ISC Security Advisories

Reporting security issues:

If you need to report a security issue with any ISC product or service, please do so here. For additional guidance on the latest security advisories, see these: DHCP or BIND. This matrix lists the BIND 9 security advisories and which versions are affected.

As of Oct 2010, ISC uses CVSS, a program of first.org and NIST, to determine the severity of potential security issues. Here is our CVSS scoring guideline chart.

Please see our Security Vulnerability Disclosure Policy for details on how we publish security vulnerabilities.

Large RRSIG RRsets and Negative Caching can crash named

Summary: 
A BIND 9 DNS server set up as a caching resolver is vulnerable when a user queries a domain with very large resource record sets (RRsets) and the server tries to negatively cache the response. This can cause the BIND 9 DNS server (named process) to crash.
CVE: 
CVE-2011-1910
CERT: 
VU#795694
Document Version: 
1.5
Posting date: 
26 May 2011
Program Impacted: 
BIND
Versions affected: 
9.4: 9.4-ESV-R3, -R4, -R5b1; 9.5: 9.5.3b1, 9.5.3rc1 (end-of-life); 9.6: 9.6.3, 9.6-ESV-R2, -R3, -R4, -R5b1; 9.7: 9.7.1, 9.7.1-P1, -P2, 9.7.2, 9.7.2-P1, -P2, -P3, 9.7.3, 9.7.4b1; 9.8: 9.8.0, 9.8.0-P1, 9.8.1b1
Severity: 
High
Exploitable: 
remotely

RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

Summary: 
When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.
CVE: 
CVE-2011-1907
Document Version: 
1.1
Posting date: 
05 May 2011
Program Impacted: 
BIND
Versions affected: 
9.8.0
Severity: 
High
Exploitable: 
remotely

DHCP: dhclient does not strip or escape shell meta-characters

Summary: 
dhclient doesn't strip or escape certain shell meta-characters in dhcpd responses, allowing a rogue server or a party with escalated privileges on the server to cause remote code execution on the client.
CVE: 
CVE-2011-0997
CERT: 
VU#107886
Document Version: 
1.1
Posting date: 
05 Apr 2011
Program Impacted: 
DHCP
Versions affected: 
3.0.x-4.2.x
Severity: 
Medium
Exploitable: 
remotely

BIND: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

Summary: 
When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur.
CVE: 
CVE-2011-0414
CERT: 
VU#559980
Document Version: 
1.1
Posting date: 
22 Feb 2011
Program Impacted: 
BIND
Versions affected: 
9.7.1-9.7.2-P3
Severity: 
High
Exploitable: 
remotely

DHCP May Crash After Processing a DHCPv6 Decline Message

Summary: 
Processing an address previously declined and tagged as abandoned can crash the server.
CVE: 
CVE-2011-0413
CERT: 
VU#686084
Document Version: 
1.1
Posting date: 
26 Jan 2011
Program Impacted: 
DHCP
Versions affected: 
4.0.x-4.2.x
Severity: 
Medium
Exploitable: 
remotely

DHCP: Server Hangs with TCP to Failover Peer Port

Summary: 
If a server receives a TCP connection on a port that has been configured for communication with a failover peer, this can cause it to become non-responsive to all normal DHCP protocol traffic.
CVE: 
CVE-2010-3616
CERT: 
VU#159528
Posting date: 
10 Dec 2010
Program Impacted: 
DHCP
Versions affected: 
4.2
Severity: 
High
Exploitable: 
remotely

BIND: cache incorrectly allows a ncache entry and a rrsig for the same type

Summary: 
Failure to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named.
CVE: 
CVE-2010-3613
CERT: 
VU#706148
Posting date: 
01 Dec 2010
Program Impacted: 
BIND
Versions affected: 
9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2
Severity: 
High
Exploitable: 
remotely

BIND: allow-query processed incorrectly

Summary: 
Using "allow-query" in the "options" or "view" statements to restrict access to authoritative zones has no effect.
CVE: 
CVE-2010-3615
CERT: 
VU#510208
Posting date: 
01 Dec 2010
Program Impacted: 
BIND
Versions affected: 
9.7.2-P2
Severity: 
High
Exploitable: 
remotely

BIND: Key algorithm rollover bug in bind9

Summary: 
named (acting as DNSSEC validating resolver) could incorrectly mark zone data as insecure when the zone being queried is undergoing a key algorithm rollover.
CVE: 
CVE-2010-3614
CERT: 
VU#837744
Posting date: 
01 Dec 2010
Program Impacted: 
BIND
Versions affected: 
9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2
Severity: 
Low
Exploitable: 
remotely

DHCP: Server Crash with Empty Link-Address Field

Summary: 
If the server receives a DHCPv6 packet containing one or more Relay-Forward messages, and none of them supply an address in the Relay-Forward link-address field, then the server will crash. This can be used as a single packet crash attack vector.
CVE: 
CVE-2010-3611
CERT: 
VU#102047
Posting date: 
02 Nov 2010
Program Impacted: 
DHCP
Versions affected: 
4.0 through 4.2
Severity: 
High
Exploitable: 
remotely