CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
Author: ISC Support
Reference Number: AA-00871
Created: 2013-02-26 02:57
Last Updated: 2013-03-26 15:56

A critical defect in BIND 9 allows an attacker to cause excessive memory consumption in named or other programs linked to libdns.

Document Version: 2.0
Posting date: 26 March 2013
Program Impacted: BIND
Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1, 9.9.0 -> 9.9.3b1.  (Windows versions are not affected. Versions of BIND 9 prior to BIND 9.7.0 (including BIND 9.6-ESV) are not affected.  BIND 10 is not affected.)
Severity: Critical
Exploitable: Remotely

Description:

A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server.  This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine.

Please Note: Versions of BIND 9.7 are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC.  However, the re-compilation method described in the "Workarounds" section of this document will prevent exploitation in BIND 9.7 as well as in currently supported versions.

For current information on which versions are actively supported, please see http://www.isc.org/software/bind/versions.

Additional information is available in the CVE-2013-2266 FAQ and Supplemental Information article in the ISC Knowledge base, https://kb.isc.org/article/AA-00879.

Impact:

Intentional exploitation of this condition can cause denial of service in all authoritative and recursive nameservers running affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1 (inclusive)].   Additionally, other services which run on the same physical machine as an affected BIND server could be compromised as well through exhaustion of system memory.

Programs using the libdns library from affected versions of BIND are also potentially vulnerable to exploitation of this bug if they can be forced to accept input which triggers the condition.  Tools which are linked against libdns (e.g. dig) should also be rebuilt or upgraded, even if named is not being used.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

Patched versions are available (see the "Solution:" section below). Alternatively, operators can prevent exploitation of this bug in any affected version of BIND 9 by compiling without regular expression support.

Compilation without regular expression support:

BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1), and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely safe from this bug by re-compiling the source with regular expression support disabled.  In order to disable inclusion of regular expression support:

  • After configuring BIND features as desired using the configure script in the top level source directory, manually edit the "config.h" header file that was produced by the configure script.
  • Locate the line that reads "#define HAVE_REGEX_H 1" and replace the contents of that line with "#undef HAVE_REGEX_H".
  • Run "make clean" to remove any previously compiled object files from the BIND 9 source directory, then proceed to make and install BIND normally.
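
The edit from the steps above as a shell function, added here as an example and not part of ISC's advisory or tooling. The function name `disable_regex_support`, the script name in the usage comment and the `config.h.orig` backup are assumptions of this example; it changes the file only if the define is present and verifies the result before overwriting.

```shell
#!/bin/sh
# Added example (not ISC code): apply the config.h edit described above.
# Usage after ./configure:  sh disable_regex.sh ./config.h

# Matches "#define HAVE_REGEX_H" with or without a value, but not longer names.
PAT='^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_REGEX_H([[:space:]]|$)'

disable_regex_support() {
    cfg=$1
    if [ ! -f "$cfg" ]; then
        echo "error: $cfg not found (run ./configure first)" >&2
        return 1
    fi
    # Already undefined (or edit applied earlier): leave the file alone.
    if ! grep -Eq "$PAT" "$cfg"; then
        echo "HAVE_REGEX_H is not defined in $cfg; nothing to change"
        return 0
    fi
    tmp=$(mktemp "${cfg}.XXXXXX") || return 1
    # Replace the whole line, as the advisory instructs.
    if ! sed -E "s/${PAT}.*/#undef HAVE_REGEX_H/" "$cfg" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Verify the result before touching the original.
    if grep -Eq "$PAT" "$tmp" || ! grep -q '^#undef HAVE_REGEX_H$' "$tmp"; then
        echo "error: edit did not take effect; $cfg left unchanged" >&2
        rm -f "$tmp"; return 1
    fi
    cp -p "$cfg" "${cfg}.orig" || { rm -f "$tmp"; return 1; }  # assumed backup name
    cat "$tmp" > "$cfg"     # keeps the original file's permissions
    rm -f "$tmp"
    echo "regex support disabled in $cfg; now run: make clean, then make and install"
}

# Run only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    disable_regex_support "$1"
fi
```

Re-running `configure` regenerates config.h, so the edit has to be applied again before the next build.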

Active exploits:

No known active exploits.

Solution: 

Compile BIND 9 without regular expression support as described in the "Workarounds" section of this advisory or upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from http://www.isc.org/downloads/all.

  • BIND 9 version 9.8.4-P2
  • BIND 9 version 9.9.2-P2

Acknowledgements: ISC would like to thank Matthew Horsfall of Dyn, Inc. for discovering this bug and bringing it to our attention.

Document Revision History:

1.0 Phase One - Advance Notification, 11 March 2013

1.1 Phase Two & Three, 25 March 2013

2.0 Notification to Public (Phase Four), 26 March 2013

Related Documents:

Japanese Translation:  https://kb.isc.org/article/AA-00881
Spanish Translation:  https://kb.isc.org/article/AA-00882
German Translation:  https://kb.isc.org/article/AA-00883
Portuguese Translation:  https://kb.isc.org/article/AA-00884

See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected.

If you'd like more information on our product support please visit www.isc.org/support.

Do you still have questions?  Questions regarding this advisory should go to security-officer@isc.org

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:  Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy

This Knowledge Base article https://kb.isc.org/article/AA-00871 is the complete and official security advisory document.

Legal Disclaimer: 

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.  A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

© 2001-2014 Internet Systems Consortium
