=====================================================================
CERT-Renater Information Note No. 2009/VULN478
_____________________________________________________________________
DATE                 : 25/11/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running BIND version 9.
======================================================================

https://www.isc.org/node/504
https://lists.isc.org/pipermail/bind-announce/2009-November/000610.html
https://lists.isc.org/pipermail/bind-announce/2009-November/000609.html
https://lists.isc.org/pipermail/bind-announce/2009-November/000608.html
______________________________________________________________________

BIND 9 Cache Update from Additional Section

CVE:               CVE-2009-4022
CERT:              VU#418861
Posting date:      2009-11-23
Program Impacted:  BIND
Versions affected: 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P3,
                   9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.6.1-P1
Severity:          Medium
Exploitable:       Remotely

Summary:
A validating recursive nameserver may incorrectly cache records from the additional section of a query response. If the nameserver is authoritative-only this will not occur.

Description:
A nameserver with DNSSEC validation enabled may incorrectly add records to its cache from the additional section of responses received during resolution of a recursive client query. This behavior only occurs when processing client queries with checking disabled (CD) at the same time as requesting DNSSEC records (DO).

Impact:
This problem only affects nameservers that allow recursive queries and are performing DNSSEC validation on behalf of their clients. It is unlikely to be encountered by most DNSSEC-validating nameservers because queries that might induce a nameserver to exhibit this behavior would not normally be received with CD in combination with DO. We are not aware of any (client) stub resolvers that do this; however, at least one other DNS server implementation has been observed crafting queries in this way when forwarding.
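The description above ties the defect to one query shape: the CD bit set in the header together with the DO bit in the EDNS0 OPT record. The following Python is an added example, not part of the CERT-Renater note or of ISC's code, that parses DNS query messages from the wire and picks out the ones carrying both bits, so an operator can see whether such queries reach a validating resolver at all. The sample queries are constructed inline with the block's own build_query helper; nothing here is a real capture.

```python
import struct

# Header flag bit (RFC 1035 / RFC 4035) and the EDNS0 "DNSSEC OK" bit (RFC 4035 / RFC 6891).
CD_FLAG = 0x0010      # Checking Disabled, in the 16-bit header flags word
DO_FLAG = 0x8000      # DNSSEC OK, in the low 16 bits of the OPT RR's TTL field
TYPE_OPT = 41         # EDNS0 OPT pseudo-RR type
TYPE_A = 1
CLASS_IN = 1

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2                          # resume after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (end if end is not None else off)

def read_rr(msg, off):
    """Read one resource record; return (name, type, class, ttl, rdata, next offset)."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated rdata")
    return name, rtype, rclass, ttl, rdata, off + rdlen

def parse_query(msg):
    """Return the header flags and EDNS state of a DNS query message."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, qname, qtype = 12, None, None
    for i in range(qd):
        name, off = read_name(msg, off)
        rtype, _ = struct.unpack_from("!HH", msg, off)
        off += 4
        if i == 0:
            qname, qtype = name, rtype
    for _ in range(an + ns):                           # normally empty in a query
        off = read_rr(msg, off)[5]
    edns, do = False, False
    for _ in range(ar):
        _, rtype, _, ttl, _, off = read_rr(msg, off)
        if rtype == TYPE_OPT:
            edns, do = True, bool(ttl & DO_FLAG)
    return {"id": ident, "qname": qname, "qtype": qtype,
            "cd": bool(flags & CD_FLAG), "edns": edns, "do": do}

def cd_and_do(msg):
    """True for the query shape the advisory describes: CD set together with DO."""
    q = parse_query(msg)
    return q["cd"] and q["do"]

def build_query(ident, qname, cd=False, edns=False, do=False, qtype=TYPE_A):
    """Build a minimal query message (used here only to construct sample input)."""
    flags = 0x0100 | (CD_FLAG if cd else 0)            # RD always set, CD optional
    msg = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns:                                           # OPT RR: root name, type 41, UDP size 4096
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if do else 0, 0)
    return msg

# Constructed sample queries, not real captures.
SAMPLES = {
    "cd+do":   build_query(0x1234, "www.example.com", cd=True, edns=True, do=True),
    "do only": build_query(0x5678, "example.net", edns=True, do=True),
    "cd only": build_query(0x9abc, "example.org", cd=True),
    "plain":   build_query(0xdef0, "example.com"),
}

def flagged(samples):
    """Labels of the sample queries that carry both CD and DO."""
    return [label for label, msg in samples.items() if cd_and_do(msg)]

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, parse_query(msg))
    print("CD+DO queries:", flagged(SAMPLES))
```

Run over a packet capture, parse_query is applied to the UDP payload of each query; the same parser can be pointed at the responses to check whether a forwarder in the path is the implementation setting CD and DO together, which is the case the impact section mentions.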
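The impact section narrows the exposed population to servers that both recurse for clients and validate, and the workaround is to restrict recursion with 'allow-recursion' in named.conf. The Python below is an added audit check, not from the CERT-Renater note or from ISC, that reads a named.conf fragment and reports which of those conditions hold. The three named.conf fragments (an open resolver, a resolver restricted to local clients, and an authoritative-only server) are constructed for the example; the treatment of a missing 'allow-recursion' as version-dependent is the example's own caveat.

```python
import re

# Constructed named.conf fragments (not from the advisory).
OPEN_RESOLVER = """
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    allow-recursion { any; };      // anyone on the Internet may recurse
};
"""

RESTRICTED_RESOLVER = """
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    allow-recursion { localhost; localnets; 192.0.2.0/24; };
};
"""

AUTH_ONLY = """
options {
    directory "/var/named";
    recursion no;   /* authoritative-only: the defect does not apply */
};
"""

UNRESTRICTED_ACLS = {"any", "0.0.0.0/0", "::/0"}

def strip_comments(conf):
    """Remove the three comment styles named.conf accepts."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def option(conf, name):
    """Value of a simple 'name value;' option, or None if it is not set."""
    m = re.search(r"(?<![\w-])%s\s+([\w-]+)\s*;" % re.escape(name), conf)
    return m.group(1) if m else None

def acl_entries(conf, name):
    """Entries of a 'name { a; b; };' address-match list, or None if not set."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(name), conf)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def assess(conf):
    """Classify a configuration against the conditions the advisory names."""
    conf = strip_comments(conf)
    recursive = option(conf, "recursion") != "no"      # BIND 9 recurses unless told not to
    validation = option(conf, "dnssec-validation")
    acl = acl_entries(conf, "allow-recursion")
    open_recursion = recursive and acl is not None and bool(UNRESTRICTED_ACLS & set(acl))
    if not recursive:
        finding = "authoritative-only: not affected by this defect"
    elif validation == "no":
        finding = "validation disabled: defect not triggered, but no authenticated data is served"
    elif open_recursion:
        finding = "open recursion with validation: restrict allow-recursion and upgrade"
    elif acl is None:
        finding = "allow-recursion not set (default depends on BIND version): confirm it, then upgrade"
    else:
        finding = "recursion restricted to %s: upgrade to a fixed release" % ", ".join(acl)
    return {"recursive": recursive, "dnssec_validation": validation,
            "allow_recursion": acl, "open_recursion": open_recursion, "finding": finding}

if __name__ == "__main__":
    for label, conf in [("open", OPEN_RESOLVER), ("restricted", RESTRICTED_RESOLVER),
                        ("auth-only", AUTH_ONLY)]:
        print(label, "->", assess(conf)["finding"])
```

The check only reads the global options block and does not follow 'include' statements or per-view settings; on a real deployment, 'named-checkconf -p' prints the fully expanded configuration, which is the text to feed to assess().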
Workarounds:
Ensure that recursion is restricted appropriately via the 'allow-recursion' option in named.conf.

Disabling DNSSEC validation will also prevent incorrect caching of additional records due to this defect. However, this removes DNSSEC validation protection and the ability of the nameserver to deliver authenticated data in query responses.

Active exploits:
None known at this time.

Solution:
Upgrade BIND to one of the following: 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2.

There are no fixes available for BIND versions 9.0 through 9.3, as those releases are at End of Life.

Note for BIND 9.7 beta-testers: BIND 9.7.0b3, which is not yet released, will contain a fix for this. However, all previous pre-releases of 9.7.0 are vulnerable.

Acknowledgment:
Michael Sinatra, UC Berkeley, for finding and investigating the bug.

Revision History:
Nov. 22 - Added VU# for Public Release.
Nov. 23 - Added CVE#

Questions should be addressed to bind9-bugs@isc.org

___________________________________________________________________________________

BIND 9.4.3-P4 is now available.

BIND 9.4.3-P4 is a SECURITY PATCH for BIND 9.4.3. It addresses a potential cache poisoning vulnerability, in which data in the additional section of a response could be cached without proper DNSSEC validation.

Bugs should be reported to bind9-bugs@isc.org.
BIND 9.4.3-P4 can be downloaded from:

  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz

PGP signatures of the distribution are at:

  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz.asc
  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/bind-9.4.3-P4.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.zip
  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.debug.zip

PGP signatures of the binary kit are at:

  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.zip.sha512.asc
  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.debug.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.debug.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.4.3-P4/BIND9.4.3-P4.debug.zip.sha512.asc

Changes since 9.4.3-P3:

2772.   [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        it validates as secure. [RT #20438]

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

_______________________________________________

BIND 9.5.2-P1 is now available.

BIND 9.5.2-P1 is a SECURITY PATCH for BIND 9.5.2. It addresses a potential cache poisoning vulnerability, in which data in the additional section of a response could be cached without proper DNSSEC validation.

Bugs should be reported to bind9-bugs@isc.org.
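Change 2772 describes the fix in one sentence: pending (not yet validated) data is tagged with whether it came from the additional section, and additional-section data is only returned once it validates as secure. The Python below is an added, deliberately simplified model of that rule, written for this note; it is not BIND's code, the trust-level names are the model's own, and the DO half of the triggering condition is not modelled (only the CD bit, which is what lets a client receive unvalidated data). The MX exchange it replays is constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Trust(IntEnum):
    """Trust levels in this model; the real server uses finer-grained levels."""
    PENDING_ADDITIONAL = 1   # not yet validated, came from the additional section
    PENDING_ANSWER = 2       # not yet validated, came from the answer/authority section
    SECURE = 3               # passed DNSSEC validation

@dataclass
class CachedRRset:
    rdata: tuple
    trust: Trust

class ValidatingCache:
    """track_section=False models the pre-fix behaviour, True the fixed one."""

    def __init__(self, track_section):
        self.track_section = track_section
        self.store = {}

    def learn(self, section, name, rtype, rdata):
        """Cache an unvalidated RRset taken from a response section."""
        key = (name.lower(), rtype)
        current = self.store.get(key)
        if current is not None and current.trust == Trust.SECURE:
            return                                   # validated data is never displaced
        if self.track_section and section == "additional":
            trust = Trust.PENDING_ADDITIONAL
        else:
            trust = Trust.PENDING_ANSWER             # pre-fix: one 'pending' bucket for all sections
        self.store[key] = CachedRRset(tuple(rdata), trust)

    def validation_result(self, name, rtype, secure):
        """Promote pending data to SECURE, or drop it when validation fails."""
        key = (name.lower(), rtype)
        if key not in self.store:
            return
        if secure:
            self.store[key].trust = Trust.SECURE
        else:
            del self.store[key]

    def answer(self, name, rtype, cd):
        """Data the cache may hand to a client; None means 'nothing usable yet'."""
        rr = self.store.get((name.lower(), rtype))
        if rr is None:
            return None
        if rr.trust == Trust.SECURE:
            return rr.rdata
        if not cd:
            return None           # a validating client waits for validation to finish
        if rr.trust == Trust.PENDING_ADDITIONAL:
            return None           # the fix: additional-section data must validate first
        return rr.rdata           # a CD client accepts unvalidated answer-section data

def scenario(track_section):
    """Constructed exchange: an MX answer whose additional section carries an A record."""
    cache = ValidatingCache(track_section)
    cache.learn("answer", "example.com", "MX", ("10 mail.example.com.",))
    cache.learn("additional", "mail.example.com", "A", ("192.0.2.99",))
    return {
        "mx_cd": cache.answer("example.com", "MX", cd=True),
        "a_cd": cache.answer("mail.example.com", "A", cd=True),
        "a_nocd": cache.answer("mail.example.com", "A", cd=False),
    }

def scenario_validated():
    """With the fix, additional-section data is served once it validates as secure."""
    cache = ValidatingCache(track_section=True)
    cache.learn("additional", "mail.example.com", "A", ("192.0.2.99",))
    cache.validation_result("mail.example.com", "A", secure=True)
    return cache.answer("mail.example.com", "A", cd=False)

if __name__ == "__main__":
    print("before fix:", scenario(track_section=False))
    print("after fix: ", scenario(track_section=True))
    print("validated: ", scenario_validated())
```

The point the model makes is that the CD bit alone was enough, before the fix, to have the cache hand out an address record that arrived in the additional section of an unrelated response; after the fix the same CD query still receives the unvalidated answer-section MX data (that is what CD asks for), but the additional-section A record is withheld until the validator has passed it.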
BIND 9.5.2-P1 can be downloaded from:

  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/bind-9.5.2-P1.tar.gz

PGP signatures of the distribution are at:

  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/bind-9.5.2-P1.tar.gz.asc
  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/bind-9.5.2-P1.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/bind-9.5.2-P1.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/BIND9.5.2-P1.zip
  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/BIND9.5.2-P1.debug.zip

PGP signatures of the binary kit are at:

  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/BIND9.5.2-P1.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/BIND9.5.2-P1.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/BIND9.5.2-P1.zip.sha512.asc
  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/BIND9.5.2-P1.debug.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/BIND9.5.2-P1.debug.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.5.2-P1/BIND9.5.2-P1.debug.zip.sha512.asc

Changes since 9.5.2:

2772.   [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        it validates as secure. [RT #20438]

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

_______________________________________________

BIND 9.6.1-P2 is now available.

BIND 9.6.1-P2 is a SECURITY PATCH for BIND 9.6.1. It addresses a potential cache poisoning vulnerability, in which data in the additional section of a response could be cached without proper DNSSEC validation.

Bugs should be reported to bind9-bugs@isc.org.
BIND 9.6.1-P2 can be downloaded from:

  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz

PGP signatures of the distribution are at:

  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz.asc
  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz.sha512.asc

The signatures were generated with the ISC public key, which is available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.zip
  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.debug.zip

PGP signatures of the binary kit are at:

  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.zip.sha512.asc
  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.debug.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.debug.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.debug.zip.sha512.asc

Changes since 9.6.1-P1:

2772.   [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        it validates as secure. [RT #20438]

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44    +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41    +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================