Opened 6 years ago

Closed 6 years ago

#6697 closed enhancement (fixed)

bind9.10.2-P2 and BIND Utilities-9.10.2-P2

Reported by: Fernando de Oliveira
Owned by: bdubbs@…
Priority: high
Milestone: 7.8
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

ftp://ftp.isc.org/isc/bind9/9.10.2-P2/bind-9.10.2-P2.tar.gz

ftp://ftp.isc.org/isc/bind9/9.10.2-P2/bind-9.10.2-P2.tar.gz.sha512.asc

https://kb.isc.org/article/AA-01267

CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to
Crash when Validating

Author: Michael McNally Reference Number: AA-01267 Views: 2884
Created: 2015-06-16 19:57 Last Updated: 2015-07-07 18:15 	

An attacker who can cause a validating resolver to query a zone
containing specifically constructed contents can cause that resolver to
fail an assertion and terminate due to a defect in validation code.

CVE: CVE-2015-4620
Document Version: 2.0
Posting date: 7 July 2015
Program Impacted: BIND
Versions affected: BIND 9.7.1 -> 9.7.7, 9.8.0 -> 9.8.8, 9.9.0 -> 9.9.7,
9.10.0 -> 9.10.2-P1.  


Severity: Critical
Exploitable: Remotely

Description:

A very uncommon combination of zone data has been found that triggers a
bug in BIND, with the result that named will exit with a "REQUIRE"
failure in name.c when validating the data returned in answer to a
recursive query. 

This means that a recursive resolver that is performing DNSSEC
validation can be deliberately stopped by an attacker who can cause the
resolver to perform a query against a maliciously-constructed zone.

Impact:

A recursive resolver that is performing DNSSEC validation can be
deliberately terminated by any attacker who can cause a query to be
performed against a maliciously constructed zone.  This will result in a
denial of service to clients who rely on that resolver.

DNSSEC validation is only performed by a recursive resolver if it has
"dnssec-validation auto;" in its configuration or if it has a root trust
anchor defined and has "dnssec-validation yes;" set (either by accepting
the default or via an explicitly set value of "yes".)  By default ISC
BIND recursive servers will not validate.  (However, ISC defaults may
have been changed by your distributor.)

CVSS Score:  7.8

CVSS Vector:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

ftp://ftp.isc.org/isc/bind9/9.10.2-P2/CHANGES

ftp://ftp.isc.org/isc/bind9/9.10.2-P2/RELEASE-NOTES-9.10.2-P2.txt

Release Notes for BIND Version 9.10.2-P2

Introduction

   This document summarizes changes since BIND 9.10.2:

   BIND 9.10.2-P2 addresses a security issue described in CVE-2015-4620.

   BIND 9.10.2-P1 addressed several bugs that have been identified ...

Security Fixes

     * On servers configured to perform DNSSEC validation an assertion
       failure could be triggered on answers from a specially configured
       server.
       This flaw was discovered by Breno Silveira Soares, and is disclosed
       in CVE-2015-4620. [RT #39795]

New Features

     * None

Feature Changes

     * None

Bug Fixes

    ... 
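A triage check for the exposure conditions quoted above (the "Versions affected" ranges and the "dnssec-validation" rule from the Impact section), added here as an example; it is not part of the ticket or of ISC's advisory. The function names and the sample configuration are constructed, and it assumes plain x.y.z[-Pn] version strings and that any trusted-keys or managed-keys block counts as a root trust anchor.

```python
import re

# Affected ranges as listed in the advisory (inclusive at both ends).
AFFECTED = [("9.7.1", "9.7.7"), ("9.8.0", "9.8.8"),
            ("9.9.0", "9.9.7"), ("9.10.0", "9.10.2-P1")]

def parse_version(v):
    """'9.10.2-P1' -> (9, 10, 2, 1); no -P suffix means patch level 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", v.strip())
    if not m:  # assumption: alpha/beta/rc/-S builds are out of scope here
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_affected(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)

def validates(conf_text):
    """Apply the advisory's rule for when a resolver performs DNSSEC validation."""
    # Drop /* */, // and # comments so commented-out statements are ignored.
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf_text, flags=re.S)
    values = re.findall(r"\bdnssec-validation\s+(\w+)\s*;", text)
    values = [x.lower() for x in values] or ["yes"]  # "yes" is the default
    # Assumption: any trusted-keys/managed-keys block counts as a root anchor.
    has_anchor = re.search(r"\b(?:trusted-keys|managed-keys)\s*\{", text) is not None
    return "auto" in values or ("yes" in values and has_anchor)

def exposed(version, conf_text):
    return is_affected(version) and validates(conf_text)

# Constructed sample configuration, not taken from the ticket.
SAMPLE_CONF = """
options {
    directory "/var/named";
    recursion yes;
    // dnssec-validation no;
    dnssec-validation auto;
};
"""

if __name__ == "__main__":
    for ver in ("9.10.2-P1", "9.10.2-P2"):
        print(ver, "exposed" if exposed(ver, SAMPLE_CONF) else "not exposed")
```

The check reads only the text it is given: files pulled in with include statements and the recursion setting itself are not examined.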

Change History (2)

comment:1 by bdubbs@…, 6 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:2 by bdubbs@…, 6 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 16235.
