BIND Security Advisories

ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers

Summary: 
A specially constructed packet will cause BIND 9 ("named") to exit, affecting DNS service.
CVE: 
CVE-2011-2464
Document Version: 
2.1
Posting date: 
05 Jul 2011
Program Impacted: 
BIND
Versions affected: 
9.6.3, 9.6-ESV-R4, 9.6-ESV-R4-P1, 9.6-ESV-R5b1 9.7.0, 9.7.0-P1, 9.7.0-P2, 9.7.1, 9.7.1-P1, 9.7.1-P2, 9.7.2, 9.7.2-P1, 9.7.2-P2, 9.7.2-P3, 9.7.3, 9.7.3-P1, 9.7.3-P2, 9.7.4b1 9.8.0, 9.8.0-P1, 9.8.0-P2, 9.8.0-P3, 9.8.1b1
Severity: 
High
Exploitable: 
Remotely

ISC BIND 9 Remote Crash with Certain RPZ Configurations

Summary: 
Two defects were discovered in ISC's BIND 9 code. These defects only affect BIND 9 servers which have recursion enabled and which use a specific feature of the software known as Response Policy Zones (RPZ) and where the RPZ zone contains a specific rule/action pattern.
CVE: 
CVE-2011-2465
Document Version: 
2.1
Posting date: 
05 Jul 2011
Program Impacted: 
BIND
Versions affected: 
9.8.0, 9.8.0-P1, 9.8.0-P2 and 9.8.1b1 Other versions of BIND 9 not listed here are not vulnerable to this problem.
Severity: 
High
Exploitable: 
Remotely

Large RRSIG RRsets and Negative Caching can crash named

Summary: 
A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to crash.
CVE: 
CVE-2011-1910
CERT: 
VU#795694
Document Version: 
1.5
Posting date: 
26 May 2011
Program Impacted: 
BIND
Versions affected: 
9.4: 9.4-ESV-R3, -R4, -R5b1 9.5: 9.5.3b1, 9.5.3rc1 (end-of-life) 9.6: 9.6.3, 9.6-ESV-R2, -R3, -R4, -R5b1 9.7: 9.7.1, 9.7.1-P1, -P2, 9.7.2, 9.7.2-P1, -P2, -P3, 9.7.3, 9.7.4b1 9.8: 9.8.0, 9.8.0-P1, 9.8.1b1
Severity: 
High
Exploitable: 
remotely

RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

Summary: 
When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.
CVE: 
CVE-2011-1907
Document Version: 
1.1
Posting date: 
05 May 2011
Program Impacted: 
BIND
Versions affected: 
9.8.0
Severity: 
High
Exploitable: 
remotely
Attachments
application/pdf icon
Response Policy Zones for the (not just) Domain Name System (DNS RPZ)
application/pdf icon
DNS Response Policy Zone

BIND: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

Summary: 
When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur.
CVE: 
CVE-2011-0414
CERT: 
VU#559980
Document Version: 
1.1
Posting date: 
22 Feb 2011
Program Impacted: 
BIND
Versions affected: 
9.7.1-9.7.2-P3
Severity: 
High
Exploitable: 
remotely
Share this