Message-ID: <4DC33C5D.6080902@isc.org>
Date: Thu, 05 May 2011 17:10:05 -0700
From: Larissa Shapiro <larissas@....org>
To: ISC Security Officer <security-officer@....org>
Subject: DNS BIND Security Advisory: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

Note: https://www.isc.org/CVE-2011-1907 is the authoritative source for this Security Advisory. Please check the source for any updates.

Summary: When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.

CVE: CVE-2011-1907
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0
Severity: High
Exploitable: remotely

Description: This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement.

BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.

Workarounds: Install 9.8.0-P1 or higher.

Active exploits: None. However, some DNSSEC validators are known to send type=RRSIG queries, innocently triggering the failure.

Solution: Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.

For more information on support and other services for ISC's software products, please visit https://www.isc.org/community/blog/201102/BIND-support

For more information about DNS RPZ, please check security advisory @ https://www.isc.org/CVE-2011-1907

Questions about this Security Advisory should be sent to the ISC Security Officer <security-officer@....org>.

--
Larissa Shapiro
Internet Systems Consortium Product Manager
Technology Leadership for the Common Good
+1 650 423 1335
www.isc.org
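An added example, not part of ISC's advisory: a Python check that lists every record in an RPZ policy zone file that is anything other than the NXDOMAIN action, i.e. the entries the Solution above says to avoid on BIND 9.8.0. It assumes the standard RPZ zone encoding (`CNAME .` means NXDOMAIN, `CNAME *.` means NODATA, any other record is replacement data), which comes from BIND's RPZ documentation rather than this page; the zone contents and function names are constructed for illustration.

```python
import re

SKIPPED = {"SOA", "NS"}  # apex housekeeping records, not policy
TTL_OR_CLASS = re.compile(r"(\d+[smhdw]?|IN)", re.I)

# Constructed sample policy zone (all names and addresses are illustrative).
SAMPLE_ZONE = """\
$TTL 300
@ IN SOA localhost. admin.localhost. (
        1 3600 600 86400 300 )   ; constructed sample policy zone
@ IN NS localhost.
bad.example.com        CNAME .
*.bad.example.com      CNAME .
ads.example.net        A 192.0.2.10
                       AAAA 2001:db8::10
portal.example.org 60 IN CNAME walled-garden.example.
quiet.example.org      CNAME *.
"""

def logical_lines(text):
    """Strip ';' comments and join records continued inside parentheses."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ") + " "
        if depth <= 0:
            if buf.strip():
                yield buf.rstrip()
            buf, depth = "", 0

def non_nxdomain_records(zone_text):
    """Return (owner, type, rdata) for each policy record other than 'CNAME .'."""
    findings, owner = [], None
    for line in logical_lines(zone_text):
        if line.startswith("$"):            # $TTL / $ORIGIN directives
            continue
        fields = line.split()
        if not line[0].isspace():           # no leading blank: new owner name
            owner = fields.pop(0)
        while fields and TTL_OR_CLASS.fullmatch(fields[0]):
            fields.pop(0)                   # optional TTL and class
        if not fields or fields[0].upper() in SKIPPED:
            continue
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if (rtype, rdata) != ("CNAME", "."):   # 'CNAME .' is the NXDOMAIN action
            findings.append((owner, rtype, rdata))
    return findings
```

NODATA entries (`CNAME *.`) are reported as well, since the advisory names only NXDOMAIN as the safe use; an empty result means the zone contains NXDOMAIN actions only.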