Large RRSIG RRsets and Negative Caching can crash named
DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the negative cache.
The authority data will be cached along with the negative cache information. These authoritative “Start of Authority” (SOA) and NSEC/NSEC3 records prove the nonexistence of the requested name/type. In DNSSEC, all of these records are signed; this adds one additional RRSIG record, per DNSSEC key, for each record returned in the authority section of the response.
In this vulnerability, very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.
The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup).
DNSSEC does not need to be enabled on the resolver for it to be vulnerable.
CVSS Score: Base 7.8
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
Restricting access to the DNS caching resolver infrastructure will provide partial mitigation. Active exploitation can be accomplished through malware or SPAM/Malvertizing actions that will force authorized clients to look up domains that would trigger this vulnerability.
Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2 or the latest fixed version of the software.
See our BIND Software Downloads page to get the latest version: http://www.isc.org/downloads/all
Note: Engineering has confirmed that 9.6.2-P3 is unaffected.
Thanks to Frank Kloeker and Michael Sinatra for getting the details of this issue to the DNS Operations community and to Michael Sinatra, Team Cymru, and other community members for testing.
Document Revision History
- Version 1.0 - 26 May 2011: Updated/corrected Description
- Version 1.1 - 27 May 2011: Published 9.4-ESV-P1 to the website and ftp
- Version 1.2 - 27 May 2011: Updated, corrected text, and added clarifications based on questions to firstname.lastname@example.org.
- Version 1.3 - 27 May 2011: Added VU#
- Version 1.4 - 14 Jun 2011: Clarified versions affected
- Version 1.5 - 20 Jun 2011: Link to CI Lab's translation to Chinese.
Do you have Questions? Questions regarding this advisory should go to email@example.com.
Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to firstname.lastname@example.org. More information on ISC's support and other offerings are available at: http://www.isc.org/community/blog/201102/BIND-support
ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC