Reference: CERT-EU Security Advisory 2014-007

Title: Denial of Service on BIND nameservers [1]

Version history:
22.01.2014 Initial publication

Summary
=======

Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. By exploiting this defect, an attacker who deliberately constructs a query with the right properties could achieve denial of service against an authoritative nameserver serving NSEC3-signed zones.

CVE Numbers: CVE-2014-0591

CVSS v2 Base Score: 5.4 (MEDIUM) (AV:N/AC:H/Au:N/C:N/I:N/A:C) [2]

Vulnerable systems
==================

9.6.0.x -> 9.6-ESV-R10-P1, 9.7 (all versions), 9.8.0 -> 9.8.6-P1, 9.9.0 -> 9.9.4-P1. Development releases 9.6-ESV-R11b1, 9.8.7b1, and 9.9.5b1 are also affected.

Original Details
================

See the original report [1] for details.

What can you do?
================

Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.

What to tell your users?
========================

N/A

More information
================

[1] https://kb.isc.org/article/AA-01078/74/CVE-2014-0591%3A-A-Crafted-Query-Against-an-NSEC3-signed-Zone-Can-Crash-BIND.html
[2] http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C)

Best regards,

CERT-EU configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
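
The affected ranges and the NSEC3 precondition listed in this advisory can be checked mechanically. The following is an added example, not part of the CERT-EU advisory or of ISC's code: it assumes version strings in the form printed by `named -v` and text-format zone files, the function names are hypothetical, and it treats an NSEC3PARAM record as the marker of an NSEC3-signed zone.

```python
import re

# Affected ranges per branch as listed in the advisory: (first, last, affected dev release).
AFFECTED = {
    (9, 6): ("9.6.0", "9.6-ESV-R10-P1", "9.6-ESV-R11b1"),
    (9, 8): ("9.8.0", "9.8.6-P1", "9.8.7b1"),
    (9, 9): ("9.9.0", "9.9.4-P1", "9.9.5b1"),
}
STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}  # a final release sorts after its pre-releases
VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+)|-ESV(?:-R(\d+))?)(?:(a|b|rc)(\d+))?(?:-P(\d+))?")

def parse(version):
    """Return (branch, sortable key) for strings such as 'BIND 9.6-ESV-R10-P1'."""
    m = VERSION_RE.search(version)
    if m is None:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, esv, stage, stage_n, p = m.groups()
    is_esv = patch is None  # 9.6-ESV releases follow every 9.6.x release
    key = (is_esv, int(esv or 0) if is_esv else int(patch),
           STAGE[stage], int(stage_n or 0), int(p or 0))
    return (int(major), int(minor)), key

def is_affected(version):
    branch, key = parse(version)
    if branch == (9, 7):
        return True  # advisory: "9.7 (all versions)"
    if branch not in AFFECTED:
        return False
    first, last, dev = (parse(v)[1] for v in AFFECTED[branch])
    return first <= key <= last or key == dev

def uses_nsec3(zone_text):
    """True if a signed zone file contains an NSEC3PARAM record (RFC 5155)."""
    lines = (line.split(";", 1)[0] for line in zone_text.splitlines())
    return any(re.search(r"\sNSEC3PARAM\s", line) for line in lines)

def exposed(version, zones):
    """Affected version AND at least one NSEC3-signed zone being served."""
    return is_affected(version) and any(uses_nsec3(z) for z in zones)

# Constructed sample zone fragments (not from the advisory).
NSEC3_ZONE = "example.test. 0 IN NSEC3PARAM 1 0 10 AABBCCDD\n"
NSEC_ZONE = "example.test. 3600 IN NSEC a.example.test. NS SOA RRSIG NSEC DNSKEY\n"

if __name__ == "__main__":
    for v in ("BIND 9.9.4-P1", "9.6-ESV-R11b1", "9.9.5"):
        print(v, exposed(v, [NSEC_ZONE, NSEC3_ZONE]))
```

Distribution packages that backport fixes often keep the upstream version number, so a positive result from the version check should be confirmed against the vendor's changelog.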