Knowledge Base ISC Main Website Ask a Question/Contact ISC
CVE-2013-3919: A recursive resolver can be crashed by a query for a malformed zone
Author: Michael McNally Reference Number: AA-00967 Views: 17727 Created: 2013-06-04 21:16 Last Updated: 2013-06-13 10:46 0 Rating/ Voters

A defect exists which allows an attacker to crash a BIND 9 recursive resolver with a RUNTIME_CHECK error in resolver.c

Document Version:          
1.1
Posting date: 
04 Jun 2013
Program Impacted: 
BIND 9

Versions affected: 

BIND 9.6-ESV-R9, 9.8.5, and 9.9.3 are affected

Versions 9.6.0 through 9.6-ESV-R8, 9.8.0 through 9.8.4-P2, and 9.9.0 through 9.9.2-P2 ARE NOT affected.

Other major branches of BIND (e.g. 9.7, 9.5, etc) are not vulnerable but they are no longer supported by ISC and may lack other important security fixes.

Severity: 
High
Exploitable: 
Remotely

Description:

A bug has been discovered in the most recent releases of BIND 9 which has the potential for deliberate exploitation as a denial-of-service attack. By sending a recursive resolver a query for a record in a specially malformed zone, an attacker can cause BIND 9 to exit with a fatal "RUNTIME_CHECK" error in resolver.c

Impact:

Triggering this defect will cause the affected server to exit with an error, denying service to recursive DNS clients that use that particular server.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=%28AV:N/AC:L/Au:N/C:N/I:N/A:C%29

Workarounds:

None.

Active exploits:

At the time of this advisory no intentional exploitation of this bug has been observed in the wild. However, the existence of the issue has been disclosed on an open mailing list with enough accompanying detail to reverse engineer an attack and ISC is therefore treating this as a Type II (publicly disclosed) vulnerability, in accordance with our Phased Disclosure Process.

Solution: 

New versions of BIND are being provided which contain a fix for the defect. The recommended solution is to upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://ftp.isc.org/isc/bind9

  • BIND 9 version 9.9.3-P1
  • BIND 9 version 9.8.5-P1
  • BIND 9 version 9.6-ESV-R9-P1

Acknowledgements:

Document Revision History:

1.0 Type II Public Disclosure, 04 June, 2013
1.1 Published FAQ and Supplemental Information, 13 June, 2013

Related Documents:

See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected.

This new Knowledge Base article includes additional information and Frequently Asked Questions about this advisory.

If you'd like more information on our product support please visit www.isc.org/support.

Do you still have questions?  Questions regarding this advisory should go to security-officer@isc.org

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:  Details of our current security advisory policy and practice can be found here: ISC Software Defect and Security Vulnerability Disclosure Policy

This Knowledge Base article https://kb.isc.org/article/AA-00967 is the complete and official security advisory document.

Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.  A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

© 2001-2014 Internet Systems Consortium

Feedback
  • Please help us to improve the content of our knowledge base by letting us know how we can improve this article or by submitting suggestions for other articles you'd like to see created. Information on how to obtain further help on our products or services can be found on our main website.' If you have a technical question or problem on which you'd like help, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.
Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu