[<prev] [next>] [day] [month] [year] [list]
Message-Id: <D0A6C87A-66B8-4BBA-94BD-19DCF40F5407@senki.org>
Date: Thu, 5 May 2011 17:24:09 -0700
From: Barry Greene <bgreene@...ki.org>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Cc: ISC Security Officer <security-officer@....org>
Subject: Security Advisory: DNS BIND Security Advisory:
RRSIG Queries Can Trigger Server Crash When Using Response
Policy Zones
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Note: https://www.isc.org/CVE-2011-1907 is the authoritative source
for this Security Advisory. Please check the source for any updates.
Summary: When a name server is configured with a response policy zone
(RPZ), queries for type RRSIG can trigger a server crash.
CVE: CVE-2011-1907
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0
Severity: High
Exploitable: remotely
Description: This advisory only affects BIND users who are using the
RPZ feature configured for RRset replacement. BIND 9.8.0 introduced
Response Policy Zones (RPZ), a mechanism for modifying DNS responses
returned by a recursive server according to a set of rules which are
either defined locally or imported from a reputation provider. In
typical configurations, RPZ is used to force NXDOMAIN responses for
untrusted names. It can also be used for RRset replacement, i.e.,
returning a positive answer defined by the response policy. When RPZ
is being used, a query of type RRSIG for a name configured for RRset
replacement will trigger an assertion failure and cause the name
server process to exit.
Workarounds: Install 9.8.0-P1 or higher.
Active exploits: None. However, some DNSSEC validators are known to
send type=RRSIG queries, innocently triggering the failure.
Solution: Use RPZ only for forcing NXDOMAIN responses and not for
RRset replacement.
CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5
(AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Thank you to Mitsuru Shimamura at Internet Initiative Japan for
finding this defect.
For more information on support and other services for ISC's software
products, please visit
https://www.isc.org/community/blog/201102/BIND-support
For more information about DNS RPZ, please check security advisory @
https://www.isc.org/CVE-2011-1907
Questions about this Security Advisory should be sent to the ISC
Security Officer <security-officer@....org>.
-----BEGIN PGP SIGNATURE-----
Version: 10.1.0.860
wsBVAwUBTcM/blVuk3AWv0XzAQhSSAgAlvGfryj+hJ66PcqmTG1bLxUBiRjVgb3S
bMAz70oKcNhDL3gFkAbT4I0bLIgUtr59hg4A5rvS6S8GZz/OgkK3J5By7NP+BAUm
OUuey2EUUHm1xH8sKMOyHcAb7OHaaI20Bew9nVvHn4V6EYySrnqR7woZblCM+i9x
r/YucIL6c2Nrikud3M9sRfQKZmPtVciy2Oh2/miXQT8y5MrZlw5KowzhFc13Vy8O
8FzXpiqyJD6+/zq2J1eCbAe4hNg4FVk59ySy4IKLS1Ni9l3NKFOaljFOitVQ+1xV
9wzj+0mitqfkhPdgJE/n9WqmlSfjX6VLzlKfWR/vW0PS7A16V+kEGA==
=tcnF
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists