
ESB-2014.2323 - [Win][UNIX/Linux] BIND 9: Denial of service - Remote/unauthenticated

Date: 09 December 2014
References: ESB-2014.2350  ESB-2014.2390  ESB-2014.2508  ESB-2015.0046  ESB-2015.0138.4  ESB-2015.0477  ESB-2015.0940  ESB-2016.0222  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2323
          Multiple vulnerabilities have been identified in BIND 9
                              9 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIND 9
Publisher:         ISC
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8680 CVE-2014-8500 

Original Bulletin: 
   https://kb.isc.org/article/AA-01216/74/CVE-2014-8500
   https://kb.isc.org/article/AA-01217/74/CVE-2014-8680

Comment: This bulletin contains two (2) ISC security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND

Author: Michael McNally 
Reference Number: AA-01216 
Views: 2043 
Created: 2014-11-18 08:55 
Last Updated: 2014-12-08 19:16 	

Failure to place limits on delegation chaining can allow an attacker to crash 
BIND or cause memory exhaustion.

CVE:                CVE-2014-8500
Document Version:   2.0
Posting date:       08 December 2014
Program Impacted:   BIND 9
Versions affected:  9.0.x -> 9.8.x, 9.9.0 -> 9.9.6, 9.10.0 -> 9.10.1
Severity:           Critical
Exploitable:        Remotely

Description:

By making use of maliciously-constructed zones or a rogue server, an attacker 
can exploit an oversight in the code BIND 9 uses to follow delegations in the 
Domain Name Service, causing BIND to issue unlimited queries in an attempt to 
follow the delegation.  This can lead to resource exhaustion and denial of 
service (up to and including termination of the named server process.)

Impact:

All recursive resolvers are affected.  Authoritative servers can be affected if
an attacker can control a delegation traversed by the authoritative server in
servicing the zone.

CVSS Score:  7.8

CVSS Vector:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain 
your specific environmental score please visit: 
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

No workarounds exist.  Vulnerable versions of BIND 9 should be upgraded.

Active exploits:

No known active exploits.

Solution:  Upgrade to the patched release most closely related to your current
version of BIND.  Patched builds of currently supported branches of BIND 
(9.9 and 9.10) can be downloaded via http://www.isc.org/downloads

    BIND 9 version 9.9.6-P1
    BIND 9 version 9.10.1-P1

Regarding older versions:

    BIND 9.6-ESV and BIND 9.8 have been officially designated "end of life" 
    (EOL) and no longer receive support.  All organizations running EOL 
    branches should be planning transition to currently supported branches.  
    However, due to the severity of this particular issue, source code diffs 
    which can be applied to BIND 9.8 and BIND 9.6-ESV will be made available on
    request to security-officer@isc.org.

Acknowledgements: ISC would like to thank Florian Maury (ANSSI) for discovering
and reporting this vulnerability.

Document Revision History:

1.0 Advance Notification: 20 November 2014 
2.0 Public Disclosure: 08 December 2014

Related Documents:

See our BIND9 Security Vulnerability Matrix at 
https://kb.isc.org/article/AA-00913 for a complete listing of Security 
Vulnerabilities and versions affected.

If you'd like more information on ISC Subscription Support and Advance Security
Notifications, please visit http://www.isc.org/support/.

Do you still have questions?  Questions regarding this advisory should go to
security-officer@isc.org.  To report a new issue, please encrypt your message
using security-officer@isc.org's PGP key which can be found here: 
https://www.isc.org/downloads/software-support-policy/openpgp-key/.  If you are
unable to use encrypted email, you may also report new issues at: 
http://www.isc.org/community/report-bug/.

Note: ISC patches only currently supported versions. When possible we indicate
EOL versions affected.  (For current information on which versions are actively
supported, please see http://www.isc.org/downloads/).

ISC Security Vulnerability Disclosure Policy:  Details of our current security
advisory policy and practice can be found here:
https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html

This Knowledge Base article https://kb.isc.org/article/AA-01216 is the complete
and official security advisory document.

Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis.
No warranty or guarantee of any kind is expressed in this notice and none 
should be implied. ISC expressly excludes and disclaims any warranties
regarding this notice or materials referred to in this notice, including, 
without limitation, any implied warranty of merchantability, fitness for a 
particular purpose, absence of hidden defects, or of non-infringement. Your 
use or reliance on this notice or materials referred to in this notice is at
your own risk. ISC may change this notice at any time.  A stand-alone copy or 
paraphrase of the text of this document that omits the document URL is an 
uncontrolled copy. Uncontrolled copies may lack important information, be out
of date, or contain factual errors.


2001-2014 Internet Systems Consortium

Please help us to improve the content of our knowledge base by letting us know
below how we can improve this article.

If you have a technical question or problem on which you'd like help, please 
don't submit it here as article feedback.

For assistance with problems and questions for which you have not been able to
find an answer in our Knowledge Base, we recommend searching our community
mailing list archives and/or posting your question there (you will need to
register there first for your posts to be accepted). The bind-users and the 
dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development
of its open source software products. If you would like to support future 
product evolution and maintenance as well as having peace of mind knowing that
our team of experts are poised to provide you with individual technical 
assistance whenever you call upon them, then please consider our Professional 
Subscription Support services - details can be found on our main website.

- -------------------------------------------------------------------------------
CVE-2014-8680: Defects in GeoIP features can cause BIND to crash

Author: Michael McNally 
Reference Number: AA-01217 
Views: 1203 
Created: 2014-11-19 10:36 
Last Updated: 2014-12-08 19:16	

Two defects have been identified in the GeoIP feature added in BIND 9.10 which, 
when triggered, cause BIND to exit with an assertion failure.

CVE:                CVE-2014-8680
Document Version:   2.0
Posting date:       08 December 2014
Program Impacted:   BIND 9
Versions affected:  9.10.0 -> 9.10.1
Severity:           High
Exploitable:        Remotely

Description:

Multiple errors have been identified in the GeoIP features added in BIND 9.10. 
Two are capable of crashing BIND -- triggering either can cause named to exit 
with an assertion failure, resulting in a denial of service condition.  A 
third defect is also corrected, which could have caused GeoIP databases to not
be loaded properly if their location was changed while BIND was running.

Only servers built to include GeoIP functionality are affected.

Impact:

The GeoIP features in BIND 9.10 are enabled by a compile-time option which is 
not selected by default. If you did not compile your BIND binary, or do not 
know whether you selected GeoIP features, you can test whether the 
functionality is compiled in by examining the output of the command "named -V"
for "--with-geoip".  Only servers which were compiled with GeoIP enabled can be
affected by these defects. 

Servers which encounter either of the first two defects will terminate with an 
"assertion failure" error.
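
A triage check covering both advisories in this bulletin, added here as an example (not ISC or AusCERT code): it reads `named -V` output, compares the version with the affected ranges listed above, and looks for `--with-geoip`. The sample outputs and host names are constructed.

```python
import re

# Release lines from the two advisories: minor -> last affected patch level.
# A "-P<n>" suffix on that patch level marks the fixed build
# (9.9.6-P1, 9.10.1-P1). Everything in 9.0.x - 9.8.x is affected.
LAST_AFFECTED = {9: 6, 10: 1}
VERSION_RE = re.compile(r"BIND (\d+)\.(\d+)(?:\.(\d+))?(\S*)")

# Constructed `named -V` outputs (not captured from real servers).
SAMPLES = {
    "resolver-a": "BIND 9.10.1 built by make with '--with-geoip' '--prefix=/usr'",
    "resolver-b": "BIND 9.10.1-P1 built by make with '--with-geoip'",
    "auth-c": "BIND 9.9.5-P1 built by make with '--prefix=/usr'",
    "legacy-d": "BIND 9.6-ESV-R11 built with defaults",
}


def in_affected_branch(minor, patch, suffix):
    """True if a 9.9 / 9.10 version is at or below the last affected release."""
    last = LAST_AFFECTED.get(minor)
    if last is None:
        return False
    if patch != last:
        return patch < last
    return re.search(r"-P\d+", suffix) is None


def triage(named_v_output):
    """Map `named -V` output to the CVEs from this bulletin that apply."""
    m = VERSION_RE.search(named_v_output)
    if not m:
        raise ValueError("no BIND version string found")
    major, minor = int(m.group(1)), int(m.group(2))
    patch, suffix = int(m.group(3) or 0), m.group(4)
    if major != 9:
        return []
    findings = []
    if minor <= 8 or in_affected_branch(minor, patch, suffix):
        findings.append("CVE-2014-8500")
    geoip = "--with-geoip" in named_v_output
    if minor == 10 and geoip and in_affected_branch(minor, patch, suffix):
        findings.append("CVE-2014-8680")
    return findings


if __name__ == "__main__":
    for host, out in SAMPLES.items():
        print(host, triage(out) or "not affected by this bulletin")
```

Distribution packages may carry backported fixes under an unchanged upstream version string, so a version match from a vendor build should be confirmed against the vendor's changelog.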

CVSS Score:  5.4

CVSS Vector:  (AV:N/AC:H/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain 
your specific environmental score please visit: 
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C)

Workarounds:

Of the two errors, the first can occur with server binaries which were 
configured with GeoIP enabled if an IPv4 GeoIP database is loaded but no 
corresponding IPv6 database is found or if an IPv6 GeoIP database is loaded 
but no corresponding IPv4 database is found. This error can be avoided by 
ensuring that both IPv6 and IPv4 GeoIP databases are loaded.

A workaround for the second error is to disable IPv6 support by running named 
with the -4 option or configuring with "listen-on-v6 { none; };".

Upgrading to a patched version is recommended.

Active exploits:

No known active exploits.

Solution:  Upgrade to BIND 9.10.1-P1, which is available from 
http://www.isc.org/downloads

Acknowledgements:  ISC would like to thank Felipe Ecker of Azion Technologies 
for reporting the initial issues.

Document Revision History:

1.0 Advance Notification: 20 November 2014

2.0 Public Disclosure: 08 December 2014

Related Documents:

See our BIND9 Security Vulnerability Matrix at 
https://kb.isc.org/article/AA-00913 for a complete listing of Security 
Vulnerabilities and versions affected.

If you'd like more information on ISC Subscription Support and Advance Security
Notifications, please visit http://www.isc.org/support/.

Do you still have questions?  Questions regarding this advisory should go to
security-officer@isc.org.  To report a new issue, please encrypt your message 
using security-officer@isc.org's PGP key which can be found here: 
https://www.isc.org/downloads/software-support-policy/openpgp-key/.  If you are
unable to use encrypted email, you may also report new issues at:
https://www.isc.org/community/report-bug/.

Note: ISC patches only currently supported versions. When possible we indicate 
EOL versions affected.  (For current information on which versions are actively
supported, please see http://www.isc.org/downloads/). 

ISC Security Vulnerability Disclosure Policy:  Details of our current security
advisory policy and practice can be found here: 
https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html

This Knowledge Base article https://kb.isc.org/article/AA-01217 is the complete
and official security advisory document.

Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis.
No warranty or guarantee of any kind is expressed in this notice and none 
should be implied. ISC expressly excludes and disclaims any warranties 
regarding this notice or materials referred to in this notice, including,
without limitation, any implied warranty of merchantability, fitness for a
particular purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this notice is at
your own risk. ISC may change this notice at any time.  A stand-alone copy or
paraphrase of the text of this document that omits the document URL is an 
uncontrolled copy. Uncontrolled copies may lack important information, be out
of date, or contain factual errors.

2001-2014 Internet Systems Consortium


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================