[Infowarrior] - BIND Dynamic Update DoS

[Richard Forno]

https://www.isc.org/node/474

BIND denial of service (server crash) caused by receipt of a specific  
remote dynamic update message.

Summary:

BIND denial of service (server crash) caused by receipt of a specific  
remote dynamic update message.
Description:
Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for  
which the server is the master may cause BIND 9 servers to exit.  
Testing indicates that the attack packet has to be formulated against  
a zone for which that machine is a master. Launching the attack  
against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or  
more zones – it is not limited to those that are configured to allow  
dynamic updates. Access controls will not provide an effective  
workaround.

dns_db_findrdataset() fails when the prerequisite section of the  
dynamic update message contains a record of type “ANY” and where at  
least one RRset for this FQDN exists on the server.

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).

Workarounds:
None.
(Some sites may have firewalls that can be configured with packet  
filtering techniques to prevent nsupdate messages from reaching their  
nameservers.)

Active exploits:
An active remote exploit is in wide circulation at this time.
Solution:
Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions  
can be downloaded from:

http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz

http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz

http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz

Acknowledgment:
Matthias Urlichs for reporting the problem.
Tom Daly for methodical follow-on testing.

Revision History:
2009-07-28 Initial text
2009-07-29 Update to reflect Tom Daly's findings

back to top© 2001-2009 Internet Systems Consortium