enabled on the resolver for it to be vulnerable.
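As an added illustration, not BIND's code and not the real check or sizes involved in this bug, the following Python model shows the two things the description above combines: a signed zone's negative response grows by two RRSIG records per DNSSEC key (one covering the SOA, one covering the NSEC), and a size check that leaves out one byte accepts an entry that exactly fills the buffer, after which a later internal consistency assertion (the model's stand-in for an INSIST in named) fires. The record encoding, the trailer byte, the buffer size and the zone name are all assumptions of this model.

```python
# Added illustrative model, not BIND's code. Sizes, the trailer byte and the
# record layout are assumptions chosen to make the boundary case visible.

RR_HEADER_LEN = 10   # type(2) + class(2) + ttl(4) + rdlength(2), as on the wire
TRAILER_LEN = 1      # assumed: one terminator byte written after the records


def wire_size(name: str, rdata_len: int) -> int:
    """Approximate wire size of one RR: length-prefixed labels + root + header + rdata."""
    name_len = sum(1 + len(label) for label in name.strip(".").split(".")) + 1
    return name_len + RR_HEADER_LEN + rdata_len


def authority_section(zone: str, num_keys: int, sig_len: int = 100) -> list:
    """Constructed authority section of an NXDOMAIN answer from a signed zone:
    SOA and NSEC as the proof records, plus one RRSIG per DNSSEC key per RRset."""
    rrs = [(zone, "SOA", 60), (zone, "NSEC", 40)]
    for _ in range(num_keys):
        rrs.append((zone, "RRSIG", sig_len))   # signature over the SOA RRset
        rrs.append((zone, "RRSIG", sig_len))   # signature over the NSEC RRset
    return rrs


def entry_size(rrs) -> int:
    """Bytes needed for the records of one negative-cache entry."""
    return sum(wire_size(name, rdlen) for name, _, rdlen in rrs)


class AssertionFailure(Exception):
    """Stands in for a failed INSIST(): in named this terminates the whole process."""


def store_vulnerable(rrs, buf_size: int) -> str:
    needed = entry_size(rrs)
    if needed > buf_size:          # off by one: forgets the trailer, so needed == buf_size passes
        return "rejected"
    written = needed + TRAILER_LEN
    if written > buf_size:         # the late consistency check that actually fires
        raise AssertionFailure(f"wrote {written} bytes into a {buf_size}-byte buffer")
    return "cached"


def store_fixed(rrs, buf_size: int) -> str:
    needed = entry_size(rrs) + TRAILER_LEN   # count everything that will be written
    if needed > buf_size:
        return "rejected"           # too large to cache; the resolver keeps running
    return "cached"


def outcomes(buf_size: int, max_keys: int = 8) -> dict:
    """Map number of DNSSEC keys -> (vulnerable outcome, fixed outcome)."""
    result = {}
    for k in range(1, max_keys + 1):
        rrs = authority_section("example.", k)
        try:
            vulnerable = store_vulnerable(rrs, buf_size)
        except AssertionFailure:
            vulnerable = "crash"
        result[k] = (vulnerable, store_fixed(rrs, buf_size))
    return result


if __name__ == "__main__":
    for keys, (old, new) in outcomes(1090, 5).items():
        print(f"{keys} key(s): entry {entry_size(authority_section('example.', keys))} bytes,"
              f" vulnerable check -> {old}, fixed check -> {new}")
```

With the model's sizes, the entry is 138 + 238k bytes for k keys, so a 1090-byte buffer is filled exactly at four keys: the vulnerable check lets that entry through and the assertion fires, while the fixed check simply declines to cache it. Entries that are clearly too large are rejected by both checks, which is why only the boundary case is dangerous.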

CVSS Score: Base 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Workarounds: 

Restricting access to the DNS caching resolver infrastructure provides partial mitigation. Active exploitation can still be accomplished through malware or spam/malvertising actions that force authorized clients to look up domains that would trigger this vulnerability.
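An added example of the access restriction suggested above, not text from the original advisory: two named.conf fragments, the open-resolver setting beside the restricted one. The ACL name and the address ranges are placeholders to be replaced with the organization's own client networks, and only one of the two options blocks belongs in a real configuration.

```conf
// OPEN: any host that can reach the server may recurse and read the cache
options {
    recursion yes;
    allow-recursion { any; };
    allow-query-cache { any; };
};

// RESTRICTED: recursion and cache access limited to known client networks
acl "internal-clients" {        // placeholder ACL name
    localhost;
    192.0.2.0/24;               // placeholder IPv4 client range
    2001:db8::/32;              // placeholder IPv6 client range
};

options {
    recursion yes;
    allow-recursion { internal-clients; };
    allow-query-cache { internal-clients; };
};
```

As the advisory notes, this only narrows who can drive the lookup; a client inside the ACL that is induced to resolve a name in a hostile zone still reaches the vulnerable code path, so the restriction complements the upgrade rather than replacing it.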

Active exploits: 
This issue has caused unintentional outages.
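As an added operational check, not part of the advisory: a Python snippet that scans syslog for the message pair BIND 9 writes when an internal assertion fails ("file.c:NNN: INSIST(...) failed" followed by "exiting (due to assertion failure)"), so an unexplained resolver outage can be attributed to an assertion exit rather than, say, a memory kill. The log lines are constructed samples, and the source file, line number and expression in them are placeholders rather than the real location of this bug.

```python
import re

# Constructed sample syslog lines in BIND 9's assertion-failure style. The file
# name, line number and expression are placeholders, not the real bug site.
SAMPLE_LOG = """\
May 26 10:11:58 resolver1 named[2345]: client 198.51.100.7#53011: query: nonexistent.example IN A + (192.0.2.53)
May 26 10:11:59 resolver1 named[2345]: file.c:42: INSIST(size <= limit) failed
May 26 10:11:59 resolver1 named[2345]: exiting (due to assertion failure)
May 26 10:12:30 resolver2 named[4100]: resolver priming query complete
May 26 10:15:02 resolver1 named[2390]: starting BIND 9.7.3-P1
"""

ASSERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"(?P<src>[\w.]+:\d+): (?P<kind>REQUIRE|ENSURE|INSIST|INVARIANT)\((?P<expr>.*)\) failed$"
)
EXIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"exiting \(due to assertion failure\)$"
)


def assertion_crashes(log_text: str) -> list:
    """Return one record per named process that logged a failed assertion and
    then exited because of it; a failed assertion without the exit line, or an
    exit line without the assertion, is not reported."""
    pending = {}   # (host, pid) -> details of the assertion seen so far
    crashes = []
    for line in log_text.splitlines():
        m = ASSERT_RE.match(line)
        if m:
            pending[(m["host"], m["pid"])] = m.groupdict()
            continue
        m = EXIT_RE.match(line)
        if m:
            details = pending.pop((m["host"], m["pid"]), None)
            if details is not None:
                crashes.append(details)
    return crashes


if __name__ == "__main__":
    for c in assertion_crashes(SAMPLE_LOG):
        print(f"{c['ts']} {c['host']} pid {c['pid']}: {c['kind']}({c['expr']}) at {c['src']}")
```

Pairing the assertion line with the exit line for the same host and PID keeps the report to genuine process deaths; the restart line that follows (here "starting BIND 9.7.3-P1") is the place to confirm the version that came back up is one of the fixed releases listed under Solution.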
Solution: 

Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2 or the latest fixed version of the software.

See our BIND Software Downloads page to get the latest version: http://www.isc.org/downloads/all

Note: Engineering has confirmed that 9.6.2-P3 is unaffected.


Credits:
Thanks to Frank Kloeker and Michael Sinatra for getting the details of this issue to the DNS Operations community and to Michael Sinatra, Team Cymru, and other community members for testing.
 

Document Revision History

  • Version 1.0 - 26 May 2011: Updated/corrected Description
  • Version 1.1 - 27 May 2011: Published 9.4-ESV-P1 to the website and ftp
  • Version 1.2 - 27 May 2011: Updated, corrected text, and added clarifications based on questions to security-officer@isc.org.
  • Version 1.3 - 27 May 2011: Added VU#
  • Version 1.4 - 14 Jun 2011: Clarified versions affected
  • Version 1.5 - 20 Jun 2011: Link to CI Lab's translation to Chinese.

 

CI Labs Translation of the Security Advisory in Chinese: http://www.cilab.cn/security/201106/t20110602_21236.htm

Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.

This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2011-1910

Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings is available at: http://www.isc.org/community/blog/201102/BIND-support

© 2001-2014 Internet Systems Consortium
