CVE-2011-1910: Large RRSIG RRsets and Negative Caching Can Crash named
- Updated on 07 Jun 2012
- 3 minutes to read
Large RRSIG RRsets and Negative Caching Can Crash named
A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to crash.
26 May 2011
9.4: 9.4-ESV-R3, -R4, -R5b1 9.5: 9.5.3b1, 9.5.3rc1 (end-of-life) 9.6: 9.6.3, 9.6-ESV-R2, -R3, -R4, -R5b1 9.7: 9.7.1, 9.7.1-P1, -P2, 9.7.2, 9.7.2-P1, -P2, -P3, 9.7.3, 9.7.4b1 9.8: 9.8.0, 9.8.0-P1, 9.8.1b1
DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the negative cache.
The authority data will be cached along with the negative cache information. These authoritative “Start of Authority” (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type. In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response.
In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.
The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup).
DNSSEC does not need to be enabled on the resolver for it to be vulnerable.
CVSS Score: Base 7.8
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Restricting access to the DNS caching resolver infrastructure will provide partial mitigation. Active exploitation can be accomplished through malware or SPAM/Malvertizing actions that will force authorized clients to look up domains that would trigger this vulnerability.
This issue has caused unintentional outages.
Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2 or the latest fixed version of the software.
See our BIND Software Downloads page to get the latest version: http://www.isc.org/downloads/all
Note: Engineering has confirmed that 9.6.2-P3 is unaffected.
Credits: Thanks to Frank Kloeker and Michael Sinatra for getting the details of this issue to the DNS Operations community and to Michael Sinatra, Team Cymru, and other community members for testing.
Document Revision History
- Version 1.0 - 26 May 2011: Updated/corrected Description
- Version 1.1 - 27 May 2011: Published 9.4-ESV-P1 to the website and ftp
- Version 1.2 - 27 May 2011: Updated, corrected text, and added clarifications based on questions to firstname.lastname@example.org.
- Version 1.3 - 27 May 2011: Added VU#
- Version 1.4 - 14 Jun 2011: Clarified versions affected
- Version 1.5 - 20 Jun 2011: Link to CI Lab's translation to Chinese.
Do you have Questions? Questions regarding this advisory should go to email@example.com.
This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2011-1910
Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to firstname.lastname@example.org. More information on ISC's support and other offerings are available at: http://www.isc.org/community/blog/201102/BIND-support
© 2001-2018 Internet Systems Consortium For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership. ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.