Gentoo Logo

BIND: Denial of Service

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200908-02 / bind
Release Date August 01, 2009
Latest Revision August 01, 2009: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-dns/bind < 9.4.3_p3 >= 9.4.3_p3 All supported architectures

Related bugreports: #279508

Synopsis

Dynamic Update packets can cause a Denial of Service in the BIND daemon.

2.  Impact Information

Background

ISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol.

Description

Matthias Urlichs reported that the dns_db_findrdataset() function fails when the prerequisite section of the dynamic update message contains a record of type "ANY" and where at least one RRset for this FQDN exists on the server.

Impact

A remote unauthenticated attacker could send a specially crafted dynamic update message to the BIND daemon (named), leading to a Denial of Service (daemon crash). This vulnerability affects all primary (master) servers -- it is not limited to those that are configured to allow dynamic updates.

3.  Resolution Information

Workaround

Configure a firewall that performs Deep Packet Inspection to prevent nsupdate messages from reaching named. Alternatively, expose only secondary (slave) servers to untrusted networks.

Resolution

All BIND users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p3"

4.  References

Print

Updated August 01, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Support OSL
Gentoo Centric Hosting: vr.org
Tek Alchemy
SevenL.net
Global Netoptex Inc.
Bytemark
Online Kredit Index
Copyright 2001-2009 Gentoo Foundation, Inc. Questions, Comments? Contact us.