BIND: cache incorrectly allows an ncache entry and an RRSIG for the same type

Summary: 
Failure to clear existing RRSIG records when a NODATA response is negatively cached could cause subsequent lookups to crash named.
CVE: 
CVE-2010-3613
CERT: 
VU#706148
Posting date: 
01 Dec 2010
Program Impacted: 
BIND
Versions affected: 
9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2
Severity: 
High
Exploitable: 
remotely
Description: 

Adding certain types of signed negative responses to the cache doesn't clear any matching RRSIG records already in the cache. A subsequent lookup of the cached data can cause named to crash with an INSIST assertion failure.

CVSS: 7.8 - (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more on CVSS scores and to calculate your environment's specific risk, please visit the CVSS Calculator:
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Impact and Risk Assessment:
The INSIST crashes the server.
This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled.

Workarounds: 

none

Active exploits: 
None known at this time.
Solution: 

The versions listed below are supported by ISC.  All other versions are End of Life, and will not be patched.  If you are running a version not listed below, you should upgrade as soon as possible.

  • 9.4.x: upgrade to 9.4-ESV-R4 or newer
  • 9.6.x: upgrade to 9.6.2-P3 or newer
  • 9.6-ESV: upgrade to 9.6-ESV-R3 or newer
  • 9.7.x: upgrade to 9.7.2-P3
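
A version check built from the Versions affected and Solution lists above, as an added example that is not ISC's code. The function name `is_affected` and the treatment of a bare `-ESV` release as R0 are assumptions; pre-release and distribution-suffixed strings are rejected rather than guessed.

```python
import re

# Fixed releases per branch, taken from the Solution list above.
FIXED_ESV = {(9, 4): 4, (9, 6): 3}              # 9.4-ESV-R4, 9.6-ESV-R3
FIXED_REL = {(9, 6): (2, 3), (9, 7): (2, 3)}    # 9.6.2-P3, 9.7.2-P3

# Accepts a bare version or the "BIND <version>" line printed by `named -v`.
ESV_RE = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)-ESV(?:-R(\d+))?(?:-P\d+)?$")
REL_RE = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def is_affected(version):
    """Return True if `version` is affected per this advisory's version lists.

    Raises ValueError for strings it cannot classify (alpha/beta/rc builds,
    distribution-suffixed packages), which need a manual check.
    """
    v = version.strip()
    m = ESV_RE.match(v)
    if m:
        branch = (int(m.group(1)), int(m.group(2)))
        if branch not in FIXED_ESV:
            raise ValueError("ESV branch not covered by the advisory: " + v)
        # "9.4-ESV" with no -R suffix is treated as R0 (assumption).
        return int(m.group(3) or 0) < FIXED_ESV[branch]
    m = REL_RE.match(v)
    if not m:
        raise ValueError("unrecognised BIND version string: " + v)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if major != 9 or minor > 7:
        return False        # outside the advisory's "9.0.x to 9.7.2-P2" range
    if (major, minor) not in FIXED_REL:
        return True         # 9.0.x-9.5.x: no fixed non-ESV release is listed
    return (patch, int(m.group(4) or 0)) < FIXED_REL[(major, minor)]


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from real servers.
    for sample in ("BIND 9.7.2-P2", "9.7.2-P3", "9.6-ESV-R2", "9.4.3-P5"):
        print(sample, "->", "affected" if is_affected(sample) else "not affected")
```

Distribution packages often backport fixes without changing the upstream version string, so treat an "affected" result for a packaged build as a prompt to check the vendor changelog.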

Acknowledgment: Shinichi Furuso

Revision History:
24 Nov 2010: Corrected/Updated: Versions affected, CVSS Score, Impact and Risk Assessment and Solution
14 Dec 2010: Updated Versions Affected, Solution and Acknowledgement

For more information please contact bind9-bugs@isc.org
