RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones
This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.
Install 9.8.0-P1 or higher.
Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
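To check an existing policy zone against this workaround, the following added example (not part of the ISC advisory) lists every RPZ rule that is not a forced NXDOMAIN. It assumes the usual RPZ zone-file encoding in which `CNAME .` means NXDOMAIN, with one record per line; the function name and the sample zone are constructed for illustration.

```python
import re

TTL = re.compile(r"^(\d+[smhdw]?)+$", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}
BOOKKEEPING = {"SOA", "NS"}  # zone-apex records, not policy rules

# Constructed sample RPZ zone (names and addresses are made up).
SAMPLE_ZONE = """\
$TTL 1h
@                 IN SOA localhost. admin.localhost. 1 1h 15m 30d 2h
                  IN NS  localhost.
bad.example.com       CNAME .            ; forced NXDOMAIN
*.bad.example.com     CNAME .
ads.example.net   300 IN A 192.0.2.10    ; RRset replacement
                      AAAA 2001:db8::10  ; inherits owner ads.example.net
portal.example.org    CNAME walled-garden.example.
"""

def non_nxdomain_rules(zone_text):
    """Return (line_no, owner, rtype, rdata) for each rule that is not 'CNAME .'.

    Conservative: anything other than a forced NXDOMAIN is reported, because
    the advisory's workaround allows only NXDOMAIN rules.
    """
    findings, owner = [], None
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                              # blank line or $TTL/$ORIGIN
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0)                 # else: inherit previous owner
        while fields and (TTL.match(fields[0]) or fields[0].upper() in CLASSES):
            fields.pop(0)                         # optional TTL and class
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype in BOOKKEEPING:
            continue
        if not (rtype == "CNAME" and rdata == "."):
            findings.append((line_no, owner, rtype, rdata))
    return findings

if __name__ == "__main__":
    for line_no, owner, rtype, rdata in non_nxdomain_rules(SAMPLE_ZONE):
        print(f"line {line_no}: {owner} {rtype} {rdata}")
```

An empty result means the zone contains only NXDOMAIN rules, which is the configuration the workaround describes.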
CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.
Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.
Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings is available at: http://www.isc.org/community/blog/201102/BIND-support
ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy
For more information about DNS RPZ, please check the following:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.


