Executive Summary

Summary
Title: BIND DNS Nameserver, DNSSEC validation Vulnerability

Information
Name: VU#418861
First vendor Publication: 2009-12-01
Vendor: VU-CERT
Last vendor Modification: 2010-01-19
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Cvss Base Score: 2.6
Cvss Impact Score: 2.9
Cvss Exploit Score: 4.9
Attack Range: Network
Attack Complexity: High
Authentication: None Required

Detail

Vulnerability Note VU#418861

BIND DNS Nameserver, DNSSEC validation Vulnerability

Overview

A vulnerability exists in the way BIND 9 handles recursive client queries that may cause additional records to be added to its cache.

I. Description

BIND 9 contains a vulnerability in the way recursive client queries are handled. According to ISC:

A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query with checking disabled (CD), or when the nameserver internally triggers a query for missing records for recursive name resolution. Cached records can be returned in response to subsequent client queries with or without requesting DNSSEC records (DO). In addition, some of them can be returned to queries with or without checking disabled (CD).


This issue affects BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.6.1-P1.

II. Impact

An attacker may be able to manipulate cache data and perform DNS Cache Poisoning.

III. Solution

Upgrade

BIND should be upgraded to version 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.

Disable DNSSEC Validation

According to ISC:
Disabling DNSSEC validation will also prevent incorrect caching of additional records due to this defect. However, this removes DNSSEC validation protection and the ability of the nameserver to deliver authenticated data in query responses.
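
A version check against the upgrade targets listed in the Solution section, as an added example (not part of the CERT note or ISC's code). It assumes version strings in the style printed by `named -v`; the function names and status labels are illustrative.

```python
import re

# Upgrade targets from the Solution section, keyed by release branch.
# Tuples are (major, minor, patch, P-level); a release with no -P suffix is P0.
UPGRADE_TARGET = {
    (9, 4): (9, 4, 3, 5),   # 9.4.3-P5
    (9, 5): (9, 5, 2, 2),   # 9.5.2-P2
    (9, 6): (9, 6, 1, 3),   # 9.6.1-P3
}
# Branches the note lists as affected without naming a fixed release on them.
NO_TARGET_BRANCHES = {(9, 0), (9, 1), (9, 2), (9, 3)}

# Plain releases only (x.y.z or x.y.z-Pn). Alpha/beta/rc strings are rejected
# rather than guessed at, because their ordering is not described in the note.
_RELEASE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(?![\w.])")


def parse_release(text):
    """Return (major, minor, patch, plevel) from a version string, or None."""
    m = _RELEASE.search(text)
    if m is None:
        return None
    return tuple(int(g or 0) for g in m.groups())


def assess(text):
    """Classify a reported BIND version against the note's upgrade targets."""
    release = parse_release(text)
    if release is None:
        return "unparsed"
    branch = release[:2]
    if branch in NO_TARGET_BRANCHES:
        return "affected-branch"
    target = UPGRADE_TARGET.get(branch)
    if target is None:
        return "not-covered"
    return "below-target" if release < target else "at-or-above-target"


if __name__ == "__main__":
    # Constructed sample strings in the style of `named -v` output.
    for sample in ("BIND 9.4.3-P3", "BIND 9.5.2", "BIND 9.6.1-P3",
                   "BIND 9.3.6-P1", "BIND 9.7.0b3", "BIND 9.8.1"):
        print(f"{sample:16} {assess(sample)}")
```

Vendor packages can carry a backported fix under an older upstream version string, so a "below-target" or "affected-branch" result on a distribution build should be confirmed against that vendor's advisory.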

Systems Affected

Vendor | Status | Date Notified | Date Updated
Alcatel-Lucent | Unknown | 2009-12-02 | 2009-12-02
Apple Inc. | Unknown | 2009-12-02 | 2009-12-02
BlueCat Networks, Inc. | Unknown | 2009-12-02 | 2009-12-02
Check Point Software Technologies | Unknown | 2009-12-02 | 2009-12-02
Conectiva Inc. | Unknown | 2009-12-02 | 2009-12-02
Cray Inc. | Unknown | 2009-12-02 | 2009-12-02
Debian GNU/Linux | Unknown | 2009-12-02 | 2009-12-02
DragonFly BSD Project | Unknown | 2009-12-02 | 2009-12-02
EMC Corporation | Unknown | 2009-12-02 | 2009-12-02
Engarde Secure Linux | Unknown | 2009-12-02 | 2009-12-02
Ericsson | Unknown | 2009-12-02 | 2009-12-02
F5 Networks, Inc. | Unknown | 2009-12-02 | 2009-12-02
Fedora Project | Unknown | 2009-12-02 | 2009-12-02
FreeBSD Project | Unknown | 2009-12-02 | 2009-12-02
Fujitsu | Unknown | 2009-12-02 | 2009-12-02
Gentoo Linux | Unknown | 2009-12-02 | 2009-12-02
Gnu ADNS | Unknown | 2009-12-02 | 2009-12-02
GNU glibc | Unknown | 2009-12-02 | 2009-12-02
Hewlett-Packard Company | Unknown | 2009-12-02 | 2009-12-02
Hitachi | Unknown | 2009-12-02 | 2009-12-02
IBM Corporation | Unknown | 2009-12-02 | 2009-12-02
IBM Corporation (zseries) | Unknown | 2009-12-02 | 2009-12-02
IBM eServer | Unknown | 2009-12-02 | 2009-12-02
Infoblox | Unknown | 2009-12-02 | 2009-12-02
Internet Systems Consortium | Vulnerable | 2009-12-02 | 2009-12-02
Juniper Networks, Inc. | Unknown | 2009-12-02 | 2009-12-02
Mandriva S. A. | Unknown | 2009-12-02 | 2009-12-02
McAfee | Unknown | 2009-12-02 | 2009-12-02
Men & Mice | Unknown | 2009-12-02 | 2009-12-02
Metasolv Software, Inc. | Unknown | 2009-12-02 | 2009-12-02
Microsoft Corporation | Unknown | 2009-12-02 | 2009-12-02
MontaVista Software, Inc. | Unknown | 2009-12-02 | 2009-12-02
NEC Corporation | Unknown | 2009-12-02 | 2009-12-02
NetBSD | Unknown | 2009-12-02 | 2009-12-02
Nixu | Unknown | 2009-12-02 | 2009-12-02
Nokia | Unknown | 2009-12-02 | 2009-12-02
Nominum | Unknown | 2009-12-02 | 2009-12-02
Nortel Networks, Inc. | Unknown | 2009-12-02 | 2009-12-02
Novell, Inc. | Unknown | 2009-12-02 | 2009-12-02
OpenBSD | Unknown | 2009-12-02 | 2009-12-02
Openwall GNU/*/Linux | Unknown | 2009-12-02 | 2009-12-02
QNX Software Systems Inc. | Unknown | 2009-12-02 | 2009-12-02
Red Hat, Inc. | Unknown | 2009-12-02 | 2009-12-02
SafeNet | Unknown | 2009-12-02 | 2009-12-02
Shadowsupport | Unknown | 2009-12-02 | 2009-12-02
Silicon Graphics, Inc. | Unknown | 2009-12-02 | 2009-12-02
Slackware Linux Inc. | Unknown | 2009-12-02 | 2009-12-02
Sony Corporation | Unknown | 2009-12-02 | 2009-12-02
Sun Microsystems, Inc. | Unknown | 2009-12-02 | 2009-12-02
SUSE Linux | Unknown | 2009-12-02 | 2009-12-02
The SCO Group | Unknown | 2009-12-02 | 2009-12-02
Turbolinux | Unknown | 2009-12-02 | 2009-12-02
Ubuntu | Unknown | 2009-12-02 | 2009-12-02
Unisys | Unknown | 2009-12-02 | 2009-12-02
Wind River Systems, Inc. | Unknown | 2009-12-02 | 2009-12-02

References


https://www.isc.org/node/504

Credit

ISC credits Michael Sinatra, UC Berkeley with finding this issue.

This document was written by Chris Taschner.

Other Information

Date Public: 2009-11-19
Date First Published: 2009-12-01
Date Last Updated: 2010-01-19
CERT Advisory:
CVE-ID(s): CVE-2009-4022
NVD-ID(s): CVE-2009-4022
US-CERT Technical Alerts:
Metric: 0.00
Document Revision: 14

Original Source

Url: http://www.kb.cert.org/vuls/id/418861

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:7459
Title: Security Vulnerability in BIND DNS Software Shipped With Solaris May Allow DNS Cache Poisoning
Description: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.
Family: unix
Class: vulnerability
Reference(s): CVE-2009-4022
Version: 3
Platform(s): Sun Solaris 9, Sun Solaris 10
Product(s):
Definition Synopsis:

Oval ID: oval:org.mitre.oval:def:7261
Title: HP-UX Running BIND, Remote Denial of Service (DoS), Unauthorized Disclosure of Information
Description: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.
Family: unix
Class: vulnerability
Reference(s): CVE-2009-4022
Version: 6
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:

Oval ID: oval:org.mitre.oval:def:11745
Title: Vulnerability with DNSSEC validation enabled in BIND.
Description: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.
Family: unix
Class: vulnerability
Reference(s): CVE-2009-4022
Version: 3
Platform(s): IBM AIX 6.1
Product(s):
Definition Synopsis:

Oval ID: oval:org.mitre.oval:def:10821
Title: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.
Description: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.
Family: unix
Class: vulnerability
Reference(s): CVE-2009-4022
Version: 5
Platform(s): Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
Product(s):
Definition Synopsis:

Oval ID: oval:org.mitre.oval:def:22841
Title: ELSA-2009:1620: bind security update (Moderate)
Description: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.
Family: unix
Class: patch
Reference(s): ELSA-2009:1620-01, CVE-2009-4022
Version: 3
Platform(s): Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 178

OpenVAS Exploits

Date | Name | File
2011-10-20 | Mac OS X v10.6.8 Multiple Vulnerabilities (2011-006) | nvt/gb_macosx_su11-006.nasl
2011-08-09 | CentOS Update for bind CESA-2009:1620 centos5 i386 | nvt/gb_CESA-2009_1620_bind_centos5_i386.nasl
2011-08-09 | CentOS Update for bind CESA-2010:0062 centos5 i386 | nvt/gb_CESA-2010_0062_bind_centos5_i386.nasl
2011-03-09 | Gentoo Security Advisory GLSA 201006-11 (BIND) | nvt/glsa_201006_11.nasl
2010-10-01 | HP-UX Update for BIND HPSBUX02546 | nvt/gb_hp_ux_HPSBUX02546.nasl
2010-03-02 | Fedora Update for bind FEDORA-2010-0861 | nvt/gb_fedora_2010_0861_bind_fc11.nasl
2010-03-02 | Fedora Update for bind FEDORA-2010-0868 | nvt/gb_fedora_2010_0868_bind_fc12.nasl
2010-01-29 | SuSE Update for acroread SUSE-SA:2010:008 | nvt/gb_suse_2010_008.nasl
2010-01-25 | RedHat Update for bind RHSA-2010:0062-02 | nvt/gb_RHSA-2010_0062-02_bind.nasl
2010-01-22 | Mandriva Update for bind MDVSA-2010:021 (bind) | nvt/gb_mandriva_MDVSA_2010_021.nasl
2010-01-22 | Ubuntu Update for bind9 vulnerabilities USN-888-1 | nvt/gb_ubuntu_USN_888_1.nasl
2010-01-11 | FreeBSD Security Advisory (FreeBSD-SA-10:01.bind.asc) | nvt/freebsdsa_bind8.nasl
2009-12-30 | Debian Security Advisory DSA 1961-1 (bind9) | nvt/deb_1961_1.nasl
2009-12-30 | CentOS Security Advisory CESA-2009:1620 (bind) | nvt/ovcesa2009_1620.nasl
2009-12-10 | Mandriva Security Advisory MDVSA-2009:313-1 (bind) | nvt/mdksa_2009_313_1.nasl
2009-12-10 | SuSE Security Advisory SUSE-SA:2009:059 (bind) | nvt/suse_sa_2009_059.nasl
2009-12-10 | Ubuntu USN-865-1 (bind9) | nvt/ubuntu_865_1.nasl
2009-12-03 | SLES11: Security update for bind | nvt/sles11_bind0.nasl
2009-12-03 | Fedora Core 11 FEDORA-2009-12218 (bind) | nvt/fcore_2009_12218.nasl
2009-12-03 | Fedora Core 12 FEDORA-2009-12233 (bind) | nvt/fcore_2009_12233.nasl
2009-12-03 | RedHat Security Advisory RHSA-2009:1620 | nvt/RHSA_2009_1620.nasl
2009-11-25 | ISC BIND 9 DNSSEC Query Response Additional Section Remote Cache Poisoning Vu... | nvt/bind_37118.nasl
0000-00-00 | Slackware Advisory SSA:2009-336-01 bind | nvt/esoft_slk_ssa_2009_336_01.nasl
0000-00-00 | Slackware Advisory SSA:2010-176-01 bind | nvt/esoft_slk_ssa_2010_176_01.nasl

Open Source Vulnerability Database (OSVDB)

id | Description
60493 | ISC BIND DNSSEC Recursive Query Additional Section Cache Poisoning

Nessus® Vulnerability Scanner

Date | Name | File | Type
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2009-1620.nasl | ACT_GATHER_INFO
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2010-0062.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20100120_bind_on_SL5_x.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20091130_bind_on_SL5_x.nasl | ACT_GATHER_INFO
2011-10-13 | The remote host is missing a Mac OS X update that fixes several security issues. | macosx_SecUpd2011-006.nasl | ACT_GATHER_INFO
2011-05-28 | The remote Slackware host is missing a security update. | Slackware_SSA_2009-336-01.nasl | ACT_GATHER_INFO
2011-05-28 | The remote Slackware host is missing a security update. | Slackware_SSA_2010-176-01.nasl | ACT_GATHER_INFO
2010-06-07 | The remote HP-UX host is missing a security-related patch. | hpux_PHNE_40339.nasl | ACT_GATHER_INFO
2010-06-02 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201006-11.nasl | ACT_GATHER_INFO
2010-03-05 | The remote VMware ESX host is missing one or more security-related patches. | vmware_VMSA-2010-0004.nasl | ACT_GATHER_INFO
2010-02-24 | The remote Debian host is missing a security-related update. | debian_DSA-1961.nasl | ACT_GATHER_INFO
2010-01-26 | The remote SuSE system is missing a security patch for bind | suse_11_1_bind-100121.nasl | ACT_GATHER_INFO
2010-01-26 | The remote SuSE system is missing a security patch for bind | suse_11_0_bind-100121.nasl | ACT_GATHER_INFO
2010-01-26 | The remote SuSE 11 host is missing one or more security updates. | suse_11_bind-100121.nasl | ACT_GATHER_INFO
2010-01-26 | The remote SuSE system is missing a security patch for bind | suse_11_2_bind-100121.nasl | ACT_GATHER_INFO
2010-01-21 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2010-0062.nasl | ACT_GATHER_INFO
2010-01-21 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2010-021.nasl | ACT_GATHER_INFO
2010-01-21 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-888-1.nasl | ACT_GATHER_INFO
2010-01-21 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2010-0062.nasl | ACT_GATHER_INFO
2010-01-06 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2009-1620.nasl | ACT_GATHER_INFO
2009-12-08 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-865-1.nasl | ACT_GATHER_INFO
2009-12-04 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2009-313.nasl | ACT_GATHER_INFO
2009-12-02 | The remote name server is affected by a cache poisoning vulnerability. | bind9_dnssec_cache_poisoning.nasl | ACT_GATHER_INFO
2009-12-01 | The remote SuSE system is missing a security patch for bind | suse_11_1_bind-091127.nasl | ACT_GATHER_INFO
2009-12-01 | The remote SuSE system is missing a security patch for bind | suse_11_0_bind-091127.nasl | ACT_GATHER_INFO
2009-12-01 | The remote SuSE 11 host is missing one or more security updates. | suse_11_bind-091127.nasl | ACT_GATHER_INFO
2009-12-01 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2009-1620.nasl | ACT_GATHER_INFO
2009-12-01 | The remote SuSE system is missing a security patch for bind | suse_11_2_bind-091127.nasl | ACT_GATHER_INFO
2009-11-30 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2009-304.nasl | ACT_GATHER_INFO
2009-11-30 | The remote Fedora host is missing a security update. | fedora_2009-12218.nasl | ACT_GATHER_INFO
2009-11-30 | The remote Fedora host is missing a security update. | fedora_2009-12233.nasl | ACT_GATHER_INFO

Alert History

Date | Information
2014-02-17 12:07:50 | Multiple Updates