CVE-2011-1907: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones
RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones
When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.
Document Version: 1.1
Posting Date: 05 May 2011
Program Impacted: BIND
Versions Affected: 9.8.0
This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.
Workarounds: Install 9.8.0-P1 or higher.
Active Exploits: None. However, some DNSSEC validators are known to send type=RRSIG queries, innocently triggering the failure.
Solution: Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.
For more information about DNS RPZ, please check the following: Blocking DNS.
Do you have questions? Questions regarding this advisory should go to firstname.lastname@example.org.
Do you need software support? Questions on ISC's Support services or other offerings should be sent to email@example.com. More information on ISC's support and other offerings is available at: https://www.isc.org/bind-subscription-2/.
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.