Date: 27 March 2013
References: ESB-2013.0453 ESB-2013.0455 ESB-2013.0463 ESB-2013.0573 ESB-2013.0613 ESB-2013.0620
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0440
A critical defect in BIND 9 allows an attacker to cause excessive memory
consumption in named or other programs linked to libdns
27 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIND
Publisher: ISC
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-2266
Original Bulletin:
https://kb.isc.org/article/AA-00871
- --------------------------BEGIN INCLUDED TEXT--------------------
A critical defect in BIND 9 allows an attacker to cause excessive
memory consumption in named or other programs linked to libdns.
CVE: CVE-2013-2266
Document Version: 2.0
Posting date: 26 March 2013
Program Impacted: BIND
Versions affected: "Unix" versions of BIND 9.7.x, 9.8.0 -> 9.8.5b1,
9.9.0 -> 9.9.3b1. (Windows versions are not affected.
Versions of BIND 9 prior to BIND 9.7.0 (including
BIND 9.6-ESV) are not affected. BIND 10 is not affected.)
Severity: Critical
Exploitable: Remotely
Description:
A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
on Unix and related operating systems, allows an attacker to
deliberately cause excessive memory consumption by the named
process, potentially resulting in exhaustion of memory resources
on the affected server. This condition can crash BIND 9 and
will likely severely affect operation of other programs running
on the same machine.
Please Note: Versions of BIND 9.7 are beyond their "end of life"
(EOL) and no longer receive testing or security fixes from ISC.
However, the re-compilation method described in the "Workarounds"
section of this document will prevent exploitation in BIND 9.7
as well as in currently supported versions.
For current information on which versions are actively supported,
please see http://www.isc.org/software/bind/versions.
Additional information is available in the CVE-2013-2266 FAQ and
Supplemental Information article in the ISC Knowledge base,
https://kb.isc.org/article/AA-00879.
Impact:
Intentional exploitation of this condition can cause denial of
service in all authoritative and recursive nameservers running
affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
(inclusive)]. Additionally, other services which run on the
same physical machine as an affected BIND server could be
compromised as well through exhaustion of system memory.
Programs using the libdns library from affected versions of BIND
are also potentially vulnerable to exploitation of this bug if
they can be forced to accept input which triggers the condition.
Tools which are linked against libdns (e.g. dig) should also be
rebuilt or upgraded, even if named is not being used.
CVSS Score: 7.8
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System
and to obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Workarounds:
Patched versions are available (see the "Solutions:" section
below) or operators can prevent exploitation of this bug in any
affected version of BIND 9 by compiling without regular expression
support.
Compilation without regular expression support:
BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
safe from this bug by re-compiling the source with regular
expression support disabled. In order to disable inclusion
of regular expression support:
- After configuring BIND features as desired using the configure
script in the top level source directory, manually edit the
"config.h" header file that was produced by the configure
script.
- Locate the line that reads "#define HAVE_REGEX_H 1" and
replace the contents of that line with "#undef
HAVE_REGEX_H".
- Run "make clean" to remove any previously compiled object
files from the BIND 9 source directory, then proceed to
make and install BIND normally.
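The config.h edit from the steps above, as an added shell example (not part of the ISC advisory). The function names and the ".orig" backup are assumptions of this example; a config.h in which HAVE_REGEX_H was never defined is treated as already safe.

```shell
#!/bin/sh
# Added example, not ISC code. Run from the top of a BIND 9 source tree
# after ./configure has produced config.h.

# regex_disabled FILE: succeeds when FILE exists and contains no active
# "#define HAVE_REGEX_H" line (a commented-out #undef counts as disabled).
regex_disabled() {
    [ -f "$1" ] &&
        ! grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_REGEX_H([[:space:]]|$)' "$1"
}

# disable_regex FILE: keep a backup as FILE.orig (assumed name), replace the
# whole "#define HAVE_REGEX_H 1" line with "#undef HAVE_REGEX_H", then
# confirm that no active define is left. Returns non-zero on any failure.
disable_regex() {
    cfg=$1
    if [ ! -f "$cfg" ]; then
        echo "error: $cfg not found; run ./configure first" >&2
        return 1
    fi
    cp -p "$cfg" "$cfg.orig" || return 1
    sed -E 's/^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_REGEX_H([[:space:]].*)?$/#undef HAVE_REGEX_H/' \
        "$cfg.orig" > "$cfg" || return 1
    regex_disabled "$cfg"
}

# With --apply: edit config.h, then rebuild from clean objects so that no
# object file compiled with regex support is reused. Installation is left
# to the operator's normal procedure.
if [ "${1:-}" = "--apply" ]; then
    disable_regex config.h || exit 1
    make clean && make
fi
```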
Active exploits:
No known active exploits.
Solution:
Compile BIND 9 without regular expression support as described
in the "Workarounds" section of this advisory or upgrade to the
patched release most closely related to your current version of
BIND. These can be downloaded from http://www.isc.org/downloads/all.
BIND 9 version 9.8.4-P2
BIND 9 version 9.9.2-P2
Acknowledgements:
ISC would like to thank Matthew Horsfall of Dyn, Inc. for
discovering this bug and bringing it to our attention.
Document Revision History:
1.0 Phase One - Advance Notification, 11 March 2013
1.1 Phase Two & Three, 25 March 2013
2.0 Notification to Public (Phase Four), 26 March 2013
Related Documents:
Japanese Translation: https://kb.isc.org/article/AA-00881
Spanish Translation: https://kb.isc.org/article/AA-00882
German Translation: https://kb.isc.org/article/AA-00883
Portuguese Translation: https://kb.isc.org/article/AA-00884
See our BIND Security Matrix for a complete listing of Security
Vulnerabilities and versions affected.
If you'd like more information on our product support please visit
www.isc.org/support.
Do you still have questions? Questions regarding this advisory
should go to security-officer@isc.org
Note:
ISC patches only currently supported versions. When possible we
indicate EOL versions affected.
ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy
This Knowledge Base article https://kb.isc.org/article/AA-00871 is
the complete and official security advisory document.
Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.
(c) 2001-2013 Internet Systems Consortium
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----