CVE-2011-2464: ISC BIND 9 Remote Packet Denial of Service Against Authoritative and Recursive Servers
- Updated on 07 Jun 2012
- 5 minutes to read
ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers
A specially constructed packet will cause BIND 9 ("named") to exit, affecting DNS service.
05 Jul 2011
9.6.3, 9.6-ESV-R4, 9.6-ESV-R4-P1, 9.6-ESV-R5b1 9.7.0, 9.7.0-P1, 9.7.0-P2, 9.7.1, 9.7.1-P1, 9.7.1-P2, 9.7.2, 9.7.2-P1, 9.7.2-P2, 9.7.2-P3, 9.7.3, 9.7.3-P1, 9.7.3-P2, 9.7.4b1 9.8.0, 9.8.0-P1, 9.8.0-P2, 9.8.0-P3, 9.8.1b1
A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.
A remote attacker would need to be able to send a specially crafted packet directly to a server running a vulnerable version of BIND. There is also the potential for an indirect attack via malware that is inadvertently installed and run, where infected machines have direct access to an organization's nameservers.
CVSS Score: 7.8
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
There are no known workarounds for publicly available servers. Administrators of servers that are not publicly available may be able to limit exposure via firewalls and packet filters.
ISC knows of no public tools to exploit this defect at the time of this advisory.
Upgrade to: 9.6-ESV-R4-P3, 9.7.3-P3 or 9.8.0-P4.
Review the BIND Vulnerability Matrix to insure older versions of BIND are not at risk to an older vulnerability.
Download these versions from the following locations:
- ISC releases of BIND 9 software may be downloaded from http://www.isc.org/software/bind
- If you do not obtain your BIND software directly from ISC, contact your operating system or software vendor for an update.
- If you are participating in ISC's beta or release candidate (RC) programs, please upgrade. ISC Beta/RC testers are expected to remove vulnerable versions and upgrade. No security advisories are issued for beta / release candidates once the corresponding final release is made.
In addition, 9.5.3b1 and 9.5.3rc1 are affected although ISC has not released a final production version of 9.5.3. Note that BIND 9.5 is End-of-Life, therefore if you are running a pre-release version of 9.5.3 we recommend upgrading to a supported production version of BIND.
9.6-ESV-R4-P2 is not affected by any known attack vectors, but has been replaced by 9.6-ESV-R4-P3 which carries a more complete fix
Other versions of BIND 9 not listed in this advisory are not vulnerable to this problem.
Acknowledgements: ISC thanks Roy Arends from Nominet for pin-pointing the exact nature of the vulnerability. We also thank Ramesh Damodaran of Infoblox for finding a variation of the attack vector and Mats Dufberg of TeliaSonera Sweden for confirming additional variants.
Document Revision History:
- Version 1.0 - 14 June 2011: Phase One Disclosure Date
- Version 1.1 - 20 June 2011: Phase Two Disclosure Date with updates.
- Version 1.2 - 21 June 2011: Updates on beta, RC, and clarity editing
- Verison 1.3 - 21 June 2011: Sent Hold Notices to Phase I constituents, extended Acknowledgments
- Version 1.4 - 23 June 2011: Updated -P versions to include Advanced Security Patches release to Phase I, and "Upgrade to:" versions
- Version 1.5 - 24 June 2011: Added document URL, sent schedule update to Phase I constituents.
- Version 1.6 - 28 June 2011: Updated Versions Affected, extended Acknowledgments, sent Phase I updates
- Version 1.7 - 30 June 2011: Updated attribution text.
- Version 1.8 - 4 July 2011: Phase Three and Four Disclosure Date
- version 2.0 - 5 July 2011: Public Disclosure
- version 2.1 - 5 July 2011: Added link to BIND Vulnerablity Matrix and CVSS Worksheet. Added JPRS Partner Link, along with ISC's Spanish and Japanese Translations
Do you have Questions? Questions regarding this advisory should go to email@example.com.
This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2011-2464
Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to firstname.lastname@example.org. More information on ISC's support and other offerings are available at: http://www.isc.org/community/blog/201102/BIND-support
ISC Security Vulnerability Disclosure Policy : Details of our current security advisory policy and practice can be found here:https://www.isc.org/security-vulnerability-disclosure-policy
- JPRS (Japan Registry Services) Advisory of CVE-2011-2464
- Negación de servicio remoto contra servidores autoritativos y recursivos usando ISC BIND9
- ISC BIND 9の権威およびキャッシュサーバに対する遠隔サービス妨害攻撃
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
© 2001-2018 Internet Systems Consortium For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership. ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.