
DOE-CIRC TECHNICAL BULLETIN

T-197: ISC BIND Denial of Service Vulnerability

July 29, 2009 16:00 GMT

PROBLEM: ISC BIND has a vulnerability that could allow remote unauthenticated users to cause a denial of service.
PLATFORM: All versions except 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1.
ABSTRACT: ISC BIND is prone to a remote denial-of-service vulnerability because the application fails to properly handle specially crafted dynamic update requests.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-197.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/35848/discuss
    US-CERT: http://www.kb.cert.org/vuls/id/725188
    ISC: https://www.isc.org/node/474
  CVE: CVE-2009-0696

IMPACT ASSESSMENT: This risk is high. This vulnerability is currently being exploited in the wild. Vulnerable servers should be patched as soon as possible.

Discussion: 

Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or more zones; it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type ANY and at least one RRset for this FQDN exists on the server. The server then logs the following assertion failure and exits:

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure). 
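
For responders checking whether a server has already been hit, the following Python is an added example (not part of the DOE-CIRC bulletin or of ISC's code) that scans syslog lines for the two messages quoted above and pairs them per named process. The syslog line layout, the host names, PIDs and timestamps, and the unrelated assertion in the sample are assumptions constructed for illustration.

```python
import re

# Signature lines taken verbatim from the named output quoted in the bulletin.
ASSERT_SIG = "db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed"
EXIT_SIG = "exiting (due to assertion failure)"

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> named[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\snamed\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)

def find_crashes(lines):
    """Return one dict per named process that logged the CVE-2009-0696 assertion.

    'exited' is True only if the same host/pid logged the exit line afterwards,
    so unrelated assertion failures and orphaned lines are not misreported.
    """
    pending = {}    # (host, pid) -> incident still waiting for its exit line
    incidents = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        key = (m["host"], m["pid"])
        msg = m["msg"].strip()
        if msg == ASSERT_SIG:
            inc = {"host": m["host"], "pid": int(m["pid"]),
                   "time": m["ts"], "exited": False}
            pending[key] = inc
            incidents.append(inc)
        elif msg == EXIT_SIG and key in pending:
            pending.pop(key)["exited"] = True
    return incidents

# Constructed sample log: hosts, PIDs, timestamps and the ns2 assertion are invented.
SAMPLE_LOG = """\
Jul 29 14:02:10 ns1 named[2314]: zone example.test/IN: loaded serial 2009072901
Jul 29 14:02:11 ns1 named[2314]: db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
Jul 29 14:02:11 ns1 named[2314]: exiting (due to assertion failure)
Jul 29 14:05:40 ns2 named[801]: mem.c:100: REQUIRE(ptr != NULL) failed
Jul 29 14:05:40 ns2 named[801]: exiting (due to assertion failure)
Jul 29 14:09:02 ns3 named[455]: db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
""".splitlines()

if __name__ == "__main__":
    for incident in find_crashes(SAMPLE_LOG):
        print(incident)
```

A hit with exited set to False (ns3 in the sample) means the assertion was logged but the exit line was not seen, for example because the log was truncated or rotated.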

Solution:
Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:

http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz
http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz
http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz

DOE-CIRC wishes to acknowledge the contributions of Matthias Urlichs for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788