Executive Summary
Summary | |
---|---|
Title | bind security update |
Informations | |||
---|---|---|---|
Name | RHSA-2010:0975 | First vendor Publication | 2010-12-13 |
Vendor | RedHat | Last vendor Modification | 2010-12-13 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. It was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613) It was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC. (CVE-2010-3614) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 658974 - CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named 658977 - CVE-2010-3614 bind: key algorithm rollover may mark secure answers as insecure |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2010-0975.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12601 | |||
Oval ID: | oval:org.mitre.oval:def:12601 | ||
Title: | HP-UX Running BIND, Remote Denial of Service (DoS) | ||
Description: | named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3613 | Version: | 12 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:12722 | |||
Oval ID: | oval:org.mitre.oval:def:12722 | ||
Title: | DSA-2130-1 bind9 -- several | ||
Description: | Several remote vulnerabilities have been discovered in BIND, an implementation of the DNS protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-3762 When DNSSEC validation is enabled, BIND does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service via a DNS query. CVE-2010-3614 BIND does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which may lead to zone unavailability during rollovers. CVE-2010-3613 BIND does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service via a query for cached data. In addition, this security update improves compatibility with previously installed versions of the bind9 package. As a result, it is necessary to initiate the update with "apt-get dist-upgrade" instead of "apt-get update". For the stable distribution, these problems have been fixed in version 1:9.6.ESV.R3+dfsg-0+lenny1. For the upcoming stable distribution and the unstable distribution, these problems have been fixed in version 1:9.7.2.dfsg.P3-1. We recommend that you upgrade your bind9 packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2130-1 CVE-2010-3762 CVE-2010-3614 CVE-2010-3613 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | bind9 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20346 | |||
Oval ID: | oval:org.mitre.oval:def:20346 | ||
Title: | VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm. | ||
Description: | named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3614 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20446 | |||
Oval ID: | oval:org.mitre.oval:def:20446 | ||
Title: | VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm. | ||
Description: | named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3613 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20785 | |||
Oval ID: | oval:org.mitre.oval:def:20785 | ||
Title: | Denial of service vulnerability in BIND | ||
Description: | named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3614 | Version: | 4 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20922 | |||
Oval ID: | oval:org.mitre.oval:def:20922 | ||
Title: | Denial of service vulnerability in BIND | ||
Description: | named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3613 | Version: | 4 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22234 | |||
Oval ID: | oval:org.mitre.oval:def:22234 | ||
Title: | RHSA-2010:0975: bind security update (Important) | ||
Description: | named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0975-01 CVE-2010-3613 CVE-2010-3614 | Version: | 29 |
Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | bind |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23440 | |||
Oval ID: | oval:org.mitre.oval:def:23440 | ||
Title: | ELSA-2010:0975: bind security update (Important) | ||
Description: | named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0975-01 CVE-2010-3613 CVE-2010-3614 | Version: | 13 |
Platform(s): | Oracle Linux 6 | Product(s): | bind |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27985 | |||
Oval ID: | oval:org.mitre.oval:def:27985 | ||
Title: | DEPRECATED: ELSA-2010-0975 -- bind security update (important) | ||
Description: | [32:9.7.0-5.P2.1] - fix CVE-2010-3613 and CVE-2010-3614 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0975 CVE-2010-3613 CVE-2010-3614 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | bind |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-01 (bind) File : nvt/glsa_201206_01.nasl |
2012-07-30 | Name : CentOS Update for bind CESA-2010:1000 centos4 x86_64 File : nvt/gb_CESA-2010_1000_bind_centos4_x86_64.nasl |
2012-03-16 | Name : VMSA-2011-0004.3 VMware ESX/ESXi SLPD denial of service vulnerability and ESX... File : nvt/gb_VMSA-2011-0004.nasl |
2011-10-20 | Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2011-006) File : nvt/gb_macosx_su11-006.nasl |
2011-08-09 | Name : CentOS Update for bind CESA-2010:0976 centos5 i386 File : nvt/gb_CESA-2010_0976_bind_centos5_i386.nasl |
2011-05-05 | Name : HP-UX Update for BIND HPSBUX02655 File : nvt/gb_hp_ux_HPSBUX02655.nasl |
2011-01-31 | Name : CentOS Update for bind CESA-2010:1000 centos4 i386 File : nvt/gb_CESA-2010_1000_bind_centos4_i386.nasl |
2011-01-14 | Name : ISC BIND 9 'RRSIG' Record Type Negative Cache Remote Denial of Service Vulner... File : nvt/gb_bind_multiple_vuln_01_11.nasl |
2010-12-28 | Name : RedHat Update for bind RHSA-2010:1000-01 File : nvt/gb_RHSA-2010_1000-01_bind.nasl |
2010-12-28 | Name : RedHat Update for bind RHSA-2010:0976-01 File : nvt/gb_RHSA-2010_0976-01_bind.nasl |
2010-12-28 | Name : Mandriva Update for bind MDVSA-2010:253 (bind) File : nvt/gb_mandriva_MDVSA_2010_253.nasl |
2010-12-23 | Name : Fedora Update for bind FEDORA-2010-18469 File : nvt/gb_fedora_2010_18469_bind_fc14.nasl |
2010-12-23 | Name : Fedora Update for bind-dyndb-ldap FEDORA-2010-18521 File : nvt/gb_fedora_2010_18521_bind-dyndb-ldap_fc13.nasl |
2010-12-23 | Name : Fedora Update for bind FEDORA-2010-18521 File : nvt/gb_fedora_2010_18521_bind_fc13.nasl |
2010-12-23 | Name : Fedora Update for dnsperf FEDORA-2010-18521 File : nvt/gb_fedora_2010_18521_dnsperf_fc13.nasl |
2010-12-09 | Name : Ubuntu Update for bind9 vulnerabilities USN-1025-1 File : nvt/gb_ubuntu_USN_1025_1.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2010-350-01 bind File : nvt/esoft_slk_ssa_2010_350_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
69559 | ISC BIND named Key Algorithm Rollover Weakness ISC BIND named contains a flaw when acting as a DNSSEC validating resolver. The issue is triggered when querying a zone undergoing a key algorithm rollover. This may allow a remote attacker to mark certain zone data as insecure. |
69558 | ISC BIND named RRSIG Negative Caching DoS ISC BIND contains a flaw that may allow a remote denial of service. The issue is triggered when the named program does not properly clear matching RRSIG records from the cache when negatively caching a 'NO DATA'. This can be exploited to result in loss of availability. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2011-05-12 | IAVM : 2011-A-0066 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0027158 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-04 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2011-0004_remote.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_bind-101207.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0975.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-1000.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0976.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ99391.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV01118.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV01119.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20101220_bind_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20101213_bind_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-06-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-01.nasl - Type : ACT_GATHER_INFO |
2011-10-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2011-006.nasl - Type : ACT_GATHER_INFO |
2011-05-28 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2010-350-01.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_bind-101207.nasl - Type : ACT_GATHER_INFO |
2011-03-08 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2011-0004.nasl - Type : ACT_GATHER_INFO |
2011-01-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-1000.nasl - Type : ACT_GATHER_INFO |
2010-12-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-1000.nasl - Type : ACT_GATHER_INFO |
2010-12-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-253.nasl - Type : ACT_GATHER_INFO |
2010-12-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0976.nasl - Type : ACT_GATHER_INFO |
2010-12-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0975.nasl - Type : ACT_GATHER_INFO |
2010-12-14 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0976.nasl - Type : ACT_GATHER_INFO |
2010-12-12 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2130.nasl - Type : ACT_GATHER_INFO |
2010-12-09 | Name : The remote Fedora host is missing a security update. File : fedora_2010-18469.nasl - Type : ACT_GATHER_INFO |
2010-12-08 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2010-18521.nasl - Type : ACT_GATHER_INFO |
2010-12-03 | Name : The remote name server is affected by multiple vulnerabilities. File : bind9_972_p3.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1025-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:54:10 |
|