7.1 - VU#559980

Executive Summary

Summary
Title	ISC Bind 9 IXFR or DDNS update combined with high query rate DoS vulnerability

Informations
Name	VU#559980	First vendor Publication	2011-02-22
Vendor	VU-CERT	Last vendor Modification	2011-02-23
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Cvss Base Score	7.1	Attack Range	Network
Cvss Impact Score	6.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#559980

ISC Bind 9 IXFR or DDNS update combined with high query rate DoS vulnerability

Overview

A denial-of-service condition exists in certain cases when an ISC Bind server processes a IXFR transfer or dynamic update.

I. Description

The ISC security advisory states:

"When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition."

II. Impact

An attacker may cause the Bind server to stop processing all requests.

III. Solution

BIND 9.7.1 or 9.7.2 users should upgrade to BIND 9.7.3. Earlier versions are not vulnerable. BIND 9.5 is End of Life and is not supported by ISC. BIND 9.8 is not vulnerable.

The ISC advisory contains the following workaround:
"Depending on your performance requirements, a work-around may be available. ISC was not able to reproduce this defect in 9.7.2 using -n 1, which causes named to use only one worker thread, thus avoiding the deadlock. If your server is powerful enough to serve your data with a single processor, this option may be fast to implement until you have time to perform an upgrade."

Vendor Information

Vendor	Status	Date Notified	Date Updated
Internet Systems Consortium	Affected	2011-01-24	2011-02-23

References

http://www.isc.org/software/bind/advisories/cve-2011-0414

Credit

Thanks to ISC for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public:	2011-02-22
Date First Published:	2011-02-22
Date Last Updated:	2011-02-23
CERT Advisory:
CVE-ID(s):	CVE-2011-0414
NVD-ID(s):	CVE-2011-0414
US-CERT Technical Alerts:
Severity Metric:	4.50
Document Revision:	12

Original Source

Url : http://www.kb.cert.org/vuls/id/559980

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-399	Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12628

Oval ID:	oval:org.mitre.oval:def:12628
Title:	DSA-2208-2 bind9 -- denial of service
Description:	The BIND, a DNS server, contains a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. If DNSSEC validation is enabled, this issue can make domains ending in .COM unavailable when the DS record for .COM is added to the DNS root zone on March 31st, 2011. An unpatched server which is affected by this issue can be restarted, thus re-enabling resolution of .COM domains. Configurations not using DNSSEC validations are not affected by this usse.
Family:	unix	Class:	patch
Reference(s):	DSA-2208-2 CVE-2011-0414	Version:	5
Platform(s):	Debian GNU/Linux 5.0	Product(s):	bind9
Definition Synopsis:
Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND bind9 DPKG is earlier than 1:9.6.ESV.R4+dfsg-0+lenny1

Definition Id: oval:org.mitre.oval:def:12924

Oval ID:	oval:org.mitre.oval:def:12924
Title:	DSA-2208-1 bind9 -- denial of service
Description:	It was discovered that BIND, a DNS server, contains a race condition when processing zones updates in an authoritative server, either through dynamic DNS updates or incremental zone transfer. Such an update while processing a query could result in deadlock and denial of service. In addition, this security update addresses a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. If DNSSEC validation is enabled, this issue can make domains ending in .COM unavailable when the DS record for .COM is added to the DNS root zone on March 31st, 2011. An unpatched server which is affected by this issue can be restarted, thus re-enabling resolution of .COM domains. This workaround applies to the version in oldstable, too. Configurations not using DNSSEC validations are not affected by this second issue.
Family:	unix	Class:	patch
Reference(s):	DSA-2208-1 CVE-2011-0414	Version:	5
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	bind9
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND Installed architecture is all AND bind9 DPKG is earlier than 1:9.7.3.dfsg-1~squeeze1

Definition Id: oval:org.mitre.oval:def:13186

Oval ID:	oval:org.mitre.oval:def:13186
Title:	USN-1070-1 -- bind9 vulnerability
Description:	It was discovered that Bind incorrectly handled IXFR transfers and dynamic updates while under heavy load when used as an authoritative server. A remote attacker could use this flaw to cause Bind to stop responding, resulting in a denial of service.
Family:	unix	Class:	patch
Reference(s):	USN-1070-1 CVE-2011-0414	Version:	5
Platform(s):	Ubuntu 10.10	Product(s):	bind9
Definition Synopsis:
Ubuntu 10.10 is installed Architecture section Architecture independent section Installed architecture is all AND Packages section host DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND bind9-doc DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 OR Architecture depended section Supported architectures section Installed architecture is powerpc AND Installed architecture is armel AND Installed architecture is amd64 AND Installed architecture is i386 AND Packages section dnsutils DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND libbind-dev DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND libisccc60 DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND libisccfg60 DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND bind9utils DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND bind9-host DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND libbind9-60 DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND liblwres60 DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND libdns66 DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND bind9 DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND libisc60 DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2 AND lwresd DPKG is earlier than 1:9.7.1.dfsg.P2-2ubuntu0.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Isc Bind cpe:2.3:a:isc:bind:9.7.2::::-::: cpe:2.3:a:isc:bind:9.7.2:rc1:::-:::* cpe:2.3:a:isc:bind:9.7.2:p3:::-:::* cpe:2.3:a:isc:bind:9.7.2:p1:::-:::* cpe:2.3:a:isc:bind:9.7.2:p2:::-:::* cpe:2.3:a:isc:bind:9.7.1::::-::: cpe:2.3:a:isc:bind:9.7.1:rc1:::-:::* cpe:2.3:a:isc:bind:9.7.1:p1:::-:::* cpe:2.3:a:isc:bind:9.7.1:p2:::-:::*	9

OpenVAS Exploits

Date	Description
2012-08-10	Name : Gentoo Security Advisory GLSA 201206-01 (bind) File : nvt/glsa_201206_01.nasl
2011-05-12	Name : Debian Security Advisory DSA 2208-1 (bind9) File : nvt/deb_2208_1.nasl
2011-05-12	Name : Debian Security Advisory DSA 2208-2 (bind9) File : nvt/deb_2208_2.nasl
2011-02-28	Name : Ubuntu Update for bind9 vulnerability USN-1070-1 File : nvt/gb_ubuntu_USN_1070_1.nasl
2011-02-23	Name : ISC BIND 9 IXFR Transfer/DDNS Update Remote Denial of Service Vulnerability File : nvt/gb_bind_46491.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
72539	ISC BIND Authoritative Server Crafted IXFR / DDNS Query Update Deadlock DoS

Nessus® Vulnerability Scanner

Date	Description
2017-04-21	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2017-0066.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_bind-110224.nasl - Type : ACT_GATHER_INFO
2012-06-21	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-01.nasl - Type : ACT_GATHER_INFO
2011-03-31	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2208.nasl - Type : ACT_GATHER_INFO
2011-02-24	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1070-1.nasl - Type : ACT_GATHER_INFO
2011-02-23	Name : The remote name server is affected by a denial of service vulnerability. File : bind9_973.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:07:58	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	3
CPE ID(s)	9
osvdb(s)	1
Openvas Exploit(s)	5
Nessus® Exploit(s)	6

	Related
7.1	CVE-2011-0414
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)