BIND 9 Resolver crashes after logging an error in query.c
An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working to determine how a record with this particular inconsistency comes to be cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.
The patch has two components. When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.
Update as of 5 December:
Having completed our analysis of the data submitted by those who experienced the crash, ISC has identified how and why this event occurred.
We have confirmed that it was triggered by an accidental operational error that exposed a previously unknown bug in BIND, causing an internal inconsistency which is effectively prevented by the mitigation patches we have produced and distributed.
While the original trigger for this incident no longer exists, it is very possible that the same set of circumstances could be made to recur deliberately rather than accidentally. Therefore, ISC strongly recommends that those running vulnerable servers continue to update to a patched release of BIND.
Translations of original CVE:
Spanish translation of this Advisory https://www.isc.org/advisorycve20114313ES
Japanese translation of this Advisory https://www.isc.org/advisorycve20114313JP
German translation of the Advisory http://cert.uni-stuttgart.de/ticker/article.php?mid=1686
Chinese translation of this Advisory https://www.isc.org/advisorycve20114313CN
Portuguese translation of this Advisory https://www.isc.org/advisorycve20114313PT
CVSS Score: 7.8
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
The best solution is to upgrade. Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
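To check deployed resolvers against the fixed releases listed above, the following is an added example, not ISC code. It assumes the version string comes from `named -v` and that later releases on the same branch keep the fix; vendor-suffixed builds are reported as unknown because a distributor may backport the patch without changing the upstream version number.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {"9.8": "9.8.1-P1", "9.7": "9.7.4-P1",
         "9.6-ESV": "9.6-ESV-R5-P1", "9.4-ESV": "9.4-ESV-R5-P1"}

STD = re.compile(r"^(\d+\.\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?$")
ESV = re.compile(r"^(\d+\.\d+-ESV)(?:-R(\d+))?(?:-P(\d+))?$")
PRE = {"a": 0, "b": 1, "rc": 2, None: 3}  # alpha < beta < rc < final

def parse(version):
    """Return (branch, sortable key), or None if the string cannot be ordered."""
    m = ESV.match(version)
    if m:
        return m.group(1), (int(m.group(2) or 0), int(m.group(3) or 0))
    m = STD.match(version)
    if m:
        return m.group(1), (int(m.group(2)), PRE[m.group(3)],
                            int(m.group(4) or 0), int(m.group(5) or 0))
    return None

def status(banner):
    """Classify a `named -v` style string against the advisory's fixed list."""
    tokens = banner.split()
    if tokens[:1] == ["BIND"]:
        tokens = tokens[1:]
    parsed = parse(tokens[0]) if tokens else None
    if parsed is None:
        return "unknown"    # vendor-suffixed or malformed: consult the vendor
    branch, key = parsed
    if branch not in FIXED:
        return "unlisted"   # advisory names no fixed release on this branch
    # Assumption: releases after the fixed one on the same branch keep the fix.
    return "patched" if key >= parse(FIXED[branch])[1] else "vulnerable"

# Constructed inventory (hostnames and versions are sample data).
INVENTORY = {
    "ns1.example.net": "BIND 9.8.1-P1",
    "ns2.example.net": "BIND 9.7.4",
    "ns3.example.net": "BIND 9.6-ESV-R4-P3",
    "ns4.example.net": "BIND 9.6.3",
    "ns5.example.net": "BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6",
}

def needs_action(inventory):
    """Hosts that are not confirmed patched, mapped to the reason."""
    return {h: s for h, v in inventory.items() if (s := status(v)) != "patched"}
```

Hosts reported as `unlisted` or `unknown` still need a decision: move to a branch with a listed fixed release, or confirm the fix with the operating system vendor.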
5 December Update: For customers who are unable to migrate immediately to a patched version of BIND, there is now a mitigation strategy available. ISC continues to strongly recommend installing a patched version as the safest course of action, but if circumstances prevent you from doing so you can still reduce or eliminate your exposure to the CVE-2011-4313 vulnerability with a configuration option addition to named.conf.
Please see this Supplemental page in our KnowledgeBase for full details of this workaround and other operational considerations.
ISC is receiving multiple reports and working with multiple customers on this issue. Please E-mail all questions, packet captures, and details to email@example.com
We very much appreciate all reports received on this issue.
Document Revision History
1.0 16 November 2011 - Interim Advisory
1.1 16 November 2011 - Mitigation patches, further information
1.2 16 November 2011 - Added Spanish and Japanese translations & CVSS info
1.2.1 17 November 2011 - Added German and Chinese translations, updated versions affected, and related documents
1.3 18 November 2011 - Added all BIND 9 Versions as vulnerable & Portuguese translation
1.3.1 21 November 2011 - Added O/S vendor specific patch links and updated versions affected to include all 9.6.x versions and 9.9.0Alpha & Beta, corrected Doc version #
1.3.2 24 November 2011 - Removed FreeBSD link for patch
2.0 5 December 2011 - Added additional description about verifying the cause of this issue, and added workaround
2.0.1 29 December 2011 - Added FreeBSD link for patch
Do you have Questions? Questions regarding this advisory should go to firstname.lastname@example.org.
ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy
This security advisory is also located in our KnowledgeBase https://deepthought.isc.org/article/AA-00544
A supplemental document is also available with additional details on the workaround and other operational considerations. https://deepthought.isc.org/article/AA-00549.
See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected.
Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.
O/S vendor specific patches can be found here:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.