=====================================================================
CERT-Renater Information Note No. 2010/VULN486
_____________________________________________________________________

DATE                 : 02/12/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running BIND versions 9 prior to
                       9.7.2-P3, 9.6.2-P3, 9.6-ESV-R3, 9.4-ESV-R4.
======================================================================

https://lists.isc.org/pipermail/bind-announce/2010-December/000660.html
https://www.isc.org/software/bind/advisories/cve-2010-3613
https://www.isc.org/software/bind/advisories/cve-2010-3614
https://www.isc.org/software/bind/advisories/cve-2010-3615
______________________________________________________________________

BIND 9.7.2-P3, 9.6.2-P3, 9.6-ESV-R3 and 9.4-ESV-R4 are now available

We've published four releases that contain various security and bug fixes.

The detailed Security Advisories are located at:
http://www.isc.org/advisories

Guidance as to recommended upgrades is available at:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

BIND 9.7.2-P3 Release Note
http://ftp.isc.org/isc/bind9/9.7.2-P3/RELEASE-NOTES-BIND-9.7.2-P3.txt

BIND 9.6.2-P3 Release Note
http://ftp.isc.org/isc/bind9/9.6.2-P3/RELEASE-NOTES-BIND-9.6.2-P3.txt

BIND 9.6-ESV-R3 Release Note
http://ftp.isc.org/isc/bind9/9.6-ESV-R3/RELEASE-NOTES-BIND-9.6-ESV-R3.txt

BIND 9.4-ESV-R4 Release Note
http://ftp.isc.org/isc/bind9/9.4-ESV-R4/RELEASE-NOTES-BIND-9.4-ESV-R4.txt

DOWNLOADS are available from our website or ftp site:

9.4-ESV-R4
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4/bind-9.4-ESV-R4.tar.gz
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4/BIND9.4-ESV-R4.debug.zip
ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4/BIND9.4-ESV-R4.zip

9.6-ESV-R3
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R3/bind-9.6-ESV-R3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R3/BIND9.6-ESV-R3.debug.zip
ftp://ftp.isc.org/isc/bind9/9.6-ESV-R3/BIND9.6-ESV-R3.zip

9.6.2-P3
ftp://ftp.isc.org/isc/bind9/9.6.2-P3/bind-9.6.2-P3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.6.2-P3/BIND9.6.2-P3.debug.zip
ftp://ftp.isc.org/isc/bind9/9.6.2-P3/BIND9.6.2-P3.zip

9.7.2-P3
ftp://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz
ftp://ftp.isc.org/isc/bind9/9.7.2-P3/BIND9.7.2-P3.debug.zip
ftp://ftp.isc.org/isc/bind9/9.7.2-P3/BIND9.7.2-P3.zip
____________________________________________________________________

BIND: cache incorrectly allows an ncache entry and an RRSIG for the same type

Summary: Failure to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named.
CVE: CVE-2010-3613
CERT: VU#706148
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.6.2 - 9.6.2-P2, 9.6-ESV - 9.6-ESV-R2, 9.7.0 - 9.7.2-P2
Severity: High
Exploitable: remotely

Description: Adding certain types of signed negative responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (INSIST).

CVSS: 7.8 - (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more on CVSS scores and to calculate your environment's specific risk, please visit:
CVSS Calculator: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Impact and Risk Assessment: The INSIST crashes the server. This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled.
Workarounds: none
Active exploits: None known at this time.
Solution: If you are running:
  9.6.x:  upgrade to 9.6.2-P3 or newer
  9.6ESV: upgrade to 9.6-ESV-R3 or newer
  9.7.x:  upgrade to 9.7.2-P3
We are not patching EOL versions of BIND

Revision History:
  Nov24: Corrected/Updated: Versions affected, CVSS Score, Impact and Risk Assessment and Solution

For more information please contact bind9-bugs@isc.org
_________________________________________________________________________

BIND: Key algorithm rollover bug in bind9

Summary: named (acting as DNSSEC validating resolver) could incorrectly mark zone data as insecure when the zone being queried is undergoing a key algorithm rollover.
CVE: CVE-2010-3614
CERT: VU#837744
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2
Severity: Low
Exploitable: remotely

Description: named, acting as a DNSSEC validator, was determining if an NS RRset is insecure based on a value that could mean either that the RRset is actually insecure or that there wasn't a matching key for the RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY RRset. This can happen in the middle of a DNSKEY algorithm rollover, when two different algorithms were used to sign a zone but only the new set of keys is in the zone DNSKEY RRset. See http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-02#section-4.2.4 for an example scenario.

CVSS: 5.0 - (AV:N/AC:L/Au:N/C:N/I:P/A:N)
For more on CVSS scores and to calculate your environment's specific risk, please visit:
CVSS Calculator: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Impact and Risk Assessment: Answers are marked incorrectly as insecure.
Workarounds: None
Active exploits: None known at this time.

Solution: If you are running anything not listed below, upgrade as other versions are EOL and not being patched.
  9.4: upgrade to 9.4-ESV-R4, or newer
  9.6: upgrade to 9.6.2-P3 or 9.6-ESV-R3, or newer
  9.7: upgrade to 9.7.2-P3

Revision History:
  Nov24: Corrected/updated: Versions Affected, CVSS Base Score and Solution

For more information please contact bind9-bugs@isc.org
_______________________________________________________________________

BIND: allow-query processed incorrectly

Summary: Using "allow-query" in the "options" or "view" statements to restrict access to authoritative zones has no effect.
CVE: CVE-2010-3615
CERT: VU#510208
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.7.2-P2
Severity: High
Exploitable: remotely

Description: When named is running as an authoritative server for a zone and receives a query for that zone data, it first checks for allow-query acls in the zone statement, then in that view, then in global options. If none of these exist, it defaults to allowing any query (allow-query {"any"};). With this bug, if the allow-query is not set in the zone statement, it failed to check in view or global options and fell back to the default of allowing any query. This means that queries that the zone owner did not wish to allow were incorrectly allowed. This bug doesn't affect allow-recursion or allow-query-cache acls, since they are not relevant to a zone for which the server is authoritative.

CVSS: 7.8 - (AV:N/AC:L/Au:N/C:C/I:N/A:N)
For more on CVSS scores and to calculate your environment's specific risk, please visit:
CVSS Calculator: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Impact and Risk Assessment: The configured acl is not correctly applied, allowing queries that the owner did not wish to allow.
Workarounds: Put the allow-query acl in each zone statement.
Active exploits: None known at this time.

Solution: Upgrade to 9.7.2-P3. 9.6ESV-R2 does not have this flaw. We are not patching EOL versions.
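As an added illustration (not part of the ISC advisory or of this CERT-Renater note), the named.conf fragments below contrast a configuration that relies only on a view-level allow-query, which 9.7.2-P2 ignores for authoritative zones, with the workaround the advisory gives of repeating the acl in each zone statement. The acl name "internal", the addresses and the zone name are constructed placeholders.

```conf
// Constructed example; acl name, addresses and zone name are placeholders.
acl "internal" { 192.0.2.0/24; 2001:db8::/32; localhost; };

// Fragment A: affected layout on BIND 9.7.2-P2. allow-query is set only
// at view level and the zone statement carries none. With the bug, named
// never consults the view (or options) acl for this authoritative zone and
// falls back to the default allow-query { any; }, so example.net data is
// served to every source address.
view "internal-only" {
    allow-query { internal; };
    zone "example.net" {
        type master;
        file "db.example.net";
    };
};

// Fragment B: the advisory's workaround (an alternative to fragment A,
// not a second view of the same name). The zone-level allow-query is the
// first acl checked and is not affected by the bug, so the restriction
// holds on 9.7.2-P2. The view-level acl is kept so that behaviour is the
// same once the server is upgraded to 9.7.2-P3.
view "internal-only" {
    allow-query { internal; };
    zone "example.net" {
        type master;
        file "db.example.net";
        allow-query { internal; };
    };
};
```

A quick check after reloading: a query for example.net from an address outside "internal" should be answered REFUSED, whereas with fragment A on 9.7.2-P2 it returns the zone data.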
Revision History:
  24Nov: Corrected/Updated Versions affected, CVSS Score and Solution

For more information please contact bind9-bugs@isc.org
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23 - 25 Rue Daviel     | fax : 01-53-94-20-41         +
+ 75013 Paris            | email: certsvp@renater.fr    +
=========================================================