Guidance regarding Dec 1st 2010 Security Advisories

01 Dec 2010

These are some additional guidelines for our BIND community to assist you with upgrade recommendations in regards to these latest security advisories.  For more information on these advisories please see http://www.isc.org/advisories.  To download these current versions, please visit http://www.isc.org/downloads/all.
 


CVE: CVE-2010-3613
CERT: VU#706148
BIND: cache incorrectly allows a ncache entry and a rrsig for the same type

Although the defect is very unlikely to be encountered in normal operation, if your recursive resolver is being used to query public Internet zones and you cannot readily restrict your client queries then there is the potential for a remote attacker to cause your nameserver to crash.

Note particularly that disabling DNSSEC validation is NOT an effective workaround.

* We recommend that you plan to upgrade immediately if ALL of the following apply to your BIND installation:
     a) You are operating a recursive server which obtains answers from public Internet zones.
     b) You are running any version of BIND 9 including or prior to: 9.6.2 - 9.6.2-P2, 9.4-ESV - 9.6-ESV-R2, 9.7.0 - 9.7.2-P2
     c) The DNS clients accessing your resolver constitute a large pool and are not under you control or you can not limit access only
         to machines with full trust.

* We suggest that you put this upgrade in your plans for 2011 if you are not operating recursive DNS servers.
 

                                          
CVE: CVE-2010-3614
CERT: VU#837744
BIND: Key algorithm rollover bug in bind9

This problem affects recursive resolvers with DNSSEC validation enabled and all versions of BIND 9 and has the potential to cause responses to be returned incorrectly without the AD bit or to SERVFAIL incorrectly (although the circumstances when this can happen are limited and thus would seldom be encountered accidentally). The likelihood of an engineered attack is also low.

* We recommend that you upgrade at your earliest maintenance window opportunity if ALL of the following apply to your BIND installation:
     a) You are operating a recursive server which obtains answers from public Internet zones or you are operating in a test                 environment where you do key algorithm rollovers on your authoritative servers.
     b) You have DNSSEC validation enabled.
     c) Your clients trust and depend on correct DNSSEC validation.

* We suggest that you put this upgrade in your plans for 2011:
     a) Before you enable DNSSEC validation.
 

                  
CVE: CVE-2010-3615
CERT: VU#510208
BIND: allow-query processed incorrectly

This problem is applicable to those who have already installed BIND 9.7.2-P2 on servers with authoritative (master and/or slave) zone data AND who wish to restrict who can query the zone data that they're serving via global/view ACLs.

There is no impact from this defect on ACLs that control access to recursion or to recursive cache.

* We recommend that you plan to upgrade immediately if ALL of the following apply to your BIND installation:
     a) You are currently running BIND 9.7.2-P2.
     b) Your nameservers are authoritative (master or slave) for some zones.
     c) You control access to your authoritative data by means of ACLs set at global or view level.
     d) You would be adversely impacted if these ACLs fail to to restrict client queries.
     e) It is not possible to deploy a configuration workaround (add the desired ACL explicitly to each zone).

* We advise that you upgrade at your earliest maintenance window opportunity if only a), b) and c) above are applicable.

* We suggest that you add upgrading to the (then) newest version of 9.7 to your plans for 2011 if:
     a) You are now running an older version of 9.7 than 9.7.2-P2.

Share this