====================================================================

                             CERT-Renater

                  Note d'Information No. 2012/VULN291
____________________________________________________________________

DATE                :  25/07/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running BIND9 versions 9.9.0 up to and
                                   including 9.9.1-P1.

======================================================================
https://kb.isc.org/article/AA-00730
https://kb.isc.org/article/AA-00729
______________________________________________________________________

CVE-2012-3868: High TCP Query Load Can Trigger a Memory Leak in BIND 9
Author: Michael McNally Reference Number: AA-00730 Views: 686 Created:
2012-07-20 17:02 Last Updated: 2012-07-24 13:26 	

Title: High TCP Query Load Can Trigger a Memory Leak in BIND 9

Summary:

Under heavy incoming TCP query loads named experiences a memory leak
which may lead to significant reductions in query response performance.
Additionally, this can trigger an automatic shutdown if named is
running on a system that kills out-of-memory processes.

CVE: CVE-2012-3868

Document Version: 2.0

Posting date: 24 July 2012

Program Impacted: BIND9

Versions affected: 9.9.0 through 9.9.1-P1

Severity: High

Exploitable: Remotely

Description:

BIND 9 tracks incoming queries using a structure called "ns_client".
When a query has been answered and the ns_client structure is no longer
needed, it is stored on a queue of inactive ns_clients. When a new
ns_client is needed to service a new query, the queue is checked to see
if any inactive ns_clients are available before a new one is allocated;
this speeds up the system by avoiding unnecessary memory allocations
and de-allocations. However, when the queue is empty, and one thread
inserts an ns_client into it while another thread attempts to remove
it, a race bug could cause the ns_client to be lost; since the queue
would appear empty in that case, a new ns_client would be allocated
from memory. This condition occurred very infrequently with UDP queries
but much more frequently under high TCP query loads; over time, the
number of allocated but misplaced ns_client objects could grow large
enough to affect system performance, and could trigger an automatic
shutdown of the named process on systems with an "OOM killer" (out of
memory killer) mechanism.

CVSS Score: 5.0

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please
visit:http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P)

Workarounds: None available

Solution: Upgrade to BIND 9 version 9.9.1-P2.

BIND 9.9.1-P2 is available from www.isc.org/downloads/all

Exploit Status: Not known

Acknowledgment: ISC would like to thank Kevin Sheehan of Infoblox,
Inc., and Anand Buddhdev from the RIPE NCC.

Document Revision History:

    1.0 -Phase 1 contacted 11 July, 2012
    1.1 -Phase 1 re-issued 17 July, 2012. Re-released this patch with
additional code to Phase 1.

    1.2 - 23 July 2012 Phase 2 & 3 notified
    2.0 - 24 July 2012 Phase 4-Public released

References:

     Do you have Questions? Questions regarding this advisory should go
to security-officer@isc.org.
     ISC Security Vulnerability Disclosure Policy: Details of our
current security advisory policy and practice can be found
here:https://www.isc.org/security-vulnerability-disclosure-policy
    Japanese Translation: https://kb.isc.org/article/AA-00753
    Spanish Translation: https://kb.isc.org/article/AA-00751
    German Translation: https://kb.isc.org/article/AA-00742

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be inferred. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred to
in this notice, including, without limitation, any inferred warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of non-infringement. Your use of, or reliance on, this
notice or materials referred to in this notice is at your own risk. ISC
may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy. Uncontrolled copies may lack important information, be out of
date, or contain factual errors.

© 2001-2012 Internet Systems Consortium
Feedback

    Please help us to improve the content of our knowledge base by
letting us know how we can improve this article or by submitting
suggestions for other articles you'd like to see created. Information
on how to obtain further help on our products or services can be found
on our main website.

______________________________________________________________________

CVE-2012-3817: Heavy DNSSEC Validation Load Can Cause a "Bad Cache"
Assertion Failure in BIND9
Author: Michael McNally Reference Number: AA-00729 Views: 700 Created:
2012-07-20 16:59 Last Updated: 2012-07-24 13:38 	0 Rating/ Voters 	

Title: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion
Failure in BIND9

Summary: High numbers of queries with DNSSEC validation enabled can
cause an assertion failure in named, caused by using a "bad cache" data
structure before it has been initialized.

CVE: CVE-2012-3817

Document Version: 2.0

Posting date: 24 July, 2012

Program Impacted: BIND 9

Versions affected:

    9.6-ESV-R1 through 9.6-ESV-R7-P1; 9.7.1 through 9.7.6-P1; 9.8.0
through 9.8.3-P1; 9.9.0 through 9.9.1-P1.

Severity: Critical

Exploitable: Remotely

Description:

    BIND 9 stores a cache of query names that are known to be failing
due to misconfigured name servers or a broken chain of trust. Under
high query loads when DNSSEC validation is active, it is possible for a
condition to arise in which data from this cache of failing queries
could be used before it was fully initialized, triggering an assertion
failure.

    This bug cannot be encountered unless your server is doing DNSSEC
validation.

    Please Note: Versions of BIND 9.4 and 9.5 are also affected, but
these branches are beyond their "end of life" (EOL) and no longer
receive testing or security fixes from ISC. For current information on
which versions are actively supported, please see
http://www.isc.org/software/bind/versions

CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please
visit:http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds: None

Solution: Upgrade to the patched release most closely related to your
current version of BIND. These can all be downloaded from
www.isc.org/downloads/all

    BIND 9 version 9.9.1-P2
    BIND 9 version 9.8.3-P2
    BIND 9 version 9.7.6-P2
    BIND 9 version 9.6-ESV-R7-P2

Exploit Status: None known at this time

Acknowledgment: ISC would like to thank Einar Lonn of IIS.se

Document Revision History:

    1.0 - 11 July, 2012 Phase 1 notice sent
    1.1 - 17 July, 2012 Phase 1 re-issued due to change in patch for
CVE-2012-3868 that affects 9.9.x only
    1.2 - 23 July, 2012 Phase 2 & 3 sent
    2.0 - 24 July, 2012 Phase 3 (Public) notified

References:

- Do you have Questions? Questions regarding this advisory should go to
security-officer@isc.org.

- ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy

- Japanese Translation:  https://kb.isc.org/article/AA-00752

- Spanish Translation: https://kb.isc.org/article/AA-00750

- German Translation:  https://kb.isc.org/article/AA-00743

This security advisory is also located in our KnowledgeBase:
https://deepthought.isc.org/Article/AA-00729

See our BIND Security Matrix for a complete listing of Security
Vulnerabilites and versions affected.

Note: ISC patches only Currently supported versions. When possible we
indicate EOL versions affected.

If you'd like more information on our Forum or BIND/DHCP support please
visit www.isc.org/software/guild or www.isc.org/support

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be inferred. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred to
in this notice, including, without limitation, any inferred warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of non-infringement. Your use of, or reliance on, this
notice or materials referred to in this notice is at your own risk. ISC
may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy. Uncontrolled copies may lack important information, be out of
date, or contain factual errors.

© 2001-2012 Internet Systems Consortium
Feedback

    Please help us to improve the content of our knowledge base by
letting us know how we can improve this article or by submitting
suggestions for other articles you'd like to see created. Information
on how to obtain further help on our products or services can be found
on our main website.



======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================