-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reference: CERT-EU Security Advisory 2012-0122 Title: Denial of Service on Bind [1] Version history: 16.10.2012 Initial publication Summary ======= A nameserver can be locked up if it can be induced to load a specially crafted combination of resource records. A nameserver that has become locked-up due to the problem reported in this advisory will not respond to queries or control commands. Normal functionality cannot be restored except by terminating and restarting named. This vulnerability can be exploited remotely against recursive servers by inducing them to query for records provided by an authoritative server. It affects authoritative servers if one of the combinations of resource records is loaded from file, provided via zone transfer, or submitted to a zone via dynamic update. CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) Vulnerable systems ================== 9.2.x -> 9.6.x 9.4-ESV -> 9.4-ESV-R5-P1 9.6-ESV- > 9.6-ESV-R7-P3 9.7.0 -> 9.7.6-P3 9.8.0 -> 9.8.3-P3 9.9.0 -> 9.9.1-P3 Original Details ================ If specific combinations of RDATA are loaded into a nameserver, either via cache or an authoritative zone, a subsequent query for a related record will cause name to lock up. What can you do? ================ Upgrade to the patched version or new release most closely related to your current version of BIND. The patched versions of BIND and new releases can be downloaded from [2]. BIND 9 version 9.7.7, 9.7.6-P4 BIND 9 version 9.6-ESV-R8, 9.6-ESV-R7-P4 BIND 9 version 9.8.4, 9.8.3-P4 BIND 9 version 9.9.2, 9.9.1-P4 Please Note: All versions of BIND 9.2, 9.3, 9.4 and 9.5 are also affected, but these branches are beyond their "end of life" (EOL) and no longer receive testing or security fixes from ISC. For current information on which versions are actively supported, please see [3]. Workarounds: Setting the option 'minimal-responses' to 'yes' will prevent the lockup. What to tell your users? ======================== N/A More information ================ [1] https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-lockup-in-named.html [2] http://www.isc.org/downloads/all [3] http://www.isc.org/software/bind/versions [4] http://cve.mitre.org/ Best regards, CERT-EU Pre-configuration Team (http://cert.europa.eu) Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383 Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBAgAGBQJQfVevAAoJEPpzpNLI8SVoB2YP/jD/+sJbAtAatJaYimPRZyNW O8ok6H0SoDbGP/5Qy0kSxtTjCMscQTlEaHUjeeX8O+o/VIzskOZ09sKHn1Kypl2n mmyl4h9kclUIh/Tx8LOTjCRTviwk389KbY49kJ0tzbRXEFGxtwRIWgcSEvxBFNsI OctPM05flr9+zDxVdnuVX8dG/6pABrFxQgPfsdyfaggjOn5G4xlDujmCCJae8WHx Fdy9NeIqocHHN8czWXOD6o5JKphjzfpXicwY7Tv6DYcaNCf082XI89cXV6jJBFMN wVulsnF0iNyC3phMz5+KHh7wyMT8Lp0TGCrK5Y0Ba93MXkmy4Ni57TfyNB2R9U6N x6PD/qPTZ14mq0quVVFZTNfGhb/X7jlr6WW7BV/XJOindkjzRZ0UNtAysctgCx0l t2+4hIztGB/Bbf4q2hUTZvcwIrZjE8/rISvNXUkEZa6PnVji+b1NnHZFxqxH5wAK VwUPM/JfOS4UfdbSnF6twRk+QJcK/55eMfyEjlJlctziBFVheKlbxpCl51b7IUpl ZQ+1shmi2CeNaVg8e9TjbLrYM5mK79hsDHjVs3d5CtnRRYInJKE1baE6506UNeSq Y7NVwH2T7xrs1UiVgVeGXvZUjfG2lcHQEz8GP+XM/03TjBfzn5ZU416NQOCWGfbJ yMd1GX1c4umRtijKPR7O =RSZA -----END PGP SIGNATURE-----