Executive Summary
Summary | |
---|---|
Title | bind security update |
Informations | |||
---|---|---|---|
Name | RHSA-2010:0976 | First vendor Publication | 2010-12-13 |
Vendor | RedHat | Last vendor Modification | 2010-12-13 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated bind packages that fix three security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. It was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613) A flaw was found in the DNSSEC validation code in named. If named had multiple trust anchors configured for a zone, a response to a request for a record in that zone with a bad signature could cause named to crash. (CVE-2010-3762) It was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC. (CVE-2010-3614) All BIND users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 640730 - CVE-2010-3762 Bind: DoS (assertion failure) via a DNS query with bad signatures 658974 - CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named 658977 - CVE-2010-3614 bind: key algorithm rollover may mark secure answers as insecure |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2010-0976.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-20 | Improper Input Validation |
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12601 | |||
Oval ID: | oval:org.mitre.oval:def:12601 | ||
Title: | HP-UX Running BIND, Remote Denial of Service (DoS) | ||
Description: | named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3613 | Version: | 12 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:12722 | |||
Oval ID: | oval:org.mitre.oval:def:12722 | ||
Title: | DSA-2130-1 bind9 -- several | ||
Description: | Several remote vulnerabilities have been discovered in BIND, an implementation of the DNS protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-3762 When DNSSEC validation is enabled, BIND does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service via a DNS query. CVE-2010-3614 BIND does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which may lead to zone unavailability during rollovers. CVE-2010-3613 BIND does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service via a query for cached data. In addition, this security update improves compatibility with previously installed versions of the bind9 package. As a result, it is necessary to initiate the update with "apt-get dist-upgrade" instead of "apt-get update". For the stable distribution, these problems have been fixed in version 1:9.6.ESV.R3+dfsg-0+lenny1. For the upcoming stable distribution and the unstable distribution, these problems have been fixed in version 1:9.7.2.dfsg.P3-1. We recommend that you upgrade your bind9 packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2130-1 CVE-2010-3762 CVE-2010-3614 CVE-2010-3613 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | bind9 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:19985 | |||
Oval ID: | oval:org.mitre.oval:def:19985 | ||
Title: | VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm. | ||
Description: | ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service (daemon crash) via a DNS query. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3762 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20346 | |||
Oval ID: | oval:org.mitre.oval:def:20346 | ||
Title: | VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm. | ||
Description: | named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3614 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20446 | |||
Oval ID: | oval:org.mitre.oval:def:20446 | ||
Title: | VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm. | ||
Description: | named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3613 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20785 | |||
Oval ID: | oval:org.mitre.oval:def:20785 | ||
Title: | Denial of service vulnerability in BIND | ||
Description: | named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3614 | Version: | 4 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20922 | |||
Oval ID: | oval:org.mitre.oval:def:20922 | ||
Title: | Denial of service vulnerability in BIND | ||
Description: | named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3613 | Version: | 4 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22234 | |||
Oval ID: | oval:org.mitre.oval:def:22234 | ||
Title: | RHSA-2010:0975: bind security update (Important) | ||
Description: | named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0975-01 CVE-2010-3613 CVE-2010-3614 | Version: | 29 |
Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | bind |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22294 | |||
Oval ID: | oval:org.mitre.oval:def:22294 | ||
Title: | RHSA-2010:0976: bind security update (Important) | ||
Description: | ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service (daemon crash) via a DNS query. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0976-01 CESA-2010:0976 CVE-2010-3613 CVE-2010-3614 CVE-2010-3762 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | bind |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23144 | |||
Oval ID: | oval:org.mitre.oval:def:23144 | ||
Title: | ELSA-2010:0976: bind security update (Important) | ||
Description: | ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service (daemon crash) via a DNS query. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0976-01 CVE-2010-3613 CVE-2010-3614 CVE-2010-3762 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | bind |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23440 | |||
Oval ID: | oval:org.mitre.oval:def:23440 | ||
Title: | ELSA-2010:0975: bind security update (Important) | ||
Description: | named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0975-01 CVE-2010-3613 CVE-2010-3614 | Version: | 13 |
Platform(s): | Oracle Linux 6 | Product(s): | bind |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27985 | |||
Oval ID: | oval:org.mitre.oval:def:27985 | ||
Title: | DEPRECATED: ELSA-2010-0975 -- bind security update (important) | ||
Description: | [32:9.7.0-5.P2.1] - fix CVE-2010-3613 and CVE-2010-3614 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0975 CVE-2010-3613 CVE-2010-3614 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | bind |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28216 | |||
Oval ID: | oval:org.mitre.oval:def:28216 | ||
Title: | DEPRECATED: ELSA-2010-0976 -- bind security update (important) | ||
Description: | [30:9.3.6-4.P1.3] - fixes for CVE-2010-3762, CVE-2010-3613 and CVE-2010-3614 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0976 CVE-2010-3613 CVE-2010-3614 CVE-2010-3762 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | bind |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-01 (bind) File : nvt/glsa_201206_01.nasl |
2012-07-30 | Name : CentOS Update for bind CESA-2010:1000 centos4 x86_64 File : nvt/gb_CESA-2010_1000_bind_centos4_x86_64.nasl |
2012-03-16 | Name : VMSA-2011-0004.3 VMware ESX/ESXi SLPD denial of service vulnerability and ESX... File : nvt/gb_VMSA-2011-0004.nasl |
2011-10-20 | Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2011-006) File : nvt/gb_macosx_su11-006.nasl |
2011-08-09 | Name : CentOS Update for bind CESA-2010:0976 centos5 i386 File : nvt/gb_CESA-2010_0976_bind_centos5_i386.nasl |
2011-06-06 | Name : Ubuntu Update for bind9 USN-1139-1 File : nvt/gb_ubuntu_USN_1139_1.nasl |
2011-05-05 | Name : HP-UX Update for BIND HPSBUX02655 File : nvt/gb_hp_ux_HPSBUX02655.nasl |
2011-01-31 | Name : CentOS Update for bind CESA-2010:1000 centos4 i386 File : nvt/gb_CESA-2010_1000_bind_centos4_i386.nasl |
2011-01-14 | Name : ISC BIND 9 < 9.7.2-P2 Multiple Vulnerabilities File : nvt/gb_bind_9_7_2_P2.nasl |
2011-01-14 | Name : ISC BIND 9 'RRSIG' Record Type Negative Cache Remote Denial of Service Vulner... File : nvt/gb_bind_multiple_vuln_01_11.nasl |
2010-12-28 | Name : RedHat Update for bind RHSA-2010:1000-01 File : nvt/gb_RHSA-2010_1000-01_bind.nasl |
2010-12-28 | Name : RedHat Update for bind RHSA-2010:0976-01 File : nvt/gb_RHSA-2010_0976-01_bind.nasl |
2010-12-28 | Name : Mandriva Update for bind MDVSA-2010:253 (bind) File : nvt/gb_mandriva_MDVSA_2010_253.nasl |
2010-12-23 | Name : Fedora Update for bind FEDORA-2010-18469 File : nvt/gb_fedora_2010_18469_bind_fc14.nasl |
2010-12-23 | Name : Fedora Update for bind-dyndb-ldap FEDORA-2010-18521 File : nvt/gb_fedora_2010_18521_bind-dyndb-ldap_fc13.nasl |
2010-12-23 | Name : Fedora Update for bind FEDORA-2010-18521 File : nvt/gb_fedora_2010_18521_bind_fc13.nasl |
2010-12-23 | Name : Fedora Update for dnsperf FEDORA-2010-18521 File : nvt/gb_fedora_2010_18521_dnsperf_fc13.nasl |
2010-12-09 | Name : Ubuntu Update for bind9 vulnerabilities USN-1025-1 File : nvt/gb_ubuntu_USN_1025_1.nasl |
2010-09-30 | Name : ISC BIND Denial Of Service and Security Bypass Vulnerability File : nvt/gb_bind_43573.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2010-350-01 bind File : nvt/esoft_slk_ssa_2010_350_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
69559 | ISC BIND named Key Algorithm Rollover Weakness ISC BIND named contains a flaw when acting as a DNSSEC validating resolver. The issue is triggered when querying a zone undergoing a key algorithm rollover. This may allow a remote attacker to mark certain zone data as insecure. |
69558 | ISC BIND named RRSIG Negative Caching DoS ISC BIND contains a flaw that may allow a remote denial of service. The issue is triggered when the named program does not properly clear matching RRSIG records from the cache when negatively caching a 'NO DATA'. This can be exploited to result in loss of availability. |
68271 | ISC BIND DNSSEC Query Validation Response Signature Handling Remote DoS |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2011-05-12 | IAVM : 2011-A-0066 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0027158 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-04 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2011-0004_remote.nasl - Type : ACT_GATHER_INFO |
2015-09-18 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15172.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_bind-101207.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0975.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-1000.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0976.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV01118.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IV01119.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ99391.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20101220_bind_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20101213_bind_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-06-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-01.nasl - Type : ACT_GATHER_INFO |
2011-10-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2011-006.nasl - Type : ACT_GATHER_INFO |
2011-06-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1139-1.nasl - Type : ACT_GATHER_INFO |
2011-05-28 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2010-350-01.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_bind-101207.nasl - Type : ACT_GATHER_INFO |
2011-03-08 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2011-0004.nasl - Type : ACT_GATHER_INFO |
2011-01-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-1000.nasl - Type : ACT_GATHER_INFO |
2010-12-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-1000.nasl - Type : ACT_GATHER_INFO |
2010-12-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-253.nasl - Type : ACT_GATHER_INFO |
2010-12-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0976.nasl - Type : ACT_GATHER_INFO |
2010-12-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0975.nasl - Type : ACT_GATHER_INFO |
2010-12-14 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0976.nasl - Type : ACT_GATHER_INFO |
2010-12-12 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2130.nasl - Type : ACT_GATHER_INFO |
2010-12-09 | Name : The remote Fedora host is missing a security update. File : fedora_2010-18469.nasl - Type : ACT_GATHER_INFO |
2010-12-08 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2010-18521.nasl - Type : ACT_GATHER_INFO |
2010-12-03 | Name : The remote name server is affected by multiple vulnerabilities. File : bind9_972_p3.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1025-1.nasl - Type : ACT_GATHER_INFO |
2010-10-06 | Name : The remote name server is affected by multiple vulnerabilities. File : bind9_972_p2.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:54:10 |
|