CVE-2011-0414: BIND -- Server Lockup Upon IXFR or DDNS Update Combined With High Query Rate

AA-00461

When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur.
CERT: VU#559980
Document Version: 1.1
Posting date: 22 Feb 2011
Program Impacted: BIND
Versions affected: 9.7.1-9.7.2-P3
Severity: High
Exploitable: remotely
Description: 

When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.

CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Workarounds: 

Depending on your performance requirements, a workaround may be available. ISC was not able to reproduce this defect in 9.7.2 using -n1, which causes named to use only one worker thread, thus avoiding the deadlock. If your server is powerful enough to serve your data with a single processor, this option may be fast to implement until you have time to perform an upgrade.
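A small operator-side check for the two facts that matter here (whether the installed BIND version falls in the affected 9.7.1 to 9.7.2-P3 range, and whether a running named was started with the -n1 / -n 1 worker-thread workaround), written as an added example for this advisory and not ISC's own tooling. It assumes the plain upstream "BIND x.y.z" banner printed by `named -v`; vendor-patched builds that append a distribution suffix to the banner, and the paths to `named` and `ps`, are assumptions of the example.

```sh
#!/bin/sh
# Added example: checks related to CVE-2011-0414 (BIND IXFR/DDNS + query deadlock).
# The version range below is taken from the advisory: 9.7.1 through 9.7.2-P3 are
# affected; 9.7.3, 9.8, 9.6.x, 9.6-ESV-Rx and 9.4-ESV-R4 are not.

# Strip the "BIND " prefix from a `named -v` banner and keep only the first token.
# Assumes the upstream banner format, e.g. "BIND 9.7.2-P3".
bind_version_from_banner() {
    v=${1#BIND }
    printf '%s\n' "${v%% *}"
}

# Return 0 (true) if the given version string is inside the affected range.
bind_affected() {
    case "$1" in
        9.7.1|9.7.1-P*|9.7.2|9.7.2-P[123]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) if a named command line contains the single-worker-thread
# workaround from the advisory, written either as "-n1" or "-n 1".
named_single_thread() {
    case " $1 " in
        *" -n1 "*|*" -n 1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on the local host: version status and whether the workaround is active.
# Not run automatically; invoke as `check_local_named` on the DNS server itself.
check_local_named() {
    banner=$(named -v 2>/dev/null) || { echo "named not found in PATH"; return 2; }
    ver=$(bind_version_from_banner "$banner")
    if bind_affected "$ver"; then
        echo "BIND $ver is in the affected range (9.7.1-9.7.2-P3): upgrade to 9.7.3"
        # `ps -o args= -C named` is a procps/Linux form; adjust for other systems.
        cmdline=$(ps -o args= -C named 2>/dev/null | head -n 1)
        if named_single_thread "$cmdline"; then
            echo "workaround active: named is running with a single worker thread"
        else
            echo "workaround NOT active: named command line is: $cmdline"
        fi
        return 1
    fi
    echo "BIND $ver is not in the affected range"
    return 0
}
```

The version check deliberately matches only the exact release strings ISC lists rather than doing numeric comparison, so an unexpected banner (a vendor suffix, a snapshot build) fails closed as "not matched" and should be checked by hand against the advisory rather than silently reported as safe.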

Active exploits: None known, but a description of the issue is available in the release notes for BIND 9.6.3 and 9.7.3.
Solution: 

If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3. Earlier versions are not vulnerable. If you run BIND 9.6.x, 9.6-ESV-Rx, or 9.4-ESV-R4, you do not need to upgrade.
BIND 9.5 is End of Life and is not supported by ISC. BIND 9.8 is not vulnerable.

Credits: Thank you to Neustar for finding the initial defect and JPRS for further testing and analysis.

Do you have questions? Questions regarding this advisory should go to security-officer@isc.org.

Do you need software support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings is available at: http://www.isc.org/community/blog/201102/BIND-support

ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy.

This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2011-0414